From 720c638717ee0d4b19f888537e316cfac154c311 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Zwoli=C5=84ski?= Date: Tue, 16 May 2023 12:02:47 +0200 Subject: Add AES encrypted keys support for PKCS5 PBES2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maciej ZwoliƄski --- include/mbedtls/oid.h | 3 +++ library/oid.c | 14 +++++++++++++- tests/suites/host_test.function | 2 +- tests/suites/test_suite_pkcs5.data | 16 ++++++++++++++++ 4 files changed, 33 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 9545072..3a7f740 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -306,6 +306,9 @@ MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */ #define MBEDTLS_OID_DES_EDE3_CBC MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */ #define MBEDTLS_OID_AES MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */ +#define MBEDTLS_OID_AES_128_CBC MBEDTLS_OID_AES "\x02" /** aes128-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes128-CBC-PAD(2) } */ +#define MBEDTLS_OID_AES_192_CBC MBEDTLS_OID_AES "\x16" /** aes192-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes192-CBC-PAD(22) } */ +#define MBEDTLS_OID_AES_256_CBC MBEDTLS_OID_AES "\x2a" /** aes256-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes256-CBC-PAD(42) } */ /* * Key Wrapping algorithms diff --git a/library/oid.c b/library/oid.c index d139a6d..89d133d 100644 --- a/library/oid.c +++ b/library/oid.c @@ -696,9 +696,21 @@ static const oid_cipher_alg_t oid_cipher_alg[] = MBEDTLS_CIPHER_DES_EDE3_CBC, }, { + OID_DESCRIPTOR(MBEDTLS_OID_AES_128_CBC, "aes128-cbc", "AES128-CBC"), + MBEDTLS_CIPHER_AES_128_CBC, + }, + { + OID_DESCRIPTOR(MBEDTLS_OID_AES_192_CBC, "aes192-cbc", "AES192-CBC"), + MBEDTLS_CIPHER_AES_192_CBC, + }, + { + OID_DESCRIPTOR(MBEDTLS_OID_AES_256_CBC, "aes256-cbc", "AES256-CBC"), + MBEDTLS_CIPHER_AES_256_CBC, + }, + { NULL_OID_DESCRIPTOR, MBEDTLS_CIPHER_NONE, - }, + } }; FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg) diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index 06f391f..95d30f8 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -459,7 +459,7 @@ int execute_tests(int argc, const char **argv) int ret; unsigned total_errors = 0, total_tests = 0, total_skipped = 0; FILE *file; - char buf[5000]; + char buf[10000]; char *params[50]; /* Store for processed integer params. */ mbedtls_test_argument_t int_params[50]; diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index f3ea553..8480b5c 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -142,6 +142,22 @@ PBES2 Decrypt (Invalid padding & PKCS7 padding enabled) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" +PBES2 Decrypt DES-EDE3-CBC (OK) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C040832A773780540A2D602020800300C06082A864886F70D02090500301406082A864886F70D03070408480B29975B655BCE":"7A776F6C696E":"7C4948C17F9ABCDD9CC8DE3C91C83B6BAA2D01ABBC86DD3336875B018A7AA5527EEBA4788992FED8966923A1BD0405A1B2CA2FC011944E360863E4437D14C2F82A465D3F58D3B005389F8B46F5900A170B7A6A371DD052C59EF76858ADB553E1BD9EAA284EE1DA150BBF61879A6FC265886B5D12596D2413A9E3881EA49366D68BFD6DDA087E15A3F1C426D0416B294A57F7599D2F49C5090550A4DAD4781541E362D76F84A3389676EBE4F556FCCFC8E16065101ECC888E60D5DD58244A3CD1B90731DB5A43B30BDBF41C66A3E26AAF6363D630242CC1A6F456672FB7290D5542BFD32776619C6FD9C863CAC856DC529EFEFBE96F353697E5EC878762814ED0E6A672B38BF0D5B76F1825E8C697A646779FCD819BF4F28AE461D436D8535641670638E5C6FC8F7F2B6CA9F2868DEC0A3830645BC84701CC6A02A14E2AEE8D33D9224C96FA2F26F4675B3A73A0C7571552FE25C49F2455526D93F869A7E7C56E5E9F3012A05B298A38D7E3EEF66C6E13301B34B15C3D98446BF044E1F7C4A6FCE867AB9A68567ABC844A6B65AF8FA33D6BF899ADE0DCE98D50352F15EE2AFFD5D3BECD867DA7F54C6DEDB3396D30516FAECD3E62083E55A4A65D3CE6AB39DADD6A7C5EB192F14B8D13773AFA2CBB081350FA7DD9B5F1AD78E0F9DE17216DAE4D21EA843C4DDCD2C0B963F27F9F774435C200864D59CF28C483BCD948CA1E8950CF7C924D7BB69D85FD99BBB3E466AC36B0887CCCCDA508C55D55AC0B7045B6CC4013E9B216E6C40A6F1EFA299A078849DF7C90D1F8BCA7295B0C74403C6AE3D79717955F134AB7962F44DA87351B6F71569CA30A3D55B58958C485A285C169649607F2736DA0FC1E6BD35B7F63DBD8B3BDF300603BBFB54C23F895DCC5E086BDA3EB41D54E591A5B8537EBA4AA876513271270E2D953DA6F7AF95EF91CC986487E1F3136B15368C9638D5867FD4F8E581A3E6E1D552E778C99E465D7B243AE2C4525CE15C35E6588931FE8C476BA8ECA7CAE327B946C384FDF37448BE3662D1EAEFF7063C8427BADD713CB8EB7093FD9F3ABE582B9175C5AE10F1C85369B93A0DA29F120B12206B31B25670C8025C7F74FC2F59ADBA35E157F5BF2E77B01D61A77F1E33B7877A54F66ABD1E6CA12819EB951CFD89BBF985FD550EB2AB5AD4B8B0099A00E3FD358D2808E6178C14B1C365A1D31B7BA3F9F7F7A06852C5329D26C64AB4C1392C2FA9CDD78D30983C14E7BC9F19EF30BA5CC58759C7BC6F7F324D0A79188EB0740FD83E3B0B0664748F16071BB658C5679B7967C31300BC11B73A18545959F324734FCD4C06DE33E9290915A40A8F7799E049B8B7CCEACA02515720ECFAD78B7CB36A6144EB9AE483EA1AE978054B84C68BBA29D95C619516B783D11A6150D88DD594B975A7FD217944BD177E04FE21FE78B7BDC4B4E1E4012B756AF83589447739A5CEF211AB706C137FFC28D17F24891DF0C5DD811DE3AE90B6C4B0324376EB8A4980CF789541E2A1BFAAB3E0E64D50F584346727FEEB4EC1BBC1FFE08AF71E1A700E890006401191047661CAF3030F0D489C28BFFF374334036A68A6F4D67C25E90B04ADD9AC1763183E30E461918D45EE9C3A4F4CE621FABF6907901939278FB6FE940BCF0C6575F25C759263931383B001C7823340D9D739520E23517A8CE6EBBD4D16AAFA2149B9F04873DBD652D8CE033D65C021D4825A065F6E4CAD1927F9A":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" + +PBES2 Decrypt AES-128-CBC (OK) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C0408E9ED80B476045B2602020800300C06082A864886F70D02090500301D0609608648016503040102041052C89F1A8BE8E0EAE6D415F1974624A4":"7A776F6C696E":"279EBEFD0DDC751FFEABDC91F9C8BEA6081E58702D429E0D44FE96735AE6DD58BD4CD84498A91804F43D669A7159C57B758D536C0CF237FE4E868CE0AE87DA2C97B9649975FE189A9200435BFFD0304286508B0F9AB8C2E36B09AF336E27A6F40EE1AA1906A38A9E187E4A7A14B472D89C6A65D39AA9D390445A6859894431BEF8EAE07B914A70F55D95DF2FB1DB8B40154C1F1E16B4273156328DBAFDDBE2AE41BEAF227525D3B5D57FE9B7C188A2FE8493ABA3C916EDF486F520C670F505A4FC8DD083245032EF69C6C76141C8576AE7E59D4DB5974C316848CCCF6A36EFB3BA67175FD996756F3E51034D659CF98D95F953BBE5A9DE564426FCE324D3A3F463C2E6464DBC34610ECEC20518B47ACB9A4ED85C326A963D3B3C7088AF2A320E4B364666D2EE3D38D067808EC01BB765C5D4B4487E2F9D9FFEC8F0EC4C4262070F252C7E9D95CF01747055E2176BB9D17DE302ADC1C39335849797DF171AAF89946931D5A5C94FB85DB84D67290974B4F8F8E677F77FD62FE7B0A10E4DE9FE83598F47D3B32015FA2B1558672D2D81C65C123AE821052C84FA0ED2C5A5A39A7B12CFEB68887722970FC907D1B586A67F8479A1EBC4E8AE4676047086A7EE7520C9147C089B4AE5B2505C14C6F28F645F90C55E51BADBC4B4167EC4A757CD59452E800BCCA9D3DD01BD084057102403B4804D51A6EF404AB5B31FFFFA19AC56861D9863A5460077D109E043E5B2134D812652E80E3FF804FD1A0114FD8F1F72D97A0A6E88A2DE124FFCD2C17B7BCAC30B19189BC8301B25012C05014BA7DA9949A9F0F30470C760474E27A8160F237DAFA85CBE5499C7429109858E581AD2D5A4634691BEFA1C5545F78D0B93F140D5ABF06FB91CFDBD1D93D106199A1E35F651053D0E80787CEED53404F0F0C9EA54C8CC39682916D6731C3B91A4988B54D821F0EAD621606765F8048ED9FAE9DAB781C830C77DA70C44DB8C4BB000CE12C59DCA4BA5966EB25F7B32EBCB524C8C4B019B65E3B024E41BBDE68531A2205A784A842EB9673B56CDF88C2F056C9E5685C7BA0E52E067EC8B4B7CDAA8C6F1AFAFC05C51119A6AC25122C5F93E9157761788AB76641300CCBA08845C2932729CC31FE6E8577E3A565BCA9E6668619874540FC866B8677A8452BEAD9C6648893355D82B2D0EAEF1B13C5B1A3DDDB23B2EA00B9C9F627E753D7FF51D5AF87C2A07FE228CB00EC497D8869973282188833E36C74111050B409877913760E7C77F05B6B4DD19778F69F3F46F54B4842863B7BB0716DA26DDA07DDD334FCC7DD2B1A03FE0DE31B4018D2D96AED72B8D2F206D1011BCEFEE9EA413CDB053665553FEEA2E3EB54DD525DC12B7BBC3A76F1530F320717CBEF5AA541791335901A57436ECFE9917B9D009178CDDFBD9FD8756A808B72668B34A3D86303A6D5F6D38685356C1A87ECD2EC61A63FC53F5DA959B33988E869785E694AB079763CA9DD9B1EA2B8BAE5F31EB75D0F71D87B68AA9A4CB6995859FAB0028EFC633ED4DAA4A8FB0E6A55EF9B2DEA1E947C8DEA81CEAB9232A29340947719D4CEAABFB8E1E065F43F231D6A1C83E8F554530C58F8C02D2386F2C67D2F043097375ABD0C18F390BFA2867F870B1A1DA1AB6103D2275420B09778D9B775F147B6BB47598367F9C44AF509136F5F69E61E4A8592E44C860041D5C9C94A63BE17C6E93995A321238D80EF111F8BF137C7A38FACB6329CFDC9A5B9FB2DB":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" + +PBES2 Decrypt AES-192-CBC (OK) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C0408777618CD183CC88102020800300C06082A864886F70D02090500301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"7A776F6C696E":"540DADAE140E86453630405F6C5C97FFBD691D1BB3F9294292138BB3757EB78E1AAC1016257D387FB6D92A85E7D2E41EAC0D532018423B6DD38F3D44460FC818704BF4BF7BA15AA62143386C58615F719A1C0F4D178E0A3BECD7FFD3DC96AA261BE2006DB5C398BBDCFC8CE8D67DE6FD4B5079E60D5C865B41765A2881FD8AFC6D71B0B3B9C3F347EEDE5D355DA83895DF6E055CF6FF713AA9396821403C31440D40DD410FC0AB965ACA89A2A017A9F00084B6C32DB6A65B4EF5698C994B8B822DADE62789C7F0884372FD4CE7F5E9F9A77B35390AA1A236991B1ECA4C072A3760AEA316291112814A0B81793196EEA5ECF45A0E98DA780F251601AAC03950128A6587C83CA3F78A81D046982167B18DBEF4EEF1350E421A7CE37D62D11823E37C0CDA4FDE22198BED5C49F1ABEBDD9A769FC94B8BF2D023A876C9DE5DAC56EFDF4E00164AF02077046D7C8D5A056A2BFFA4E40B385727E12D6B9AC8CF72C7EE3B7FD86D1CE9EA9856C88A0BAE90AF780C32B9C96A064B84D16D343B9F4E5E1C0F76D19AAD9FAC7C7E56810FC44801F81207669C2E8AE3AC7CEF853F87E68082AD620131768360908A6257248FB53E185D97B22F574555F0B9E366C39FD5B1394FDBAE8D14923E90DD9A9F2256627CD3E19E1FC2C1FF773077A459B902564011E5C23254EC62084604BDA1D2ED134F5BA1EF8AB993778267E54851ED04B6A28EEBA9102F69429A8450A246730E071690E245BD5DE3522641664CC31E11AE648414AB825BB9A774CB9E525C23DD83EB7B650CFCB5AE9EE88E0504B34E667B4FE04336572AB95B42ED10C961B7D176C8E7D3A6EF797CBEF33988AB2899DA553210001855AEE49D9E218B1367472D954EDF4681F138554EBC885B5A20BAA0353AA745FBF1D1FBFE6627E5BB03A34DFA9D2A30674A7968BDD705E744A74649D16D00690D8F01880C41F0A7EC090528E228A4DD24B530BD5CDF4F0387DA4A199015CCAC611665424965F69B91782097B4AFCBB696A600A12D15C88E25A6F77FB4AE5D50E81330CBD2F6EA6704E9862413A4B8D66CC66CDAD4A06D74FF4699F06A15EEB8BC79F05A9498010013004A0BCCECBE0EB62DCFFE8F6436B567119AD0A38E870415D39E14A92BB2B4F3C05C552ACC7CC9AD0781735E94CEF1B6422660DF0E501ED8CA1BFA3EB14F9470B889D7FE006E2AD4E4999CB6DF95FF724FDDBFF4C6476FEB9D6AADD0489A226A825EA4F450DDACB34480D5F1E6B9C0A1CABE14659D28068D8806FC75833FFB98B2B81CC91AA590701E061F882020F78FC04C38E3A325E75192A22A6AE1AD60E393AA2F1DF160F881699F3025F7A78E28A14CCB99BD73C135D0E07BFE4E2A2523BF1E0445C550BAE2A72C67C649B1C29A067A7CAC2E47D4A7ECFAF8A255EAC64E764ACC741AE35FC01FA12057F7352FBE7D92E717327EEACD1BD50E5753A26C40BE8DC2FB8375621EB83F96A004BC8AC8B21C0F5217AFE091A844DE866D89E5EA9705813F960DF6457455317835C4B77A443B955960179D3E5A4649BEC702090AFE7E9E2F1AC2DE85BEB31760A8EC81CC58CFF1DD9F06E2786F4320A144E2E4F4A852056007FA5D27A22E99D60B19FC4D36FE1A5BC201D82C5BE861A9D5BAAC6AFB7F6AB1EE748B9880C40D92B7EA65D00A6970C386C1FCDC5E25B7E8790B6F6B8BF631D70262B3CDBD7CA3023090D0F34112135D75E5BE28378CC5EF48585EDD3C95FD9C817F":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" + +PBES2 Decrypt AES-256-CBC (OK) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C0408B948C29B606B981502020800300C06082A864886F70D02090500301D060960864801650304012A0410FD87E5DBEE6E498D887C771C454D4265":"7A776F6C696E":"3BDA5B8B7C541816276A84F779F4961C291CCA695D2DEE57F23B359886852947F1609CAA73072A3D1CEC95B17E987B05C4F401ADBF73B602F031BE107D2290E905E1B16455954C58DE8605CA679FDC83EB3C16427294400AFF227126300E4568CF1332ADAA4CB361F52E0DC4FD19682B7762EAF860B1674549D30ABF4DA2F998364FED59247552E807CCCE4CFD5E4B1F5E37EF3F18ED31BC1318193160AC1FFC487646FAB1FC006A0603AB3DFAB0F068B459665D4902624AC487B924914135BDDD7A2899007F45DB30847745464E1D134A58FCFBA69E13C4BDCDAA6845D57404EF0C46C102DB3621A5EFB0B8DC247951C51BB3777782EF59BBA0211AA5B8E6A91AF6409ED2984B50DC06A2295BE99E4A9B2D769BE13E8E6CF9F01259FCDB09642C10AF77B3B3F057F2D8F7AF234293DF08175D40831FAF776C299CCE88AA5F860318BF96F5C4B52CBAEB3E9BF3092A818A4B638F835084C9666D79668E08D125E0668925123F24BE675B592068F8E29D0FCD9D763148F261D88A9DE9022A6759467EA1BB06CDB20FD335E8D080F18A8DE331873C4A5C4213D36C332E319C146EA10F6FB1BF82493616776BBBD6B38251F847F1961FDAE518E18BECACE932C1EB477946D9381036DC2C9537786A3BE295D5156AB479DD6DD0B3E85652A4B66C0BF69926504A2DC5068A99E05F08DDAC2FD99C2AFA76203B64886D99E8D3C67C94C92BDB9D22B28CA775512A55BB7B4A9483DD2541B0BABF58769CDBFB05EE53FE452E0B4B42DF086F2932969AE943837CD2EDF7B5B731245B1A6C83079F42BFF3B170819F852B5AA493B2D9A378FB8C99F400E7F4E2FE503AB7399F271451238DCA8667077E555D6F96747C5854A9D2F13CE93D2BD6AAF9808DAF0BEFE1448A5536927A9D8C7886FCA937C6912943E4B20412540625F277552E6B6FB914F2916B780CD529FB0A3491C9011E3CFED7BDBFEC3BD18B260DB882294D647AB70577E60C6E3E85F6CAAE9F2EC6820115B5CD854A1368CB4B6D23B16B32CB5DB9D77D7A556EEB6ECD4075C74CE606EA25E0300EC65761F0EFDA7B6E8DA3C0196E274D86BC2911C2A96A6E0B6C259449E4D43C248AE5614D4D74147FB1963C5770958523F7AB8606F904892523BECD2D7CC81DD296361C0D11DFB2CA306B42CC0481E9B3A66FE2E17562FC9210139CE33B9724283207EF6B17496D6D0E1D07641A7BDB4DEF9A7CDE297CFBB119FDB43CF970B6DFF5F08EABE5E087DFBDB067CAEEEB460D381C844154947B527C4C40F452A64EF2E15A4A9D13F060835380FA49B5201682F13E543207E791147D15C54C6540F2F3F3D8AAFC50623B260422EA5558906798FB555BEF0EE8BAFB544442185911883C3CA4DAC700BB8198C4C9E136F3517410AB2FFE605BA6AA27CB35958C7B51EDDA0961CD8F42ED7B61342E9BF7783289CB9D299C9CC84F08B7546D28CCCE2ABCB68A7BAEAC6C67E3FAA14E4502D9711CFAC16E4BBFBE016A9755D49E233B3DDDBF03C77F4542D7566B03264B0B85E006CAABEED61715F2E97913F36DB841B3DFEC1CF6549976D93D35AAE9BC1383F84133F38904F819DF3FDC3DBE636F0661DABEF654D2C52BF1A1A2E33F79032F4E2C34981BC354B74B727CCC759209790FFAFED8E9DB5532AD6F9F0BD7B74A5DE63A4363464DC5A137D56BCCFACBB8C77229B048A587027B24D1968A1BEB3935C6C416E4A8AB14F3AF2C1858942D27CB976AF4":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" + PBES2 Decrypt (bad params tag) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C pbes2_decrypt:MBEDTLS_ASN1_SEQUENCE:"":"":"":0:MBEDTLS_ERR_PKCS5_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:"" -- cgit v1.1 From 1c19557f49c191df26d4066838575f42d1b786d3 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 19 Sep 2023 17:27:28 +0100 Subject: Revert increase of test buffer size. Signed-off-by: Ryan Everett --- tests/suites/host_test.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index 95d30f8..06f391f 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -459,7 +459,7 @@ int execute_tests(int argc, const char **argv) int ret; unsigned total_errors = 0, total_tests = 0, total_skipped = 0; FILE *file; - char buf[10000]; + char buf[5000]; char *params[50]; /* Store for processed integer params. */ mbedtls_test_argument_t int_params[50]; -- cgit v1.1 From 1a913093244aff20c37fa1b6b60fc7c21139ff37 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Mon, 25 Sep 2023 14:15:03 +0100 Subject: Restore array formatting Signed-off-by: Ryan Everett --- library/oid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/oid.c b/library/oid.c index 89d133d..a1cf6fc 100644 --- a/library/oid.c +++ b/library/oid.c @@ -710,7 +710,7 @@ static const oid_cipher_alg_t oid_cipher_alg[] = { NULL_OID_DESCRIPTOR, MBEDTLS_CIPHER_NONE, - } + }, }; FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg) -- cgit v1.1 From 223e716693f969561db05d887e66b6aad576e814 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Mon, 25 Sep 2023 14:26:53 +0100 Subject: Replace AES-CBC test data Previously the buffer size was increased in order to allow for large test data, these new tests fit in the original sized buffer. Test data generated with openssl using the following command line: openssl kdf -keylen $LEN -kdfopt digest:SHA256 -kdfopt iter:10000 -kdfopt pass:"PasswordPasswordPassword" -kdfopt hexsalt:0102030405060708 PBKDF2 openssl enc -$ENC -iv 2F904F75B47B48A618068D79BD9A826C -K $KEY -in $IN -e -out $OUT Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkcs5.data | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 8480b5c..94ac86c 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -142,21 +142,17 @@ PBES2 Decrypt (Invalid padding & PKCS7 padding enabled) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" -PBES2 Decrypt DES-EDE3-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C040832A773780540A2D602020800300C06082A864886F70D02090500301406082A864886F70D03070408480B29975B655BCE":"7A776F6C696E":"7C4948C17F9ABCDD9CC8DE3C91C83B6BAA2D01ABBC86DD3336875B018A7AA5527EEBA4788992FED8966923A1BD0405A1B2CA2FC011944E360863E4437D14C2F82A465D3F58D3B005389F8B46F5900A170B7A6A371DD052C59EF76858ADB553E1BD9EAA284EE1DA150BBF61879A6FC265886B5D12596D2413A9E3881EA49366D68BFD6DDA087E15A3F1C426D0416B294A57F7599D2F49C5090550A4DAD4781541E362D76F84A3389676EBE4F556FCCFC8E16065101ECC888E60D5DD58244A3CD1B90731DB5A43B30BDBF41C66A3E26AAF6363D630242CC1A6F456672FB7290D5542BFD32776619C6FD9C863CAC856DC529EFEFBE96F353697E5EC878762814ED0E6A672B38BF0D5B76F1825E8C697A646779FCD819BF4F28AE461D436D8535641670638E5C6FC8F7F2B6CA9F2868DEC0A3830645BC84701CC6A02A14E2AEE8D33D9224C96FA2F26F4675B3A73A0C7571552FE25C49F2455526D93F869A7E7C56E5E9F3012A05B298A38D7E3EEF66C6E13301B34B15C3D98446BF044E1F7C4A6FCE867AB9A68567ABC844A6B65AF8FA33D6BF899ADE0DCE98D50352F15EE2AFFD5D3BECD867DA7F54C6DEDB3396D30516FAECD3E62083E55A4A65D3CE6AB39DADD6A7C5EB192F14B8D13773AFA2CBB081350FA7DD9B5F1AD78E0F9DE17216DAE4D21EA843C4DDCD2C0B963F27F9F774435C200864D59CF28C483BCD948CA1E8950CF7C924D7BB69D85FD99BBB3E466AC36B0887CCCCDA508C55D55AC0B7045B6CC4013E9B216E6C40A6F1EFA299A078849DF7C90D1F8BCA7295B0C74403C6AE3D79717955F134AB7962F44DA87351B6F71569CA30A3D55B58958C485A285C169649607F2736DA0FC1E6BD35B7F63DBD8B3BDF300603BBFB54C23F895DCC5E086BDA3EB41D54E591A5B8537EBA4AA876513271270E2D953DA6F7AF95EF91CC986487E1F3136B15368C9638D5867FD4F8E581A3E6E1D552E778C99E465D7B243AE2C4525CE15C35E6588931FE8C476BA8ECA7CAE327B946C384FDF37448BE3662D1EAEFF7063C8427BADD713CB8EB7093FD9F3ABE582B9175C5AE10F1C85369B93A0DA29F120B12206B31B25670C8025C7F74FC2F59ADBA35E157F5BF2E77B01D61A77F1E33B7877A54F66ABD1E6CA12819EB951CFD89BBF985FD550EB2AB5AD4B8B0099A00E3FD358D2808E6178C14B1C365A1D31B7BA3F9F7F7A06852C5329D26C64AB4C1392C2FA9CDD78D30983C14E7BC9F19EF30BA5CC58759C7BC6F7F324D0A79188EB0740FD83E3B0B0664748F16071BB658C5679B7967C31300BC11B73A18545959F324734FCD4C06DE33E9290915A40A8F7799E049B8B7CCEACA02515720ECFAD78B7CB36A6144EB9AE483EA1AE978054B84C68BBA29D95C619516B783D11A6150D88DD594B975A7FD217944BD177E04FE21FE78B7BDC4B4E1E4012B756AF83589447739A5CEF211AB706C137FFC28D17F24891DF0C5DD811DE3AE90B6C4B0324376EB8A4980CF789541E2A1BFAAB3E0E64D50F584346727FEEB4EC1BBC1FFE08AF71E1A700E890006401191047661CAF3030F0D489C28BFFF374334036A68A6F4D67C25E90B04ADD9AC1763183E30E461918D45EE9C3A4F4CE621FABF6907901939278FB6FE940BCF0C6575F25C759263931383B001C7823340D9D739520E23517A8CE6EBBD4D16AAFA2149B9F04873DBD652D8CE033D65C021D4825A065F6E4CAD1927F9A":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" - PBES2 Decrypt AES-128-CBC (OK) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C0408E9ED80B476045B2602020800300C06082A864886F70D02090500301D0609608648016503040102041052C89F1A8BE8E0EAE6D415F1974624A4":"7A776F6C696E":"279EBEFD0DDC751FFEABDC91F9C8BEA6081E58702D429E0D44FE96735AE6DD58BD4CD84498A91804F43D669A7159C57B758D536C0CF237FE4E868CE0AE87DA2C97B9649975FE189A9200435BFFD0304286508B0F9AB8C2E36B09AF336E27A6F40EE1AA1906A38A9E187E4A7A14B472D89C6A65D39AA9D390445A6859894431BEF8EAE07B914A70F55D95DF2FB1DB8B40154C1F1E16B4273156328DBAFDDBE2AE41BEAF227525D3B5D57FE9B7C188A2FE8493ABA3C916EDF486F520C670F505A4FC8DD083245032EF69C6C76141C8576AE7E59D4DB5974C316848CCCF6A36EFB3BA67175FD996756F3E51034D659CF98D95F953BBE5A9DE564426FCE324D3A3F463C2E6464DBC34610ECEC20518B47ACB9A4ED85C326A963D3B3C7088AF2A320E4B364666D2EE3D38D067808EC01BB765C5D4B4487E2F9D9FFEC8F0EC4C4262070F252C7E9D95CF01747055E2176BB9D17DE302ADC1C39335849797DF171AAF89946931D5A5C94FB85DB84D67290974B4F8F8E677F77FD62FE7B0A10E4DE9FE83598F47D3B32015FA2B1558672D2D81C65C123AE821052C84FA0ED2C5A5A39A7B12CFEB68887722970FC907D1B586A67F8479A1EBC4E8AE4676047086A7EE7520C9147C089B4AE5B2505C14C6F28F645F90C55E51BADBC4B4167EC4A757CD59452E800BCCA9D3DD01BD084057102403B4804D51A6EF404AB5B31FFFFA19AC56861D9863A5460077D109E043E5B2134D812652E80E3FF804FD1A0114FD8F1F72D97A0A6E88A2DE124FFCD2C17B7BCAC30B19189BC8301B25012C05014BA7DA9949A9F0F30470C760474E27A8160F237DAFA85CBE5499C7429109858E581AD2D5A4634691BEFA1C5545F78D0B93F140D5ABF06FB91CFDBD1D93D106199A1E35F651053D0E80787CEED53404F0F0C9EA54C8CC39682916D6731C3B91A4988B54D821F0EAD621606765F8048ED9FAE9DAB781C830C77DA70C44DB8C4BB000CE12C59DCA4BA5966EB25F7B32EBCB524C8C4B019B65E3B024E41BBDE68531A2205A784A842EB9673B56CDF88C2F056C9E5685C7BA0E52E067EC8B4B7CDAA8C6F1AFAFC05C51119A6AC25122C5F93E9157761788AB76641300CCBA08845C2932729CC31FE6E8577E3A565BCA9E6668619874540FC866B8677A8452BEAD9C6648893355D82B2D0EAEF1B13C5B1A3DDDB23B2EA00B9C9F627E753D7FF51D5AF87C2A07FE228CB00EC497D8869973282188833E36C74111050B409877913760E7C77F05B6B4DD19778F69F3F46F54B4842863B7BB0716DA26DDA07DDD334FCC7DD2B1A03FE0DE31B4018D2D96AED72B8D2F206D1011BCEFEE9EA413CDB053665553FEEA2E3EB54DD525DC12B7BBC3A76F1530F320717CBEF5AA541791335901A57436ECFE9917B9D009178CDDFBD9FD8756A808B72668B34A3D86303A6D5F6D38685356C1A87ECD2EC61A63FC53F5DA959B33988E869785E694AB079763CA9DD9B1EA2B8BAE5F31EB75D0F71D87B68AA9A4CB6995859FAB0028EFC633ED4DAA4A8FB0E6A55EF9B2DEA1E947C8DEA81CEAB9232A29340947719D4CEAABFB8E1E065F43F231D6A1C83E8F554530C58F8C02D2386F2C67D2F043097375ABD0C18F390BFA2867F870B1A1DA1AB6103D2275420B09778D9B775F147B6BB47598367F9C44AF509136F5F69E61E4A8592E44C860041D5C9C94A63BE17C6E93995A321238D80EF111F8BF137C7A38FACB6329CFDC9A5B9FB2DB":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" +pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt AES-192-CBC (OK) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C0408777618CD183CC88102020800300C06082A864886F70D02090500301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"7A776F6C696E":"540DADAE140E86453630405F6C5C97FFBD691D1BB3F9294292138BB3757EB78E1AAC1016257D387FB6D92A85E7D2E41EAC0D532018423B6DD38F3D44460FC818704BF4BF7BA15AA62143386C58615F719A1C0F4D178E0A3BECD7FFD3DC96AA261BE2006DB5C398BBDCFC8CE8D67DE6FD4B5079E60D5C865B41765A2881FD8AFC6D71B0B3B9C3F347EEDE5D355DA83895DF6E055CF6FF713AA9396821403C31440D40DD410FC0AB965ACA89A2A017A9F00084B6C32DB6A65B4EF5698C994B8B822DADE62789C7F0884372FD4CE7F5E9F9A77B35390AA1A236991B1ECA4C072A3760AEA316291112814A0B81793196EEA5ECF45A0E98DA780F251601AAC03950128A6587C83CA3F78A81D046982167B18DBEF4EEF1350E421A7CE37D62D11823E37C0CDA4FDE22198BED5C49F1ABEBDD9A769FC94B8BF2D023A876C9DE5DAC56EFDF4E00164AF02077046D7C8D5A056A2BFFA4E40B385727E12D6B9AC8CF72C7EE3B7FD86D1CE9EA9856C88A0BAE90AF780C32B9C96A064B84D16D343B9F4E5E1C0F76D19AAD9FAC7C7E56810FC44801F81207669C2E8AE3AC7CEF853F87E68082AD620131768360908A6257248FB53E185D97B22F574555F0B9E366C39FD5B1394FDBAE8D14923E90DD9A9F2256627CD3E19E1FC2C1FF773077A459B902564011E5C23254EC62084604BDA1D2ED134F5BA1EF8AB993778267E54851ED04B6A28EEBA9102F69429A8450A246730E071690E245BD5DE3522641664CC31E11AE648414AB825BB9A774CB9E525C23DD83EB7B650CFCB5AE9EE88E0504B34E667B4FE04336572AB95B42ED10C961B7D176C8E7D3A6EF797CBEF33988AB2899DA553210001855AEE49D9E218B1367472D954EDF4681F138554EBC885B5A20BAA0353AA745FBF1D1FBFE6627E5BB03A34DFA9D2A30674A7968BDD705E744A74649D16D00690D8F01880C41F0A7EC090528E228A4DD24B530BD5CDF4F0387DA4A199015CCAC611665424965F69B91782097B4AFCBB696A600A12D15C88E25A6F77FB4AE5D50E81330CBD2F6EA6704E9862413A4B8D66CC66CDAD4A06D74FF4699F06A15EEB8BC79F05A9498010013004A0BCCECBE0EB62DCFFE8F6436B567119AD0A38E870415D39E14A92BB2B4F3C05C552ACC7CC9AD0781735E94CEF1B6422660DF0E501ED8CA1BFA3EB14F9470B889D7FE006E2AD4E4999CB6DF95FF724FDDBFF4C6476FEB9D6AADD0489A226A825EA4F450DDACB34480D5F1E6B9C0A1CABE14659D28068D8806FC75833FFB98B2B81CC91AA590701E061F882020F78FC04C38E3A325E75192A22A6AE1AD60E393AA2F1DF160F881699F3025F7A78E28A14CCB99BD73C135D0E07BFE4E2A2523BF1E0445C550BAE2A72C67C649B1C29A067A7CAC2E47D4A7ECFAF8A255EAC64E764ACC741AE35FC01FA12057F7352FBE7D92E717327EEACD1BD50E5753A26C40BE8DC2FB8375621EB83F96A004BC8AC8B21C0F5217AFE091A844DE866D89E5EA9705813F960DF6457455317835C4B77A443B955960179D3E5A4649BEC702090AFE7E9E2F1AC2DE85BEB31760A8EC81CC58CFF1DD9F06E2786F4320A144E2E4F4A852056007FA5D27A22E99D60B19FC4D36FE1A5BC201D82C5BE861A9D5BAAC6AFB7F6AB1EE748B9880C40D92B7EA65D00A6970C386C1FCDC5E25B7E8790B6F6B8BF631D70262B3CDBD7CA3023090D0F34112135D75E5BE28378CC5EF48585EDD3C95FD9C817F":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" +pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt AES-256-CBC (OK) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302906092A864886F70D01050C301C0408B948C29B606B981502020800300C06082A864886F70D02090500301D060960864801650304012A0410FD87E5DBEE6E498D887C771C454D4265":"7A776F6C696E":"3BDA5B8B7C541816276A84F779F4961C291CCA695D2DEE57F23B359886852947F1609CAA73072A3D1CEC95B17E987B05C4F401ADBF73B602F031BE107D2290E905E1B16455954C58DE8605CA679FDC83EB3C16427294400AFF227126300E4568CF1332ADAA4CB361F52E0DC4FD19682B7762EAF860B1674549D30ABF4DA2F998364FED59247552E807CCCE4CFD5E4B1F5E37EF3F18ED31BC1318193160AC1FFC487646FAB1FC006A0603AB3DFAB0F068B459665D4902624AC487B924914135BDDD7A2899007F45DB30847745464E1D134A58FCFBA69E13C4BDCDAA6845D57404EF0C46C102DB3621A5EFB0B8DC247951C51BB3777782EF59BBA0211AA5B8E6A91AF6409ED2984B50DC06A2295BE99E4A9B2D769BE13E8E6CF9F01259FCDB09642C10AF77B3B3F057F2D8F7AF234293DF08175D40831FAF776C299CCE88AA5F860318BF96F5C4B52CBAEB3E9BF3092A818A4B638F835084C9666D79668E08D125E0668925123F24BE675B592068F8E29D0FCD9D763148F261D88A9DE9022A6759467EA1BB06CDB20FD335E8D080F18A8DE331873C4A5C4213D36C332E319C146EA10F6FB1BF82493616776BBBD6B38251F847F1961FDAE518E18BECACE932C1EB477946D9381036DC2C9537786A3BE295D5156AB479DD6DD0B3E85652A4B66C0BF69926504A2DC5068A99E05F08DDAC2FD99C2AFA76203B64886D99E8D3C67C94C92BDB9D22B28CA775512A55BB7B4A9483DD2541B0BABF58769CDBFB05EE53FE452E0B4B42DF086F2932969AE943837CD2EDF7B5B731245B1A6C83079F42BFF3B170819F852B5AA493B2D9A378FB8C99F400E7F4E2FE503AB7399F271451238DCA8667077E555D6F96747C5854A9D2F13CE93D2BD6AAF9808DAF0BEFE1448A5536927A9D8C7886FCA937C6912943E4B20412540625F277552E6B6FB914F2916B780CD529FB0A3491C9011E3CFED7BDBFEC3BD18B260DB882294D647AB70577E60C6E3E85F6CAAE9F2EC6820115B5CD854A1368CB4B6D23B16B32CB5DB9D77D7A556EEB6ECD4075C74CE606EA25E0300EC65761F0EFDA7B6E8DA3C0196E274D86BC2911C2A96A6E0B6C259449E4D43C248AE5614D4D74147FB1963C5770958523F7AB8606F904892523BECD2D7CC81DD296361C0D11DFB2CA306B42CC0481E9B3A66FE2E17562FC9210139CE33B9724283207EF6B17496D6D0E1D07641A7BDB4DEF9A7CDE297CFBB119FDB43CF970B6DFF5F08EABE5E087DFBDB067CAEEEB460D381C844154947B527C4C40F452A64EF2E15A4A9D13F060835380FA49B5201682F13E543207E791147D15C54C6540F2F3F3D8AAFC50623B260422EA5558906798FB555BEF0EE8BAFB544442185911883C3CA4DAC700BB8198C4C9E136F3517410AB2FFE605BA6AA27CB35958C7B51EDDA0961CD8F42ED7B61342E9BF7783289CB9D299C9CC84F08B7546D28CCCE2ABCB68A7BAEAC6C67E3FAA14E4502D9711CFAC16E4BBFBE016A9755D49E233B3DDDBF03C77F4542D7566B03264B0B85E006CAABEED61715F2E97913F36DB841B3DFEC1CF6549976D93D35AAE9BC1383F84133F38904F819DF3FDC3DBE636F0661DABEF654D2C52BF1A1A2E33F79032F4E2C34981BC354B74B727CCC759209790FFAFED8E9DB5532AD6F9F0BD7B74A5DE63A4363464DC5A137D56BCCFACBB8C77229B048A587027B24D1968A1BEB3935C6C416E4A8AB14F3AF2C1858942D27CB976AF4":0:"308204BD020100300D06092A864886F70D0101010500048204A7308204A30201000282010100D0680E66E3F69348A111BC720B747A402236FA15B330004F21A97E903AB94419F485688BAF2EEC07306D4C321D91DEA5D426D6336D342D967DC4192D537FDFE42548AEE817B57B82A9D75C8308839C739C830C3B6847D9F2EE65899F117DA196DBF64BD6AC6CE4486619FDFB41C57AFB8B8E893526699976CEB8CD3E07B668FB3F18D70C816F6BC1B26F767B1BF987B4D994FD5F53F7B497FF6A43F73D383F8DA05BAA2A68DDDDCFD2B3A7AACFA8B06D26D2C261BFEC13E7BA7C88AC7CA5AE187BE31D8E579FEE2FC90C31E38C249EBC13C70490AC3463269FACF294D419505ADBC54B0697BF01DEB8EB83DF3236DD9059E6BD0CE64D8D39CB80A2DCDF82E19B020301000102820100517E4F1B66CAF5BEF1D4F8A673DA412FB0F1648B75BD3071C10D0143AEE2E14170FF75E92140ACE506C7C682D6534307FF548C7021A4C4AAD3550A2F52366FBB4BE5071814A54FBDC1624877A8ADA6510303AF95CF6A414CA0722E05789672C8860CE28CF871C0369B4E50A59E8B7552C5B89FE89BB3B161E6E616C3C9CA47743A32482A8885035BEB72E85564A0F004C4A99A935F4BAB523857E558FCF4A27ECD30EA5A91205BD84B9F550565561C9CDC324E3CFC478445D12C032B0057035EF4F548280F238038F3EE6097864D8724AFB53BCA8C62A8F5177AA072D4784EAAEB8B81BB6A3ACF453C5859B374E1FA3B3959FDBD630044B530A2FB50232517D902818100FE860C42D18CBDF8758CF5D4D2487E8EA4C0D6D3A1C735AD14A37A66D972B7B2B3D9551E0B25BAB7F58EAD0B7A696686F4B98DDCB15A20A388D1AB7793004B83B97915D747F8CB09390D2C2A0DE05FCAFAA36911DA2F5D30E0E0178FA7B7B0E57006A44056169078690F9B48225340812A2ADA48CC56B48A0FC75C842DE94FA702818100D19D86F612C92312B3C7F673CA9F4C4808ABEBAD925526A4509E3179C025DFE351720B40562355955B5856A0C9B306F0AAA3C132CEF8E04D94651FCE6A6B89FAD6A683E40551743D962FB4AE5895F7186D9EEC1F5E8A11CCC8BE1783080C5C86E909CF366B26E79316AC687F42E6A6300BC50B944642CF297393FE9EF47F3CED0281806035C18ABC754C1610314177BA2947159A777E7D2F0903643289FD29C58694A3CB521AD7A97510989B0CDCA29B1A1E74632B84D16884DE13931356927391C7F9B9F1686D213A8D5D2620B1920FFEC1971399138D79013063DA8D3ABAC5B62CFAFD96B51DD0ACE4DD6F31440C47555AEBB849CC8B7A1A48526BD67B4547A98ABF0281800E8210AD476F9475DEEBA02B3383030C994D0CEADE8DF636B93DB9BEEB85B3915039CC7D8F78B29BBBCEC9702785B49D43B241D4FA6E4F580F45508640E7608D73FDE2730DCB2D7875C4A784C9ACD7856150F696D53C492F1B55CCDACCDBCE2BA8457D8A0EB08AA6AB9313487BA0EB2FB820D34457F897CE0EA9D79DB8DE75A102818100DB30BDD1E07CB8131091FB3DE7284553FCB0C5C9797C02A74D364D235A41DBCB3D210528722440AF91B073BD5D8EEE0123DC32FF67CE8410E9875B3061AA976E0470797A03C7A59B4A25986AF2C79D2237AABADEF8A9F7BD117CA7274FBFAB4DB7BB77583720419A14938FF1DC643D7AAF7119A3DC46F7F178778C51310579A1" +pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt (bad params tag) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C -- cgit v1.1 From 8494c986a0cf12ad8e8dd8359bed055eb7028f0a Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 10 Oct 2023 18:26:57 +0100 Subject: Add Encryption test data for AES 128,196,256 PBES2 Data (for encryption and decryption) generated using openssl: openssl kdf -keylen 24 -kdfopt digest:SHA256 -kdfopt iter:10000 -kdfopt pass:"PasswordPasswordPassword" -kdfopt hexsalt:0102030405060708 PBKDF2 69D1831EA16816B82797E5E9619C2F62153BC65C1791B5C0 openssl enc $MODE -iv 2F904F75B47B48A618068D79BD9A826C -K $KEY -in $FILE -e -out $ENC Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkcs5.data | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 94ac86c..f372520 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -142,6 +142,18 @@ PBES2 Decrypt (Invalid padding & PKCS7 padding enabled) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" +PBES2 Encrypt AES-128-CBC (OK) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e" + +PBES2 Encrypt AES-192-CBC (OK) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94" + +PBES2 Encrypt AES-256-CBC (OK) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" + PBES2 Decrypt AES-128-CBC (OK) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" -- cgit v1.1 From 632699b9255be5070c35618622b70db1bbc7248d Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 11 Oct 2023 14:20:33 +0100 Subject: Add Changelog Signed-off-by: Ryan Everett --- ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt diff --git a/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt b/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt new file mode 100644 index 0000000..96f48d6 --- /dev/null +++ b/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt @@ -0,0 +1,3 @@ +Features + * Add support for using AES-CBC 128, 192, and 256 bit schemes + with PKCS#5 PBES2. \ No newline at end of file -- cgit v1.1 From cd80f09aa3628d671394fa985948de1b287c5689 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 12 Oct 2023 11:08:20 +0100 Subject: Fix Changelog formatting Signed-off-by: Ryan Everett --- ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt b/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt index 96f48d6..e00c1e0 100644 --- a/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt +++ b/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt @@ -1,3 +1,3 @@ Features * Add support for using AES-CBC 128, 192, and 256 bit schemes - with PKCS#5 PBES2. \ No newline at end of file + with PKCS#5 PBES2. -- cgit v1.1 From 86bfbe8ef2621973f4760bc8f0299e14aa1dc7a2 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 12 Oct 2023 11:19:13 +0100 Subject: Fix test data dependencies Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkcs5.data | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index f372520..3bd6b49 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -143,27 +143,27 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIP pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" PBES2 Encrypt AES-128-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e" PBES2 Encrypt AES-192-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94" PBES2 Encrypt AES-256-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" PBES2 Decrypt AES-128-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt AES-192-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt AES-256-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt (bad params tag) -- cgit v1.1 From 7ee4cc302a113edf92ff231573a52eb5b3964ba9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Nov 2023 15:49:57 +0100 Subject: Create legacy-API bridge API design document Do the analysis for hashes. Signed-off-by: Gilles Peskine --- .../psa-migration/psa-legacy-bridges.md | 137 +++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 docs/architecture/psa-migration/psa-legacy-bridges.md diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md new file mode 100644 index 0000000..e8f20b2 --- /dev/null +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -0,0 +1,137 @@ +Bridges between legacy and PSA crypto APIs +========================================== + +## Introduction + +### Goal of this document + +This document explores the needs of applications that use both Mbed TLS legacy crypto interfaces and PSA crypto interfaces. Based on [requirements](#requirements), we [analyze gaps](#gap-analysis) and [API design](#api-design). + +This is a design document. The target audience is library maintainers. See the companion document [“Transitioning to the PSA API”](../../psa-transition.md) for a user focus on the same topic. + +### Keywords + +* [TODO] A part of the analysis that isn't finished. +* [QUESTION] A specific aspect of the design where there are several plausible decisions. +* [ACTION] A finalized part of the design that will need to be carried out. + +### Context + +Mbed TLS 3.x supports two cryptographic APIs: + +* The legacy API `mbedtls_xxx` is inherited from PolarSSL. +* The PSA API `psa_xxx` was introduced in Mbed TLS 2.17. + +Mbed TLS is gradually shifting from the legacy API to the PSA API. Mbed TLS 4.0 will be the first version where the PSA API is considered the main API, and large parts of the legacy API will be removed. + +In Mbed TLS 4.0, the cryptography will be provided by a separate project [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). For simplicity, in this document, we just refer to the whole as “Mbed TLS”. + +### Document history + +This document was originally written when preparing Mbed TLS 3.6. Mbed TLS 3.6 includes both PSA and legacy APIs covering largely overlapping ground. Many legacy APIs will be removed in Mbed TLS 4.0. + +## Requirements + +### Why mix APIs? + +There is functionality that is tied to one API and is not directly available in the other API: + +* Only PSA fully supports PSA accelerators and secure element integration. +* Only PSA supports isolating cryptographic material in a secure service. +* The legacy API has features that are not present (yet) in PSA, notably parsing and formatting asymmetric keys. + +The legacy API can partially leverage PSA features via `MBEDTLS_USE_PSA_CRYPTO`, but this has limited scope. + +In addition, many applications cannot be migrated in a single go. For large projects, it is impractical to rewrite a significant part of the code all at once. (For example, Mbed TLS itself will have taken more than 6 years to transition.) Projects that use one or more library in addition to Mbed TLS must follow the evolution of these libraries, each of which might have its own pace. + +### Where mixing happens + +Mbed TLS can be, and normally is, built with support for both APIs. Therefore no special effort is necessary to allow an application to use both APIs. + +Special effort is necessary to use both APIs as part of the implementation of the same feature. From an informal analysis of typical application requirements, we identify four parts of the use of cryptography which can be provided by different APIs: + +* Metadata manipulation: parsing and producing encrypted or signed files, finding mutually supported algorithms in a network protocol negotiation, etc. +* Key management: parsing, generating, deriving and formatting cryptographic keys. +* Data manipulation other than keys. In practice, most data formats within the scope of the legacy crypto APIs are trivial (ciphertexts, hashes, MACs, shared secrets). The one exception is ECDSA signatures. +* Cryptographic operations: hash, sign, encrypt, etc. + +From this, we deduce the following requirements: + +* Convert between PSA and legacy metadata. +* Creating a key with the legacy API and consuming it in the PSA API. +* Creating a key with the PSA API and consuming it in the legacy API. +* Manipulating data formats, other than keys, where the PSA API is lacking. + +### Scope limitations + +The goal of this document is to bridge the legacy API and the PSA API. The goal is not to provide a PSA way to do everything that is currently possible with the legacy API. The PSA API is less flexible in some regards, and extending it is out of scope in the present study. + +With respect to the legacy API, we do not consider functionality of low-level modules for individual algorithms. Our focus is on applications that use high-level legacy crypto modules (md, cipher, pk) and need to combine that with uses of the PSA APIs. + +## Gap analysis + +Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap analysis on two topics: metadata and keys. This chapter explores the gaps in each family of cryptographic mechanisms. + +### Generic metadata gaps + +#### Need for error code conversion + +[QUESTION] Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use. + +### Hash gap analysis + +Hashes do not involve keys, and involves no nontrivial data format. Therefore the only gap is with metadata, namely specifying a hash algorithm. + +Hashes are often used as building blocks for other mechanisms (HMAC, signatures, key derivation, etc.). Therefore metadata about hashes is relevant not only when calculating hashes, but also when performing many other cryptographic operations. + +Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls_md_type_t`. Such functions exist in Mbed TLS 3.5 (`mbedtls_md_psa_alg_from_type`, `mbedtls_md_type_from_psa_alg`) but they are declared only in private headers. + +### MAC gap analysis + +[TODO] + +### Cipher and AEAD gap analysis + +[TODO] + +### Key derivation gap analysis + +[TODO] + +### Random generation gap analysis + +[TODO] + +### Asymmetric cryptography gap analysis + +[TODO] + +## New APIs + +This section presents new APIs to implement based on the [gap analysis](#gap-analysis). + +### Hash APIs + +Based on the [gap analysis](#hash-gap-analysis): + +[ACTION] Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`. + +### MAC APIs + +[TODO] + +### Cipher and AEAD APIs + +[TODO] + +### Key derivation APIs + +[TODO] + +### Random generation APIs + +[TODO] + +### Asymmetric cryptography APIs + +[TODO] -- cgit v1.1 From b422cab052b51ec84758638d6783d6ba4fc60613 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 16:18:10 +0800 Subject: tls: check RNG in ssl_conf_check when calling mbedtls_ssl_setup Signed-off-by: Yanray Wang --- library/ssl_tls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6678b71..28be8a6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1355,6 +1355,11 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl) } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + if (ssl->conf->f_rng == NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); + return MBEDTLS_ERR_SSL_NO_RNG; + } + /* Space for further checks */ return 0; -- cgit v1.1 From f88e529de348c18467c84925298167fedde86844 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 16:39:34 +0800 Subject: ssl_helpers: make rng_get available for other test cases This is a pre-step to configure random number generator in some TLS tests. Signed-off-by: Yanray Wang --- tests/include/test/ssl_helpers.h | 4 ++++ tests/src/test_helpers/ssl_helpers.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index d03c624..b45e969 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -193,6 +193,10 @@ typedef struct mbedtls_test_ssl_endpoint { #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int rng_get(void *p_rng, unsigned char *output, size_t output_len); +#endif + /* * This function can be passed to mbedtls to receive output logs from it. In * this case, it will count the instances of a mbedtls_test_ssl_log_pattern diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index d02d305..549a4ff 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -14,7 +14,7 @@ #if defined(MBEDTLS_SSL_TLS_C) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) static int rng_seed = 0xBEEF; -static int rng_get(void *p_rng, unsigned char *output, size_t output_len) +int rng_get(void *p_rng, unsigned char *output, size_t output_len) { (void) p_rng; for (size_t i = 0; i < output_len; i++) { -- cgit v1.1 From d6128e9ab94ded4879771cf9e6371ca041713cc5 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 17:08:56 +0800 Subject: test_suite_ssl.function: configure RNG to address test failure Signed-off-by: Yanray Wang --- tests/suites/test_suite_ssl.function | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 05571a1..050e525 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1121,6 +1121,8 @@ void ssl_dtls_replay(data_t *prevs, data_t *new, int ret) mbedtls_ssl_config_init(&conf); MD_OR_USE_PSA_INIT(); + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_DATAGRAM, @@ -2892,6 +2894,7 @@ void conf_version(int endpoint, int transport, mbedtls_ssl_conf_transport(&conf, transport); mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version); mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version); + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result); TEST_EQUAL(mbedtls_ssl_conf_get_endpoint( @@ -2933,6 +2936,8 @@ void conf_curve() mbedtls_ssl_init(&ssl); MD_OR_USE_PSA_INIT(); + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL); @@ -2964,6 +2969,7 @@ void conf_group() mbedtls_ssl_config conf; mbedtls_ssl_config_init(&conf); + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); @@ -3069,6 +3075,8 @@ void cookie_parsing(data_t *cookie, int exp_ret) mbedtls_ssl_config_init(&conf); USE_PSA_INIT(); + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT), @@ -3122,6 +3130,8 @@ void cid_sanity() mbedtls_ssl_config_init(&conf); MD_OR_USE_PSA_INIT(); + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, @@ -3380,6 +3390,8 @@ void ssl_ecjpake_set_password(int use_opaque_arg) mbedtls_ssl_config_init(&conf); + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, -- cgit v1.1 From 5b60b424b7a7ecc366c3e8abf59a62d03cb7921a Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 17:20:22 +0800 Subject: test_suite_debug.function: configure RNG to address test failure Signed-off-by: Yanray Wang --- tests/suites/test_suite_debug.function | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index b961040..c96e305 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -2,6 +2,7 @@ #include "mbedtls/debug.h" #include "string.h" #include "mbedtls/pk.h" +#include struct buffer_data { char buf[2000]; @@ -65,6 +66,8 @@ void debug_print_msg_threshold(int threshold, int level, char *file, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, @@ -103,6 +106,8 @@ void mbedtls_debug_print_ret(char *file, int line, char *text, int value, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, @@ -138,6 +143,8 @@ void mbedtls_debug_print_buf(char *file, int line, char *text, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, @@ -175,6 +182,8 @@ void mbedtls_debug_print_crt(char *crt_file, char *file, int line, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, @@ -214,6 +223,8 @@ void mbedtls_debug_print_mpi(char *value, char *file, int line, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; + mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, -- cgit v1.1 From c83186effa97dfb03c373a5fdce45337fe7ec633 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 17:24:48 +0800 Subject: ssl_client: remove RNG check in `write_client_hello` RNG check is added in ssl_conf_check when calling mbedtls_ssl_setup, so there is no need to check it again. Signed-off-by: Yanray Wang --- library/ssl_client.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 55fe352..bef7fc0 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -764,11 +764,6 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl) MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */ - if (ssl->conf->f_rng == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); - return MBEDTLS_ERR_SSL_NO_RNG; - } - /* Bet on the highest configured version if we are not in a TLS 1.2 * renegotiation or session resumption. */ -- cgit v1.1 From 197199f154e9c7fd45c2f7ab1815db6718830a2f Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 17:28:56 +0800 Subject: tls12 & tls13 server: remove RNG check in `write_server_hello` RNG check is added in ssl_conf_check when calling mbedtls_ssl_setup, so there is no need to check it again. Signed-off-by: Yanray Wang --- library/ssl_tls12_server.c | 5 ----- library/ssl_tls13_server.c | 4 ---- 2 files changed, 9 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index a07d0fb..72564ac 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2177,11 +2177,6 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl) } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ - if (ssl->conf->f_rng == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); - return MBEDTLS_ERR_SSL_NO_RNG; - } - /* * 0 . 0 handshake type * 1 . 3 handshake length diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d983a00..25a182c 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1948,10 +1948,6 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *server_randbytes = ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN; - if (ssl->conf->f_rng == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); - return MBEDTLS_ERR_SSL_NO_RNG; - } if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes, MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) { -- cgit v1.1 From a72bc9adf7fb345af59f7137a5389ef0ace67030 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 23:34:27 +0800 Subject: ssl_helpers: remove guard for rng_get() After adding a check in ssl_conf_check(), we have configured RNG via mbedtls_ssl_conf_rng() for TLS tests in both test_suite_ssl.function and test_suite_debug.function. As a result, rng_get() is not only available when MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED enabled. Therefore, we remove the guard for rng_get() to make it accessible for TLS tests which have call for mbedtls_ssl_setup(). Signed-off-by: Yanray Wang --- tests/include/test/ssl_helpers.h | 2 -- tests/src/test_helpers/ssl_helpers.c | 5 ++--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index b45e969..9493b69 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -193,9 +193,7 @@ typedef struct mbedtls_test_ssl_endpoint { #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) int rng_get(void *p_rng, unsigned char *output, size_t output_len); -#endif /* * This function can be passed to mbedtls to receive output logs from it. In diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 549a4ff..de76b09 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -12,8 +12,6 @@ #include "md_psa.h" #if defined(MBEDTLS_SSL_TLS_C) -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -static int rng_seed = 0xBEEF; int rng_get(void *p_rng, unsigned char *output, size_t output_len) { (void) p_rng; @@ -23,7 +21,6 @@ int rng_get(void *p_rng, unsigned char *output, size_t output_len) return 0; } -#endif void mbedtls_test_ssl_log_analyzer(void *ctx, int level, const char *file, int line, @@ -46,6 +43,8 @@ void mbedtls_test_init_handshake_options( mbedtls_test_handshake_test_options *opts) { #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) + int rng_seed = 0xBEEF; + srand(rng_seed); rng_seed += 0xD0; #endif -- cgit v1.1 From aad9449146f67ead757a663d27971b1a0f494dcc Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 4 Dec 2023 10:42:06 +0800 Subject: test_suite_debug.function: check return value for _config_defaults Signed-off-by: Yanray Wang --- tests/suites/test_suite_debug.function | 45 +++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index c96e305..fca7ea0 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -68,10 +68,11 @@ void debug_print_msg_threshold(int threshold, int level, char *file, mbedtls_ssl_conf_rng(&conf, rng_get, NULL); - mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT); + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT), + 0); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); @@ -108,10 +109,11 @@ void mbedtls_debug_print_ret(char *file, int line, char *text, int value, mbedtls_ssl_conf_rng(&conf, rng_get, NULL); - mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT); + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT), + 0); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); @@ -145,10 +147,11 @@ void mbedtls_debug_print_buf(char *file, int line, char *text, mbedtls_ssl_conf_rng(&conf, rng_get, NULL); - mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT); + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT), + 0); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); @@ -184,10 +187,11 @@ void mbedtls_debug_print_crt(char *crt_file, char *file, int line, mbedtls_ssl_conf_rng(&conf, rng_get, NULL); - mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT); + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT), + 0); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); @@ -225,10 +229,11 @@ void mbedtls_debug_print_mpi(char *value, char *file, int line, mbedtls_ssl_conf_rng(&conf, rng_get, NULL); - mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT); + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT), + 0); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); -- cgit v1.1 From 8f1307adcd818f628014d97a77ffb21e06b8d9fc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 25 Dec 2023 21:42:23 +0100 Subject: Asymmetric cryptography: rough draft Still many open questions Signed-off-by: Gilles Peskine --- .../psa-migration/psa-legacy-bridges.md | 194 ++++++++++++++++++++- 1 file changed, 189 insertions(+), 5 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index e8f20b2..75a05fc 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -12,7 +12,7 @@ This is a design document. The target audience is library maintainers. See the c ### Keywords * [TODO] A part of the analysis that isn't finished. -* [QUESTION] A specific aspect of the design where there are several plausible decisions. +* [OPEN] Open question: a specific aspect of the design where there are several plausible decisions. * [ACTION] A finalized part of the design that will need to be carried out. ### Context @@ -70,13 +70,18 @@ With respect to the legacy API, we do not consider functionality of low-level mo ## Gap analysis +The document [“Transitioning to the PSA API”](../../psa-transition.md) enumerates the public header files in Mbed TLS 3.4 and the API elements (especially enums and functions) that they provide, listing PSA equivalents where they exist. There are gaps in two cases: + +* Where the PSA equivalents do not provide the same functionality. A typical example is parsing and formatting asymmetric keys. +* To convert between data representations used by legacy APIs and data representations used by PSA APIs. + Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap analysis on two topics: metadata and keys. This chapter explores the gaps in each family of cryptographic mechanisms. ### Generic metadata gaps #### Need for error code conversion -[QUESTION] Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use. +[OPEN] Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use. ### Hash gap analysis @@ -104,17 +109,101 @@ Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls ### Asymmetric cryptography gap analysis -[TODO] +#### Asymmetric cryptography metadata + +The legacy API only has generic support for two key types: RSA and ECC, via the pk module. The type of ECC keys is divided in subtypes: one for each curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module. + +An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module: + +* RSA: PKCS#1v1.5 signature, PSS signature, PKCS#1v1.5 encryption, OAEP encryption. +* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement. + +ECC keys are also involved in EC-JPAKE, but this happens internally: the EC-JPAKE interface only needs one piece of metadata, namely, to identify a curve. + +Since there is no algorithm that can be used with multiple types, and PSA keys have a policy that (for the most part) limits them to one algorithm, there does not seem to be a need to convert between legacy and PSA asymmetric key types on their own. The useful metadata conversions are: + +* Selecting an **elliptic curve**. + + This means converting between an `mbedtls_ecp_group_id` and a pair of `{psa_ecc_family_t; size_t}`. + + This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_of_psa`, which were introduced into the public API after Mbed TLS 3.5. + +* Selecting A **DHM group**. + + PSA only supports predefined groups, whereas legacy only supports ad hoc groups. An existing application referring to `MBEDTLS_DHM_RFC7919_FFDHExxx` values would need to refer to `PSA_DH_FAMILY_RFC7919`; an existing application using arbitrary groups cannot migrate to PSA. + +* Simultaneously supporting **a key type and an algorithm**. + + On the legacy side, this is an `mbedtls_pk_type_t` value and more. For ECDSA, the choice between randomized and deterministic is made at compile time. For RSA, the choice of encryption or signature algorithm is made either by configuring the underlying `mbedtls_rsa_context` or when calling the operation function. + + On the PSA side, this is a `psa_key_type_t` value and an algorithm which is normally encoded as policy information in a `psa_key_attributes_t`. The algorithm is also needed in its own right when calling operation functions. + +#### Using a legacy key pair or public key with PSA + +There are several scenarios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to create a PSA key object (`psa_key_id_t`). + +Reasons for creating a legacy key object, where it's impossible or impractical to directly create a PSA key: + +* A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an equivalent of the `mbedtls_pk_parse_xxx` functions. +* The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generation does not (yet) allow choosing the public exponent. +* The pk object may be created by a part of the application (or a third-party library) that hasn't been migrated to the PSA API yet. + +Reasons for needing a PSA key object: + +* Using the key in TLS 1.3 or some third-party interface that takes a PSA key identifier as input. +* Benefiting from a PSA accelerator, or from PSA's world separation, even without `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority scenario: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.) + +Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_opaque`, but it is not fully satisfactory, for reasons that are detailed in “[API to create a PSA key from a PK context](#api-to-create-a-psa-key-from-a-pk-context)” below. + +#### Using a PSA key as a PK context + +There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 API or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents. + +There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it has several limitations: + +* It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in some scenarios, but not others. For example, it's ok for pkwrite, because we've upgraded the pkwrite code to handle `MBEDTLS_PK_OPAQUE`. That doesn't help users of third-party libraries that haven't yet been upgraded. +* It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object. +* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority concern: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.) + +Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable. + +[OPEN] Is `mbedtls_pk_setup_opaque` ok or do we want to tweak it? + +#### Signature formats + +The pk module uses signature formats intended for X.509. The PSA module uses the simplest sensible signature format. + +* For RSA, the formats are the same. +* For ECDSA, PSA uses a fixed-size concatenation of (r,s), whereas X.509 and pk use an ASN.1 DER encoding of the sequence (r,s). + +Gap: We need APIs to convert between these two formats. The conversion code already exists under the hood, but it's in pieces that can't be called directly. + +There is a design choice here: do we provide conversions functions for ECDSA specifically, or do we provide conversion functions that take an algorithm as argument and just happen to be a no-op with RSA? One factor is plausible extensions. These conversions functions will remain useful in Mbed TLS 4.x and perhaps beyond. We will at least add EdDSA support, and its signature encoding is the fixed-size concatenation (r,s) even in X.509. We may well also add support for some post-quantum signatures, and their concrete format is still uncertain. + +Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. + +#### Asymmetric cryptography TODO + +[TODO] Other gaps? ## New APIs This section presents new APIs to implement based on the [gap analysis](#gap-analysis). +### General notes + +Each action to implement a function entails: + +* Implement the library function. +* Document it precisely, including error conditions. +* Unit-test it. +* Mention it where relevant in the PSA transition guide. + ### Hash APIs Based on the [gap analysis](#hash-gap-analysis): -[ACTION] Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`. +[ACTION] [#8340](https://github.com/Mbed-TLS/mbedtls/issues/8340) Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`. ### MAC APIs @@ -134,4 +223,99 @@ Based on the [gap analysis](#hash-gap-analysis): ### Asymmetric cryptography APIs -[TODO] +#### Asymmetric cryptography metadata APIs + +Based on the [gap analysis](#asymmetric-cryptography-metadata): + +* No further work is needed about RSA specifically. The amount of metadata other than hashes is sufficiently small to be handled in ad hoc ways in applications, and hashes have [their own conversions](#hash-apis). +* No further work is needed about ECC specifically. We have just added adequate functions. +* No further work is needed about DHM specifically. There is no good way to translate the relevant information. +* [OPEN] Is there a decent way to convert between `mbedtls_pk_type_t` plus extra information, and `psa_key_type_t` plus policy information? The two APIs are different in crucial ways, with different splits between key type, policy information and operation algorithm. + +#### API to create a PSA key from a PK context + +Based on the [gap analysis](#using-a-legacy-key-pair-or-public-key-with-psa): + +Given an `mbedtls_pk_context`, we want a function that creates a PSA key with the same key material and algorithm. “Same key material” is straightforward, but “same algorithm” is not, because a PK context has incomplete algorithm information. For example, there is no way to distinguish between an RSA key that is intended for signature or for encryption. Between algorithms of the same nature, there is no way to distinguish a key intended for PKCS#1v1.5 and one intended for PKCS#1v2.1 (OAEP/PSS): this is indicated in the underlying RSA context, but the indication there is only a default that can be overridden by calling `mbedtls_pk_{sign,verify}_ext`. Also there is no way to distinguish between `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)` and `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`: in the legacy interface, this is only determined when actually doing a signature/verification operation. Therefore the function that creates the PSA key needs extra information to indicate which algorithm to put in the key's policy. + +When creating a PSA key, apart from the key material, the key is determined by attributes, which fall under three categories: + +* Type and size. These are directly related to the key material and can be deduced from it if the key material is in a structured format, which is the case with an `mbedtls_pk_context` input. +* Policy. This includes the chosen algorithm, which as discussed above cannot be fully deduced from the `mbedtls_pk_context` object. Just choosing one algorithm is problematic because it doesn't allow implementation-specific extensions, such as Mbed TLS's enrollment algorithm. The intended usage flags cannot be deduced from the PK context either, but the conversion function could sensibly just enable all the relevant usage flags. Users who want a more restrictive usage can call `psa_copy_key` and `psa_destroy_key` to obtain a PSA key object with a more restrictive usage. +* Persistence and location. This is completely orthogonal to the information from the `mbedtls_pk_context` object. It is convenient, but not necessary, for the conversion function to allow customizing these aspects. If it doesn't, users can call the conversion function and then call `psa_copy_key` and `psa_destroy_key` to move the key to its desired location. + +To allow the full flexibility around policies, and make the creation of a persistent key more convenient, the conversion function shall take a `const psa_key_attributes_t *` input, like all other functions that create a PSA key. In addition, there shall be a helper function to populate a `psa_key_attributes_t` with a sensible default. This lets the caller choose a more flexible, or just different usage policy, unlike the default-then-copy approach which only allows restricting the policy. + +This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not bake in the implementation-specific consideration that a PSA key has exactly two algorithms, and also allows the caller to benefit from default for the policy in more cases. + +[ACTION] Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`. + +``` +int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, + psa_key_attributes_t *attributes); +int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, + const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *key_id); +``` + +* `mbedtls_pk_get_psa_attributes` does not change the id/lifetime fields of the attributes (which indicate a volatile key by default). +* `mbedtls_pk_get_psa_attributes` sets the type and size based on what's in the pk context. + * The key type is a key pair if the context contains a private key, and a public key if the context only contains a public key. +* `mbedtls_pk_get_psa_attributes` sets all the potentially applicable usage flags: `EXPORT`, `COPY`; `VERIFY_HASH | VERIFY_MESSAGE` or `ENCRYPT` as applicable for both public keys and key pairs; `SIGN` or `DECRYPT` as applicable for a key pair. +* [OPEN] What is the default algorithm for `mbedtls_pk_get_psa_attributes`? Suggestion: assume signature by default. For RSA, either `PSA_RSA_PKCS1_V15_SIGN(PSA_ALG_ANY_HASH)` or `PSA_ALG_RSA_PSS(hash_alg)` depending on the RSA context's padding mode. For ECC, `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. +* [OPEN] Or does `mbedtls_pk_get_psa_attributes` need an extra argument indicating how to treat RSA and ECC keys? +* `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key). + * The key type can be a public key even if the private key is available. +* `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks. +* `mbedtls_pk_import_into_psa` does not check that the policy in the attributes is sensible. That's on the user. + +#### API to copy a PSA key to a PK context + +Based on the [gap analysis](#using-a-psa-key-as-a-pk-context): + +[ACTION] Implement `mbedtls_pk_copy_from_psa` as described below. + +``` +int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, + mbedtls_pk_context *pk); +``` + +* `pk` must be initialized, but not set up. +* It is an error if the key is neither a key pair nor a public key. +* It is an error if the key is not exportable. +* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. +* Once this function returns, the pk object is completely independent of the PSA key. +* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`). For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today. + * [OPEN] How do we distinguish between signature-only and encryption-only RSA keys? Do we just allow both (e.g. a PSS key gets generalized into a PSS/OAEP key)? + * [OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`? + +[OPEN] Should there be a way to use a different algorithm? This can be resolved by `psa_copy_key` on the input to tweak the policy if needed. + +#### API to create a PK object that wraps a PSA key + +Based on the [gap analysis](#using-a-psa-key-as-a-pk-context): + +[ACTION] Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`. + +[OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`? + +#### API to convert between signature formats + +Based on the [gap analysis](#signature-formats): + +[ACTION] [#7765](https://github.com/Mbed-TLS/mbedtls/issues/7765) Implement `mbedtls_ecdsa_raw_to_der` and `mbedtls_ecdsa_der_to_raw` as described below. + +``` +int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len); +int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len, + size_t bits); +``` + +* These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`. +* The input and output buffers can overlap. +* [OPEN] Should we maybe use a different interface that is better integrated with ASN.1 and X.509 parsing and writing functions in Mbed TLS? That is: + * DER production writes from right to left in the destination buffer. + * DER parsing takes a pointer-to-pointer to the start of the buffer and an end pointer, instead of pointer-to-start and size. + * Names should match the patterns found in X.509 and ASN.1 parsing and writing function. -- cgit v1.1 From 6d0a09358275e5c131c6a7e23d36d6f89fbd4996 Mon Sep 17 00:00:00 2001 From: Benson Liou Date: Wed, 27 Dec 2023 22:03:24 +0800 Subject: use mbedtls_ssl_session_init() to init session variable Use mbedtls_ssl_session_init() to init variable just like session-family APIs described Signed-off-by: Benson Liou --- include/mbedtls/ssl.h | 2 +- programs/ssl/ssl_client2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 043988f..96f4bb2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4669,7 +4669,7 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl * \param ssl The SSL context representing the connection for which to * to export a session structure for later resumption. * \param session The target structure in which to store the exported session. - * This must have been initialized with mbedtls_ssl_init_session() + * This must have been initialized with mbedtls_ssl_session_init() * but otherwise be unused. * * \note This function can handle a variety of mechanisms for session diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 1b3dedb..05bb2ff 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -833,7 +833,7 @@ int main(int argc, char *argv[]) mbedtls_net_init(&server_fd); mbedtls_ssl_init(&ssl); mbedtls_ssl_config_init(&conf); - memset(&saved_session, 0, sizeof(mbedtls_ssl_session)); + mbedtls_ssl_session_init(&saved_session); rng_init(&rng); #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) mbedtls_x509_crt_init(&cacert); -- cgit v1.1 From 93cdb778352ca5a59d9074aecc9f3359abaabe06 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jan 2024 13:15:04 +0100 Subject: Minor clarifications Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 75a05fc..5798728 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -111,12 +111,12 @@ Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls #### Asymmetric cryptography metadata -The legacy API only has generic support for two key types: RSA and ECC, via the pk module. The type of ECC keys is divided in subtypes: one for each curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module. +The legacy API only has generic support for two key types: RSA and ECC, via the pk module. ECC keys can also be further classified according to their curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module. An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module: * RSA: PKCS#1v1.5 signature, PSS signature, PKCS#1v1.5 encryption, OAEP encryption. -* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement. +* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement (via `mbedtls_pk_ec`). ECC keys are also involved in EC-JPAKE, but this happens internally: the EC-JPAKE interface only needs one piece of metadata, namely, to identify a curve. @@ -142,7 +142,7 @@ Since there is no algorithm that can be used with multiple types, and PSA keys h There are several scenarios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to create a PSA key object (`psa_key_id_t`). -Reasons for creating a legacy key object, where it's impossible or impractical to directly create a PSA key: +Reasons for first creating a legacy key object, where it's impossible or impractical to directly create a PSA key: * A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an equivalent of the `mbedtls_pk_parse_xxx` functions. * The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generation does not (yet) allow choosing the public exponent. @@ -157,7 +157,7 @@ Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partial #### Using a PSA key as a PK context -There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 API or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents. +There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 and TLS APIs or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents. There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it has several limitations: @@ -165,6 +165,11 @@ There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it * It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object. * It is only available under `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority concern: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.) +It therefore appears that we need two ways to “convert” a PSA key to PK: + +* Wrapping, which is what `mbedtls_pk_setup_opaque` does. This works for any PSA key but is limited by the key's lifetime and creates a PK object with limited functionality. +* Copying, which requires a new function. This requires an exportable key but creates a fully independent, fully functional PK object. + Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable. [OPEN] Is `mbedtls_pk_setup_opaque` ok or do we want to tweak it? @@ -180,7 +185,7 @@ Gap: We need APIs to convert between these two formats. The conversion code alre There is a design choice here: do we provide conversions functions for ECDSA specifically, or do we provide conversion functions that take an algorithm as argument and just happen to be a no-op with RSA? One factor is plausible extensions. These conversions functions will remain useful in Mbed TLS 4.x and perhaps beyond. We will at least add EdDSA support, and its signature encoding is the fixed-size concatenation (r,s) even in X.509. We may well also add support for some post-quantum signatures, and their concrete format is still uncertain. -Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. +Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. Therefore we are not going to add a generic function at this stage. #### Asymmetric cryptography TODO @@ -263,7 +268,7 @@ int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, * The key type is a key pair if the context contains a private key, and a public key if the context only contains a public key. * `mbedtls_pk_get_psa_attributes` sets all the potentially applicable usage flags: `EXPORT`, `COPY`; `VERIFY_HASH | VERIFY_MESSAGE` or `ENCRYPT` as applicable for both public keys and key pairs; `SIGN` or `DECRYPT` as applicable for a key pair. * [OPEN] What is the default algorithm for `mbedtls_pk_get_psa_attributes`? Suggestion: assume signature by default. For RSA, either `PSA_RSA_PKCS1_V15_SIGN(PSA_ALG_ANY_HASH)` or `PSA_ALG_RSA_PSS(hash_alg)` depending on the RSA context's padding mode. For ECC, `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. -* [OPEN] Or does `mbedtls_pk_get_psa_attributes` need an extra argument indicating how to treat RSA and ECC keys? +* [OPEN] Or does `mbedtls_pk_get_psa_attributes` need an extra argument that conveys some kind of policy for RSA keys and, independently, some kind of policy for ECC keys? * `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key). * The key type can be a public key even if the private key is available. * `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks. -- cgit v1.1 From a7226a1f60fa08f2f8de65d67241b7aaad8a9693 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jan 2024 13:15:14 +0100 Subject: Our TLS 1.3 API doesn't actually require PSA key identifiers Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 5798728..6ffe28f 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -150,7 +150,7 @@ Reasons for first creating a legacy key object, where it's impossible or impract Reasons for needing a PSA key object: -* Using the key in TLS 1.3 or some third-party interface that takes a PSA key identifier as input. +* Using the key with third-party interface that takes a PSA key identifier as input. (Mbed TLS itself has a few TLS functions that take PSA key identifiers, but as of Mbed TLS 3.5, it is always possible to use a legacy key instead.) * Benefiting from a PSA accelerator, or from PSA's world separation, even without `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority scenario: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.) Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_opaque`, but it is not fully satisfactory, for reasons that are detailed in “[API to create a PSA key from a PK context](#api-to-create-a-psa-key-from-a-pk-context)” below. -- cgit v1.1 From f80dcc5f8bb54ae441be07a5cac3c77c22e70263 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jan 2024 13:15:47 +0100 Subject: Resolve ECDSA conversion API: don't use an ASN.1 interface Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 6ffe28f..0c3e05a 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -187,6 +187,8 @@ There is a design choice here: do we provide conversions functions for ECDSA spe Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. Therefore we are not going to add a generic function at this stage. +For ECDSA, there are two plausible APIs: follow the ASN.1/X.509 write/parse APIs, or present an ordinary input/output API. The ASN.1 APIs are the way they are to accommodate nested TLV structures. But ECDSA signatures do not appear nested in TLV structures in either TLS (there's just a signature field) or X.509 (the signature is inside a BITSTRING, not directly in a SEQUENCE). So there does not seem to be a need for an ASN.1-like API for the ASN.1 format, just the format conversion itself in a buffer that just contains the signature. + #### Asymmetric cryptography TODO [TODO] Other gaps? @@ -320,7 +322,3 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, * These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`. * The input and output buffers can overlap. -* [OPEN] Should we maybe use a different interface that is better integrated with ASN.1 and X.509 parsing and writing functions in Mbed TLS? That is: - * DER production writes from right to left in the destination buffer. - * DER parsing takes a pointer-to-pointer to the start of the buffer and an end pointer, instead of pointer-to-start and size. - * Names should match the patterns found in X.509 and ASN.1 parsing and writing function. -- cgit v1.1 From 9fe1c699a8a73a528878f3072c5ee127a3928f84 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jan 2024 13:16:31 +0100 Subject: Clarify PSA-to-PK copy intent Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 0c3e05a..064b7d2 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -290,9 +290,10 @@ int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, * `pk` must be initialized, but not set up. * It is an error if the key is neither a key pair nor a public key. * It is an error if the key is not exportable. -* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. +* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS)` as a type, and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse). * Once this function returns, the pk object is completely independent of the PSA key. * Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`). For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today. + * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. [ACTION] Convey this in the documentation. * [OPEN] How do we distinguish between signature-only and encryption-only RSA keys? Do we just allow both (e.g. a PSS key gets generalized into a PSS/OAEP key)? * [OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`? -- cgit v1.1 From 4580d4d8297d8339f23ef837a65d02a8aee5eeff Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 27 Oct 2023 18:41:02 +0100 Subject: Add accessor helpers for mbedtls_test_info Step one of being able to control access to mbedtls_test_info with a mutex. Signed-off-by: Paul Elliott --- programs/ssl/ssl_test_lib.c | 2 +- programs/test/metatest.c | 6 ++- tests/include/test/helpers.h | 76 +++++++++++++++++++++++++++++++++++- tests/src/helpers.c | 55 ++++++++++++++++++++++++++ tests/src/threading_helpers.c | 14 +++---- tests/suites/host_test.function | 37 +++++++++--------- tests/suites/test_suite_dhm.function | 2 +- 7 files changed, 159 insertions(+), 33 deletions(-) diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index b49dd67..d4511ac 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -427,7 +427,7 @@ int test_hooks_failure_detected(void) mbedtls_test_mutex_usage_check(); #endif - if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_SUCCESS) { + if (mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_SUCCESS) { return 1; } return 0; diff --git a/programs/test/metatest.c b/programs/test/metatest.c index b8dffa9..545129d 100644 --- a/programs/test/metatest.c +++ b/programs/test/metatest.c @@ -343,9 +343,11 @@ int main(int argc, char *argv[]) #if defined(MBEDTLS_TEST_MUTEX_USAGE) mbedtls_test_mutex_usage_check(); #endif + int result = (int) mbedtls_test_get_result(); + mbedtls_printf("Running metatest %s... done, result=%d\n", - argv[1], (int) mbedtls_test_info.result); - mbedtls_exit(mbedtls_test_info.result == MBEDTLS_TEST_RESULT_SUCCESS ? + argv[1], result); + mbedtls_exit(result == MBEDTLS_TEST_RESULT_SUCCESS ? MBEDTLS_EXIT_SUCCESS : MBEDTLS_EXIT_FAILURE); } diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 7c962a2..689a1b5 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -74,7 +74,81 @@ typedef struct { #endif } mbedtls_test_info_t; -extern mbedtls_test_info_t mbedtls_test_info; + +/** + * \brief Get the current test result status + * + * \return The current test result status + */ +mbedtls_test_result_t mbedtls_test_get_result(void); + +/** + * \brief Get the current test name/description + * + * \return The current test name/description + */ +const char *mbedtls_test_get_test(void); + +/** + * \brief Get the current test filename + * + * \return The current test filename + */ +const char *mbedtls_get_test_filename(void); + +/** + * \brief Get the current test file line number (for failure / skip) + * + * \return The current test file line number (for failure / skip) + */ +int mbedtls_test_get_line_no(void); + +/** + * \brief Increment the current test step. + */ +void mbedtls_test_increment_step(void); + +/** + * \brief Get the current test step + * + * \return The current test step + */ +unsigned long mbedtls_test_get_step(void); + +/** + * \brief Get the current test line buffer 1 + * + * \return The current test line buffer 1 + */ +const char *mbedtls_test_get_line1(void); + +/** + * \brief Get the current test line buffer 2 + * + * \return The current test line buffer 2 + */ +const char *mbedtls_test_get_line2(void); + +#if defined(MBEDTLS_TEST_MUTEX_USAGE) +/** + * \brief Get the current mutex usage error message + * + * \return The current mutex error message (may be NULL if no error) + */ +const char *mbedtls_test_get_mutex_usage_error(void); + +/** + * \brief Set the current mutex usage error message + * + * \note This will only set the mutex error message if one has not + * already been set, or if we are clearing the message (msg is + * NULL) + * + * \param msg Error message to set (can be NULL to clear) + */ +void mbedtls_test_set_mutex_usage_error(const char *msg); +#endif + int mbedtls_test_platform_setup(void); void mbedtls_test_platform_teardown(void); diff --git a/tests/src/helpers.c b/tests/src/helpers.c index eb28919..6bfe15d 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -23,6 +23,61 @@ static mbedtls_platform_context platform_ctx; mbedtls_test_info_t mbedtls_test_info; /*----------------------------------------------------------------------------*/ +/* Mbedtls Test Info accessors */ + +mbedtls_test_result_t mbedtls_test_get_result(void) +{ + return mbedtls_test_info.result; +} + +const char *mbedtls_test_get_test(void) +{ + return mbedtls_test_info.test; +} +const char *mbedtls_get_test_filename(void) +{ + return mbedtls_test_info.filename; +} + +int mbedtls_test_get_line_no(void) +{ + return mbedtls_test_info.line_no; +} + +void mbedtls_test_increment_step(void) +{ + ++mbedtls_test_info.step; +} + +unsigned long mbedtls_test_get_step(void) +{ + return mbedtls_test_info.step; +} + +const char *mbedtls_test_get_line1(void) +{ + return mbedtls_test_info.line1; +} +const char *mbedtls_test_get_line2(void) +{ + return mbedtls_test_info.line2; +} + +#if defined(MBEDTLS_TEST_MUTEX_USAGE) +const char *mbedtls_test_get_mutex_usage_error(void) +{ + return mbedtls_test_info.mutex_usage_error; +} + +void mbedtls_test_set_mutex_usage_error(const char *msg) +{ + if (mbedtls_test_info.mutex_usage_error == NULL || msg == NULL) { + mbedtls_test_info.mutex_usage_error = msg; + } +} +#endif // #if defined(MBEDTLS_TEST_MUTEX_USAGE) + +/*----------------------------------------------------------------------------*/ /* Helper Functions */ int mbedtls_test_platform_setup(void) diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c index 5fbf65b..261d141 100644 --- a/tests/src/threading_helpers.c +++ b/tests/src/threading_helpers.c @@ -109,9 +109,7 @@ static void mbedtls_test_mutex_usage_error(mbedtls_threading_mutex_t *mutex, { (void) mutex; - if (mbedtls_test_info.mutex_usage_error == NULL) { - mbedtls_test_info.mutex_usage_error = msg; - } + mbedtls_test_set_mutex_usage_error(msg); mbedtls_fprintf(stdout, "[mutex: %s] ", msg); /* Don't mark the test as failed yet. This way, if the test fails later * for a functional reason, the test framework will report the message @@ -233,17 +231,15 @@ void mbedtls_test_mutex_usage_check(void) * negative number means a missing init somewhere. */ mbedtls_fprintf(stdout, "[mutex: %d leaked] ", live_mutexes); live_mutexes = 0; - if (mbedtls_test_info.mutex_usage_error == NULL) { - mbedtls_test_info.mutex_usage_error = "missing free"; - } + mbedtls_test_set_mutex_usage_error("missing free"); } - if (mbedtls_test_info.mutex_usage_error != NULL && - mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) { + if (mbedtls_test_get_mutex_usage_error() != NULL && + mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_FAILED) { /* Functionally, the test passed. But there was a mutex usage error, * so mark the test as failed after all. */ mbedtls_test_fail("Mutex usage error", __LINE__, __FILE__); } - mbedtls_test_info.mutex_usage_error = NULL; + mbedtls_test_set_mutex_usage_error(NULL); } void mbedtls_test_mutex_usage_end(void) diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index cc28697..1ebaf46 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -371,14 +371,12 @@ static void write_outcome_entry(FILE *outcome_file, * \param missing_unmet_dependencies Non-zero if there was a problem tracking * all unmet dependencies, 0 otherwise. * \param ret The test dispatch status (DISPATCH_xxx). - * \param info A pointer to the test info structure. */ static void write_outcome_result(FILE *outcome_file, size_t unmet_dep_count, int unmet_dependencies[], int missing_unmet_dependencies, - int ret, - const mbedtls_test_info_t *info) + int ret) { if (outcome_file == NULL) { return; @@ -401,7 +399,7 @@ static void write_outcome_result(FILE *outcome_file, } break; } - switch (info->result) { + switch (mbedtls_test_get_result()) { case MBEDTLS_TEST_RESULT_SUCCESS: mbedtls_fprintf(outcome_file, "PASS;"); break; @@ -410,8 +408,9 @@ static void write_outcome_result(FILE *outcome_file, break; default: mbedtls_fprintf(outcome_file, "FAIL;%s:%d:%s", - info->filename, info->line_no, - info->test); + mbedtls_get_test_filename(), + mbedtls_test_get_line_no(), + mbedtls_test_get_test()); break; } break; @@ -614,7 +613,7 @@ int execute_tests(int argc, const char **argv) break; } mbedtls_fprintf(stdout, "%s%.66s", - mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED ? + mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED ? "\n" : "", buf); mbedtls_fprintf(stdout, " "); for (i = strlen(buf) + 1; i < 67; i++) { @@ -690,7 +689,7 @@ int execute_tests(int argc, const char **argv) write_outcome_result(outcome_file, unmet_dep_count, unmet_dependencies, missing_unmet_dependencies, - ret, &mbedtls_test_info); + ret); if (unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE) { total_skipped++; mbedtls_fprintf(stdout, "----"); @@ -715,30 +714,30 @@ int execute_tests(int argc, const char **argv) unmet_dep_count = 0; missing_unmet_dependencies = 0; } else if (ret == DISPATCH_TEST_SUCCESS) { - if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_SUCCESS) { + if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_SUCCESS) { mbedtls_fprintf(stdout, "PASS\n"); - } else if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_SKIPPED) { + } else if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_SKIPPED) { mbedtls_fprintf(stdout, "----\n"); total_skipped++; } else { total_errors++; mbedtls_fprintf(stdout, "FAILED\n"); mbedtls_fprintf(stdout, " %s\n at ", - mbedtls_test_info.test); - if (mbedtls_test_info.step != (unsigned long) (-1)) { + mbedtls_test_get_test()); + if (mbedtls_test_get_step() != (unsigned long) (-1)) { mbedtls_fprintf(stdout, "step %lu, ", - mbedtls_test_info.step); + mbedtls_test_get_step()); } mbedtls_fprintf(stdout, "line %d, %s", - mbedtls_test_info.line_no, - mbedtls_test_info.filename); - if (mbedtls_test_info.line1[0] != 0) { + mbedtls_test_get_line_no(), + mbedtls_get_test_filename()); + if (mbedtls_test_get_line1()[0] != 0) { mbedtls_fprintf(stdout, "\n %s", - mbedtls_test_info.line1); + mbedtls_test_get_line1()); } - if (mbedtls_test_info.line2[0] != 0) { + if (mbedtls_test_get_line2()[0] != 0) { mbedtls_fprintf(stdout, "\n %s", - mbedtls_test_info.line2); + mbedtls_test_get_line2()); } } fflush(stdout); diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function index e6f75de..2090594 100644 --- a/tests/suites/test_suite_dhm.function +++ b/tests/suites/test_suite_dhm.function @@ -31,7 +31,7 @@ static int check_dhm_param_output(const mbedtls_mpi *expected, int ok = 0; mbedtls_mpi_init(&actual); - ++mbedtls_test_info.step; + mbedtls_test_increment_step(); TEST_ASSERT(size >= *offset + 2); n = (buffer[*offset] << 8) | buffer[*offset + 1]; -- cgit v1.1 From 5c498f355dffbb479283125bb2c22b08ac076273 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 31 Oct 2023 16:38:56 +0000 Subject: Use mbedtls_test_info accessors internally as well Signed-off-by: Paul Elliott --- tests/include/test/helpers.h | 6 ++- tests/src/helpers.c | 94 +++++++++++++++++++++++++++----------------- 2 files changed, 62 insertions(+), 38 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 689a1b5..564a553 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -61,14 +61,16 @@ typedef enum { MBEDTLS_TEST_RESULT_SKIPPED } mbedtls_test_result_t; +#define MBEDTLS_TEST_LINE_LENGTH 76 + typedef struct { mbedtls_test_result_t result; const char *test; const char *filename; int line_no; unsigned long step; - char line1[76]; - char line2[76]; + char line1[MBEDTLS_TEST_LINE_LENGTH]; + char line2[MBEDTLS_TEST_LINE_LENGTH]; #if defined(MBEDTLS_TEST_MUTEX_USAGE) const char *mutex_usage_error; #endif diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 6bfe15d..52785fc 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -30,6 +30,15 @@ mbedtls_test_result_t mbedtls_test_get_result(void) return mbedtls_test_info.result; } +void mbedtls_test_set_result(mbedtls_test_result_t result, const char *test, + int line_no, const char *filename) +{ + mbedtls_test_info.result = result; + mbedtls_test_info.test = test; + mbedtls_test_info.line_no = line_no; + mbedtls_test_info.filename = filename; +} + const char *mbedtls_test_get_test(void) { return mbedtls_test_info.test; @@ -54,15 +63,38 @@ unsigned long mbedtls_test_get_step(void) return mbedtls_test_info.step; } +void mbedtls_test_set_step(unsigned long step) { + mbedtls_test_info.step = step; +} + const char *mbedtls_test_get_line1(void) { return mbedtls_test_info.line1; } + +void mbedtls_test_set_line1(const char *line) +{ + if (line == NULL) { + memset(mbedtls_test_info.line1, 0, sizeof(mbedtls_test_info.line1)); + } else { + strncpy(mbedtls_test_info.line1, line, sizeof(mbedtls_test_info.line1)); + } +} + const char *mbedtls_test_get_line2(void) { return mbedtls_test_info.line2; } +void mbedtls_test_set_line2(const char *line) { + if (line == NULL) { + memset(mbedtls_test_info.line2, 0, sizeof(mbedtls_test_info.line2)); + } else { + strncpy(mbedtls_test_info.line2, line, sizeof(mbedtls_test_info.line2)); + } +} + + #if defined(MBEDTLS_TEST_MUTEX_USAGE) const char *mbedtls_test_get_mutex_usage_error(void) { @@ -126,28 +158,17 @@ int mbedtls_test_ascii2uc(const char c, unsigned char *uc) void mbedtls_test_fail(const char *test, int line_no, const char *filename) { - if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) { + if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { /* We've already recorded the test as having failed. Don't * overwrite any previous information about the failure. */ return; } - mbedtls_test_info.result = MBEDTLS_TEST_RESULT_FAILED; - mbedtls_test_info.test = test; - mbedtls_test_info.line_no = line_no; - mbedtls_test_info.filename = filename; + mbedtls_test_set_result(MBEDTLS_TEST_RESULT_FAILED, test, line_no, filename); } void mbedtls_test_skip(const char *test, int line_no, const char *filename) { - mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SKIPPED; - mbedtls_test_info.test = test; - mbedtls_test_info.line_no = line_no; - mbedtls_test_info.filename = filename; -} - -void mbedtls_test_set_step(unsigned long step) -{ - mbedtls_test_info.step = step; + mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SKIPPED, test, line_no, filename); } #if defined(MBEDTLS_BIGNUM_C) @@ -156,13 +177,11 @@ unsigned mbedtls_test_case_uses_negative_0 = 0; void mbedtls_test_info_reset(void) { - mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SUCCESS; - mbedtls_test_info.step = (unsigned long) (-1); - mbedtls_test_info.test = 0; - mbedtls_test_info.line_no = 0; - mbedtls_test_info.filename = 0; - memset(mbedtls_test_info.line1, 0, sizeof(mbedtls_test_info.line1)); - memset(mbedtls_test_info.line2, 0, sizeof(mbedtls_test_info.line2)); + mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SUCCESS, 0, 0, 0); + mbedtls_test_set_step((unsigned long) (-1)); + mbedtls_test_set_line1(NULL); + mbedtls_test_set_line2(NULL); + #if defined(MBEDTLS_BIGNUM_C) mbedtls_test_case_uses_negative_0 = 0; #endif @@ -178,20 +197,21 @@ int mbedtls_test_equal(const char *test, int line_no, const char *filename, return 1; } - if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) { + if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { /* We've already recorded the test as having failed. Don't * overwrite any previous information about the failure. */ return 0; } + char buf[MBEDTLS_TEST_LINE_LENGTH]; mbedtls_test_fail(test, line_no, filename); - (void) mbedtls_snprintf(mbedtls_test_info.line1, - sizeof(mbedtls_test_info.line1), + (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %lld", value1, (long long) value1); - (void) mbedtls_snprintf(mbedtls_test_info.line2, - sizeof(mbedtls_test_info.line2), + mbedtls_test_set_line1(buf); + (void) mbedtls_snprintf(buf, sizeof(buf), "rhs = 0x%016llx = %lld", value2, (long long) value2); + mbedtls_test_set_line2(buf); return 0; } @@ -205,20 +225,21 @@ int mbedtls_test_le_u(const char *test, int line_no, const char *filename, return 1; } - if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) { + if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { /* We've already recorded the test as having failed. Don't * overwrite any previous information about the failure. */ return 0; } + char buf[MBEDTLS_TEST_LINE_LENGTH]; mbedtls_test_fail(test, line_no, filename); - (void) mbedtls_snprintf(mbedtls_test_info.line1, - sizeof(mbedtls_test_info.line1), + (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %llu", value1, value1); - (void) mbedtls_snprintf(mbedtls_test_info.line2, - sizeof(mbedtls_test_info.line2), + mbedtls_test_set_line1(buf); + (void) mbedtls_snprintf(buf, sizeof(buf), "rhs = 0x%016llx = %llu", value2, value2); + mbedtls_test_set_line2(buf); return 0; } @@ -232,20 +253,21 @@ int mbedtls_test_le_s(const char *test, int line_no, const char *filename, return 1; } - if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) { + if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { /* We've already recorded the test as having failed. Don't * overwrite any previous information about the failure. */ return 0; } + char buf[MBEDTLS_TEST_LINE_LENGTH]; mbedtls_test_fail(test, line_no, filename); - (void) mbedtls_snprintf(mbedtls_test_info.line1, - sizeof(mbedtls_test_info.line1), + (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %lld", (unsigned long long) value1, value1); - (void) mbedtls_snprintf(mbedtls_test_info.line2, - sizeof(mbedtls_test_info.line2), + mbedtls_test_set_line1(buf); + (void) mbedtls_snprintf(buf, sizeof(buf), "rhs = 0x%016llx = %lld", (unsigned long long) value2, value2); + mbedtls_test_set_line2(buf); return 0; } -- cgit v1.1 From 17c119a5e30631716773eb96ce3e8b507daf4a41 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 8 Dec 2023 16:55:03 +0000 Subject: Migrate to threading_helpers.h Signed-off-by: Paul Elliott --- programs/ssl/ssl_test_lib.c | 2 +- programs/test/metatest.c | 1 + tests/include/test/helpers.h | 24 +----------------- tests/include/test/threading_helpers.h | 45 ++++++++++++++++++++++++++++++++++ tests/src/threading_helpers.c | 1 + tests/suites/helpers.function | 1 + 6 files changed, 50 insertions(+), 24 deletions(-) create mode 100644 tests/include/test/threading_helpers.h diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index b49dd67..d562cb1 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -13,7 +13,7 @@ #include "ssl_test_lib.h" #if defined(MBEDTLS_TEST_HOOKS) -#include "test/helpers.h" +#include "test/threading_helpers.h" #endif #if !defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) diff --git a/programs/test/metatest.c b/programs/test/metatest.c index b8dffa9..82ecf95 100644 --- a/programs/test/metatest.c +++ b/programs/test/metatest.c @@ -31,6 +31,7 @@ #include #include #include "test/helpers.h" +#include "test/threading_helpers.h" #include "test/macros.h" #include diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 7c962a2..b2b07cf 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -35,11 +35,7 @@ # endif #endif -#if defined(MBEDTLS_THREADING_C) && defined(MBEDTLS_THREADING_PTHREAD) && \ - defined(MBEDTLS_TEST_HOOKS) -#define MBEDTLS_TEST_MUTEX_USAGE -#endif - +#include "test/threading_helpers.h" #include "mbedtls/platform.h" #include @@ -254,24 +250,6 @@ int mbedtls_test_hexcmp(uint8_t *a, uint8_t *b, #include "test/fake_external_rng_for_test.h" #endif -#if defined(MBEDTLS_TEST_MUTEX_USAGE) -/** - * Activate the mutex usage verification framework. See threading_helpers.c for - * information. - * */ -void mbedtls_test_mutex_usage_init(void); - -/** - * Deactivate the mutex usage verification framework. See threading_helpers.c - * for information. - */ -void mbedtls_test_mutex_usage_end(void); - -/** Call this function after executing a test case to check for mutex usage - * errors. */ -void mbedtls_test_mutex_usage_check(void); -#endif /* MBEDTLS_TEST_MUTEX_USAGE */ - #if defined(MBEDTLS_TEST_HOOKS) /** * \brief Check that only a pure high-level error code is being combined with diff --git a/tests/include/test/threading_helpers.h b/tests/include/test/threading_helpers.h new file mode 100644 index 0000000..3c4d441 --- /dev/null +++ b/tests/include/test/threading_helpers.h @@ -0,0 +1,45 @@ +/** + * \file threading_helpers.h + * + * \brief This file contains the prototypes of helper functions for the purpose + * of testing threading. + */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef THREADING_HELPERS_H +#define THREADING_HELPERS_H + +#if defined MBEDTLS_THREADING_C + +#if defined(MBEDTLS_THREADING_PTHREAD) && defined(MBEDTLS_TEST_HOOKS) +#define MBEDTLS_TEST_MUTEX_USAGE +#endif + +#if defined(MBEDTLS_TEST_MUTEX_USAGE) +/** + * Activate the mutex usage verification framework. See threading_helpers.c for + * information. + */ +void mbedtls_test_mutex_usage_init(void); + +/** + * Deactivate the mutex usage verification framework. See threading_helpers.c + * for information. + */ +void mbedtls_test_mutex_usage_end(void); + +/** + * Call this function after executing a test case to check for mutex usage + * errors. + */ +void mbedtls_test_mutex_usage_check(void); +#endif /* MBEDTLS_TEST_MUTEX_USAGE */ + +#endif /* MBEDTLS_THREADING_C */ + +#endif /* THREADING_HELPERS_H */ + diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c index 5fbf65b..3805934 100644 --- a/tests/src/threading_helpers.c +++ b/tests/src/threading_helpers.c @@ -6,6 +6,7 @@ */ #include +#include #include #if defined(MBEDTLS_TEST_MUTEX_USAGE) diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 86ff5b4..b5f5796 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -8,6 +8,7 @@ #include #include #include +#include #include #include -- cgit v1.1 From 3a4d2f14a8c05a4f16a86d4ebf3d46f2d9f59a0a Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 8 Dec 2023 20:49:47 +0000 Subject: Add test thread create/join abstraction Signed-off-by: Paul Elliott --- tests/include/test/threading_helpers.h | 61 ++++++++++++++++++++++++++++++- tests/src/threading_helpers.c | 67 ++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+), 1 deletion(-) diff --git a/tests/include/test/threading_helpers.h b/tests/include/test/threading_helpers.h index 3c4d441..9b7ced5 100644 --- a/tests/include/test/threading_helpers.h +++ b/tests/include/test/threading_helpers.h @@ -15,6 +15,66 @@ #if defined MBEDTLS_THREADING_C +#include "mbedtls/private_access.h" +#include "mbedtls/build_info.h" + +/* Most fields of publicly available structs are private and are wrapped with + * MBEDTLS_PRIVATE macro. This define allows tests to access the private fields + * directly (without using the MBEDTLS_PRIVATE wrapper). */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#define MBEDTLS_ERR_THREADING_THREAD_ERROR -0x001F + +#if defined(MBEDTLS_THREADING_PTHREAD) +#include + +typedef struct mbedtls_test_thread_t { + pthread_t MBEDTLS_PRIVATE(thread); +} mbedtls_test_thread_t; + +#endif /* MBEDTLS_THREADING_PTHREAD */ + +#if defined(MBEDTLS_THREADING_ALT) +/* You should define the mbedtls_test_thread_t type in your header */ +#include "threading_alt.h" + +/** + * \brief Set your alternate threading implementation + * function pointers fgr test threads. If used, + * this function must be called once in the main thread + * before any other MbedTLS function is called. + * + * \note These functions are part of the testing API only and + * thus not considered part of the public API of + * MbedTLS and thus may change without notice. + * + * \param thread_create The thread create function implementation + * \param thread_join The thread join function implementation + + */ +void mbedtls_test_thread_set_alt(int (*thread_create)(mbedtls_test_thread_t *thread, + void *(*thread_func)( + void *), + void *thread_data), + int (*thread_join)(mbedtls_test_thread_t *thread)); + +#endif /* MBEDTLS_THREADING_ALT*/ + +/** + * \brief The function pointers for thread create and thread + * join. + * + * \note These functions are part of the testing API only and + * thus not considered part of the public API of + * MbedTLS and thus may change without notice. + * + * \note All these functions are expected to work or + * the result will be undefined. + */ +extern int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread, + void *(*thread_func)(void *), void *thread_data); +extern int (*mbedtls_test_thread_join)(mbedtls_test_thread_t *thread); + #if defined(MBEDTLS_THREADING_PTHREAD) && defined(MBEDTLS_TEST_HOOKS) #define MBEDTLS_TEST_MUTEX_USAGE #endif @@ -42,4 +102,3 @@ void mbedtls_test_mutex_usage_check(void); #endif /* MBEDTLS_THREADING_C */ #endif /* THREADING_HELPERS_H */ - diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c index 3805934..5a871e1 100644 --- a/tests/src/threading_helpers.c +++ b/tests/src/threading_helpers.c @@ -9,6 +9,71 @@ #include #include +#include "mbedtls/threading.h" + +#if defined(MBEDTLS_THREADING_C) + +#if defined(MBEDTLS_THREADING_PTHREAD) + +static int threading_thread_create_pthread(mbedtls_test_thread_t *thread, void *(*thread_func)( + void *), void *thread_data) +{ + if (thread == NULL || thread_func == NULL) { + return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA; + } + + if (pthread_create(&thread->thread, NULL, thread_func, thread_data)) { + return MBEDTLS_ERR_THREADING_THREAD_ERROR; + } + + return 0; +} + +static int threading_thread_join_pthread(mbedtls_test_thread_t *thread) +{ + if (thread == NULL) { + return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA; + } + + if (pthread_join(thread->thread, NULL) != 0) { + return MBEDTLS_ERR_THREADING_THREAD_ERROR; + } + + return 0; +} + +int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread, void *(*thread_func)(void *), + void *thread_data) = threading_thread_create_pthread; +int (*mbedtls_test_thread_join)(mbedtls_test_thread_t *thread) = threading_thread_join_pthread; + +#endif /* MBEDTLS_THREADING_PTHREAD */ + +#if defined(MBEDTLS_THREADING_ALT) + +static int threading_thread_create_fail(mbedtls_test_thread_t *thread, + void *(*thread_func)(void *), + void *thread_data) +{ + (void) thread; + (void) thread_func; + (void) thread_data; + + return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA; +} + +static int threading_thread_join_fail(mbedtls_test_thread_t *thread) +{ + (void) thread; + + return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA; +} + +int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread, void *(*thread_func)(void *), + void *thread_data) = threading_thread_create_fail; +int (*mbedtls_test_thread_join)(mbedtls_test_thread_t *thread) = threading_thread_join_fail; + +#endif /* MBEDTLS_THREADING_ALT */ + #if defined(MBEDTLS_TEST_MUTEX_USAGE) #include "mbedtls/threading.h" @@ -258,3 +323,5 @@ void mbedtls_test_mutex_usage_end(void) } #endif /* MBEDTLS_TEST_MUTEX_USAGE */ + +#endif /* MBEDTLS_THREADING_C */ -- cgit v1.1 From 3dce2327ab55525bdecdf69f73805d016fbd08d5 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 8 Dec 2023 21:13:42 +0000 Subject: Use new thread abstraction for ctr_drbg tests Signed-off-by: Paul Elliott --- tests/suites/test_suite_ctr_drbg.function | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function index 1f0a072..492a65f 100644 --- a/tests/suites/test_suite_ctr_drbg.function +++ b/tests/suites/test_suite_ctr_drbg.function @@ -346,7 +346,7 @@ exit: void ctr_drbg_threads(data_t *expected_result, int reseed, int arg_thread_count) { size_t thread_count = (size_t) arg_thread_count; - pthread_t *threads = NULL; + mbedtls_test_thread_t *threads = NULL; unsigned char out[16]; unsigned char *entropy = NULL; @@ -358,7 +358,7 @@ void ctr_drbg_threads(data_t *expected_result, int reseed, int arg_thread_count) AES_PSA_INIT(); - TEST_CALLOC(threads, sizeof(pthread_t) * thread_count); + TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count); memset(out, 0, sizeof(out)); mbedtls_ctr_drbg_context ctx; @@ -392,13 +392,13 @@ void ctr_drbg_threads(data_t *expected_result, int reseed, int arg_thread_count) for (size_t i = 0; i < thread_count; i++) { TEST_EQUAL( - pthread_create(&threads[i], NULL, - thread_random_function, (void *) &ctx), + mbedtls_test_thread_create(&threads[i], + thread_random_function, (void *) &ctx), 0); } for (size_t i = 0; i < thread_count; i++) { - TEST_EQUAL(pthread_join(threads[i], NULL), 0); + TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); } /* Take a last output for comparing and thus verifying the DRBG state */ -- cgit v1.1 From 4068c7e47cf7180550c7a52e3c5f6513392c7720 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 15 Dec 2023 17:14:34 +0000 Subject: Link programs with pthread via cmake All programs are now linked directly with all test code, thus adding a pthread abstraction into the test code means having to link the programs with pthread (if the library is found under cmake). Signed-off-by: Paul Elliott --- programs/aes/CMakeLists.txt | 4 +++- programs/cipher/CMakeLists.txt | 4 +++- programs/fuzz/CMakeLists.txt | 3 +++ programs/fuzz/Makefile | 4 ++++ programs/hash/CMakeLists.txt | 4 +++- programs/pkey/CMakeLists.txt | 6 ++++-- programs/psa/CMakeLists.txt | 4 +++- programs/random/CMakeLists.txt | 4 +++- programs/ssl/CMakeLists.txt | 2 +- programs/test/CMakeLists.txt | 8 +++++--- programs/test/cmake_subproject/CMakeLists.txt | 4 +++- programs/util/CMakeLists.txt | 4 +++- programs/x509/CMakeLists.txt | 4 +++- 13 files changed, 41 insertions(+), 14 deletions(-) diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt index 85bcd5f..457a0fc 100644 --- a/programs/aes/CMakeLists.txt +++ b/programs/aes/CMakeLists.txt @@ -1,10 +1,12 @@ +find_package(Threads) + set(executables crypt_and_hash ) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${mbedcrypto_target}) + target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt index 93e5f31..c047dd6 100644 --- a/programs/cipher/CMakeLists.txt +++ b/programs/cipher/CMakeLists.txt @@ -1,10 +1,12 @@ +find_package(Threads) + set(executables cipher_aead_demo ) foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${mbedcrypto_target}) + target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index 7747744..a0eba0f 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt @@ -1,5 +1,8 @@ +find_package(Threads) + set(libs ${mbedtls_target} + ${CMAKE_THREAD_LIBS_INIT} ) find_library(FUZZINGENGINE_LIB FuzzingEngine) diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile index b4fc76a..3b9b50d 100644 --- a/programs/fuzz/Makefile +++ b/programs/fuzz/Makefile @@ -29,6 +29,10 @@ endif ifdef WINDOWS_BUILD LOCAL_LDFLAGS += -lbcrypt +else +ifeq ($(THREADING),pthread) +LOCAL_LDFLAGS += -lpthread +endif endif # A test application is built for each suites/test_suite_*.data file. diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt index da98188..3d6989c 100644 --- a/programs/hash/CMakeLists.txt +++ b/programs/hash/CMakeLists.txt @@ -1,3 +1,5 @@ +find_package(Threads) + set(executables generic_sum hello @@ -6,7 +8,7 @@ set(executables foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${mbedcrypto_target}) + target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index 3ad5643..e2fb404 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -1,3 +1,5 @@ +find_package(Threads) + set(executables_mbedtls dh_client dh_server @@ -5,7 +7,7 @@ set(executables_mbedtls foreach(exe IN LISTS executables_mbedtls) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${mbedtls_target}) + target_link_libraries(${exe} ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() @@ -32,7 +34,7 @@ set(executables_mbedcrypto foreach(exe IN LISTS executables_mbedcrypto) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${mbedcrypto_target}) + target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt index c8ee626..d86f29e 100644 --- a/programs/psa/CMakeLists.txt +++ b/programs/psa/CMakeLists.txt @@ -1,3 +1,5 @@ +find_package(Threads) + set(executables aead_demo crypto_examples @@ -28,7 +30,7 @@ endif() foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${mbedcrypto_target}) + target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt index e5edf7b..a4c99f5 100644 --- a/programs/random/CMakeLists.txt +++ b/programs/random/CMakeLists.txt @@ -1,3 +1,5 @@ +find_package(Threads) + set(executables gen_entropy gen_random_ctr_drbg @@ -5,7 +7,7 @@ set(executables foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${mbedcrypto_target}) + target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index 280bbcf..8ffa854 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -39,7 +39,7 @@ foreach(exe IN LISTS executables) endif() add_executable(${exe} ${exe}.c $ ${extra_sources}) - target_link_libraries(${exe} ${libs}) + target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) if(exe STREQUAL "ssl_client2" OR exe STREQUAL "ssl_server2") if(GEN_FILES) diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 0778731..a726045 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -1,3 +1,5 @@ +find_package(Threads) + set(libs ${mbedtls_target} ) @@ -26,7 +28,7 @@ if(TEST_CPP) ) add_executable(cpp_dummy_build "${cpp_dummy_build_cpp}") target_include_directories(cpp_dummy_build PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include) - target_link_libraries(cpp_dummy_build ${mbedcrypto_target}) + target_link_libraries(cpp_dummy_build ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) endif() if(USE_SHARED_MBEDTLS_LIBRARY AND @@ -81,9 +83,9 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto) # This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3 list(FIND executables_libs ${exe} exe_index) if (${exe_index} GREATER -1) - target_link_libraries(${exe} ${libs}) + target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) else() - target_link_libraries(${exe} ${mbedcrypto_target}) + target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT}) endif() endforeach() diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt index 3c3cba3..dd23d61 100644 --- a/programs/test/cmake_subproject/CMakeLists.txt +++ b/programs/test/cmake_subproject/CMakeLists.txt @@ -1,5 +1,7 @@ cmake_minimum_required(VERSION 3.5.1) +find_package(Threads) + # Test the target renaming support by adding a prefix to the targets built set(MBEDTLS_TARGET_PREFIX subproject_test_) @@ -20,4 +22,4 @@ set(libs ) add_executable(cmake_subproject cmake_subproject.c) -target_link_libraries(cmake_subproject ${libs}) +target_link_libraries(cmake_subproject ${libs} ${CMAKE_THREAD_LIBS_INIT}) diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt index 7fc58cb..920f69e 100644 --- a/programs/util/CMakeLists.txt +++ b/programs/util/CMakeLists.txt @@ -1,3 +1,5 @@ +find_package(Threads) + set(libs ${mbedcrypto_target} ) @@ -9,7 +11,7 @@ set(executables foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${libs}) + target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt index 5876b8d..c507de2 100644 --- a/programs/x509/CMakeLists.txt +++ b/programs/x509/CMakeLists.txt @@ -1,3 +1,5 @@ +find_package(Threads) + set(libs ${mbedx509_target} ) @@ -13,7 +15,7 @@ set(executables foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $) - target_link_libraries(${exe} ${libs}) + target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) endforeach() -- cgit v1.1 From 7ed1cf57ba67c736cf311663ba995805d4428b2f Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 5 Jan 2024 18:10:44 +0000 Subject: Enable common.make to be included by programs/fuzz Signed-off-by: Paul Elliott --- scripts/common.make | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/scripts/common.make b/scripts/common.make index 6c95b42..2714bcd 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -1,25 +1,29 @@ # To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS +ifndef MBEDTLS_PATH +MBEDTLS_PATH := .. +endif + CFLAGS ?= -O2 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral LDFLAGS ?= -LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I../include -D_FILE_OFFSET_BITS=64 -LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -I../tests/include -D_FILE_OFFSET_BITS=64 +LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I$(MBEDTLS_PATH)/include -D_FILE_OFFSET_BITS=64 +LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tests/include -D_FILE_OFFSET_BITS=64 LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \ - -L../library \ + -L$(MBEDTLS_PATH)/library \ -lmbedtls$(SHARED_SUFFIX) \ -lmbedx509$(SHARED_SUFFIX) \ -lmbedcrypto$(SHARED_SUFFIX) -include ../3rdparty/Makefile.inc +include $(MBEDTLS_PATH)/3rdparty/Makefile.inc LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES) ifndef SHARED -MBEDLIBS=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a +MBEDLIBS=$(MBEDTLS_PATH)/library/libmbedcrypto.a $(MBEDTLS_PATH)/library/libmbedx509.a $(MBEDTLS_PATH)/library/libmbedtls.a else -MBEDLIBS=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT) +MBEDLIBS=$(MBEDTLS_PATH)/library/libmbedcrypto.$(DLEXT) $(MBEDTLS_PATH)/library/libmbedx509.$(DLEXT) $(MBEDTLS_PATH)/library/libmbedtls.$(DLEXT) endif ifdef DEBUG @@ -97,7 +101,7 @@ endif default: all $(MBEDLIBS): - $(MAKE) -C ../library + $(MAKE) -C $(MBEDTLS_PATH)/library neat: clean ifndef WINDOWS -- cgit v1.1 From 053db696b37dfccb4e251ebd22c532438f92b0ef Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 5 Jan 2024 18:11:32 +0000 Subject: Allow programs/fuzz to be linked against pthread Use the same mechanisms used to link other programs against pthread with make, i.e. include common.make, and remove common code from programs/ fuzz/Makefile Signed-off-by: Paul Elliott --- programs/fuzz/Makefile | 34 ++++------------------------------ 1 file changed, 4 insertions(+), 30 deletions(-) diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile index 3b9b50d..afe80b7 100644 --- a/programs/fuzz/Makefile +++ b/programs/fuzz/Makefile @@ -1,40 +1,17 @@ -MBEDTLS_TEST_PATH:=../../tests/src -MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c ${MBEDTLS_TEST_PATH}/drivers/*.c)) +MBEDTLS_TEST_PATH:=../../tests -CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -Wextra LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../../tests/include -I../../include -D_FILE_OFFSET_BITS=64 -LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \ - -L../../library \ - -lmbedtls$(SHARED_SUFFIX) \ - -lmbedx509$(SHARED_SUFFIX) \ - -lmbedcrypto$(SHARED_SUFFIX) +MBEDTLS_PATH := ../.. +include ../../scripts/common.make LOCAL_CFLAGS += $(patsubst -I../%,-I../../%,$(THIRDPARTY_INCLUDES)) -ifndef SHARED -DEP=../../library/libmbedcrypto.a ../../library/libmbedx509.a ../../library/libmbedtls.a -else -DEP=../../library/libmbedcrypto.$(DLEXT) ../../library/libmbedx509.$(DLEXT) ../../library/libmbedtls.$(DLEXT) -endif - - -DLEXT ?= so -EXEXT= -SHARED_SUFFIX= +DEP=${MBEDLIBS} ifdef FUZZINGENGINE LOCAL_LDFLAGS += -lFuzzingEngine endif -ifdef WINDOWS_BUILD -LOCAL_LDFLAGS += -lbcrypt -else -ifeq ($(THREADING),pthread) -LOCAL_LDFLAGS += -lpthread -endif -endif - # A test application is built for each suites/test_suite_*.data file. # Application name is same as .data file's base name and can be # constructed by stripping path 'suites/' and extension .data. @@ -49,9 +26,6 @@ BINARIES := $(addsuffix $(EXEXT),$(APPS)) all: $(BINARIES) -$(DEP): - $(MAKE) -C ../../library - C_FILES := $(addsuffix .c,$(APPS)) %.o: %.c -- cgit v1.1 From c7a1e9936aaca86c85c1ec1bff3a56a04a6454fa Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Nov 2023 18:44:57 +0000 Subject: Move bignum flag for negative zero into test_info Add accessors ready for protection with test_info mutex. Signed-off-by: Paul Elliott --- tests/include/test/bignum_helpers.h | 28 ++++++++++------------------ tests/include/test/helpers.h | 25 +++++++++++++++++++++++++ tests/src/bignum_helpers.c | 2 +- tests/src/helpers.c | 25 ++++++++++++++++++++----- tests/suites/test_suite_bignum.function | 2 +- 5 files changed, 57 insertions(+), 25 deletions(-) diff --git a/tests/include/test/bignum_helpers.h b/tests/include/test/bignum_helpers.h index 2f6bf89..cf175a3 100644 --- a/tests/include/test/bignum_helpers.h +++ b/tests/include/test/bignum_helpers.h @@ -77,30 +77,22 @@ void mbedtls_test_mpi_mod_modulus_free_with_limbs(mbedtls_mpi_mod_modulus *N); * * - This function guarantees that if \p s begins with '-' then the sign * bit of the result will be negative, even if the value is 0. - * When this function encounters such a "negative 0", it - * increments #mbedtls_test_case_uses_negative_0. - * - The size of the result is exactly the minimum number of limbs needed - * to fit the digits in the input. In particular, this function constructs - * a bignum with 0 limbs for an empty string, and a bignum with leading 0 - * limbs if the string has sufficiently many leading 0 digits. - * This is important so that the "0 (null)" and "0 (1 limb)" and - * "leading zeros" test cases do what they claim. + * When this function encounters such a "negative 0", it calls + * mbedtls_test_increment_case_uses_negative_0(). + * - The size of the result is exactly the minimum number of limbs needed to fit + * the digits in the input. In particular, this function constructs a bignum + * with 0 limbs for an empty string, and a bignum with leading 0 limbs if the + * string has sufficiently many leading 0 digits. This is important so that + * the "0 (null)" and "0 (1 limb)" and "leading zeros" test cases do what they + * claim. * - * \param[out] X The MPI object to populate. It must be initialized. - * \param[in] s The null-terminated hexadecimal string to read from. + * \param[out] X The MPI object to populate. It must be initialized. + * \param[in] s The null-terminated hexadecimal string to read from. * * \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise. */ int mbedtls_test_read_mpi(mbedtls_mpi *X, const char *s); -/** Nonzero if the current test case had an input parsed with - * mbedtls_test_read_mpi() that is a negative 0 (`"-"`, `"-0"`, `"-00"`, etc., - * constructing a result with the sign bit set to -1 and the value being - * all-limbs-0, which is not a valid representation in #mbedtls_mpi but is - * tested for robustness). - */ -extern unsigned mbedtls_test_case_uses_negative_0; - #endif /* MBEDTLS_BIGNUM_C */ #endif /* TEST_BIGNUM_HELPERS_H */ diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 564a553..b672ecc 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -74,6 +74,9 @@ typedef struct { #if defined(MBEDTLS_TEST_MUTEX_USAGE) const char *mutex_usage_error; #endif +#if defined(MBEDTLS_BIGNUM_C) + unsigned case_uses_negative_0; +#endif } mbedtls_test_info_t; @@ -151,6 +154,28 @@ const char *mbedtls_test_get_mutex_usage_error(void); void mbedtls_test_set_mutex_usage_error(const char *msg); #endif +#if defined(MBEDTLS_BIGNUM_C) + +/** + * \brief Get whether the current test is a bignum test that uses + * negative zero. + * + * \return non zero if the current test uses bignum negative zero. + */ +unsigned mbedtls_test_get_case_uses_negative_0(void); + +/** + * \brief Indicate that the current test uses bignum negative zero. + * + * \note This function is called if the current test case had an + * input parsed with mbedtls_test_read_mpi() that is a negative + * 0 (`"-"`, `"-0"`, `"-00"`, etc., constructing a result with + * the sign bit set to -1 and the value being all-limbs-0, + * which is not a valid representation in #mbedtls_mpi but is + * tested for robustness). * + */ +void mbedtls_test_increment_case_uses_negative_0(void); +#endif int mbedtls_test_platform_setup(void); void mbedtls_test_platform_teardown(void); diff --git a/tests/src/bignum_helpers.c b/tests/src/bignum_helpers.c index c85e2ca..913f5e3 100644 --- a/tests/src/bignum_helpers.c +++ b/tests/src/bignum_helpers.c @@ -135,7 +135,7 @@ int mbedtls_test_read_mpi(mbedtls_mpi *X, const char *s) } if (negative) { if (mbedtls_mpi_cmp_int(X, 0) == 0) { - ++mbedtls_test_case_uses_negative_0; + mbedtls_test_increment_case_uses_negative_0(); } X->s = -1; } diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 52785fc..03a8fa7 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -109,6 +109,25 @@ void mbedtls_test_set_mutex_usage_error(const char *msg) } #endif // #if defined(MBEDTLS_TEST_MUTEX_USAGE) +#if defined(MBEDTLS_BIGNUM_C) + +unsigned mbedtls_test_get_case_uses_negative_0(void) +{ + return mbedtls_test_info.case_uses_negative_0; +} + +void mbedtls_test_set_case_uses_negative_0(unsigned uses) +{ + mbedtls_test_info.case_uses_negative_0 = uses; +} + +void mbedtls_test_increment_case_uses_negative_0(void) +{ + ++mbedtls_test_info.case_uses_negative_0; +} + +#endif + /*----------------------------------------------------------------------------*/ /* Helper Functions */ @@ -171,10 +190,6 @@ void mbedtls_test_skip(const char *test, int line_no, const char *filename) mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SKIPPED, test, line_no, filename); } -#if defined(MBEDTLS_BIGNUM_C) -unsigned mbedtls_test_case_uses_negative_0 = 0; -#endif - void mbedtls_test_info_reset(void) { mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SUCCESS, 0, 0, 0); @@ -183,7 +198,7 @@ void mbedtls_test_info_reset(void) mbedtls_test_set_line2(NULL); #if defined(MBEDTLS_BIGNUM_C) - mbedtls_test_case_uses_negative_0 = 0; + mbedtls_test_set_case_uses_negative_0(0); #endif } diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index c90f1bb..35900e6 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -24,7 +24,7 @@ static int sign_is_valid(const mbedtls_mpi *X) * we sometimes test the robustness of library functions when given * a negative zero input. If a test case has a negative zero as input, * we don't mind if the function has a negative zero output. */ - if (!mbedtls_test_case_uses_negative_0 && + if (!mbedtls_test_get_case_uses_negative_0() && mbedtls_mpi_bitlen(X) == 0 && X->s != 1) { return 0; } -- cgit v1.1 From 65064265c2706b88b8e6ba44f7d65e7053bd7140 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 27 Nov 2023 17:29:05 +0000 Subject: Protect test info access with mutex Signed-off-by: Paul Elliott --- tests/include/test/helpers.h | 10 +- tests/src/helpers.c | 202 ++++++++++++++++++++++++++++++++++++---- tests/suites/host_test.function | 15 +-- 3 files changed, 201 insertions(+), 26 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index b672ecc..73459d9 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -123,16 +123,18 @@ unsigned long mbedtls_test_get_step(void); /** * \brief Get the current test line buffer 1 * - * \return The current test line buffer 1 + * \param line Buffer of minimum size \c MBEDTLS_TEST_LINE_LENGTH, + * which will have line buffer 1 copied to it. */ -const char *mbedtls_test_get_line1(void); +void mbedtls_test_get_line1(char *line); /** * \brief Get the current test line buffer 2 * - * \return The current test line buffer 2 + * \param line Buffer of minimum size \c MBEDTLS_TEST_LINE_LENGTH, + * which will have line buffer 1 copied to it. */ -const char *mbedtls_test_get_line2(void); +void mbedtls_test_get_line2(char *line); #if defined(MBEDTLS_TEST_MUTEX_USAGE) /** diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 03a8fa7..1bad819 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -13,6 +13,10 @@ #include #endif +#if defined(MBEDTLS_THREADING_C) +#include "mbedtls/threading.h" +#endif + /*----------------------------------------------------------------------------*/ /* Static global variables */ @@ -22,76 +26,200 @@ static mbedtls_platform_context platform_ctx; mbedtls_test_info_t mbedtls_test_info; +#ifdef MBEDTLS_THREADING_C +mbedtls_threading_mutex_t mbedtls_test_info_mutex; +#endif /* MBEDTLS_THREADING_C */ + /*----------------------------------------------------------------------------*/ /* Mbedtls Test Info accessors */ mbedtls_test_result_t mbedtls_test_get_result(void) { - return mbedtls_test_info.result; + mbedtls_test_result_t result; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + result = mbedtls_test_info.result; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + return result; } void mbedtls_test_set_result(mbedtls_test_result_t result, const char *test, int line_no, const char *filename) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + mbedtls_test_info.result = result; mbedtls_test_info.test = test; mbedtls_test_info.line_no = line_no; mbedtls_test_info.filename = filename; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } const char *mbedtls_test_get_test(void) { - return mbedtls_test_info.test; + const char *test; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + test = mbedtls_test_info.test; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + return test; } const char *mbedtls_get_test_filename(void) { - return mbedtls_test_info.filename; + const char *filename; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + /* It should be ok just to pass back the pointer here, as it is going to + * be a pointer into non changing data. */ + filename = mbedtls_test_info.filename; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + return filename; } int mbedtls_test_get_line_no(void) { - return mbedtls_test_info.line_no; + int line_no; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + line_no = mbedtls_test_info.line_no; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + return line_no; } void mbedtls_test_increment_step(void) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + ++mbedtls_test_info.step; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } unsigned long mbedtls_test_get_step(void) { - return mbedtls_test_info.step; + unsigned long step; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + step = mbedtls_test_info.step; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + return step; } -void mbedtls_test_set_step(unsigned long step) { +void mbedtls_test_set_step(unsigned long step) +{ +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + mbedtls_test_info.step = step; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } -const char *mbedtls_test_get_line1(void) +void mbedtls_test_get_line1(char *line) { - return mbedtls_test_info.line1; +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + memcpy(line, mbedtls_test_info.line1, MBEDTLS_TEST_LINE_LENGTH); + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_set_line1(const char *line) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + if (line == NULL) { - memset(mbedtls_test_info.line1, 0, sizeof(mbedtls_test_info.line1)); + memset(mbedtls_test_info.line1, 0, MBEDTLS_TEST_LINE_LENGTH); } else { - strncpy(mbedtls_test_info.line1, line, sizeof(mbedtls_test_info.line1)); + memcpy(mbedtls_test_info.line1, line, MBEDTLS_TEST_LINE_LENGTH); } + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } -const char *mbedtls_test_get_line2(void) +void mbedtls_test_get_line2(char *line) { - return mbedtls_test_info.line2; +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + memcpy(line, mbedtls_test_info.line2, MBEDTLS_TEST_LINE_LENGTH); + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } -void mbedtls_test_set_line2(const char *line) { +void mbedtls_test_set_line2(const char *line) +{ +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + if (line == NULL) { - memset(mbedtls_test_info.line2, 0, sizeof(mbedtls_test_info.line2)); + memset(mbedtls_test_info.line2, 0, MBEDTLS_TEST_LINE_LENGTH); } else { - strncpy(mbedtls_test_info.line2, line, sizeof(mbedtls_test_info.line2)); + memcpy(mbedtls_test_info.line2, line, MBEDTLS_TEST_LINE_LENGTH); } + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } @@ -103,9 +231,17 @@ const char *mbedtls_test_get_mutex_usage_error(void) void mbedtls_test_set_mutex_usage_error(const char *msg) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + if (mbedtls_test_info.mutex_usage_error == NULL || msg == NULL) { mbedtls_test_info.mutex_usage_error = msg; } + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } #endif // #if defined(MBEDTLS_TEST_MUTEX_USAGE) @@ -113,17 +249,43 @@ void mbedtls_test_set_mutex_usage_error(const char *msg) unsigned mbedtls_test_get_case_uses_negative_0(void) { - return mbedtls_test_info.case_uses_negative_0; + unsigned test_case_uses_negative_0 = 0; +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + test_case_uses_negative_0 = mbedtls_test_info.case_uses_negative_0; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + return test_case_uses_negative_0; } void mbedtls_test_set_case_uses_negative_0(unsigned uses) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + mbedtls_test_info.case_uses_negative_0 = uses; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_increment_case_uses_negative_0(void) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + ++mbedtls_test_info.case_uses_negative_0; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } #endif @@ -150,11 +312,19 @@ int mbedtls_test_platform_setup(void) ret = mbedtls_platform_setup(&platform_ctx); #endif /* MBEDTLS_PLATFORM_C */ +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_init(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + return ret; } void mbedtls_test_platform_teardown(void) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_free(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + #if defined(MBEDTLS_PLATFORM_C) mbedtls_platform_teardown(&platform_ctx); #endif /* MBEDTLS_PLATFORM_C */ diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index 1ebaf46..eb42a07 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -720,6 +720,8 @@ int execute_tests(int argc, const char **argv) mbedtls_fprintf(stdout, "----\n"); total_skipped++; } else { + char line_buffer[MBEDTLS_TEST_LINE_LENGTH]; + total_errors++; mbedtls_fprintf(stdout, "FAILED\n"); mbedtls_fprintf(stdout, " %s\n at ", @@ -731,13 +733,14 @@ int execute_tests(int argc, const char **argv) mbedtls_fprintf(stdout, "line %d, %s", mbedtls_test_get_line_no(), mbedtls_get_test_filename()); - if (mbedtls_test_get_line1()[0] != 0) { - mbedtls_fprintf(stdout, "\n %s", - mbedtls_test_get_line1()); + + mbedtls_test_get_line1(line_buffer); + if (line_buffer[0] != 0) { + mbedtls_fprintf(stdout, "\n %s", line_buffer); } - if (mbedtls_test_get_line2()[0] != 0) { - mbedtls_fprintf(stdout, "\n %s", - mbedtls_test_get_line2()); + mbedtls_test_get_line2(line_buffer); + if (line_buffer[0] != 0) { + mbedtls_fprintf(stdout, "\n %s", line_buffer); } } fflush(stdout); -- cgit v1.1 From 0710ac4ec88faa168876525e17e9b409ee13cd16 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 9 Jan 2024 17:20:58 +0000 Subject: Add ability to exclude mutex from tests We need to be able to exclude mbedtls_test_info_mutex() from the normal tests, as this mutex has to be locked to report mutex errors, and also reports as leaked, due to where it is initialised / free'd. Signed-off-by: Paul Elliott --- tests/src/threading_helpers.c | 139 +++++++++++++++++++++++++----------------- 1 file changed, 84 insertions(+), 55 deletions(-) diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c index 261d141..0894700 100644 --- a/tests/src/threading_helpers.c +++ b/tests/src/threading_helpers.c @@ -117,40 +117,62 @@ static void mbedtls_test_mutex_usage_error(mbedtls_threading_mutex_t *mutex, * mbedtls_test_mutex_usage_check() will mark it as failed. */ } +extern mbedtls_threading_mutex_t mbedtls_test_info_mutex; + +static int mbedtls_test_mutex_can_test(mbedtls_threading_mutex_t *mutex) +{ + /* If we attempt to run tests on this mutex then we are going to run into a + * couple of problems: + * 1. If any test on this mutex fails, we are going to deadlock when + * reporting that failure, as we already hold the mutex at that point. + * 2. Given the 'global' position of the initialization and free of this + * mutex, it will be shown as leaked on the first test run. */ + if (mutex == &mbedtls_test_info_mutex) { + return 0; + } + + return 1; +} + static void mbedtls_test_wrap_mutex_init(mbedtls_threading_mutex_t *mutex) { mutex_functions.init(mutex); - if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { - mutex->state = MUTEX_IDLE; - ++live_mutexes; + if (mbedtls_test_mutex_can_test(mutex)) { + if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { + mutex->state = MUTEX_IDLE; + ++live_mutexes; - mutex_functions.unlock(&mbedtls_test_mutex_mutex); + mutex_functions.unlock(&mbedtls_test_mutex_mutex); + } } } static void mbedtls_test_wrap_mutex_free(mbedtls_threading_mutex_t *mutex) { - if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { - - switch (mutex->state) { - case MUTEX_FREED: - mbedtls_test_mutex_usage_error(mutex, "free without init or double free"); - break; - case MUTEX_IDLE: - mutex->state = MUTEX_FREED; - --live_mutexes; - break; - case MUTEX_LOCKED: - mbedtls_test_mutex_usage_error(mutex, "free without unlock"); - break; - default: - mbedtls_test_mutex_usage_error(mutex, "corrupted state"); - break; - } + if (mbedtls_test_mutex_can_test(mutex)) { + if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { - mutex_functions.unlock(&mbedtls_test_mutex_mutex); + switch (mutex->state) { + case MUTEX_FREED: + mbedtls_test_mutex_usage_error(mutex, "free without init or double free"); + break; + case MUTEX_IDLE: + mutex->state = MUTEX_FREED; + --live_mutexes; + break; + case MUTEX_LOCKED: + mbedtls_test_mutex_usage_error(mutex, "free without unlock"); + break; + default: + mbedtls_test_mutex_usage_error(mutex, "corrupted state"); + break; + } + + mutex_functions.unlock(&mbedtls_test_mutex_mutex); + } } + mutex_functions.free(mutex); } @@ -160,26 +182,30 @@ static int mbedtls_test_wrap_mutex_lock(mbedtls_threading_mutex_t *mutex) * is to hold the passed in and internal mutex - otherwise we create a race * condition. */ int ret = mutex_functions.lock(mutex); - if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { - switch (mutex->state) { - case MUTEX_FREED: - mbedtls_test_mutex_usage_error(mutex, "lock without init"); - break; - case MUTEX_IDLE: - if (ret == 0) { - mutex->state = MUTEX_LOCKED; - } - break; - case MUTEX_LOCKED: - mbedtls_test_mutex_usage_error(mutex, "double lock"); - break; - default: - mbedtls_test_mutex_usage_error(mutex, "corrupted state"); - break; - } - mutex_functions.unlock(&mbedtls_test_mutex_mutex); + if (mbedtls_test_mutex_can_test(mutex)) { + if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { + switch (mutex->state) { + case MUTEX_FREED: + mbedtls_test_mutex_usage_error(mutex, "lock without init"); + break; + case MUTEX_IDLE: + if (ret == 0) { + mutex->state = MUTEX_LOCKED; + } + break; + case MUTEX_LOCKED: + mbedtls_test_mutex_usage_error(mutex, "double lock"); + break; + default: + mbedtls_test_mutex_usage_error(mutex, "corrupted state"); + break; + } + + mutex_functions.unlock(&mbedtls_test_mutex_mutex); + } } + return ret; } @@ -188,23 +214,26 @@ static int mbedtls_test_wrap_mutex_unlock(mbedtls_threading_mutex_t *mutex) /* Lock the internal mutex first and change state, so that the only way to * change the state is to hold the passed in and internal mutex - otherwise * we create a race condition. */ - if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { - switch (mutex->state) { - case MUTEX_FREED: - mbedtls_test_mutex_usage_error(mutex, "unlock without init"); - break; - case MUTEX_IDLE: - mbedtls_test_mutex_usage_error(mutex, "unlock without lock"); - break; - case MUTEX_LOCKED: - mutex->state = MUTEX_IDLE; - break; - default: - mbedtls_test_mutex_usage_error(mutex, "corrupted state"); - break; + if (mbedtls_test_mutex_can_test(mutex)) { + if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { + switch (mutex->state) { + case MUTEX_FREED: + mbedtls_test_mutex_usage_error(mutex, "unlock without init"); + break; + case MUTEX_IDLE: + mbedtls_test_mutex_usage_error(mutex, "unlock without lock"); + break; + case MUTEX_LOCKED: + mutex->state = MUTEX_IDLE; + break; + default: + mbedtls_test_mutex_usage_error(mutex, "corrupted state"); + break; + } + mutex_functions.unlock(&mbedtls_test_mutex_mutex); } - mutex_functions.unlock(&mbedtls_test_mutex_mutex); } + return mutex_functions.unlock(mutex); } -- cgit v1.1 From 5f3a938d9542bfa93f82f926586bd0e715df08da Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Wed, 13 Sep 2023 16:28:12 +0530 Subject: Fix psa_key_derivation_setup_kdf Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 83 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 57 insertions(+), 26 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a8baa6b..3ca89fb 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6075,27 +6075,39 @@ static psa_status_t psa_key_derivation_setup_kdf( if (!is_kdf_alg_supported(kdf_alg)) { return PSA_ERROR_NOT_SUPPORTED; } + psa_status_t status = PSA_SUCCESS; + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { + operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256); + return PSA_SUCCESS; + } +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) + if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { +#if (UINT_MAX > UINT32_MAX) + operation->capacity = UINT32_MAX * PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, + 128U, + PSA_ALG_CMAC); +#else + operation->capacity = UINT32_MAX; +#endif + return PSA_SUCCESS; + } +#endif - /* All currently supported key derivation algorithms (apart from - * ecjpake to pms and pbkdf2_aes_cmac_128) are based on a hash algorithm. */ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg); size_t hash_size = PSA_HASH_LENGTH(hash_alg); - if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { - hash_size = PSA_HASH_LENGTH(PSA_ALG_SHA_256); - } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { - hash_size = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC); - } else { - if (hash_size == 0) { - return PSA_ERROR_NOT_SUPPORTED; - } + if (hash_size == 0) { + return PSA_ERROR_NOT_SUPPORTED; + } - /* Make sure that hash_alg is a supported hash algorithm. Otherwise - * we might fail later, which is somewhat unfriendly and potentially - * risk-prone. */ - psa_status_t status = psa_hash_try_support(hash_alg); - if (status != PSA_SUCCESS) { - return status; - } + /* Make sure that hash_alg is a supported hash algorithm. Otherwise + * we might fail later, which is somewhat unfriendly and potentially + * risk-prone. */ + status = psa_hash_try_support(hash_alg); + if (status != PSA_SUCCESS) { + return status; } if ((PSA_ALG_IS_TLS12_PRF(kdf_alg) || @@ -6103,16 +6115,35 @@ static psa_status_t psa_key_derivation_setup_kdf( !(hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { return PSA_ERROR_NOT_SUPPORTED; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) - if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) || - (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS)) { + if (PSA_ALG_IS_HKDF(kdf_alg)) { + operation->capacity = 255 * hash_size; + } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) + if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { operation->capacity = hash_size; - } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT || - MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ - operation->capacity = 255 * hash_size; - return PSA_SUCCESS; + } +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) + if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { + operation->capacity = 255 * hash_size; + } +#endif + if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) { + operation->capacity = UINT_MAX; + } + if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { + /* Master Secret consists of 2-byte version number + * and a 46-byte random value */ + operation->capacity = 48U; + } + if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { +#if (UINT_MAX > UINT32_MAX) + operation->capacity = UINT32_MAX * hash_size; +#else + operation->capacity = UINT32_MAX; +#endif + } + return status; } static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg) -- cgit v1.1 From 4aa6b36a3510695d4caad9d272bb4160d393a05d Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Wed, 13 Sep 2023 16:50:09 +0530 Subject: add tests for derive_full and derive_set_capacity Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 1bd8b65..aa9f4e3 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6320,6 +6320,10 @@ PSA key derivation: HKDF-Expand SHA-1, request too much capacity depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1 derive_set_capacity:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):255 * PSA_HASH_LENGTH(PSA_ALG_SHA_1) + 1:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: TLS 1.2 PSK-to-MS, request too much capacity +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +derive_set_capacity:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):48U + 1U:PSA_ERROR_INVALID_ARGUMENT + PSA key derivation: over capacity 42: output 42+1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"ff":0:1:0 @@ -6528,6 +6532,14 @@ PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) +PSA key derivation: TLS 1.2 PSK-to-MS, read maximum capacity minus 1 +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":47 + +PSA key derivation: TLS 1.2 PSK-to-MS, read maximum capacity +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48 + PSA key derivation: HKDF SHA-256, exercise AES128-CTR depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR -- cgit v1.1 From a0907f5750efedda58e11ea6b09395ba36b0fc2d Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 27 Oct 2023 15:08:00 +0530 Subject: Reorder and correct comment Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3ca89fb..a1d96bf 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6110,11 +6110,6 @@ static psa_status_t psa_key_derivation_setup_kdf( return status; } - if ((PSA_ALG_IS_TLS12_PRF(kdf_alg) || - PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) && - !(hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { - return PSA_ERROR_NOT_SUPPORTED; - } if (PSA_ALG_IS_HKDF(kdf_alg)) { operation->capacity = 255 * hash_size; } @@ -6128,12 +6123,17 @@ static psa_status_t psa_key_derivation_setup_kdf( operation->capacity = 255 * hash_size; } #endif + if ((PSA_ALG_IS_TLS12_PRF(kdf_alg) || + PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) && + !(hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { + return PSA_ERROR_NOT_SUPPORTED; + } if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) { operation->capacity = UINT_MAX; } if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { - /* Master Secret consists of 2-byte version number - * and a 46-byte random value */ + /* Master Secret is always 48 bytes + * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */ operation->capacity = 48U; } if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { -- cgit v1.1 From 86e83dd4a7be88d6da353aa787d38aa777364aa1 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:38:26 +0530 Subject: Add kdf_set_max_capacity function Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 93 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 54 insertions(+), 39 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a1d96bf..a116bef 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6063,89 +6063,104 @@ static psa_status_t psa_hash_try_support(psa_algorithm_t alg) return status; } -static psa_status_t psa_key_derivation_setup_kdf( +static psa_status_t psa_key_derivation_set_maximum_capacity( psa_key_derivation_operation_t *operation, psa_algorithm_t kdf_alg) { - /* Make sure that operation->ctx is properly zero-initialised. (Macro - * initialisers for this union leave some bytes unspecified.) */ - memset(&operation->ctx, 0, sizeof(operation->ctx)); - - /* Make sure that kdf_alg is a supported key derivation algorithm. */ - if (!is_kdf_alg_supported(kdf_alg)) { - return PSA_ERROR_NOT_SUPPORTED; - } - psa_status_t status = PSA_SUCCESS; - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256); return PSA_SUCCESS; } #endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) +#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { -#if (UINT_MAX > UINT32_MAX) +#if (SIZE_MAX > UINT32_MAX) operation->capacity = UINT32_MAX * PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC); #else - operation->capacity = UINT32_MAX; + operation->capacity = SIZE_MAX; #endif return PSA_SUCCESS; } -#endif +#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */ - psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg); + /* After this point, if kdf_alg is not valid then value of hash_alg may be + * invalid or meaningless but it does not affect this function */ + psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg); size_t hash_size = PSA_HASH_LENGTH(hash_alg); - if (hash_size == 0) { - return PSA_ERROR_NOT_SUPPORTED; - } /* Make sure that hash_alg is a supported hash algorithm. Otherwise * we might fail later, which is somewhat unfriendly and potentially * risk-prone. */ - status = psa_hash_try_support(hash_alg); + psa_status_t status = psa_hash_try_support(hash_alg); if (status != PSA_SUCCESS) { return status; } +#if defined(PSA_WANT_ALG_HKDF) if (PSA_ALG_IS_HKDF(kdf_alg)) { operation->capacity = 255 * hash_size; - } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) + } else +#endif +#if defined(PSA_WANT_ALG_HKDF_EXTRACT) if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { operation->capacity = hash_size; - } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) + } else +#endif +#if defined(PSA_WANT_ALG_HKDF_EXPAND) if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { operation->capacity = 255 * hash_size; - } + } else #endif - if ((PSA_ALG_IS_TLS12_PRF(kdf_alg) || - PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) && - !(hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { - return PSA_ERROR_NOT_SUPPORTED; - } - if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) { - operation->capacity = UINT_MAX; - } - if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { +#if defined(PSA_WANT_ALG_TLS12_PRF) + if (PSA_ALG_IS_TLS12_PRF(kdf_alg) && + (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { + operation->capacity = SIZE_MAX; + } else +#endif +#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) + if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) && + (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { /* Master Secret is always 48 bytes * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */ operation->capacity = 48U; - } + } else +#endif +#if defined(PSA_WANT_ALG_PBKDF2_HMAC) if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { -#if (UINT_MAX > UINT32_MAX) +#if (SIZE_MAX > UINT32_MAX) operation->capacity = UINT32_MAX * hash_size; #else - operation->capacity = UINT32_MAX; + operation->capacity = SIZE_MAX; #endif + } else +#endif /* PSA_WANT_ALG_PBKDF2_HMAC */ + { + status = PSA_ERROR_NOT_SUPPORTED; } return status; } +static psa_status_t psa_key_derivation_setup_kdf( + psa_key_derivation_operation_t *operation, + psa_algorithm_t kdf_alg) +{ + /* Make sure that operation->ctx is properly zero-initialised. (Macro + * initialisers for this union leave some bytes unspecified.) */ + memset(&operation->ctx, 0, sizeof(operation->ctx)); + + /* Make sure that kdf_alg is a supported key derivation algorithm. */ + if (!is_kdf_alg_supported(kdf_alg)) { + return PSA_ERROR_NOT_SUPPORTED; + } + + psa_status_t status = psa_key_derivation_set_maximum_capacity(operation, + kdf_alg); + return status; +} + static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg) { #if defined(PSA_WANT_ALG_ECDH) -- cgit v1.1 From 9ffd397e4c217ef7cb3fdae4ea79fb2a7a8a4de8 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:40:13 +0530 Subject: Increase input parameter type and buffer size Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 4c08a90..f87c800 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -8451,7 +8451,7 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void derive_set_capacity(int alg_arg, int capacity_arg, +void derive_set_capacity(int alg_arg, int64_t capacity_arg, int expected_status_arg) { psa_algorithm_t alg = alg_arg; @@ -8932,7 +8932,7 @@ void derive_full(int alg_arg, psa_algorithm_t alg = alg_arg; size_t requested_capacity = requested_capacity_arg; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; - unsigned char output_buffer[16]; + unsigned char output_buffer[32]; size_t expected_capacity = requested_capacity; size_t current_capacity; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; -- cgit v1.1 From 2c4264bd412f64bafda9a19e6756efd3c0a1828d Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:41:26 +0530 Subject: Add hkdf_extract, hkdf_expand and ecjpake_to_pms cases Signed-off-by: Kusumit Ghoderao --- tests/src/psa_exercise_key.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index f8b36e1..560b711 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -414,6 +414,21 @@ int mbedtls_test_psa_setup_key_derivation_wrap( PSA_KEY_DERIVATION_INPUT_INFO, input2, input2_length)); + } else if (PSA_ALG_IS_HKDF_EXTRACT(alg)) { + PSA_ASSERT(psa_key_derivation_input_bytes(operation, + PSA_KEY_DERIVATION_INPUT_SALT, + input1, input1_length)); + PSA_ASSERT(psa_key_derivation_input_key(operation, + PSA_KEY_DERIVATION_INPUT_SECRET, + key)); + } else if (PSA_ALG_IS_HKDF_EXPAND(alg)) { + PSA_ASSERT(psa_key_derivation_input_key(operation, + PSA_KEY_DERIVATION_INPUT_SECRET, + key)); + PSA_ASSERT(psa_key_derivation_input_bytes(operation, + PSA_KEY_DERIVATION_INPUT_INFO, + input2, + input2_length)); } else if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { PSA_ASSERT(psa_key_derivation_input_bytes(operation, @@ -436,6 +451,10 @@ int mbedtls_test_psa_setup_key_derivation_wrap( PSA_ASSERT(psa_key_derivation_input_key(operation, PSA_KEY_DERIVATION_INPUT_PASSWORD, key)); + } else if (alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { + PSA_ASSERT(psa_key_derivation_input_bytes(operation, + PSA_KEY_DERIVATION_INPUT_SECRET, + input1, input1_length)); } else { TEST_FAIL("Key derivation algorithm not supported"); } -- cgit v1.1 From 604e1cbbe70d4485c6a34bf78bf2722aebc8f4ea Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:43:03 +0530 Subject: Change error status for invalid HKDF alg Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index aa9f4e3..61181f4 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -5185,7 +5185,7 @@ derive_setup:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_INVALID_ARGUMENT PSA key derivation setup: algorithm from bad hash depends_on:PSA_WANT_ALG_SHA_256 -derive_setup:PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):PSA_ERROR_NOT_SUPPORTED +derive_setup:PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):PSA_ERROR_INVALID_ARGUMENT PSA key derivation setup: bad algorithm depends_on:PSA_WANT_ALG_SHA_256 @@ -7041,7 +7041,7 @@ key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA PSA key agreement setup: ECDH, unknown KDF depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256 -key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_NOT_SUPPORTED +key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_INVALID_ARGUMENT PSA key agreement setup: bad key agreement algorithm depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256 -- cgit v1.1 From 1da06da398eb9c0d03a269ac546f7ea2f3f8c588 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:44:02 +0530 Subject: Add tests for derive_set_capacity for pbkdf and ecjpake_to_pms Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 61181f4..3ab07d9 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6324,6 +6324,32 @@ PSA key derivation: TLS 1.2 PSK-to-MS, request too much capacity depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_set_capacity:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):48U + 1U:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, request too much capacity +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +derive_set_capacity:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT + +# UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256) = 137438953440 +# This test case will work correctly on 64-bit machines +PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:UINT32_MAX * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE + 1:PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: TLS 1.2 PRF, request maximum capacity +depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_256 +derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):SIZE_MAX:PSA_SUCCESS + +PSA key derivation: PBKDF2-HMAC-SHA256, request maximum capacity +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS + +PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request maximum capacity +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:UINT32_MAX * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE:PSA_SUCCESS + PSA key derivation: over capacity 42: output 42+1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"ff":0:1:0 -- cgit v1.1 From d3ae165adb1b375828e0724632acbcb13adaf387 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:44:52 +0530 Subject: Add tests for derive_full for hkdf_extract, hkdf_expand and ecjpake_to_pms Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 3ab07d9..3d79e45 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6550,13 +6550,21 @@ PSA key derivation: HKDF SHA-256, read maximum capacity depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) -PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity minus 1 -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF -derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1 +PSA key derivation: HKDF-Extract SHA-256, read maximum capacity minus 1 +depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256 +derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1 -PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF -derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) +PSA key derivation: HKDF-Extract SHA-256, read maximum capacity +depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256 +derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256) + +PSA key derivation: HKDF-Expand SHA-256, read maximum capacity minus 1 +depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256 +derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1 + +PSA key derivation: HKDF-Expand SHA-256, read maximum capacity +depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256 +derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) PSA key derivation: TLS 1.2 PSK-to-MS, read maximum capacity minus 1 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS @@ -6566,6 +6574,10 @@ PSA key derivation: TLS 1.2 PSK-to-MS, read maximum capacity depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48 +PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, read maximum capacity +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +derive_full:PSA_ALG_TLS12_ECJPAKE_TO_PMS:"deadbeef":"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256) + PSA key derivation: HKDF SHA-256, exercise AES128-CTR depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR -- cgit v1.1 From 83455ebcc002d5604c7a492b84c1158a8b428f6f Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:50:51 +0530 Subject: disable pbkdf2_hmac set max capacity test Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 3d79e45..36f48f2 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6328,11 +6328,10 @@ PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, request too much capacity depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS derive_set_capacity:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT -# UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256) = 137438953440 # This test case will work correctly on 64-bit machines -PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity -depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT +#PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity +#depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +#erive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES -- cgit v1.1 From 911eafda316e3f1ba3ba43af143c06cbbec48c3d Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 1 Dec 2023 16:59:56 +0530 Subject: add bugfix changelog entry Signed-off-by: Kusumit Ghoderao --- ChangeLog.d/fix_kdf_correct_initial_capacity.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/fix_kdf_correct_initial_capacity.txt diff --git a/ChangeLog.d/fix_kdf_correct_initial_capacity.txt b/ChangeLog.d/fix_kdf_correct_initial_capacity.txt new file mode 100644 index 0000000..6eeffd7 --- /dev/null +++ b/ChangeLog.d/fix_kdf_correct_initial_capacity.txt @@ -0,0 +1,3 @@ +Bugfix + * Correct initial capacities for key derivation algorithms:TLS12_PRF, + TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC -- cgit v1.1 From d3f70d321a16a5e043a8d6341a830b516024d1f4 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Wed, 6 Dec 2023 16:20:04 +0530 Subject: fix unused variable warning and other fixes Signed-off-by: Kusumit Ghoderao --- ChangeLog.d/fix_kdf_correct_initial_capacity.txt | 3 --- ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt | 3 +++ library/psa_crypto.c | 11 ++++++++--- 3 files changed, 11 insertions(+), 6 deletions(-) delete mode 100644 ChangeLog.d/fix_kdf_correct_initial_capacity.txt create mode 100644 ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt diff --git a/ChangeLog.d/fix_kdf_correct_initial_capacity.txt b/ChangeLog.d/fix_kdf_correct_initial_capacity.txt deleted file mode 100644 index 6eeffd7..0000000 --- a/ChangeLog.d/fix_kdf_correct_initial_capacity.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Correct initial capacities for key derivation algorithms:TLS12_PRF, - TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC diff --git a/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt b/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt new file mode 100644 index 0000000..10e2795 --- /dev/null +++ b/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt @@ -0,0 +1,3 @@ +Bugfix + * Correct initial capacities for key derivation algorithms:TLS12_PRF, + TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a116bef..672a97d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6076,9 +6076,10 @@ static psa_status_t psa_key_derivation_set_maximum_capacity( #if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { #if (SIZE_MAX > UINT32_MAX) - operation->capacity = UINT32_MAX * PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, - 128U, - PSA_ALG_CMAC); + operation->capacity = UINT32_MAX * (size_t)PSA_MAC_LENGTH( + PSA_KEY_TYPE_AES, + 128U, + PSA_ALG_CMAC); #else operation->capacity = SIZE_MAX; #endif @@ -6090,6 +6091,9 @@ static psa_status_t psa_key_derivation_set_maximum_capacity( * invalid or meaningless but it does not affect this function */ psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg); size_t hash_size = PSA_HASH_LENGTH(hash_alg); + if (hash_size == 0) { + return PSA_ERROR_NOT_SUPPORTED; + } /* Make sure that hash_alg is a supported hash algorithm. Otherwise * we might fail later, which is somewhat unfriendly and potentially @@ -6138,6 +6142,7 @@ static psa_status_t psa_key_derivation_set_maximum_capacity( } else #endif /* PSA_WANT_ALG_PBKDF2_HMAC */ { + (void) hash_size; status = PSA_ERROR_NOT_SUPPORTED; } return status; -- cgit v1.1 From f4351c1a619859fe7215c9a5e7efd6dbfe6a1b18 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Wed, 6 Dec 2023 16:20:47 +0530 Subject: correct test data Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 36f48f2..71f5b8e 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -5185,7 +5185,7 @@ derive_setup:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_INVALID_ARGUMENT PSA key derivation setup: algorithm from bad hash depends_on:PSA_WANT_ALG_SHA_256 -derive_setup:PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):PSA_ERROR_INVALID_ARGUMENT +derive_setup:PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):PSA_ERROR_NOT_SUPPORTED PSA key derivation setup: bad algorithm depends_on:PSA_WANT_ALG_SHA_256 @@ -6329,25 +6329,28 @@ depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS derive_set_capacity:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT # This test case will work correctly on 64-bit machines -#PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity -#depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -#erive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT +# This test case will work correctly on 64-bit machines PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES -derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:UINT32_MAX * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE + 1:PSA_ERROR_INVALID_ARGUMENT +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE + 1:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: TLS 1.2 PRF, request maximum capacity depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_256 derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):SIZE_MAX:PSA_SUCCESS +# This test case will work correctly on 64-bit machines PSA key derivation: PBKDF2-HMAC-SHA256, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):UINT32_MAX * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS +# This test case will work correctly on 64-bit machines PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES -derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:UINT32_MAX * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE:PSA_SUCCESS +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE:PSA_SUCCESS PSA key derivation: over capacity 42: output 42+1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 @@ -7078,7 +7081,7 @@ key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA PSA key agreement setup: ECDH, unknown KDF depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256 -key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_INVALID_ARGUMENT +key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(0)):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_ERROR_NOT_SUPPORTED PSA key agreement setup: bad key agreement algorithm depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256 -- cgit v1.1 From 7d4db631cf7396e71473e690b9bd24d9aee4ff4b Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Thu, 7 Dec 2023 16:17:46 +0530 Subject: add depends on for capacity tests and fix code style Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 2 +- tests/suites/test_suite_psa_crypto.data | 20 ++++++++------------ 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 672a97d..8e6a758 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6076,7 +6076,7 @@ static psa_status_t psa_key_derivation_set_maximum_capacity( #if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { #if (SIZE_MAX > UINT32_MAX) - operation->capacity = UINT32_MAX * (size_t)PSA_MAC_LENGTH( + operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH( PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC); diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 71f5b8e..7f9fa3c 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6328,28 +6328,24 @@ PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, request too much capacity depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS derive_set_capacity:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT -# This test case will work correctly on 64-bit machines -PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity -depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT +#PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity +#depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff +#derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT -# This test case will work correctly on 64-bit machines -PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity -depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES -derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE + 1:PSA_ERROR_INVALID_ARGUMENT +#PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity +#depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff +#derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE + 1:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: TLS 1.2 PRF, request maximum capacity depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_256 derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):SIZE_MAX:PSA_SUCCESS -# This test case will work correctly on 64-bit machines PSA key derivation: PBKDF2-HMAC-SHA256, request maximum capacity -depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS -# This test case will work correctly on 64-bit machines PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request maximum capacity -depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE:PSA_SUCCESS PSA key derivation: over capacity 42: output 42+1 -- cgit v1.1 From 179f33a1ea356f5bec04896efbdda8a6d5c8f2f5 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Wed, 10 Jan 2024 21:48:38 +0530 Subject: add test cases with different hash algs Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 85 ++++++++++++++++++++++++++------- 1 file changed, 68 insertions(+), 17 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 7f9fa3c..bc35d32 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -5452,19 +5452,19 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY derive_input:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE PSA key derivation: TLS12_ECJPAKE_TO_PMS, good input, output too short -depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256 derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_SUCCESS:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: TLS12_ECJPAKE_TO_PMS, input[0]=0x02 -depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256 derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"02aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE PSA key derivation: TLS12_ECJPAKE_TO_PMS, input too short -depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256 derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE PSA key derivation: TLS12_ECJPAKE_TO_PMS, input too long -depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256 derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE PSA key derivation: PBKDF2-HMAC-SHA256, good case, direct output @@ -6320,33 +6320,52 @@ PSA key derivation: HKDF-Expand SHA-1, request too much capacity depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1 derive_set_capacity:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):255 * PSA_HASH_LENGTH(PSA_ALG_SHA_1) + 1:PSA_ERROR_INVALID_ARGUMENT -PSA key derivation: TLS 1.2 PSK-to-MS, request too much capacity +# TLS 1.2 PRF does not have a maximum capacity therefore +# derive_set_capacity negative test case is not added + +PSA key derivation: TLS 1.2 PSK-to-MS SHA-256, request too much capacity depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_set_capacity:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):48U + 1U:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, request too much capacity +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_ALG_TLS12_PSK_TO_MS +derive_set_capacity:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):48U + 1U:PSA_ERROR_INVALID_ARGUMENT + PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, request too much capacity -depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256 derive_set_capacity:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT -#PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity -#depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff -#derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: PBKDF2-HMAC-SHA512, request too much capacity +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_512:SIZE_MAX>=0xffffffffffffffff +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_512) + 1:PSA_ERROR_INVALID_ARGUMENT -#PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity -#depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff -#derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE + 1:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * 16 + 1:PSA_ERROR_INVALID_ARGUMENT -PSA key derivation: TLS 1.2 PRF, request maximum capacity +PSA key derivation: TLS 1.2 PRF SHA-256, request maximum capacity depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_256 derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):SIZE_MAX:PSA_SUCCESS +PSA key derivation: TLS 1.2 PRF SHA-384, request maximum capacity +depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_384 +derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):SIZE_MAX:PSA_SUCCESS + PSA key derivation: PBKDF2-HMAC-SHA256, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS +PSA key derivation: PBKDF2-HMAC-SHA512, request maximum capacity +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_512:SIZE_MAX>=0xffffffffffffffff +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_512):PSA_SUCCESS + PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE:PSA_SUCCESS +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * 16:PSA_SUCCESS PSA key derivation: over capacity 42: output 42+1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 @@ -6544,36 +6563,68 @@ PSA key derivation: HKDF SHA-256, read maximum capacity minus 1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1 +PSA key derivation: HKDF SHA-512, read maximum capacity minus 1 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_512 +derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512) - 1 + PSA key derivation: HKDF SHA-256, read maximum capacity depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) +PSA key derivation: HKDF SHA-512, read maximum capacity +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_512 +derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512) + PSA key derivation: HKDF-Extract SHA-256, read maximum capacity minus 1 depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1 +PSA key derivation: HKDF-Extract SHA-512, read maximum capacity minus 1 +depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_512 +derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_512) - 1 + PSA key derivation: HKDF-Extract SHA-256, read maximum capacity depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256) +PSA key derivation: HKDF-Extract SHA-512, read maximum capacity +depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_512 +derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_512) + PSA key derivation: HKDF-Expand SHA-256, read maximum capacity minus 1 depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1 +PSA key derivation: HKDF-Expand SHA-512, read maximum capacity minus 1 +depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_512 +derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512) - 1 + PSA key derivation: HKDF-Expand SHA-256, read maximum capacity depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) -PSA key derivation: TLS 1.2 PSK-to-MS, read maximum capacity minus 1 +PSA key derivation: HKDF-Expand SHA-512, read maximum capacity +depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_512 +derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512) + +PSA key derivation: TLS 1.2 PSK-to-MS SHA-256, read maximum capacity minus 1 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":47 -PSA key derivation: TLS 1.2 PSK-to-MS, read maximum capacity +PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, read maximum capacity minus 1 +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":47 + +PSA key derivation: TLS 1.2 PSK-to-MS SHA-256, read maximum capacity depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48 +PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, read maximum capacity +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48 + PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, read maximum capacity -depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_TLS12_ECJPAKE_TO_PMS:"deadbeef":"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256) PSA key derivation: HKDF SHA-256, exercise AES128-CTR -- cgit v1.1 From a7c55d5a1484db6eb502712e5171043a1e395a75 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Thu, 11 Jan 2024 00:43:48 +0530 Subject: fix depends on condition Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index bc35d32..660b73d 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6361,7 +6361,7 @@ derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH PSA key derivation: PBKDF2-HMAC-SHA512, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_512:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_512):PSA_SUCCESS +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_512):PSA_SUCCESS PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff @@ -6612,7 +6612,7 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":47 PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, read maximum capacity minus 1 -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":47 PSA key derivation: TLS 1.2 PSK-to-MS SHA-256, read maximum capacity @@ -6620,7 +6620,7 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48 PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, read maximum capacity -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_ALG_TLS12_PSK_TO_MS derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48 PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, read maximum capacity -- cgit v1.1 From 4cfd6a6bc6ca35f8debc069c2a1ff026756c303b Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 10 Jan 2024 19:15:45 +0000 Subject: Fix dependencies in pkcs5 aes-128-cbc tests These tests do not specify a hash function. This is an optional parameter with default value hmacWithSHA1, so these test cases are dependant on SHA-1 and not SHA-256 Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkcs5.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 3bd6b49..453ee23 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -143,7 +143,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIP pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" PBES2 Encrypt AES-128-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e" PBES2 Encrypt AES-192-CBC (OK) @@ -155,7 +155,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_ pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" PBES2 Decrypt AES-128-CBC (OK) -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt AES-192-CBC (OK) -- cgit v1.1 From ae0b4bd04c10df2ca397844359c5a93f1c65e327 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 10 Jan 2024 19:19:10 +0000 Subject: Add more details to comments Signed-off-by: Ryan Everett --- include/mbedtls/oid.h | 4 +++- tests/suites/test_suite_pkcs5.data | 12 ++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 3a7f740..de8e454 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -300,7 +300,9 @@ #define MBEDTLS_OID_HMAC_RIPEMD160 MBEDTLS_OID_INTERNET "\x05\x05\x08\x01\x04" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) iso-identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) ipsec(8) isakmpOakley(1) hmacRIPEMD160(4)} */ /* - * Encryption algorithms + * Encryption algorithms, + * the following standardized object identifiers are specified at + * https://datatracker.ietf.org/doc/html/rfc8018#appendix-C. */ #define MBEDTLS_OID_DES_CBC MBEDTLS_OID_ISO_IDENTIFIED_ORG \ MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */ diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 453ee23..790a31b 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -142,27 +142,27 @@ PBES2 Decrypt (Invalid padding & PKCS7 padding enabled) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" -PBES2 Encrypt AES-128-CBC (OK) +PBES2 Encrypt AES-128-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e" -PBES2 Encrypt AES-192-CBC (OK) +PBES2 Encrypt AES-192-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94" -PBES2 Encrypt AES-256-CBC (OK) +PBES2 Encrypt AES-256-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" -PBES2 Decrypt AES-128-CBC (OK) +PBES2 Decrypt AES-128-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" -PBES2 Decrypt AES-192-CBC (OK) +PBES2 Decrypt AES-192-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" -PBES2 Decrypt AES-256-CBC (OK) +PBES2 Decrypt AES-256-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" -- cgit v1.1 From 1f935f50270f759c4223ef08dffb1f09312c516e Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 10 Jan 2024 19:26:19 +0000 Subject: Add AES tests to test_suite_pkparse Test data generated using openssl: openssl genpkey -algorithm rsa -out $OUT -$ALG Signed-off-by: Ryan Everett --- .../rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem | 30 ++++++++++++++++++++++ .../rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem | 30 ++++++++++++++++++++++ .../rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem | 30 ++++++++++++++++++++++ tests/suites/test_suite_pkparse.data | 12 +++++++++ 4 files changed, 102 insertions(+) create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem new file mode 100644 index 0000000..276c613 --- /dev/null +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIV3y5ahakUYYCAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBCcu2VAdIWUQawcrlhFDgV+BIIE +0JMB3FUnHGs5otXZJvxOkiIrliuQiDjy8AuctQdVNhArYeTfTxW6wZZxacDOAJT/ +JvxbpKRANBSCp+TOf5jMAHl11L8Pr7Z22HumPjJXyuTwntG/lYpWzHKLo+V2GGFo +8E5Q0uya0A+4sL80JQMKa6G4BZGdnOwD1krUPxrxsNXVRbsHcsewUc1nKshPlj0X +1A4Fe6IqgichLPODluJcJo6tWCrhKdDxyDzCdZ0ZiJpUgH7SPo3XZ6GO68nlSKz6 +vwChjrkUsmgDbeGr8yFP4kuaagRngMovGQXcYyNBDWZQYKM7uMqz6zuh4VJuvAJk +h/d8WDkFz6fJAEpqYYDBqVj5vGH3Xq0e4LzErJ0s8jQuOy66noiQIXF5U9V6sLvk +irbIyEVcBUWUIs2QCgEVbKRTNAzo3+V690etqVYx5mW8m3CenJ4TrrtsQJwOZlF5 +tz6a+RNjj5EZKRx5WoOQ/ZyQK77+dg4lO0MbaUptBawsLifCQANmJ7hOIl/aG8ae +8ZnBUFYR4Cmomkcb/OjabGv5iyizZ3esf5kfmhvaRDQN+V7Vx7Dy6lzzpJ3vhxoo ++VRCFAVIS+XPvGLynUvawHiSWlzYFKeX6t9ZriIDomVxZE/+zFbw6iQmE4pM6jS7 +mgwuVeKFeD0zVOI3I3pXN0NBZYZgkO3gdly6QbmETxkZB2ccv+Bqe/DdAi4Zq/JO +prW8x4o5wogfn5heVGB++Kh8l9jXxqqh8f8txNwfR0oli/TQdT78FgXcaWbQh+e+ +vFtIAIHlGK+u+FGPJm4DuyW5LY+lYE0aJMD9Bre8yWVy3aF4IZ9KQz4gxObQS/mu +CXHqPCiuwnjaiGFwf6IuTvX3hD+9j9XvGKZn8Y7U42iwzKdYD6qRAXn4+v1G9KIV +cPB1XBCpnEk8E+whjaht5EnAk2I/vesT3akfemgRxEegKS1Ziu/bwTId5mFLx3oV +ql0Nb8dAlIkpDTwxGK7FgRhUwutml6HvvYKtG10OqvrFV026pyQnkVMBGCUMRKvO +ddNAKOr8Mz0qrme0osCxVBdLxnVjvIwsiPBsX2INV86xW7DUe50u+mbCxu4eXCsA +zIJps5WP+ol4z04oZEUp9DEFxILO65MBmWd8y43UqRaaAOXYU+IZ5Tyx0wPcSAbb +iLMFwZ5uA3rIXSvzesgdiX5oJOY1+Y4hpBB6148u2YmKQsNLC0FLodEdXrrDacS4 +jJbc/Zlw2Q2u+YXBzec9hLGsA63qGybc8gmrYYoutwv4fYwSFx8N5AiENFYughBv +EyYXx/gjsSUJOZpI7VDcTS5YiqxRy8VBGXM/ewcvsNxjLTiyQz2Dv8PvGdCzJHbE +CelmFM+RKa/NzkIv/SwM5hXKCO8wpXT5HApXiTxCjonX/f4Uqu0JxiHYqvV7ih3p +k+9kE2eo3GzXWPG4DvcKpDd8pz0aAV02+AGZatRceg0wpOVzo+EC7c8V0SU4De9V +gLyYzY53HLbeqhPm3Yb0yt6fIBfcRxLi7A86K9c2+Na4BFLJPvf7pMQLmLlcdp1M +wKQhQw8DFxxstrup98H29r2n+XzPukhZawQfTEJwfx8y1Kp1UvJOeg/wL1PayyNv +0CQRRMZ0UEb3o6GjSyb3j98oGNe1LAvoykqc8QsBlP6f +-----END ENCRYPTED PRIVATE KEY----- \ No newline at end of file diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem new file mode 100644 index 0000000..06bcd28 --- /dev/null +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIw3sKoAeJu8kCAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEWBBB/MRVI6fUEUiqwEb+tcClNBIIE +0JH3R2rIt9cTB0FcsWjoHKFtVy1DTtHZUwk5FlHXm00ngB46gIDzAbTdow6WpspV +H3wJgwU//AAE4bwuZ/AcQlRz2M+OuO3GT47EhjKvXiS3OjrIvkXp24LCS3lSbFV+ +dGc6A2CXlSHF9c/umrKlRtVpSXsnBlVhggVyI/1RidBmCeF2i2205bt/Z2mjODo3 +SlSZjZ8GeFOnm/0zSBxgltbemgfsNMo1QOFRTXblzRE9Ldc5DCPgyCNDHOVUugO3 +lrf9Wyak2oiUtCG5cApaeDTedQv61YK+Zt/ptJmXps/N0nskb3X40ngs+buDuAVP +7uUTxP8ZkvQdVcWD/FNweAPssAGxDcWhacVxeuXdDb+ktjZuHnYJ06lC5nTdJAi3 +zRuvXpYNPQNBfU2MwYV4P4g67ltqdtfZcOiqMIqtb0rWu+dfS0cVPUZHBhHATFbA +Tvo0GtUKuhLzGP4Zr6RSJVlxkjbNtfrE3lS1b5HwaE04F6iagRdH1b6f00FfFXAr +oTFz4/ykkY9q7w3yTLfX/8B5EUbcXLzJBZrAWA1RmsV6aiAvgh94587QprRrL6dD +gcCTjLeVIFw4QNQvzkroErWQbEsZ33cAFB/qJDSEd1FgEMh4LsbHwGP8M/iQNaV1 +WWgh43j3XjwAC2f17okd/+1WxhwpugEJ8EeSfY3oONtyE8sAXRhPLpR1eouRqTmY +5032TNhf9hzNIvJ1eYwehCZfZkvuqJxGe6rXbV579qSThzUpfz6BYylS+xcf6nJP +JniG1RodX/AkkicmKja4fNcp7JDDsmBPU9pLOfr8SodUlimGEQ8PGNNYIrOjKbHe +BICi0ZDSxgt+pPUfjeF9VIcYHF7vUj15ovbd7uJSshmEIIxdX2YDzOjoJHYevsyZ +uZm2ONA90R9szgJMWP2ChKXaNF0UySaG3hueWDRa7GJMPRjpCvcwhAw29YHSvNOq +MbQmyyjFDAk07BFXvXSahSXODe0HPVTbyT8eP2SO7VMPuOWdxH9+adOl8KPCx0L7 +kwiPgnRhAGaevOZs8M80EEOC6JLR9hM9LVCHWnXD41NvGgCSmu8SwzKzKB3KBVas +aSb8XW7IuNFZh2o6FfmDKUp0uXoifWVWe96ertJrHckRbTd4ZpjK2bWChh3WxE9s +0EYG8PAu/NSW7ARPgXZ43f/nYieSQd01zty8Vj4io2gVpQDm0YtZrv/a+gW3HSQj +mBmdDOsQmpP9gfCnOJOILlE/+ouVYiGeSMFbKc1tde1FBtwt0RGQVM7KoRb7itNe +AntBerIDERzq83iXvalzYdB2qw9yzZwvf5hGvNn+rDCD3aZTrr6if9QrrVeDYcTd +TTOVeQx2RgtXv4xdiV4epS8e7xOgLZphC52E4WTRoBz1qEJRHGj1HX8REJ7Q47HK +cZr5IZdLuIulvPPWcY/KLw437h7njAMM2rT0HqL5yZA5Bcnpj/SCQGRHew7OacSK +p1WKw2C/R6MTGDFplefr/f3NUT4quWybfHQG3L3zqjSbKBS0pVPlA4SPwhSgev3P +v+sShYuWwLTiVfzep/nBRcz2W3CHtHI2oahjEI9Vm/7WSdjxl7tSrHlsy7JbVuOA +3PF6QbG2JWgnyfmmgtK86iTchMlxBgWe5S5lz6kZNUXN +-----END ENCRYPTED PRIVATE KEY----- \ No newline at end of file diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem new file mode 100644 index 0000000..eb2ee14 --- /dev/null +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIcVlPn8HF5kcCAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBA6UHwbVfKyYQwiCmyTPE/QBIIE +0Na0hdMyQvJvRUKDvR9Gds0VrwRjHq+WBCDcHfJJRS5RiSCWnOCifZHA/zYoYZ4j +rHnuzmheOuGZWjUkdZQ8kVKFGGCKQjHKHTlfDhVv/SQzwYYWVRyaubDC2SKYORKf +zCFzLjr8RCwBo0ubh9q+QvPrmvy/jZYHYruU7vGseS4vKnWwnXey0ii8L2qD71Fo +uH6WAMRc6xHzm1W2WSnFZvZFLwCmGg/LlHc34TdCgXyX8dhJsIAwlwuCStFWs194 +A5h5ZrLiDdpGCThn47H0jx8kzVcoY+dwuJXgNfzAbzDgbRyzCpQx7Fulzf36iyPO +fq1OrF0+DUSrEv1GJTXT4/1xlpaZgR2RT7in7jCSE7XyATBLRrL9nKAQCmLAARnb +ITLWUPMmxJJDLLn9faBt7ZpyRzLRqGMT6nRNBouAg8DWqqcRvBLfi3TxoQ/KS2BJ +HMtyTfSQpghAsUUqraquSfyLoA1+b47gO+H/grQIMMnfThGiUx9MLOGFAvQ3Um8R +aoTm8X8RuAH3BALA0m9isRww/yA/dw/03jtByDYMeQ/NAHAgL1proXqsojHIYN5v +6vesHcATHGiFnPY0kqKVyIN1G8n5Gji5P875GPq00WN2kPMLiBG9woq9yZ+l5HYu +ofpdtpQRgJJSmEBJgpvwxoJKTUa9mYN29klYiv97AwWj2D2VsJvjG+IlfVybUB26 +mkenc3Hve2V2JueYh8Oijl1j+plc61tYJ0WQloZHQWHSqCJkXEMqUX6DZZyxREix +8kUuWabSkxSq1uRxf7iG442oaer5mhktpbEMWyA22mJLfXBwNaULqlhZGdeqKz4N +zwE0vg1rug1ooLX/s85n6h0FMD+ANbbNU18hQaxmjiCETPp0txAVWpaGAQZsYkW2 +ff+Aj5Mer/qB/K/TBh+7c5PkwcpTTCF/HQ2XF3B30lsBhFmsbXBkvxThhgZkGHfO +EQrxsgc9pwQrM3WT70ZI3uMrN5DfK7Dp+AVwIIBlEeai6FEMpZkg/4tPYK4GkwWP +ZEzSBoUETO9up3NwKuYWS3VOAmsOO8qRXw9bynV2WxMZ8NTWDmSKX+MqYz28ejjK +/5EYX3uW1NVjz608QbzT3XxNtX9B/FTPT9OlK8IxeiOjfDG2fqe3k7bYBZGVC2/M +aCaVPTND8xHsodxIoYbEbF29YSV/FLtw1eQ3LpwDN5OCzXpiZ65A4PxnB3iPHoNl +8o76h2dcksN+NKsdjnRH95b9V8CVlc8QwLBSCWk5bkfTXLeSkDM14jpJ0+BCuAyD +bdCo+R32ItDlke/L6d+CtVbyhDJigdl9w9XKBJ3f9XKw6Q4RnuCNQf3fqo1h+vVs +Ia4Mau6XSKyyZtEH5F0mO0iwpYBxPz6S9u36WnI6ot2Ep8AlfjBTRbH0g/luPjaz +9Jiah0i9p79L3wMNJHfqkdkUvJyLKu0rTy23L0sw3Eg9rx2TErrlIWugoAi0peia +36sC82X78xIzOCq1XwaIojnyB0fqxJDn93BI9dKhnBzWP54oY/ckq+ixb1oBQ0Kx +sLWcOwbT/yprpo36ZMy1DcxjjVyEfRmzwJJ65qFk48XJ4JIswdmaFfYbZ8yQyRiy +coJGwITg1bspV4krBAspArmqN3D4LviHXojUMxD6Sx8R +-----END ENCRYPTED PRIVATE KEY----- \ No newline at end of file diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index f82dcb5..67723c9 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -890,6 +890,18 @@ Parse RSA Key #99.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +Parse RSA Key #99.3 (Generated with OpenSSL, PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA256, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem":"PolarSSLTest":0 + +Parse RSA Key #99.4 (Generated with OpenSSL, PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA256, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem":"PolarSSLTest":0 + +Parse RSA Key #99.5 (Generated with OpenSSL, PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA256, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem":"PolarSSLTest":0 + Parse Public RSA Key #1 (PKCS#8 wrapped) depends_on:MBEDTLS_PEM_PARSE_C pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.pem":0 -- cgit v1.1 From d00a138075dd2032faeabb6a40b8196053b97a89 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 11 Jan 2024 17:23:15 +0000 Subject: Change test data for pkparse aes Test data generated using openSSL with: openssl pkcs8 -topk8 -v2 $ENC -v2prf hmacWithSHA384 -inform PEM -in $IN -outform PEM -out $OUT -passout "pass:PolarSSLTest" Signed-off-by: Ryan Everett --- tests/data_files/Makefile | 24 +++++++++ .../rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem | 56 ++++++++++----------- .../rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem | 30 ----------- ...sa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der | Bin 0 -> 1329 bytes ...sa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem | 30 +++++++++++ .../rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem | 30 ----------- ...sa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der | Bin 0 -> 1329 bytes ...sa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem | 30 +++++++++++ .../rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem | 30 ----------- ...sa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der | Bin 0 -> 1329 bytes ...sa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem | 30 +++++++++++ tests/suites/test_suite_pkparse.data | 30 +++++++---- 12 files changed, 163 insertions(+), 127 deletions(-) delete mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem delete mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem delete mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der create mode 100644 tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 21ca489..cb4a683 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1045,6 +1045,30 @@ rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem: rsa_pkcs1_2048_clear.pem all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem keys_rsa_enc_pkcs8_v2_2048_3des_sha384: rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem +rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der: rsa_pkcs1_2048_clear.pem + $(OPENSSL) pkcs8 -topk8 -v2 aes-128-cbc -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" +all_final += rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der +rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem: rsa_pkcs1_2048_clear.pem + $(OPENSSL) pkcs8 -topk8 -v2 aes-128-cbc -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" +all_final += rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem +keys_rsa_enc_pkcs8_v2_2048_aes128cbc_sha384: rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem + +rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der: rsa_pkcs1_2048_clear.pem + $(OPENSSL) pkcs8 -topk8 -v2 aes-192-cbc -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" +all_final += rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der +rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem: rsa_pkcs1_2048_clear.pem + $(OPENSSL) pkcs8 -topk8 -v2 aes-192-cbc -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" +all_final += rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem +keys_rsa_enc_pkcs8_v2_2048_aes192cbc_sha384: rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem + +rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der: rsa_pkcs1_2048_clear.pem + $(OPENSSL) pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" +all_final += rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der +rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem: rsa_pkcs1_2048_clear.pem + $(OPENSSL) pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" +all_final += rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem +keys_rsa_enc_pkcs8_v2_2048_aes256cbc_sha384: rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem + rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der: rsa_pkcs1_2048_clear.pem $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem index 0d1b587..f917af2 100644 --- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem @@ -1,30 +1,30 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIYFcs8Uhn2poCAggA -MAwGCCqGSIb3DQIKBQAwFAYIKoZIhvcNAwcECKCBLl+C+3nCBIIEyEnIPlXdh1e3 -+cnyhX7dCRzR/NsygcRBJUPdwRUMAaOo/t+oZxFmHnblchxQ+pFoHrI9GVwg8uID -meEHlzSSKt8kOTvJ3C148jRFJy61YH6k5GEN+z5ihS9uTszaXRUlEsGfP1/SzWY9 -ME+pX+0kwJ4az87mYKyNUwK4U5d65Ic30pvRJc4unvFtRz6wtwqU+EV283pXHfyc -VNgQFjb1IPHEz/PSuE9p94mQvdIbVmuK2dRiMag/HcABvVhxzLldKyEHHhrHR0pa -gc41+3HVjz0b6RPE24zNrxA9bU+1URGwlkIlh7Jpc/ZuYRj6LQ33xUdYZcMZw0b4 -pSFJcUgX+GUXLyWLqhIxxc+GIeL2Vt5G0ea5KEqxOvSj2bJV2/JA0KtmrcIjX5Kz -d/9bAvxatcqIikVNVkQpUc1glKiIBfVrmyJ4XUlX9i5F3cgl18zrYUI4zPSBn8o5 -yxSfCuIMx+3zS4BiyugGNOclIbpLMjQuMrXxrt7S+QlXfdbXvyNfxa3qfqf7/P2k -ykxl0z1bjvkck6XoFGXdb13isUEtY2NjujZKZe55BLGqr7FsIIQSTAHilwMpK+CV -fA1EL4ck1+7FV+l8fJ0nN1Li1xOnDeAFuO2m91uibNMYPvRSoX9c+HQKXCdGfiuk -5tfNaq8bbXeIJ/P8wTjMZqI2l6HZRuXvvmRHN2zZ4BSsT3+61xtvSTISEimDSm5T -hYY583LG5lpFoOC0Y4EUw/ltmQpKW7AGkLg7SyC9oKvoeWM4c2t8HrL3iKPXtkwd -A/iEfZTxzmR57u+ZMlbws0evPiZQml8voJnuT6qwbos7g7V/Pc3Rj+b84JZcI2Jz -D89/VudIHfFDTXC/gcSRG4bd0glILJHT9FOCAlX5TEuRyeWasoVOV+m3Pi8vQM1u -tCsjE9UdoIdhoI5j94VhzHApdD4fePcQW9DysYa2R10gWIZKUvhUHH3FWLR2X2gK -Wiz5YkhEGXBRtDHd4cx8EM1bJMKwFyYXjXTPGfGlGiPt8b9u4F++IlsKcgGgPIvh -2rIm4jHuN3LRRlFkJ5B0kuOOxZ6GBfxasS+Ix4DZoIfqZsGNI5Wu2ikGZOKxX7Ij -G9RvcdpVV8C2Y+M9qI2+x93WAtQ+NRJo4/+gJ0O9bVUhjjAmIHu2bMtbvr9aPJhd -OpB9VQxB3c5mEXkNOV52oOGnIGVjbJMb4e3/MRpWtTFVcX6r200Gn6Hn3MnWZXdd -H7pOpAowTcTlFcbJ0WWjfZygj5HKKUOFzPYNnXKizjzQhF6yK0mphKFY+8tpFQqB -mV/1HlWJTSsAmh/FN21B2qq+KRiwMdpzKIEKC47mK+dzzo1mrTqmExvbiaLG8upr -KMb/lEnSCasiZKTh71J3+5vUE+Nw73rYNZcdh7fj+GBK9KJ3hdKwYc/9yyQx1Lua -4aXnUM6vQAsV+OLYNQE8vXMRtuftbPbV9sqiBLPIc/0P2EJ9mbEye8FM+koHUCKo -xtJe5SK36DMwAas6tjimouVgWTcAdbq9r8jQlCJ1WxXPUcCJdv6pFQUGKQ+34TMK -uWOhErUNRdqel9DthU5ig5dZs2DqlzbRzWYosZc1B6Q4/nua2JiBi8IeqtPILr2a -JYJ9DNzxn07lcFHiVgrJuA== +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI11AY9mDsg8QCAggA +MAwGCCqGSIb3DQIKBQAwFAYIKoZIhvcNAwcECDzvZWW4smTrBIIEyG/U2B5LazZZ +rzLUN7V38xI1ZR6rcBJreOk0QmVOSk9QMh+Kq+LmFwnY2NY+xikAfRJKWUsjk+h4 +DzCWn+nsrvU2wK582XThWYwJ79BIwkweUWV9l1Nfw0vyx/FkcTHE+eGPdABBL4BO +o4uajZso7tYY2+jyPobqSn18j2TInKbHR7lB5l6OAX9FsV0pGKYBgKxa9LTj7ufD +70G5WLHJAfnTX/6+wWktDOMMCPTXij3qA0fyu835shMUWQ+KUx0Dyp2A6qeprV1Z +nklRzevWsA4pbNMe+GG3WrRj52YRVuwDJjgTeq5rIfyoyLGv0ZUZsa/KEP/oToe9 +CmFPHWA2RDpK4zD8lscsjsOj+B0UREcSw9CdL91rFZkr++PuI3A1/T+3M8DkjLiB +CvSVziZLyZaqUVd0UdXrHyGeFxIMAx8xfYGiLi/EEay2zEScGbQ2kU+N1Vpuyu39 +PoEmqNOchoEkLeMVTYTQDfK3LgYQXpvdLCQQG76AqRIbuY+ZfYYw8eWyJhm78Qwx +fAenH4i5AjgJcV/5xiLpj+1trdefaCSp0Z8XY7ng/xyNCOOdSbBOPl4JnD6snYaT +06dtpowP7gcN3bZQo/r2XsH8F1VPvjG2wZ38R7aHlF8vjCZ1gUtCuraoM9AAdVoW +zWiptA4Lc5CAp+kDa2Nf5gyL0lvN/IbWYE23/OMTECmwG+O/HNtvltmdmYB8Ze6A +pdlkftjf/NvFsHloJS76SreR0tpWM8rGnSqQdecWLutgWP7HiK6C77UYv3b71SVj +ga5uv2l67UAj9EPTizZvLJjn0ubylfCW4eaPkEJBaYW4uG/3BcWzpLRnGyq6csMC +/tly2Y1L9dBqyZMIMW/ZFm8/64K8IRaSu/8mMGxjQ7VHeU6JSDk3G4by8jdYjLA2 +Y3tWYaelX8oE02jrwv47PPFWft/P+3Gjwo8lFq0zQTAk2C1vHs44jLzsOxfizo6s +mzmGh54JFsdE1tlYoa515Id2I27vjCvK6XbbgguinHaIsRgaRnCyyqEjO22z2zP3 +RpJD7FdugvZDepLfII1H8+JlbyBEd2zByMIPehIeM/HWWN0ukAgIz6yardrCYiuU +hXTqTz6bzaZMRJauPt/gpSvAx8kTKr9nXH2VRiToUs3ABjT9DN1/mQ1RlA0NmK1i +qfsMRXWzckaKgmJ8fglxEY7UR6fOqt3325yVQ/x49AKBxBDO9wmfpHEO3aQY7+H5 +hP/5tuc81226VFbyTERtTaEb/I+7iiImcWtVW4bB/1DgCu1NTlay6XaHOoclxcEE +N+d/3wDjSrsUhAKcK42wNPa74eSZy9ElJ+33xC56tqxhvo6YdG7VFu3S8qnhaXf1 +ijcRCw7vr2ShGMAhnloz4T+IX3ZGrzkVSXQG+rpaFag0b1QxeS6w/V7F8u+wljnq +1BzIfEjnE3lpR1eiZ8Ygu/n4kb7n5gHZqd1C8QiFZOGczX3uKFbH3/HOS20A+/6R +3rkjCQ+Uyxl3+wVdyOSpUCqtLfJBx69CM/6lDBPrliQ6DE94xKFrNEogG3IE36rW +oSCJcveg3cdbrHSqc+3m36FbQl2YKy8hgBwhrym2xHZ/ZS+acUQsN/V3VvEym3N6 +QXFLn3yqnmpr1g+yqXfQwA== -----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem deleted file mode 100644 index 276c613..0000000 --- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIV3y5ahakUYYCAggA -MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBCcu2VAdIWUQawcrlhFDgV+BIIE -0JMB3FUnHGs5otXZJvxOkiIrliuQiDjy8AuctQdVNhArYeTfTxW6wZZxacDOAJT/ -JvxbpKRANBSCp+TOf5jMAHl11L8Pr7Z22HumPjJXyuTwntG/lYpWzHKLo+V2GGFo -8E5Q0uya0A+4sL80JQMKa6G4BZGdnOwD1krUPxrxsNXVRbsHcsewUc1nKshPlj0X -1A4Fe6IqgichLPODluJcJo6tWCrhKdDxyDzCdZ0ZiJpUgH7SPo3XZ6GO68nlSKz6 -vwChjrkUsmgDbeGr8yFP4kuaagRngMovGQXcYyNBDWZQYKM7uMqz6zuh4VJuvAJk -h/d8WDkFz6fJAEpqYYDBqVj5vGH3Xq0e4LzErJ0s8jQuOy66noiQIXF5U9V6sLvk -irbIyEVcBUWUIs2QCgEVbKRTNAzo3+V690etqVYx5mW8m3CenJ4TrrtsQJwOZlF5 -tz6a+RNjj5EZKRx5WoOQ/ZyQK77+dg4lO0MbaUptBawsLifCQANmJ7hOIl/aG8ae -8ZnBUFYR4Cmomkcb/OjabGv5iyizZ3esf5kfmhvaRDQN+V7Vx7Dy6lzzpJ3vhxoo -+VRCFAVIS+XPvGLynUvawHiSWlzYFKeX6t9ZriIDomVxZE/+zFbw6iQmE4pM6jS7 -mgwuVeKFeD0zVOI3I3pXN0NBZYZgkO3gdly6QbmETxkZB2ccv+Bqe/DdAi4Zq/JO -prW8x4o5wogfn5heVGB++Kh8l9jXxqqh8f8txNwfR0oli/TQdT78FgXcaWbQh+e+ -vFtIAIHlGK+u+FGPJm4DuyW5LY+lYE0aJMD9Bre8yWVy3aF4IZ9KQz4gxObQS/mu -CXHqPCiuwnjaiGFwf6IuTvX3hD+9j9XvGKZn8Y7U42iwzKdYD6qRAXn4+v1G9KIV -cPB1XBCpnEk8E+whjaht5EnAk2I/vesT3akfemgRxEegKS1Ziu/bwTId5mFLx3oV -ql0Nb8dAlIkpDTwxGK7FgRhUwutml6HvvYKtG10OqvrFV026pyQnkVMBGCUMRKvO -ddNAKOr8Mz0qrme0osCxVBdLxnVjvIwsiPBsX2INV86xW7DUe50u+mbCxu4eXCsA -zIJps5WP+ol4z04oZEUp9DEFxILO65MBmWd8y43UqRaaAOXYU+IZ5Tyx0wPcSAbb -iLMFwZ5uA3rIXSvzesgdiX5oJOY1+Y4hpBB6148u2YmKQsNLC0FLodEdXrrDacS4 -jJbc/Zlw2Q2u+YXBzec9hLGsA63qGybc8gmrYYoutwv4fYwSFx8N5AiENFYughBv -EyYXx/gjsSUJOZpI7VDcTS5YiqxRy8VBGXM/ewcvsNxjLTiyQz2Dv8PvGdCzJHbE -CelmFM+RKa/NzkIv/SwM5hXKCO8wpXT5HApXiTxCjonX/f4Uqu0JxiHYqvV7ih3p -k+9kE2eo3GzXWPG4DvcKpDd8pz0aAV02+AGZatRceg0wpOVzo+EC7c8V0SU4De9V -gLyYzY53HLbeqhPm3Yb0yt6fIBfcRxLi7A86K9c2+Na4BFLJPvf7pMQLmLlcdp1M -wKQhQw8DFxxstrup98H29r2n+XzPukhZawQfTEJwfx8y1Kp1UvJOeg/wL1PayyNv -0CQRRMZ0UEb3o6GjSyb3j98oGNe1LAvoykqc8QsBlP6f ------END ENCRYPTED PRIVATE KEY----- \ No newline at end of file diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der new file mode 100644 index 0000000..0051940 Binary files /dev/null and b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der differ diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem new file mode 100644 index 0000000..b99af2c --- /dev/null +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIID4AYf5oXcICAggA +MAwGCCqGSIb3DQIKBQAwHQYJYIZIAWUDBAECBBCtsq1ZGRGQPDOZ5HWj2WM3BIIE +0G6XYOdWx+gqDnXbV4/I8o/whdxUKNXi6lhrJHQBnl+qQPSJnDl4lH6/U7LimyeM +SASN9h2BqOQhLi+FPxw19Vn7IzKkNe4c2S87t27/p9ss8jgbKfEDPJ77uxMb64eA +WAmDjOr1eL+HM54pIxrWcHKUNrfliffyzcwcTqf99ORj9QeGJ37XuZ7RLMxfoOij +4v1YVbSVlMX5SM0tI9/Atm3fUG1zVAm3p3SrSAOr9FkVE0wh/aC5f5KnMzurBq8J +f8zGrCP4AmXiowbsJ+GCpKBqOB2mFpBjWt2cwYPuZzP5VUaXiJyOgOYXvxLF4TpB ++pDhJfs+P0iG1SWssfLOkp7smFWtowFrGn3y5nDHHd3P8/vyEDS02hdJxoLw0MBe +zD3aVeaISOMqjc43cA27Kp7uvG7814XAXe1MPt7Bm5CGa9k6XtVhMTp6RBKxL2ow +3U8SjA3PtuLLbNEB8FDGi2MCsoDGfmXdOZqJPJdxSbLWl5/385irsUKQDnDK9xr5 +tYVAjPLK4tkdtBgGB+Yv2bRYjPdqKiNrE2AuuFN8ESqoir0gOWbGgpmdDpVhG1az +Y/Dyv1JcteXo/s3PsIZOXXDQEK7fdr9o/QWY62KJCIQXPZU7K4g2aWLbMN8pWabt +3mpBeCeiLz0+miSwHFSfTg/weegogrfeBtSV6zFcBSG0nz73JT1U6U4ecDAsuk23 +nmLnm3t+n3MTZU18WxTiQrq0n5gOr1XoGduGQYBBS/bhFoQoWvVQ+gaCaR1hF4ap +U5vTjYmdIv6Hq/Gl3sNpH324NVTQ2JIHzdItyaZiTugr89+7YxPxpL9pwJJyztdy +31l4AvAot9vEJWH6wPC5v66MQrqcJRtdT8BuEJ2RFKkqP0wN66JC7qhtm4v5oVgp +tblGcP4oWHMqAZuYUbgJYh5sEXMsO2tbp2ckKOR10ev+Yzq8vQ9AYFSOLNkFAIbA +lxv0DJonU288A8Rei3WYU9PfYiYWK7cP/I40xtxOJe3cQEhQTBJwT6K1sv7Q0HAa +hs5P2u45XqJh2waqJkeoeri0p20WnSfcWmov0OIMtxWQMT6Yb62v+aKk+nqlurIz +BmvJvgZJtnhlJW7WfbSF3kDD8WZbmabJ+rfPclx5/Hyh0JfaHSJDa9Vd8518/wp4 +Tcptcq7GC93St7PG6RTg4nZzrguwdzBVeDGB0BjP4xI/tzEkk0MgFGAL6JDa/FLv +5L8MOjeCLwWO9OtVjt02amc26SMmpEIyzh5f/eXWDBILnZAgbnieqyQm2+KsvQ87 +9aQdLlC4RvO73f+5Ckygf6vrIW/n8HVmHmLv+qeudVgIiYZVz3/GtiFJjuayMr/D +SgvrzNyRw8SQWn5V0ORy/3u86ZfraIq3falIFJGZDG9rdgYoBNHzhMeOXL+fqqHa +egvOQbfA4jpmtbWUxeqLqs1bY8T9hGW8lrRm7TofsuxDPOz+VajF/+lqWrvXp6+8 +Vp10Ig42X88TUroWRrOSXUkR45Xjq/XG5M5mbZQqBygWSqQJ9LrTzu9yqhYsqziB +tnwXVpudK/9GK7OKEshJ0s/HsLFHAFRBPJnVP0cXTEg9EczgGBLLT6wAj5zy0dxz +Pe8Y46K6wUUHP4Y9IQmJ+i/dBfiaquSNKKdqMU7sT5cd +-----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem deleted file mode 100644 index 06bcd28..0000000 --- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIw3sKoAeJu8kCAggA -MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEWBBB/MRVI6fUEUiqwEb+tcClNBIIE -0JH3R2rIt9cTB0FcsWjoHKFtVy1DTtHZUwk5FlHXm00ngB46gIDzAbTdow6WpspV -H3wJgwU//AAE4bwuZ/AcQlRz2M+OuO3GT47EhjKvXiS3OjrIvkXp24LCS3lSbFV+ -dGc6A2CXlSHF9c/umrKlRtVpSXsnBlVhggVyI/1RidBmCeF2i2205bt/Z2mjODo3 -SlSZjZ8GeFOnm/0zSBxgltbemgfsNMo1QOFRTXblzRE9Ldc5DCPgyCNDHOVUugO3 -lrf9Wyak2oiUtCG5cApaeDTedQv61YK+Zt/ptJmXps/N0nskb3X40ngs+buDuAVP -7uUTxP8ZkvQdVcWD/FNweAPssAGxDcWhacVxeuXdDb+ktjZuHnYJ06lC5nTdJAi3 -zRuvXpYNPQNBfU2MwYV4P4g67ltqdtfZcOiqMIqtb0rWu+dfS0cVPUZHBhHATFbA -Tvo0GtUKuhLzGP4Zr6RSJVlxkjbNtfrE3lS1b5HwaE04F6iagRdH1b6f00FfFXAr -oTFz4/ykkY9q7w3yTLfX/8B5EUbcXLzJBZrAWA1RmsV6aiAvgh94587QprRrL6dD -gcCTjLeVIFw4QNQvzkroErWQbEsZ33cAFB/qJDSEd1FgEMh4LsbHwGP8M/iQNaV1 -WWgh43j3XjwAC2f17okd/+1WxhwpugEJ8EeSfY3oONtyE8sAXRhPLpR1eouRqTmY -5032TNhf9hzNIvJ1eYwehCZfZkvuqJxGe6rXbV579qSThzUpfz6BYylS+xcf6nJP -JniG1RodX/AkkicmKja4fNcp7JDDsmBPU9pLOfr8SodUlimGEQ8PGNNYIrOjKbHe -BICi0ZDSxgt+pPUfjeF9VIcYHF7vUj15ovbd7uJSshmEIIxdX2YDzOjoJHYevsyZ -uZm2ONA90R9szgJMWP2ChKXaNF0UySaG3hueWDRa7GJMPRjpCvcwhAw29YHSvNOq -MbQmyyjFDAk07BFXvXSahSXODe0HPVTbyT8eP2SO7VMPuOWdxH9+adOl8KPCx0L7 -kwiPgnRhAGaevOZs8M80EEOC6JLR9hM9LVCHWnXD41NvGgCSmu8SwzKzKB3KBVas -aSb8XW7IuNFZh2o6FfmDKUp0uXoifWVWe96ertJrHckRbTd4ZpjK2bWChh3WxE9s -0EYG8PAu/NSW7ARPgXZ43f/nYieSQd01zty8Vj4io2gVpQDm0YtZrv/a+gW3HSQj -mBmdDOsQmpP9gfCnOJOILlE/+ouVYiGeSMFbKc1tde1FBtwt0RGQVM7KoRb7itNe -AntBerIDERzq83iXvalzYdB2qw9yzZwvf5hGvNn+rDCD3aZTrr6if9QrrVeDYcTd -TTOVeQx2RgtXv4xdiV4epS8e7xOgLZphC52E4WTRoBz1qEJRHGj1HX8REJ7Q47HK -cZr5IZdLuIulvPPWcY/KLw437h7njAMM2rT0HqL5yZA5Bcnpj/SCQGRHew7OacSK -p1WKw2C/R6MTGDFplefr/f3NUT4quWybfHQG3L3zqjSbKBS0pVPlA4SPwhSgev3P -v+sShYuWwLTiVfzep/nBRcz2W3CHtHI2oahjEI9Vm/7WSdjxl7tSrHlsy7JbVuOA -3PF6QbG2JWgnyfmmgtK86iTchMlxBgWe5S5lz6kZNUXN ------END ENCRYPTED PRIVATE KEY----- \ No newline at end of file diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der new file mode 100644 index 0000000..fc1ccb3 Binary files /dev/null and b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der differ diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem new file mode 100644 index 0000000..0a36a71 --- /dev/null +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI8i+OtR0wbD0CAggA +MAwGCCqGSIb3DQIKBQAwHQYJYIZIAWUDBAEWBBBHvOq1294P18bekzyYVp4QBIIE +0AJnZHjPZcPYKdSNaNfPfc2s+UmTgYeLCun5sd+9KIYyozJ2ljZTijsdp/hItWTu +DmHrfLTLV8mtL/OFJ83u0rDoHVfSrDLwFMAy/nmbtlLYPFEfU9MQ8s2OtvKuobmI +b3x7b+MrTlG5ConptsQQw5tl3dza9DZGfHUnO2EzXorytSMLFCGeQskzbN7Y/Sbf +2+IL5yoifcfPddTbKDyTa77K2516tK2+WTU/VUfv2r5d5SiivZLuMjIYrbneHYoq +hW30BZozCqJKJ5G2jwNjLUjPirA6qtS0Y1tIb5rRjZ0pSy1X5oIQL2laZLrDo9gP +/Ud8m1k2nv9Uv9HPM+G4xCMSiJVaptYPyzFQACcSdA/BVUdBC0EwzIj2nbaoAlM0 ++sZ2Asbohnds/AsDz+/b6MaMKg9Onoort0zF/HtpSII6+WSmvGOaV2469JEIvZlU +JIn1YugpDPIe6/B35J9sYfvVNKVsvJntCKxmcz6Nw2VvPKXC3o/bseBqAhLKDMZZ +Hr3id3O7bN2ng3lKuGofmQeMYnW4zb4coXytdc/XCvf63xE0NsUEBFuRMpc9iocC +2RMBEzNyE4tnigI61T/zkpwgBic1p/isGoXMdPWl+Z+IAIYgyxOVwO9g78yVW9tp +1xF9WzJrGHKNT9RLmINyo3jt/wRj8Q+T0EG45cDQcHwpyXdNS614hUCIaeTvQcR9 +8F+f4D8IvL+GJt2EtbqL+D687X/hptNehpFf+uxGiHQfrtOvYS/ArNrewa1ts9nq +SMAE7Hb7MzFdnhDqRFBa+//H1jvNkDx3qXfb1/MNE8pR6vjcueKKQ0BzlrNX1O2C +oz0OCMeDfXZhWdYmNjLNcdbonrvq5Z9nOUEdw2lNWELT4lOAmqgA/xBFdQa4glCx +WS1r6DyjgTdGlPbcGugRuTcYXNx6iikWzoS1369maz+WV9qW7r8kA1Fs7WUiYnOb +I1E06yQKVANe+t2SQYN2jPK3EsFFOBxG9tlcXbZVxvx9m6XJR7f7YnLPN+b0f1qF +cT2c5IhK5pKRiZds82lWBnk+eli+qUXILIBbDvBmY4PyPk+kyewAHI1HWBfoSH/3 +aLIV6JPgwjAJKnr0++jUqETID/yGyLHNNy1u4ALyAfbFVU//RGmwAxhrBNPdVVGb +rBfKL+VL8Hu/m5XWXez0nHKyD8J1i/XO1OutBsXYxEn6Xnu9rJn8F6nJ+XB3zt6K +QdkUp85t3GM0wyizuPRWJrSVfYyjV41yEBXqe2lgqTT9dpvpgIRtvUeq83e8PD/3 +6qKoeTv+3cppCFZ3vLArGvsvRTcbfc3YEzXxz6gc/1HTzd8UpCnA/9+jepG3IzRL +1bLs8QVzIBAT/UpuC6QWUdAR/JZMEFLU5FnRh6oXuh2Zys66Ot7LyNhnGlSEPlXI +polURx0bew+QigBGiH7NpyMgRi9Wh+1HOA/wsAp4X7O+DhaX6vdiDbQoilN1LclU +TRFShpuaxwRA1ek2Jz3JLn7wCsGaVXrd2v/CgrxofCWzGjR2RWj9hAkV4eoJ3G6A +x3DhMRrqXc/O3ON9TyhKBZP1g35In5bZmBUv/o+7eYV7KDETxPwsD3A+dCqUJObU +kyZehu2DsfyZFI98SnecRpb0M0vi6ZZueCykOVec6xkX +-----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem deleted file mode 100644 index eb2ee14..0000000 --- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIcVlPn8HF5kcCAggA -MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBA6UHwbVfKyYQwiCmyTPE/QBIIE -0Na0hdMyQvJvRUKDvR9Gds0VrwRjHq+WBCDcHfJJRS5RiSCWnOCifZHA/zYoYZ4j -rHnuzmheOuGZWjUkdZQ8kVKFGGCKQjHKHTlfDhVv/SQzwYYWVRyaubDC2SKYORKf -zCFzLjr8RCwBo0ubh9q+QvPrmvy/jZYHYruU7vGseS4vKnWwnXey0ii8L2qD71Fo -uH6WAMRc6xHzm1W2WSnFZvZFLwCmGg/LlHc34TdCgXyX8dhJsIAwlwuCStFWs194 -A5h5ZrLiDdpGCThn47H0jx8kzVcoY+dwuJXgNfzAbzDgbRyzCpQx7Fulzf36iyPO -fq1OrF0+DUSrEv1GJTXT4/1xlpaZgR2RT7in7jCSE7XyATBLRrL9nKAQCmLAARnb -ITLWUPMmxJJDLLn9faBt7ZpyRzLRqGMT6nRNBouAg8DWqqcRvBLfi3TxoQ/KS2BJ -HMtyTfSQpghAsUUqraquSfyLoA1+b47gO+H/grQIMMnfThGiUx9MLOGFAvQ3Um8R -aoTm8X8RuAH3BALA0m9isRww/yA/dw/03jtByDYMeQ/NAHAgL1proXqsojHIYN5v -6vesHcATHGiFnPY0kqKVyIN1G8n5Gji5P875GPq00WN2kPMLiBG9woq9yZ+l5HYu -ofpdtpQRgJJSmEBJgpvwxoJKTUa9mYN29klYiv97AwWj2D2VsJvjG+IlfVybUB26 -mkenc3Hve2V2JueYh8Oijl1j+plc61tYJ0WQloZHQWHSqCJkXEMqUX6DZZyxREix -8kUuWabSkxSq1uRxf7iG442oaer5mhktpbEMWyA22mJLfXBwNaULqlhZGdeqKz4N -zwE0vg1rug1ooLX/s85n6h0FMD+ANbbNU18hQaxmjiCETPp0txAVWpaGAQZsYkW2 -ff+Aj5Mer/qB/K/TBh+7c5PkwcpTTCF/HQ2XF3B30lsBhFmsbXBkvxThhgZkGHfO -EQrxsgc9pwQrM3WT70ZI3uMrN5DfK7Dp+AVwIIBlEeai6FEMpZkg/4tPYK4GkwWP -ZEzSBoUETO9up3NwKuYWS3VOAmsOO8qRXw9bynV2WxMZ8NTWDmSKX+MqYz28ejjK -/5EYX3uW1NVjz608QbzT3XxNtX9B/FTPT9OlK8IxeiOjfDG2fqe3k7bYBZGVC2/M -aCaVPTND8xHsodxIoYbEbF29YSV/FLtw1eQ3LpwDN5OCzXpiZ65A4PxnB3iPHoNl -8o76h2dcksN+NKsdjnRH95b9V8CVlc8QwLBSCWk5bkfTXLeSkDM14jpJ0+BCuAyD -bdCo+R32ItDlke/L6d+CtVbyhDJigdl9w9XKBJ3f9XKw6Q4RnuCNQf3fqo1h+vVs -Ia4Mau6XSKyyZtEH5F0mO0iwpYBxPz6S9u36WnI6ot2Ep8AlfjBTRbH0g/luPjaz -9Jiah0i9p79L3wMNJHfqkdkUvJyLKu0rTy23L0sw3Eg9rx2TErrlIWugoAi0peia -36sC82X78xIzOCq1XwaIojnyB0fqxJDn93BI9dKhnBzWP54oY/ckq+ixb1oBQ0Kx -sLWcOwbT/yprpo36ZMy1DcxjjVyEfRmzwJJ65qFk48XJ4JIswdmaFfYbZ8yQyRiy -coJGwITg1bspV4krBAspArmqN3D4LviHXojUMxD6Sx8R ------END ENCRYPTED PRIVATE KEY----- \ No newline at end of file diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der new file mode 100644 index 0000000..136cfb9 Binary files /dev/null and b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der differ diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem new file mode 100644 index 0000000..da2e90f --- /dev/null +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIhWg0Xe90dAcCAggA +MAwGCCqGSIb3DQIKBQAwHQYJYIZIAWUDBAEqBBCRE60k0URZBki+hlzaxgZgBIIE +0Hffn1sg3qNNUkFDHdbvU9E3+aaMJKWqDS4bUqGguT7Tz36TPM1drUZSFyWvPgNY +dXonxu+2h6jzRny0clPyp3kCbJEqgvyj0laKNAfV1fmJRVkIFiCMs0iBLQnyjAJb +IJ8hGxsnotdvmL3oTvHq0YawPXRXVDC4qeO+PzcDjSZ62E+Bz1bE2/tLif1BKd0k +QbccsD9pCyF8pauCAxgN2AWWdus3IzH+hWUf4DTT7AhCdYNijY+ZmBgKGkJoJWwl +aIZrPGJ7tNIDecQt86xLffKifI/b2dO5e3Q1NgNzHM77ncoeLr9nFSlsc2W3qA/A +gEDcuGj1ujchKK70Phfz50HMfnP3pCqLk8jDI78/TSvHDiblF68hsUbAsvbtHNu6 ++AXlDdSU2bcRyQRsjvaf2lMLt+qkUX+P640SKnXIYa1o9dv4+alE4XTZaimmOnao +DjYm6bTHAYcE//DW/LXt7V+q1KCPqpoHMR140vyjIRN8uEcPXyTka6lU34ypIhUb +N7ggLrXrCjh3nJo+nCtXOIMf9O9eD9I/0i8dktZFuTRj1sO/z9J/xFxHTdBG/BB5 +1MEmwriRubrw5Ud+uXnRq+lg5rW3n4+5TBvwYq/GLfyj36ojegbE8OdMfJJqCdd4 +zywMXwYiMi76gYAwEL60DWRn+3vud02QwY8hBXfiOPq2kxazvZM5SWy/1bPgStkn +fG9uzE8n/ABZA0XWuV8hNAcxYlS+0s3IguvvHogQtQMYTTg/D3OODpc0f/+y3O8N +qI5Iym1SrWpnF8vVFZsMblMDr+tbeCvYQ+HuaTc0L5cpAozoY7iCzuqwDHFrYTzC +rSZ70V+FQ956m4xkCBu6TrzqzhA8zfDFs3z9LfV62v9zLgUS8uCKSKWxznM0IdiE +ZnNrwaE1xsO5QN8LfvlO4NVVxN/ATie5tmlLndS4c2ZkswcR3WM6cW1buVaIPsz7 +lU7sbd/I9pWpzd3eZNkVrWpyWxvFQxBUNNC5IXcgRBZsGgVGRw35LBlWXKluKrVi +Z/FAf23dt3n2S4dtJ+Fd2+YL/YiK0lqtrm+GkSjmMvVQ57PJn8QvW359e4QsxDyN +wv6iEQDUqZcQ89ggdGdoSFFgBtFACc9iCKsu5AjTJl+Tql/A3FV7SwYDfZwQuT4e +gc4dZPuSSVd8cttUeFUmtrPCMx2nP7ZDVYFrZyK07eAIL89gv3bYWu8R/wMKNvzr +g0Ao0+AnfLJg11C8pAhJea1dxwu7g6LSpA+oCZov4RpqUnLKMCpPbypyFhSizZtF +evDMf+5aUAbe0+ZsCjUT+RftpzYCPV9uGhYhLMIFRP/7FCcHMrDn7CbAektm063U +EwP2O1rUrMhPWqRztx71cGBloeVPE8Ddwnsorr4M7EXihZcvNsLfz3N9NUopkU3M +sM2fEAnq2KMyrrwVGRSHvm70gUDpJeFanRBsI9z1Tr4r3utHIIQ+0u9pFPbQln0Q +4X4U7KbKC4leTYGMPMFOPXihiMTazNcs232stAYUYe6/DmVX/p2dJHvHux5qBGIW +Rbv7OuwazOsDqNfrqZTesENIGl/KPoNXiolp/YtG3DHQ1vDjEj/XTOVWWkBDXVgP +ut4Pi20hvFBwvEBtypAgi1VLcad5+dlrEwryewlLLw5h +-----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 67723c9..a8d6536 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -890,17 +890,29 @@ Parse RSA Key #99.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT -Parse RSA Key #99.3 (Generated with OpenSSL, PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA256, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128_sha256.pem":"PolarSSLTest":0 +Parse RSA Key #99.3 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem":"PolarSSLTest":0 -Parse RSA Key #99.4 (Generated with OpenSSL, PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA256, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192_sha256.pem":"PolarSSLTest":0 +Parse RSA Key #99.4 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem":"PolarSSLTest":0 -Parse RSA Key #99.5 (Generated with OpenSSL, PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA256, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256_sha256.pem":"PolarSSLTest":0 +Parse RSA Key #99.5 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem":"PolarSSLTest":0 + +Parse RSA Key #99.6 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384 DER, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der":"PolarSSLTest":0 + +Parse RSA Key #99.7 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384 DER, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der":"PolarSSLTest":0 + +Parse RSA Key #99.8 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384 DER, 2048-bit) +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der":"PolarSSLTest":0 Parse Public RSA Key #1 (PKCS#8 wrapped) depends_on:MBEDTLS_PEM_PARSE_C -- cgit v1.1 From 153586a3d56ea1ef19d24b899a7f9eac018b4ae0 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Fri, 12 Jan 2024 11:19:16 +0530 Subject: change values to ULL Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 660b73d..cd60333 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6337,15 +6337,15 @@ derive_set_capacity:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_HASH_LENGTH(PSA_ALG_SHA_256 PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: PBKDF2-HMAC-SHA512, request too much capacity depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_512:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_512) + 1:PSA_ERROR_INVALID_ARGUMENT +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_512) + 1:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * 16 + 1:PSA_ERROR_INVALID_ARGUMENT +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295ULL * 16 + 1:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: TLS 1.2 PRF SHA-256, request maximum capacity depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_256 @@ -6357,15 +6357,15 @@ derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):SIZE_MAX:PSA_SUCCESS PSA key derivation: PBKDF2-HMAC-SHA256, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS PSA key derivation: PBKDF2-HMAC-SHA512, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_512:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295UL * PSA_HASH_LENGTH(PSA_ALG_SHA_512):PSA_SUCCESS +derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_512):PSA_SUCCESS PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request maximum capacity depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff -derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295UL * 16:PSA_SUCCESS +derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295ULL * 16:PSA_SUCCESS PSA key derivation: over capacity 42: output 42+1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 -- cgit v1.1 From a90378c425a56af060f29ee1c9bdb6788e174ba6 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Fri, 12 Jan 2024 10:24:00 +0000 Subject: Restore previous version of rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem Signed-off-by: Ryan Everett --- .../rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem | 56 +++++++++++----------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem index f917af2..0d1b587 100644 --- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem +++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem @@ -1,30 +1,30 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI11AY9mDsg8QCAggA -MAwGCCqGSIb3DQIKBQAwFAYIKoZIhvcNAwcECDzvZWW4smTrBIIEyG/U2B5LazZZ -rzLUN7V38xI1ZR6rcBJreOk0QmVOSk9QMh+Kq+LmFwnY2NY+xikAfRJKWUsjk+h4 -DzCWn+nsrvU2wK582XThWYwJ79BIwkweUWV9l1Nfw0vyx/FkcTHE+eGPdABBL4BO -o4uajZso7tYY2+jyPobqSn18j2TInKbHR7lB5l6OAX9FsV0pGKYBgKxa9LTj7ufD -70G5WLHJAfnTX/6+wWktDOMMCPTXij3qA0fyu835shMUWQ+KUx0Dyp2A6qeprV1Z -nklRzevWsA4pbNMe+GG3WrRj52YRVuwDJjgTeq5rIfyoyLGv0ZUZsa/KEP/oToe9 -CmFPHWA2RDpK4zD8lscsjsOj+B0UREcSw9CdL91rFZkr++PuI3A1/T+3M8DkjLiB -CvSVziZLyZaqUVd0UdXrHyGeFxIMAx8xfYGiLi/EEay2zEScGbQ2kU+N1Vpuyu39 -PoEmqNOchoEkLeMVTYTQDfK3LgYQXpvdLCQQG76AqRIbuY+ZfYYw8eWyJhm78Qwx -fAenH4i5AjgJcV/5xiLpj+1trdefaCSp0Z8XY7ng/xyNCOOdSbBOPl4JnD6snYaT -06dtpowP7gcN3bZQo/r2XsH8F1VPvjG2wZ38R7aHlF8vjCZ1gUtCuraoM9AAdVoW -zWiptA4Lc5CAp+kDa2Nf5gyL0lvN/IbWYE23/OMTECmwG+O/HNtvltmdmYB8Ze6A -pdlkftjf/NvFsHloJS76SreR0tpWM8rGnSqQdecWLutgWP7HiK6C77UYv3b71SVj -ga5uv2l67UAj9EPTizZvLJjn0ubylfCW4eaPkEJBaYW4uG/3BcWzpLRnGyq6csMC -/tly2Y1L9dBqyZMIMW/ZFm8/64K8IRaSu/8mMGxjQ7VHeU6JSDk3G4by8jdYjLA2 -Y3tWYaelX8oE02jrwv47PPFWft/P+3Gjwo8lFq0zQTAk2C1vHs44jLzsOxfizo6s -mzmGh54JFsdE1tlYoa515Id2I27vjCvK6XbbgguinHaIsRgaRnCyyqEjO22z2zP3 -RpJD7FdugvZDepLfII1H8+JlbyBEd2zByMIPehIeM/HWWN0ukAgIz6yardrCYiuU -hXTqTz6bzaZMRJauPt/gpSvAx8kTKr9nXH2VRiToUs3ABjT9DN1/mQ1RlA0NmK1i -qfsMRXWzckaKgmJ8fglxEY7UR6fOqt3325yVQ/x49AKBxBDO9wmfpHEO3aQY7+H5 -hP/5tuc81226VFbyTERtTaEb/I+7iiImcWtVW4bB/1DgCu1NTlay6XaHOoclxcEE -N+d/3wDjSrsUhAKcK42wNPa74eSZy9ElJ+33xC56tqxhvo6YdG7VFu3S8qnhaXf1 -ijcRCw7vr2ShGMAhnloz4T+IX3ZGrzkVSXQG+rpaFag0b1QxeS6w/V7F8u+wljnq -1BzIfEjnE3lpR1eiZ8Ygu/n4kb7n5gHZqd1C8QiFZOGczX3uKFbH3/HOS20A+/6R -3rkjCQ+Uyxl3+wVdyOSpUCqtLfJBx69CM/6lDBPrliQ6DE94xKFrNEogG3IE36rW -oSCJcveg3cdbrHSqc+3m36FbQl2YKy8hgBwhrym2xHZ/ZS+acUQsN/V3VvEym3N6 -QXFLn3yqnmpr1g+yqXfQwA== +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIYFcs8Uhn2poCAggA +MAwGCCqGSIb3DQIKBQAwFAYIKoZIhvcNAwcECKCBLl+C+3nCBIIEyEnIPlXdh1e3 ++cnyhX7dCRzR/NsygcRBJUPdwRUMAaOo/t+oZxFmHnblchxQ+pFoHrI9GVwg8uID +meEHlzSSKt8kOTvJ3C148jRFJy61YH6k5GEN+z5ihS9uTszaXRUlEsGfP1/SzWY9 +ME+pX+0kwJ4az87mYKyNUwK4U5d65Ic30pvRJc4unvFtRz6wtwqU+EV283pXHfyc +VNgQFjb1IPHEz/PSuE9p94mQvdIbVmuK2dRiMag/HcABvVhxzLldKyEHHhrHR0pa +gc41+3HVjz0b6RPE24zNrxA9bU+1URGwlkIlh7Jpc/ZuYRj6LQ33xUdYZcMZw0b4 +pSFJcUgX+GUXLyWLqhIxxc+GIeL2Vt5G0ea5KEqxOvSj2bJV2/JA0KtmrcIjX5Kz +d/9bAvxatcqIikVNVkQpUc1glKiIBfVrmyJ4XUlX9i5F3cgl18zrYUI4zPSBn8o5 +yxSfCuIMx+3zS4BiyugGNOclIbpLMjQuMrXxrt7S+QlXfdbXvyNfxa3qfqf7/P2k +ykxl0z1bjvkck6XoFGXdb13isUEtY2NjujZKZe55BLGqr7FsIIQSTAHilwMpK+CV +fA1EL4ck1+7FV+l8fJ0nN1Li1xOnDeAFuO2m91uibNMYPvRSoX9c+HQKXCdGfiuk +5tfNaq8bbXeIJ/P8wTjMZqI2l6HZRuXvvmRHN2zZ4BSsT3+61xtvSTISEimDSm5T +hYY583LG5lpFoOC0Y4EUw/ltmQpKW7AGkLg7SyC9oKvoeWM4c2t8HrL3iKPXtkwd +A/iEfZTxzmR57u+ZMlbws0evPiZQml8voJnuT6qwbos7g7V/Pc3Rj+b84JZcI2Jz +D89/VudIHfFDTXC/gcSRG4bd0glILJHT9FOCAlX5TEuRyeWasoVOV+m3Pi8vQM1u +tCsjE9UdoIdhoI5j94VhzHApdD4fePcQW9DysYa2R10gWIZKUvhUHH3FWLR2X2gK +Wiz5YkhEGXBRtDHd4cx8EM1bJMKwFyYXjXTPGfGlGiPt8b9u4F++IlsKcgGgPIvh +2rIm4jHuN3LRRlFkJ5B0kuOOxZ6GBfxasS+Ix4DZoIfqZsGNI5Wu2ikGZOKxX7Ij +G9RvcdpVV8C2Y+M9qI2+x93WAtQ+NRJo4/+gJ0O9bVUhjjAmIHu2bMtbvr9aPJhd +OpB9VQxB3c5mEXkNOV52oOGnIGVjbJMb4e3/MRpWtTFVcX6r200Gn6Hn3MnWZXdd +H7pOpAowTcTlFcbJ0WWjfZygj5HKKUOFzPYNnXKizjzQhF6yK0mphKFY+8tpFQqB +mV/1HlWJTSsAmh/FN21B2qq+KRiwMdpzKIEKC47mK+dzzo1mrTqmExvbiaLG8upr +KMb/lEnSCasiZKTh71J3+5vUE+Nw73rYNZcdh7fj+GBK9KJ3hdKwYc/9yyQx1Lua +4aXnUM6vQAsV+OLYNQE8vXMRtuftbPbV9sqiBLPIc/0P2EJ9mbEye8FM+koHUCKo +xtJe5SK36DMwAas6tjimouVgWTcAdbq9r8jQlCJ1WxXPUcCJdv6pFQUGKQ+34TMK +uWOhErUNRdqel9DthU5ig5dZs2DqlzbRzWYosZc1B6Q4/nua2JiBi8IeqtPILr2a +JYJ9DNzxn07lcFHiVgrJuA== -----END ENCRYPTED PRIVATE KEY----- -- cgit v1.1 From 86d5347930557f2d0de6d30292d100a08968e757 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Fri, 12 Jan 2024 10:31:31 +0000 Subject: Mention PK parse in changelog Signed-off-by: Ryan Everett --- ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt b/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt index e00c1e0..7f0fbc7 100644 --- a/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt +++ b/ChangeLog.d/add-aes-cbc-to-pkcs5-pbes2.txt @@ -1,3 +1,3 @@ Features * Add support for using AES-CBC 128, 192, and 256 bit schemes - with PKCS#5 PBES2. + with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse. -- cgit v1.1 From d1100b0b45170261b8e37933d1b89bcda3cbd9f4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 21 Nov 2023 13:02:39 +0100 Subject: Disable ticket module when useless Disable ticket module if either the TLS server or the support for session tickets is not enabled at build time as in that case the ticket module is not used by the TLS library. Signed-off-by: Ronald Cron --- include/mbedtls/config_adjust_ssl.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/mbedtls/config_adjust_ssl.h b/include/mbedtls/config_adjust_ssl.h index 5dd331c..39c7b3b 100644 --- a/include/mbedtls/config_adjust_ssl.h +++ b/include/mbedtls/config_adjust_ssl.h @@ -34,6 +34,10 @@ #undef MBEDTLS_SSL_PROTO_DTLS #endif +#if !(defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)) +#undef MBEDTLS_SSL_TICKET_C +#endif + #if !defined(MBEDTLS_SSL_PROTO_DTLS) #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY #undef MBEDTLS_SSL_DTLS_CONNECTION_ID -- cgit v1.1 From ce72763f78891e8a6e46bdabaf792a97dc6358e1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 22 Nov 2023 08:06:41 +0100 Subject: ssl_ticket.c: Remove client code ssl_ticket.c is a server module. Signed-off-by: Ronald Cron --- library/ssl_ticket.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index cd730fb..d0bd495 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -504,11 +504,6 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, ticket_age = mbedtls_ms_time() - session->ticket_creation_time; } #endif -#if defined(MBEDTLS_SSL_CLI_C) - if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { - ticket_age = mbedtls_ms_time() - session->ticket_reception_time; - } -#endif mbedtls_ms_time_t ticket_lifetime = (mbedtls_ms_time_t) ctx->ticket_lifetime * 1000; -- cgit v1.1 From 3c3e2e62f699c285931f80229307db4c6753adcb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 22 Nov 2023 08:10:34 +0100 Subject: ssl_ticket.c: Remove TLS server guard The ticket module is removed from the build if the TLS server is not in the build now thus no need for the guard. Signed-off-by: Ronald Cron --- library/ssl_ticket.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index d0bd495..b47af86 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -499,12 +499,9 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { /* Check for expiration */ mbedtls_ms_time_t ticket_age = -1; -#if defined(MBEDTLS_SSL_SRV_C) if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { ticket_age = mbedtls_ms_time() - session->ticket_creation_time; } -#endif - mbedtls_ms_time_t ticket_lifetime = (mbedtls_ms_time_t) ctx->ticket_lifetime * 1000; -- cgit v1.1 From e34f124ff107783c31c18308af8fd9febc2b74eb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 22 Nov 2023 08:14:07 +0100 Subject: ssl_ticket.c: Remove pedantic server endpoint check When calculating the ticket age, remove the check that the endpoint is a server. The module is supposed to be used only server side. Furthermore, if such check was necessary, it should be at the beginning of all ssl_ticket.c APIs. As there is no such protection in any API, just remove the check. Signed-off-by: Ronald Cron --- library/ssl_ticket.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index b47af86..e47cf42 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -498,10 +498,8 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { /* Check for expiration */ - mbedtls_ms_time_t ticket_age = -1; - if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - ticket_age = mbedtls_ms_time() - session->ticket_creation_time; - } + mbedtls_ms_time_t ticket_age = mbedtls_ms_time() - + session->ticket_creation_time; mbedtls_ms_time_t ticket_lifetime = (mbedtls_ms_time_t) ctx->ticket_lifetime * 1000; -- cgit v1.1 From ba5165e09a4f38db594384a446566257cad1fcde Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 21 Nov 2023 13:53:18 +0100 Subject: ssl_ticket.c: Fix ticket lifetime enforcement Take into account that the lifetime of tickets can be changed through the mbedtls_ssl_ticket_rotate() API. Signed-off-by: Ronald Cron --- include/mbedtls/ssl_ticket.h | 4 ++++ library/ssl_ticket.c | 17 ++++++++++++----- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index 6d59c12..5842049 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -50,6 +50,10 @@ typedef struct mbedtls_ssl_ticket_key { #if defined(MBEDTLS_HAVE_TIME) mbedtls_time_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */ #endif + /*! Lifetime of the key in seconds. This is also the lifetime of the + * tickets created under that key. + */ + uint32_t MBEDTLS_PRIVATE(lifetime); #if !defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */ #else diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index e47cf42..1ea7a50 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -75,6 +75,10 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx, #if defined(MBEDTLS_HAVE_TIME) key->generation_time = mbedtls_time(NULL); #endif + /* The lifetime of a key is the configured lifetime of the tickets when + * the key is created. + */ + key->lifetime = ctx->ticket_lifetime; if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) { return ret; @@ -116,16 +120,17 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx) #if !defined(MBEDTLS_HAVE_TIME) ((void) ctx); #else - if (ctx->ticket_lifetime != 0) { + mbedtls_ssl_ticket_key * const key = ctx->keys + ctx->active; + if (key->lifetime != 0) { mbedtls_time_t current_time = mbedtls_time(NULL); - mbedtls_time_t key_time = ctx->keys[ctx->active].generation_time; + mbedtls_time_t key_time = key->generation_time; #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; #endif if (current_time >= key_time && - (uint64_t) (current_time - key_time) < ctx->ticket_lifetime) { + (uint64_t) (current_time - key_time) < key->lifetime) { return 0; } @@ -198,6 +203,8 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx, #if defined(MBEDTLS_HAVE_TIME) key->generation_time = mbedtls_time(NULL); #endif + key->lifetime = lifetime; + return 0; } @@ -331,7 +338,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket, key = &ctx->keys[ctx->active]; - *ticket_lifetime = ctx->ticket_lifetime; + *ticket_lifetime = key->lifetime; memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES); @@ -515,7 +522,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, mbedtls_time_t current_time = mbedtls_time(NULL); if (current_time < session->start || - (uint32_t) (current_time - session->start) > ctx->ticket_lifetime) { + (uint32_t) (current_time - session->start) > key->lifetime) { ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; goto cleanup; } -- cgit v1.1 From 17ef8dfddb998a7eab9de8cdfd0ff5c3b6e069fa Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 22 Nov 2023 10:29:42 +0100 Subject: ssl_session: Define unconditionally the endpoint field The endpoint field is needed to serialize/deserialize a session in TLS 1.2 the same way it is needed in the TLS 1.3 case: client specific fields that should not be in the serialized version on server side if both TLS client and server are enabled in the TLS library. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 2 +- library/ssl_tls12_client.c | 1 + library/ssl_tls12_server.c | 1 + library/ssl_tls13_client.c | 4 +--- library/ssl_tls13_server.c | 4 ---- 5 files changed, 4 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3629526..0be81af 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1199,6 +1199,7 @@ struct mbedtls_ssl_session { * or resuming a session instead of the configured minor TLS version. */ mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version); + uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ #if defined(MBEDTLS_HAVE_TIME) mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< start time of current session */ @@ -1228,7 +1229,6 @@ struct mbedtls_ssl_session { #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) - uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */ uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */ uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */ diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 0c5af87..5469850 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1268,6 +1268,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl) ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf, ssl->conf->transport); ssl->session_negotiate->tls_version = ssl->tls_version; + ssl->session_negotiate->endpoint = ssl->conf->endpoint; if (ssl->tls_version < ssl->conf->min_tls_version || ssl->tls_version > ssl->conf->max_tls_version) { diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 5a9f6ca..e433627 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -1161,6 +1161,7 @@ read_record_header: ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf, ssl->conf->transport); ssl->session_negotiate->tls_version = ssl->tls_version; + ssl->session_negotiate->endpoint = ssl->conf->endpoint; if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2")); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5c668bd..1bfac58 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1476,10 +1476,8 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl, return SSL_SERVER_HELLO_TLS1_2; } -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - ssl->session_negotiate->endpoint = ssl->conf->endpoint; ssl->session_negotiate->tls_version = ssl->tls_version; -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + ssl->session_negotiate->endpoint = ssl->conf->endpoint; handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6e2866a..fa1f478 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1437,12 +1437,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, * We negotiate TLS 1.3. */ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; - -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - /* Store minor version for later use with ticket serialization. */ ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; ssl->session_negotiate->endpoint = ssl->conf->endpoint; -#endif /* * We are negotiating the version 1.3 of the protocol. Do what we have -- cgit v1.1 From 7b1921ac571ad3eb2f2b552b8d07896c8e6e2a7d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 23 Nov 2023 12:31:56 +0100 Subject: Add endpoint in TLS 1.2 session serialization data Signed-off-by: Ronald Cron --- library/ssl_tls.c | 8 ++++++-- tests/include/test/ssl_helpers.h | 1 + tests/src/test_helpers/ssl_helpers.c | 3 +++ tests/suites/test_suite_ssl.function | 17 ++++++----------- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8c1e372..9fabda4 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8942,6 +8942,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( * * struct { * uint64 start_time; + * uint8 endpoint; * uint8 ciphersuite[2]; // defined by the standard * uint8 session_id_len; // at most 32 * opaque session_id[32]; @@ -8988,13 +8989,15 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, /* * Basic mandatory fields */ - used += 2 /* ciphersuite */ + used += 1 /* endpoint */ + + 2 /* ciphersuite */ + 1 /* id_len */ + sizeof(session->id) + sizeof(session->master) + 4; /* verify_result */ if (used <= buf_len) { + *p++ = session->endpoint; MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); p += 2; @@ -9129,10 +9132,11 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, /* * Basic mandatory fields */ - if (2 + 1 + 32 + 48 + 4 > (size_t) (end - p)) { + if (1 + 2 + 1 + 32 + 48 + 4 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + session->endpoint = *p++; session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); p += 2; diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index d03c624..ec00fd5 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -531,6 +531,7 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, */ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, int ticket_len, + int endpoint_type, const char *crt_file); #if defined(MBEDTLS_SSL_PROTO_TLS1_3) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 3d8937d..8f20fa6 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -1636,12 +1636,15 @@ exit: #if defined(MBEDTLS_SSL_PROTO_TLS1_2) int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, int ticket_len, + int endpoint_type, const char *crt_file) { #if defined(MBEDTLS_HAVE_TIME) session->start = mbedtls_time(NULL) - 42; #endif session->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; + session->endpoint = endpoint_type == MBEDTLS_SSL_IS_CLIENT ? + MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER; session->ciphersuite = 0xabcd; session->id_len = sizeof(session->id); memset(session->id, 66, session->id_len); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8a03d1b..b116705 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1941,7 +1941,6 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, USE_PSA_INIT(); /* Prepare a dummy session to work on */ - ((void) endpoint_type); ((void) tls_version); ((void) ticket_len); ((void) crt_file); @@ -1955,7 +1954,7 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( - &original, ticket_len, crt_file) == 0); + &original, ticket_len, endpoint_type, crt_file) == 0); } #endif @@ -1995,6 +1994,7 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, #endif TEST_ASSERT(original.tls_version == restored.tls_version); + TEST_ASSERT(original.endpoint == restored.endpoint); TEST_ASSERT(original.ciphersuite == restored.ciphersuite); #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { @@ -2053,7 +2053,6 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { - TEST_ASSERT(original.endpoint == restored.endpoint); TEST_ASSERT(original.ciphersuite == restored.ciphersuite); TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add); TEST_ASSERT(original.ticket_flags == restored.ticket_flags); @@ -2123,7 +2122,6 @@ void ssl_serialize_session_load_save(int ticket_len, char *crt_file, USE_PSA_INIT(); /* Prepare a dummy session to work on */ - ((void) endpoint_type); ((void) ticket_len); ((void) crt_file); @@ -2138,7 +2136,7 @@ void ssl_serialize_session_load_save(int ticket_len, char *crt_file, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case MBEDTLS_SSL_VERSION_TLS1_2: TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( - &session, ticket_len, crt_file) == 0); + &session, ticket_len, endpoint_type, crt_file) == 0); break; #endif default: @@ -2197,7 +2195,6 @@ void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file, USE_PSA_INIT(); /* Prepare dummy session and get serialized size */ - ((void) endpoint_type); ((void) ticket_len); ((void) crt_file); @@ -2211,7 +2208,7 @@ void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case MBEDTLS_SSL_VERSION_TLS1_2: TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( - &session, ticket_len, crt_file) == 0); + &session, ticket_len, endpoint_type, crt_file) == 0); break; #endif default: @@ -2257,7 +2254,6 @@ void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file, USE_PSA_INIT(); /* Prepare serialized session data */ - ((void) endpoint_type); ((void) ticket_len); ((void) crt_file); @@ -2272,7 +2268,7 @@ void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case MBEDTLS_SSL_VERSION_TLS1_2: TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( - &session, ticket_len, crt_file) == 0); + &session, ticket_len, endpoint_type, crt_file) == 0); break; #endif @@ -2329,7 +2325,6 @@ void ssl_session_serialize_version_check(int corrupt_major, mbedtls_ssl_session_init(&session); USE_PSA_INIT(); - ((void) endpoint_type); switch (tls_version) { #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -2341,7 +2336,7 @@ void ssl_session_serialize_version_check(int corrupt_major, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case MBEDTLS_SSL_VERSION_TLS1_2: TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( - &session, 0, NULL) == 0); + &session, 0, endpoint_type, NULL) == 0); break; #endif -- cgit v1.1 From feb577a949a95d7e55b18898a52a45edd4645ff3 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 23 Nov 2023 12:34:43 +0100 Subject: Fix TLS 1.2 session serialization on server side Signed-off-by: Ronald Cron --- library/ssl_tls.c | 66 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 35 insertions(+), 31 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9fabda4..7d371bf 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -9059,20 +9059,22 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, * Session ticket if any, plus associated data */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) - used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ + if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { + used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ - if (used <= buf_len) { - *p++ = MBEDTLS_BYTE_2(session->ticket_len); - *p++ = MBEDTLS_BYTE_1(session->ticket_len); - *p++ = MBEDTLS_BYTE_0(session->ticket_len); + if (used <= buf_len) { + *p++ = MBEDTLS_BYTE_2(session->ticket_len); + *p++ = MBEDTLS_BYTE_1(session->ticket_len); + *p++ = MBEDTLS_BYTE_0(session->ticket_len); - if (session->ticket != NULL) { - memcpy(p, session->ticket, session->ticket_len); - p += session->ticket_len; - } + if (session->ticket != NULL) { + memcpy(p, session->ticket, session->ticket_len); + p += session->ticket_len; + } - MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); - p += 4; + MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); + p += 4; + } } #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ @@ -9241,33 +9243,35 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, * Session ticket and associated data */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) - if (3 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0); - p += 3; - - if (session->ticket_len != 0) { - if (session->ticket_len > (size_t) (end - p)) { + if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { + if (3 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - session->ticket = mbedtls_calloc(1, session->ticket_len); - if (session->ticket == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; + session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0); + p += 3; + + if (session->ticket_len != 0) { + if (session->ticket_len > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + session->ticket = mbedtls_calloc(1, session->ticket_len); + if (session->ticket == NULL) { + return MBEDTLS_ERR_SSL_ALLOC_FAILED; + } + + memcpy(session->ticket, p, session->ticket_len); + p += session->ticket_len; } - memcpy(session->ticket, p, session->ticket_len); - p += session->ticket_len; - } + if (4 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - if (4 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); + p += 4; } - - session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ /* -- cgit v1.1 From d1c106c787eacbf42563e4c2360d59c1bd861a37 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 22 Nov 2023 09:14:02 +0100 Subject: Define ticket creation time in TLS 1.2 case as well The purpose of this change is to eventually base the calculation in ssl_ticket.c of the ticket age when parsing a ticket on the ticket creation time both in TLS 1.2 and TLS 1.3 case. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 17 +++++++++-------- programs/ssl/ssl_server2.c | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 0be81af..542340b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1228,6 +1228,12 @@ struct mbedtls_ssl_session { uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< ticket lifetime hint */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_HAVE_TIME) + /*! Time in milliseconds when the ticket was created. */ + mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_creation_time); +#endif + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */ uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */ @@ -1238,15 +1244,10 @@ struct mbedtls_ssl_session { char *MBEDTLS_PRIVATE(hostname); /*!< host name binded with tickets */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_HAVE_TIME) -#if defined(MBEDTLS_SSL_CLI_C) - mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_reception_time); /*!< time when ticket was received. */ +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_CLI_C) + /*! Time in milliseconds when the last ticket was received. */ + mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_reception_time); #endif -#if defined(MBEDTLS_SSL_SRV_C) - mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_creation_time); /*!< time when ticket was created. */ -#endif -#endif /* MBEDTLS_HAVE_TIME */ - #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_EARLY_DATA) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 598d38c..1216ba1 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1420,7 +1420,6 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, return MBEDTLS_ERR_SSL_INVALID_MAC; case 2: return MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) case 3: /* Creation time in the future. */ session->ticket_creation_time = mbedtls_ms_time() + 1000; @@ -1430,6 +1429,7 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, session->ticket_creation_time = mbedtls_ms_time() - (7 * 24 * 3600 * 1000 + 1000); break; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) case 5: /* Ticket is valid, but client age is below the lower bound of the tolerance window. */ session->ticket_age_add += MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE + 4 * 1000; -- cgit v1.1 From c57f86e1322bc18e5a817ea0b087d82e273af8fb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 22 Nov 2023 09:50:01 +0100 Subject: Add ticket creation time to TLS 1.2 session serialization Signed-off-by: Ronald Cron --- library/ssl_tls.c | 32 ++++++++++++++++++++++++++++---- tests/src/test_helpers/ssl_helpers.c | 14 +++++++++++--- tests/suites/test_suite_ssl.function | 28 +++++----------------------- 3 files changed, 44 insertions(+), 30 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7d371bf..8fc4d4d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8951,6 +8951,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert * opaque ticket<0..2^24-1>; // length 0 means no ticket * uint32 ticket_lifetime; + * uint64 ticket_creation_time; * uint8 mfl_code; // up to 255 according to standard * uint8 encrypt_then_mac; // 0 or 1 * } serialized_session_tls12; @@ -9058,7 +9059,8 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, /* * Session ticket if any, plus associated data */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_CLI_C) if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ @@ -9076,7 +9078,18 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, p += 4; } } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + used += 8; + + if (used <= buf_len) { + MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); + p += 8; + } + } +#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ /* * Misc extension-related info @@ -9242,7 +9255,8 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, /* * Session ticket and associated data */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_CLI_C) if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { if (3 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; @@ -9272,7 +9286,17 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); p += 4; } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + if (8 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; + } +#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ /* * Misc extension-related info diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 8f20fa6..c0c5ca4 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -1639,6 +1639,8 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, int endpoint_type, const char *crt_file) { + (void) ticket_len; + #if defined(MBEDTLS_HAVE_TIME) session->start = mbedtls_time(NULL) - 42; #endif @@ -1710,7 +1712,8 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */ session->verify_result = 0xdeadbeef; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_CLI_C) if (ticket_len != 0) { session->ticket = mbedtls_calloc(1, ticket_len); if (session->ticket == NULL) { @@ -1720,9 +1723,14 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, } session->ticket_len = ticket_len; session->ticket_lifetime = 86401; -#else - (void) ticket_len; +#endif /* MBEDTLS_SSL_CLI_C */ + +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_HAVE_TIME) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + session->ticket_creation_time = mbedtls_ms_time() - 42; + } #endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) session->mfl_code = 1; diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index b116705..bcddba2 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1972,26 +1972,13 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, * Make sure both session structures are identical */ #if defined(MBEDTLS_HAVE_TIME) - switch (tls_version) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SRV_C) - case MBEDTLS_SSL_VERSION_TLS1_3: - TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); - break; -#endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - case MBEDTLS_SSL_VERSION_TLS1_2: - TEST_ASSERT(original.start == restored.start); - break; -#endif - - default: - /* should never happen */ - TEST_ASSERT(0); - break; + if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { + TEST_ASSERT(original.start == restored.start); } - - +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) + TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); #endif +#endif /* MBEDTLS_HAVE_TIME */ TEST_ASSERT(original.tls_version == restored.tls_version); TEST_ASSERT(original.endpoint == restored.endpoint); @@ -2070,11 +2057,6 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, original.max_early_data_size == restored.max_early_data_size); #endif -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (endpoint_type == MBEDTLS_SSL_IS_SERVER) { - TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); - } -#endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) { #if defined(MBEDTLS_HAVE_TIME) -- cgit v1.1 From 3c0072b58e1a6ff4678ef79ff367e6dae848278b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 22 Nov 2023 10:00:14 +0100 Subject: ssl_ticket.c: Base ticket age check on the ticket creation time Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 45 ++++++++++++++++++++++++++++++++++++++++++++- library/ssl_ticket.c | 37 +++++++++++++------------------------ library/ssl_tls12_server.c | 3 +++ library/ssl_tls13_server.c | 7 +++---- 4 files changed, 63 insertions(+), 29 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 542340b..f4b96d8 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1230,7 +1230,22 @@ struct mbedtls_ssl_session { #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) && \ defined(MBEDTLS_HAVE_TIME) - /*! Time in milliseconds when the ticket was created. */ + /*! When a ticket is created by a TLS server as part of an established TLS + * session, the ticket creation time may need to be saved for the ticket + * module to be able to check the ticket age when the ticket is used. + * That's the purpose of this field. + * Before creating a new ticket, an Mbed TLS server set this field with + * its current time in milliseconds. This time may then be saved in the + * session ticket data by the session ticket writing function and + * recovered by the ticket parsing function later when the ticket is used. + * The ticket module may then use this time to compute the ticket age and + * determine if it has expired or not. + * The Mbed TLS implementations of the session ticket writing and parsing + * functions save and retrieve the ticket creation time as part of the + * session ticket data. The session ticket parsing function relies on + * the mbedtls_ssl_session_get_ticket_creation_time() API to get the + * ticket creation time from the session ticket data. + */ mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_creation_time); #endif @@ -2573,6 +2588,34 @@ void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, mbedtls_ssl_ticket_write_t *f_ticket_write, mbedtls_ssl_ticket_parse_t *f_ticket_parse, void *p_ticket); + +#if defined(MBEDTLS_HAVE_TIME) +/** + * \brief Get the creation time of a session ticket. + * + * \note See the documentation of \c ticket_creation_time for information about + * the intended usage of this function. + * + * \param session SSL session + * \param ticket_creation_time On exit, holds the ticket creation time in + * milliseconds. + * + * \return 0 on success, + * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an input is not valid. + */ +static inline int mbedtls_ssl_session_get_ticket_creation_time( + mbedtls_ssl_session *session, mbedtls_ms_time_t *ticket_creation_time) +{ + if (session == NULL || ticket_creation_time == NULL || + session->MBEDTLS_PRIVATE(endpoint) != MBEDTLS_SSL_IS_SERVER) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + *ticket_creation_time = session->MBEDTLS_PRIVATE(ticket_creation_time); + + return 0; +} +#endif /* MBEDTLS_HAVE_TIME */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ /** diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 1ea7a50..5da3887 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -502,33 +502,22 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, } #if defined(MBEDTLS_HAVE_TIME) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { - /* Check for expiration */ - mbedtls_ms_time_t ticket_age = mbedtls_ms_time() - - session->ticket_creation_time; - mbedtls_ms_time_t ticket_lifetime = - (mbedtls_ms_time_t) ctx->ticket_lifetime * 1000; - - if (ticket_age < 0 || ticket_age > ticket_lifetime) { - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; - goto cleanup; - } + mbedtls_ms_time_t ticket_creation_time, ticket_age; + mbedtls_ms_time_t ticket_lifetime = + (mbedtls_ms_time_t) ctx->ticket_lifetime * 1000; + + ret = mbedtls_ssl_session_get_ticket_creation_time(session, + &ticket_creation_time); + if (ret != 0) { + goto cleanup; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { - /* Check for expiration */ - mbedtls_time_t current_time = mbedtls_time(NULL); - if (current_time < session->start || - (uint32_t) (current_time - session->start) > key->lifetime) { - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; - goto cleanup; - } + ticket_age = mbedtls_ms_time() - ticket_creation_time; + if (ticket_age < 0 || ticket_age > ticket_lifetime) { + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; + goto cleanup; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_HAVE_TIME */ +#endif cleanup: #if defined(MBEDTLS_THREADING_C) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index e433627..38f322c 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4282,6 +4282,9 @@ static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) * 10 . 9+n ticket content */ +#if defined(MBEDTLS_HAVE_TIME) + ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time(); +#endif if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, ssl->session_negotiate, ssl->out_msg + 10, diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index fa1f478..ceb07ba 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3140,10 +3140,6 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg")); -#if defined(MBEDTLS_HAVE_TIME) - session->ticket_creation_time = mbedtls_ms_time(); -#endif - /* Set ticket_flags depends on the advertised psk key exchange mode */ mbedtls_ssl_tls13_session_clear_ticket_flags( session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); @@ -3278,6 +3274,9 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2); /* Generate ticket and ticket_lifetime */ +#if defined(MBEDTLS_HAVE_TIME) + session->ticket_creation_time = mbedtls_ms_time(); +#endif ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, session, p + 9 + ticket_nonce_size + 2, -- cgit v1.1 From 40a4ab0e0c7ff17f19f8783b9d4ad3ae5b96fa42 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Jan 2024 10:21:30 +0100 Subject: ssl_tls.c: Factorize save/load of endpoint and ciphersuite Move the save/load of session endpoint and ciphersuite that are common to TLS 1.2 and TLS 1.3 serialized data from the specialized ssl_{tls12,tls13}_session_{save,load} functions to ssl__session_{save,load}. Signed-off-by: Ronald Cron --- library/ssl_tls.c | 64 ++++++++++++++++++++++--------------------------------- 1 file changed, 26 insertions(+), 38 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8fc4d4d..806cc03 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2449,8 +2449,6 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( * } ClientOnlyData; * * struct { - * uint8 endpoint; - * uint8 ciphersuite[2]; * uint32 ticket_age_add; * uint8 ticket_flags; * opaque resumption_key<0..255>; @@ -2476,11 +2474,9 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session, size_t hostname_len = (session->hostname == NULL) ? 0 : strlen(session->hostname) + 1; #endif - size_t needed = 1 /* endpoint */ - + 2 /* ciphersuite */ - + 4 /* ticket_age_add */ - + 1 /* ticket_flags */ - + 1; /* resumption_key length */ + size_t needed = 4 /* ticket_age_add */ + + 1 /* ticket_flags */ + + 1; /* resumption_key length */ *olen = 0; if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) { @@ -2523,14 +2519,12 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session, return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; } - p[0] = session->endpoint; - MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 1); - MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 3); - p[7] = session->ticket_flags; + MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0); + p[4] = session->ticket_flags; /* save resumption_key */ - p[8] = session->resumption_key_len; - p += 9; + p[5] = session->resumption_key_len; + p += 6; memcpy(p, session->resumption_key, session->resumption_key_len); p += session->resumption_key_len; @@ -2589,17 +2583,15 @@ static int ssl_tls13_session_load(mbedtls_ssl_session *session, const unsigned char *p = buf; const unsigned char *end = buf + len; - if (end - p < 9) { + if (end - p < 6) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - session->endpoint = p[0]; - session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 1); - session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 3); - session->ticket_flags = p[7]; + session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0); + session->ticket_flags = p[4]; /* load resumption_key */ - session->resumption_key_len = p[8]; - p += 9; + session->resumption_key_len = p[5]; + p += 6; if (end - p < session->resumption_key_len) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; @@ -3777,11 +3769,16 @@ static int ssl_session_save(const mbedtls_ssl_session *session, } /* - * TLS version identifier + * TLS version identifier, endpoint, ciphersuite */ - used += 1; + used += 1 /* TLS version */ + + 1 /* endpoint */ + + 2; /* ciphersuite */ if (used <= buf_len) { *p++ = MBEDTLS_BYTE_0(session->tls_version); + *p++ = session->endpoint; + MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); + p += 2; } /* Forward to version-specific serialization routine. */ @@ -3864,12 +3861,15 @@ static int ssl_session_load(mbedtls_ssl_session *session, } /* - * TLS version identifier + * TLS version identifier, endpoint, ciphersuite */ - if (1 > (size_t) (end - p)) { + if (4 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++); + session->endpoint = *p++; + session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; /* Dispatch according to TLS version. */ remaining_len = (size_t) (end - p); @@ -8942,8 +8942,6 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( * * struct { * uint64 start_time; - * uint8 endpoint; - * uint8 ciphersuite[2]; // defined by the standard * uint8 session_id_len; // at most 32 * opaque session_id[32]; * opaque master[48]; // fixed length in the standard @@ -8990,18 +8988,12 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, /* * Basic mandatory fields */ - used += 1 /* endpoint */ - + 2 /* ciphersuite */ - + 1 /* id_len */ + used += 1 /* id_len */ + sizeof(session->id) + sizeof(session->master) + 4; /* verify_result */ if (used <= buf_len) { - *p++ = session->endpoint; - MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); - p += 2; - *p++ = MBEDTLS_BYTE_0(session->id_len); memcpy(p, session->id, 32); p += 32; @@ -9147,14 +9139,10 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, /* * Basic mandatory fields */ - if (1 + 2 + 1 + 32 + 48 + 4 > (size_t) (end - p)) { + if (1 + 32 + 48 + 4 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - session->endpoint = *p++; - session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; - session->id_len = *p++; memcpy(session->id, p, 32); p += 32; -- cgit v1.1 From 32294044e14cf166e77b3d4e3bbaac156700808c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Jan 2024 10:07:55 +0100 Subject: Generalize mbedtls_pk_setup_opaque beyond MBEDTLS_USE_PSA_CRYPTO It's useful in applications that want to use some PSA opaque keys regardless of whether all pk operations go through PSA. Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 064b7d2..738e0ab 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -163,7 +163,7 @@ There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it * It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in some scenarios, but not others. For example, it's ok for pkwrite, because we've upgraded the pkwrite code to handle `MBEDTLS_PK_OPAQUE`. That doesn't help users of third-party libraries that haven't yet been upgraded. * It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object. -* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority concern: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.) +* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. This is not a priority concern, since we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA. However, this function is useful to use specific PSA keys in X.509/TLS regardless of whether X.509/TLS use the PSA API for all cryptographic operations, so this is a wart in the current API. It therefore appears that we need two ways to “convert” a PSA key to PK: @@ -305,6 +305,8 @@ Based on the [gap analysis](#using-a-psa-key-as-a-pk-context): [ACTION] Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`. +[ACTION] Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly. + [OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`? #### API to convert between signature formats -- cgit v1.1 From 89ca6c7e72b351cf63f321031b94661d7185f4fd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Jan 2024 10:08:56 +0100 Subject: typo Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 738e0ab..79b08aa 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -290,7 +290,7 @@ int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, * `pk` must be initialized, but not set up. * It is an error if the key is neither a key pair nor a public key. * It is an error if the key is not exportable. -* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS)` as a type, and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse). +* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse). * Once this function returns, the pk object is completely independent of the PSA key. * Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`). For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today. * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. [ACTION] Convey this in the documentation. -- cgit v1.1 From 5a64c426936997fb0128635548e147af977ae1b5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Jan 2024 10:09:16 +0100 Subject: Reference ongoing work Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 79b08aa..e37f50f 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -126,7 +126,7 @@ Since there is no algorithm that can be used with multiple types, and PSA keys h This means converting between an `mbedtls_ecp_group_id` and a pair of `{psa_ecc_family_t; size_t}`. - This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_of_psa`, which were introduced into the public API after Mbed TLS 3.5. + This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_from_psa`, which were introduced into the public API between Mbed TLS 3.5 and 3.6 ([#8664](https://github.com/Mbed-TLS/mbedtls/pull/8664)). * Selecting A **DHM group**. -- cgit v1.1 From bbff303fe13a070e630353ac3e1658f584119fe0 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 11:47:44 +0100 Subject: crypto_config: define feature macros for DH keys Signed-off-by: Valerio Setti --- include/psa/crypto_config.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 5bf00f4..36e937a 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -109,6 +109,12 @@ #define PSA_WANT_ECC_SECP_R1_384 1 #define PSA_WANT_ECC_SECP_R1_521 1 +#define PSA_WANT_DH_RFC7919_2048 1 +#define PSA_WANT_DH_RFC7919_3072 1 +#define PSA_WANT_DH_RFC7919_4096 1 +#define PSA_WANT_DH_RFC7919_6144 1 +#define PSA_WANT_DH_RFC7919_8192 1 + #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_PASSWORD 1 #define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1 -- cgit v1.1 From 42a025dc9cc26e5f185e3edf6811268c7702a30c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Jan 2024 12:35:15 +0100 Subject: Reference filed issues All PK-related actions are now covered. Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index e37f50f..873fc39 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -255,7 +255,7 @@ To allow the full flexibility around policies, and make the creation of a persis This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not bake in the implementation-specific consideration that a PSA key has exactly two algorithms, and also allows the caller to benefit from default for the policy in more cases. -[ACTION] Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`. +[ACTION] [#8708](https://github.com/Mbed-TLS/mbedtls/issues/8708) Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`. ``` int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, @@ -280,7 +280,7 @@ int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, Based on the [gap analysis](#using-a-psa-key-as-a-pk-context): -[ACTION] Implement `mbedtls_pk_copy_from_psa` as described below. +[ACTION] [#8709](https://github.com/Mbed-TLS/mbedtls/issues/8709) Implement `mbedtls_pk_copy_from_psa` as described below. ``` int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, @@ -293,7 +293,7 @@ int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, * The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse). * Once this function returns, the pk object is completely independent of the PSA key. * Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`). For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today. - * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. [ACTION] Convey this in the documentation. + * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. Convey this in the documentation. * [OPEN] How do we distinguish between signature-only and encryption-only RSA keys? Do we just allow both (e.g. a PSS key gets generalized into a PSS/OAEP key)? * [OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`? @@ -303,9 +303,9 @@ int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, Based on the [gap analysis](#using-a-psa-key-as-a-pk-context): -[ACTION] Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`. +[ACTION] [#8712](https://github.com/Mbed-TLS/mbedtls/issues/8712) Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`. -[ACTION] Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly. +[ACTION] [#8710](https://github.com/Mbed-TLS/mbedtls/issues/8710) Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly. [OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`? -- cgit v1.1 From 702d9f65f681f9b493c774a0fdd61ccf9e23a305 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Jan 2024 12:58:25 +0100 Subject: Resolve several open questions as nothing special to do Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 873fc39..7fe03d7 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -81,7 +81,11 @@ Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap a #### Need for error code conversion -[OPEN] Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use. +Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use. + +Mbed TLS needs these conversions because it has many functions that expose one API (legacy/API) but are implemented on top of the other API. Most applications would convert legacy and PSA error code to their own error codes, and converting between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` is not particularly helpful for that. Application code might need such conversion functions when implementing an X.509 or TLS callback (returning `MBEDTLS_ERR_xxx`) on top of PSA functions, but this is a very limited use case. + +Conclusion: no need for public error code conversion functions. ### Hash gap analysis @@ -172,7 +176,7 @@ It therefore appears that we need two ways to “convert” a PSA key to PK: Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable. -[OPEN] Is `mbedtls_pk_setup_opaque` ok or do we want to tweak it? +After some discussion, have not identified anything we want to change in the behavior of `mbedtls_pk_setup_opaque`. We only want to generalize it to non-`MBEDTLS_USE_PSA_CRYPTO` and to document it better. #### Signature formats @@ -238,6 +242,7 @@ Based on the [gap analysis](#asymmetric-cryptography-metadata): * No further work is needed about ECC specifically. We have just added adequate functions. * No further work is needed about DHM specifically. There is no good way to translate the relevant information. * [OPEN] Is there a decent way to convert between `mbedtls_pk_type_t` plus extra information, and `psa_key_type_t` plus policy information? The two APIs are different in crucial ways, with different splits between key type, policy information and operation algorithm. + Thinking so far: there isn't really a nice way to present this conversion. For a specific key, `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_copy_from_psa` do the job. #### API to create a PSA key from a PK context @@ -292,12 +297,10 @@ int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, * It is an error if the key is not exportable. * The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse). * Once this function returns, the pk object is completely independent of the PSA key. -* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`). For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today. +* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`) if that is a matching operation type (sign/verify, encrypt/decrypt), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`). + * For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today. + * For an RSA key, the output key will allow both encrypt/decrypt and sign/verify regardless of the original key's policy. The original key's policy determines the output key's padding mode. * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. Convey this in the documentation. - * [OPEN] How do we distinguish between signature-only and encryption-only RSA keys? Do we just allow both (e.g. a PSS key gets generalized into a PSS/OAEP key)? - * [OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`? - -[OPEN] Should there be a way to use a different algorithm? This can be resolved by `psa_copy_key` on the input to tweak the policy if needed. #### API to create a PK object that wraps a PSA key -- cgit v1.1 From d5b04a0c639f7f148f33c3e224b0731fea3f1dc0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Jan 2024 14:29:21 +0100 Subject: Add a usage parameter to mbedtls_pk_get_psa_attributes Let the user specify whether to use the key as a sign/verify key, an encrypt/decrypt key or a key agreement key. Also let the user indicate if they just want the public part when the input is a key pair. Based on a discussion in https://github.com/Mbed-TLS/mbedtls/pull/8682#discussion_r1444936480 Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 7fe03d7..3039968 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -264,6 +264,7 @@ This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not ``` int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, + psa_key_usage_flags_t usage, psa_key_attributes_t *attributes); int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, const psa_key_attributes_t *attributes, @@ -271,11 +272,21 @@ int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, ``` * `mbedtls_pk_get_psa_attributes` does not change the id/lifetime fields of the attributes (which indicate a volatile key by default). + * [OPEN] Or should it reset them to 0? Resetting is more convenient for the case where the pk key is a `MBEDTLS_PK_OPAQUE`. But that's an uncommon use case. It's probably less surprising if this function leaves the lifetime-related alone, since its job is to set the type-related and policy-related attributes. * `mbedtls_pk_get_psa_attributes` sets the type and size based on what's in the pk context. - * The key type is a key pair if the context contains a private key, and a public key if the context only contains a public key. -* `mbedtls_pk_get_psa_attributes` sets all the potentially applicable usage flags: `EXPORT`, `COPY`; `VERIFY_HASH | VERIFY_MESSAGE` or `ENCRYPT` as applicable for both public keys and key pairs; `SIGN` or `DECRYPT` as applicable for a key pair. -* [OPEN] What is the default algorithm for `mbedtls_pk_get_psa_attributes`? Suggestion: assume signature by default. For RSA, either `PSA_RSA_PKCS1_V15_SIGN(PSA_ALG_ANY_HASH)` or `PSA_ALG_RSA_PSS(hash_alg)` depending on the RSA context's padding mode. For ECC, `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. -* [OPEN] Or does `mbedtls_pk_get_psa_attributes` need an extra argument that conveys some kind of policy for RSA keys and, independently, some kind of policy for ECC keys? + * The key type is a key pair if the context contains a private key and the indicated usage is a private-key usage. The key type is a public key if the context only contains a public key, in which case a private-key usage is an error. +* `mbedtls_pk_get_psa_attributes` sets the usage flags based on the `usage` parameter. It extends the usage to other usage that is possible: + * `EXPORT` and `COPY` are always set. + * If `SIGN_{HASH,MESSAGE}` is set then so is `VERIFY_{HASH,MESSAGE}`. + * If `DECRYPT` is set then so is `ENCRYPT`. + * It is an error if `usage` has more than one flag set, or has a usage that is incompatible with the key type. +* `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key object and on `usage`. + * For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_PKCS1V15_CRYPT` for an encrypt/decrypt usage. + * For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.) + * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDSA` with a sign/verify usage, the algorithm policy is `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. In either case, the hash policy is `PSA_ALG_ANY_HASH`. + * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDKEY_DH` with the usage `PSA_KEY_USAGE_DERIVE`, the algorithm is `PSA_ALG_ECDH`. + * For a `MBEDTLS_PK_OPAQUE`, this function reads the attributes of the existing PK key and copies them (without overriding the lifetime and key identifier in `attributes`), then applies a public-key restriction if needed. + * Public-key restriction: if `usage` is a public-key usage, change the type to the corresponding public-key type, and remove private-key usage flags from the usage flags read from the existing key. * `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key). * The key type can be a public key even if the private key is available. * `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks. -- cgit v1.1 From dd77343381161e09a63b4694001da3957e27d3a7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Jan 2024 14:33:32 +0100 Subject: Open question for ECDSA signature that can be resolved during implementation Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index 3039968..fb00705 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -339,3 +339,5 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, * These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`. * The input and output buffers can overlap. + +[OPEN] Should these functions rely on the ASN.1 module? To be decided when implementing. -- cgit v1.1 From fecef8bc8ed50051463a901f544c02095a9f72ca Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 12:06:40 +0100 Subject: config_adjust: fix adjustments between legacy and PSA Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_from_psa.h | 35 +++++++++++++++++++++++++ include/mbedtls/config_adjust_psa_from_legacy.h | 11 +++++++- 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 691fed6..3d2293d 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -440,6 +440,41 @@ /* End of ECC section */ +#if defined(PSA_WANT_DH_RFC7919_2048) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1 +#define MBEDTLS_DHM_C +#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */ +#endif /* PSA_WANT_DH_RFC7919_2048 */ + +#if defined(PSA_WANT_DH_RFC7919_3072) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1 +#define MBEDTLS_DHM_C +#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */ +#endif /* PSA_WANT_DH_RFC7919_3072 */ + +#if defined(PSA_WANT_DH_RFC7919_4096) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1 +#define MBEDTLS_DHM_C +#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */ +#endif /* PSA_WANT_DH_RFC7919_4096 */ + +#if defined(PSA_WANT_DH_RFC7919_6144) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1 +#define MBEDTLS_DHM_C +#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */ +#endif /* PSA_WANT_DH_RFC7919_6144 */ + +#if defined(PSA_WANT_DH_RFC7919_8192) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1 +#define MBEDTLS_DHM_C +#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */ +#endif /* PSA_WANT_DH_RFC7919_8192 */ + #if defined(PSA_WANT_ALG_FFDH) #if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) #define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1 diff --git a/include/mbedtls/config_adjust_psa_from_legacy.h b/include/mbedtls/config_adjust_psa_from_legacy.h index b841875..3456615 100644 --- a/include/mbedtls/config_adjust_psa_from_legacy.h +++ b/include/mbedtls/config_adjust_psa_from_legacy.h @@ -81,13 +81,22 @@ #define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 #define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1 #define PSA_WANT_ALG_FFDH 1 -#define PSA_WANT_DH_FAMILY_RFC7919 1 +#define PSA_WANT_DH_RFC7919_2048 1 +#define PSA_WANT_DH_RFC7919_3072 1 +#define PSA_WANT_DH_RFC7919_4096 1 +#define PSA_WANT_DH_RFC7919_6144 1 +#define PSA_WANT_DH_RFC7919_8192 1 #define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1 +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1 +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1 +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1 +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1 +#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1 #endif /* MBEDTLS_DHM_C */ #if defined(MBEDTLS_GCM_C) -- cgit v1.1 From 4ed8daa929c9ccf6a401fb39caa8c41c31154a35 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 12:16:14 +0100 Subject: psa_crypto_ffdh: add guards for enabled domain parameters Signed-off-by: Valerio Setti --- library/psa_crypto_ffdh.c | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/library/psa_crypto_ffdh.c b/library/psa_crypto_ffdh.c index a57f02e..6cc086e 100644 --- a/library/psa_crypto_ffdh.c +++ b/library/psa_crypto_ffdh.c @@ -35,58 +35,78 @@ static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size, return PSA_ERROR_INVALID_ARGUMENT; } +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048) static const unsigned char dhm_P_2048[] = MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN; - static const unsigned char dhm_P_3072[] = - MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN; - static const unsigned char dhm_P_4096[] = - MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN; - static const unsigned char dhm_P_6144[] = - MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN; - static const unsigned char dhm_P_8192[] = - MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN; static const unsigned char dhm_G_2048[] = MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072) + static const unsigned char dhm_P_3072[] = + MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN; static const unsigned char dhm_G_3072[] = MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096) + static const unsigned char dhm_P_4096[] = + MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN; static const unsigned char dhm_G_4096[] = MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144) + static const unsigned char dhm_P_6144[] = + MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN; static const unsigned char dhm_G_6144[] = MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192) + static const unsigned char dhm_P_8192[] = + MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN; static const unsigned char dhm_G_8192[] = MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */ switch (key_size) { +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048) case sizeof(dhm_P_2048): dhm_P = dhm_P_2048; dhm_G = dhm_G_2048; dhm_size_P = sizeof(dhm_P_2048); dhm_size_G = sizeof(dhm_G_2048); break; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072) case sizeof(dhm_P_3072): dhm_P = dhm_P_3072; dhm_G = dhm_G_3072; dhm_size_P = sizeof(dhm_P_3072); dhm_size_G = sizeof(dhm_G_3072); break; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096) case sizeof(dhm_P_4096): dhm_P = dhm_P_4096; dhm_G = dhm_G_4096; dhm_size_P = sizeof(dhm_P_4096); dhm_size_G = sizeof(dhm_G_4096); break; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144) case sizeof(dhm_P_6144): dhm_P = dhm_P_6144; dhm_G = dhm_G_6144; dhm_size_P = sizeof(dhm_P_6144); dhm_size_G = sizeof(dhm_G_6144); break; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192) case sizeof(dhm_P_8192): dhm_P = dhm_P_8192; dhm_G = dhm_G_8192; dhm_size_P = sizeof(dhm_P_8192); dhm_size_G = sizeof(dhm_G_8192); break; +#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */ default: return PSA_ERROR_INVALID_ARGUMENT; } -- cgit v1.1 From de504130090b952e3eb4e95522b057b36fb32ca0 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 12:21:55 +0100 Subject: crypto_sizes: adjust PSA_VENDOR_FFDH_MAX_KEY_BITS based on the supported groups Signed-off-by: Valerio Setti --- include/psa/crypto_sizes.h | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 836c28c..635ee98 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -224,10 +224,20 @@ #endif /* The maximum size of an DH key on this implementation, in bits. - * - * Note that an implementation may set different size limits for different - * operations, and does not need to accept all key sizes up to the limit. */ + * This is a vendor-specific macro.*/ +#if defined(PSA_WANT_DH_RFC7919_8192) #define PSA_VENDOR_FFDH_MAX_KEY_BITS 8192u +#elif defined(PSA_WANT_DH_RFC7919_6144) +#define PSA_VENDOR_FFDH_MAX_KEY_BITS 6144u +#elif defined(PSA_WANT_DH_RFC7919_4096) +#define PSA_VENDOR_FFDH_MAX_KEY_BITS 4096u +#elif defined(PSA_WANT_DH_RFC7919_3072) +#define PSA_VENDOR_FFDH_MAX_KEY_BITS 3072u +#elif defined(PSA_WANT_DH_RFC7919_2048) +#define PSA_VENDOR_FFDH_MAX_KEY_BITS 2048u +#else +#define PSA_VENDOR_FFDH_MAX_KEY_BITS 0u +#endif /* The maximum size of an ECC key on this implementation, in bits. * This is a vendor-specific macro. */ -- cgit v1.1 From ecaf7c5690b7a82e73f8803b04fb9c2266451d65 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 12:30:30 +0100 Subject: ssl_tls: add guards for enabled DH key types Signed-off-by: Valerio Setti --- library/ssl_tls13_generic.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 47fa65c..a20e28a 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1539,26 +1539,36 @@ static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id( uint16_t tls_id, size_t *bits, psa_key_type_t *key_type) { switch (tls_id) { +#if defined(PSA_WANT_DH_RFC7919_2048) case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048: *bits = 2048; *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); return PSA_SUCCESS; +#endif /* PSA_WANT_DH_RFC7919_2048 */ +#if defined(PSA_WANT_DH_RFC7919_3072) case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072: *bits = 3072; *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); return PSA_SUCCESS; +#endif /* PSA_WANT_DH_RFC7919_3072 */ +#if defined(PSA_WANT_DH_RFC7919_4096) case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096: *bits = 4096; *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); return PSA_SUCCESS; +#endif /* PSA_WANT_DH_RFC7919_4096 */ +#if defined(PSA_WANT_DH_RFC7919_6144) case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144: *bits = 6144; *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); return PSA_SUCCESS; +#endif /* PSA_WANT_DH_RFC7919_6144 */ +#if defined(PSA_WANT_DH_RFC7919_8192) case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192: *bits = 8192; *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); return PSA_SUCCESS; +#endif /* PSA_WANT_DH_RFC7919_8192 */ default: return PSA_ERROR_NOT_SUPPORTED; } -- cgit v1.1 From e8683ce9eff13f054d602e9c60023f09420e9396 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 12:34:06 +0100 Subject: ssl_test_lib: add guards for enabled DH groups Signed-off-by: Valerio Setti --- programs/ssl/ssl_test_lib.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index b49dd67..650fbfb 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -515,17 +515,31 @@ static const struct { #endif #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \ defined(PSA_WANT_ALG_FFDH) +#if defined(PSA_WANT_DH_RFC7919_2048) { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", 1 }, - { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 1 }, - { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 1 }, - { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 1 }, - { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 1 }, -#else +#else /* PSA_WANT_DH_RFC7919_2048 */ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", 0 }, +#endif /* PSA_WANT_DH_RFC7919_2048 */ +#if defined(PSA_WANT_DH_RFC7919_3072) + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 1 }, +#else /* PSA_WANT_DH_RFC7919_3072 */ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 0 }, +#endif /* PSA_WANT_DH_RFC7919_3072 */ +#if defined(PSA_WANT_DH_RFC7919_4096) + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 1 }, +#else /* PSA_WANT_DH_RFC7919_4096 */ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 0 }, +#endif /* PSA_WANT_DH_RFC7919_4096 */ +#if defined(PSA_WANT_DH_RFC7919_6144) + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 1 }, +#else /* PSA_WANT_DH_RFC7919_6144 */ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 0 }, +#endif /* PSA_WANT_DH_RFC7919_6144 */ +#if defined(PSA_WANT_DH_RFC7919_8192) + { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 1 }, +#else /* PSA_WANT_DH_RFC7919_8192 */ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 0 }, +#endif /* PSA_WANT_DH_RFC7919_8192 */ #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED && PSA_WANT_ALG_FFDH */ { 0, NULL, 0 }, }; -- cgit v1.1 From 504a10254c3867d3241052e251a4820e2580d92e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 15:19:30 +0100 Subject: psa_crypto: do not validate DH groups which are not enabled Signed-off-by: Valerio Setti --- library/psa_crypto.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a8baa6b..9173757 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -129,12 +129,30 @@ int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg) defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) static int psa_is_dh_key_size_valid(size_t bits) { - if (bits != 2048 && bits != 3072 && bits != 4096 && - bits != 6144 && bits != 8192) { - return 0; + switch (bits) { +#if defined(PSA_WANT_DH_RFC7919_2048) + case 2048: + return 1; +#endif /* PSA_WANT_DH_RFC7919_2048 */ +#if defined(PSA_WANT_DH_RFC7919_3072) + case 3072: + return 1; +#endif /* PSA_WANT_DH_RFC7919_3072 */ +#if defined(PSA_WANT_DH_RFC7919_4096) + case 4096: + return 1; +#endif /* PSA_WANT_DH_RFC7919_4096 */ +#if defined(PSA_WANT_DH_RFC7919_6144) + case 6144: + return 1; +#endif /* PSA_WANT_DH_RFC7919_6144 */ +#if defined(PSA_WANT_DH_RFC7919_8192) + case 8192: + return 1; +#endif /* PSA_WANT_DH_RFC7919_8192 */ + default: + return 0; } - - return 1; } #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT || MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY || @@ -577,7 +595,7 @@ psa_status_t psa_import_key_into_slot( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) if (PSA_KEY_TYPE_IS_DH(type)) { if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) { - return PSA_ERROR_INVALID_ARGUMENT; + return PSA_ERROR_NOT_SUPPORTED; } return mbedtls_psa_ffdh_import_key(attributes, data, data_length, -- cgit v1.1 From 6bed64ec75599106f9aff9326f1a2d8080b15bde Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 15:21:44 +0100 Subject: all.sh: add new component with only DH 2048 bits. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d2..0b2a36a 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2374,6 +2374,26 @@ component_test_depends_py_pkalgs_psa () { tests/scripts/depends.py pkalgs } +component_test_psa_crypto_config_ffdh_2048_only () { + msg "build: full config - only DH 2048" + + scripts/config.py full + + # Disable all DH groups other than 2048. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 + + make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full config - only DH 2048" + make test + + msg "ssl-opt: full config - only DH 2048" + tests/ssl-opt.sh -f "ffdh" +} + component_build_no_pk_rsa_alt_support () { msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s -- cgit v1.1 From 48a847afb7d34b26050904fc3155a55852e45cb4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 15:22:47 +0100 Subject: tests: add guards for DH groups Signed-off-by: Valerio Setti --- scripts/mbedtls_dev/psa_information.py | 2 +- tests/suites/test_suite_psa_crypto.data | 132 ++++++++++++++++---------------- 2 files changed, 67 insertions(+), 67 deletions(-) diff --git a/scripts/mbedtls_dev/psa_information.py b/scripts/mbedtls_dev/psa_information.py index b21a0cf..6080386 100644 --- a/scripts/mbedtls_dev/psa_information.py +++ b/scripts/mbedtls_dev/psa_information.py @@ -82,7 +82,7 @@ def automatic_dependencies(*expressions: str) -> List[str]: """ used = set() for expr in expressions: - used.update(re.findall(r'PSA_(?:ALG|ECC_FAMILY|KEY_TYPE)_\w+', expr)) + used.update(re.findall(r'PSA_(?:ALG|ECC_FAMILY|DH_FAMILY|KEY_TYPE)_\w+', expr)) used.difference_update(SYMBOLS_WITHOUT_DEPENDENCY) return sorted(psa_want_symbol(name) for name in used) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 1bd8b65..b1bc678 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -507,167 +507,167 @@ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:P import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:0:PSA_SUCCESS:0 PSA import/export FFDH RFC7919 2048 key pair: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048 import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:2048:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 2048 public key: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048 import_export:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 3072 key pair: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072 import_export:"A13B0B091871DE0F21FA9031BFFB6F37C485F0553B0468169A04AC0E2710185C9D8B5C5FB01C2846CEBA007298CB0F208DA2CF551C5098281EB4490647B733636EE14F6F4540EA05434AC258090A575D10EF9523AA4B545D27851878FAA04361D9412E3B55645A52BE03EE2E6DF0F83DBA295363E68F7307B5A19E205B655E6CFE005217D69B2F521A61CE23C286426D11A09768B5657A32E9965A49AE2BF4476582A278B7515B3B46F70368F324724ED4A1F36364AB4D6E3ADCA53142834353A9EB37747D26680A4B8D9A30BADACD172872BC677212B328B47B117901B4EA22C8760D7B727FFF276FA4E36082A0605E590F732F24468201DD05BF4A5710C546FAE1B153F8668D6E1A9707340B82493CADCC0721032E627DB9AD3D04124FAA19BB7FBD38FFA4416C05741C688F21B11C63508F5A3F50C219D1A4F46F0D3CC74EBD762A241C328F20C7169566E5E8E60B8F4442497B92A65FE69CD12E57BB4F44ED11A6075541B50FD95BB0224621193779873711B6616F6D9E31DE7D7369E963":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:3072:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 3072 public key: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072 import_export:"57214B78F3045CA8996F024B97AFCE32F3B8D24A0F1A6E37F83559C3B07270F830D9EEB40E22BE7D53C8215832C024DF8602815D087CFD546392EC338C2683FF2329BEA2236E94184037284C8A8FE6DC9F56BBEC47C887953FE2AF8700A96ED13B1DD50EA7065C2D102DE1CF037699C47A3A96CC561C5B7E1D5DCE028BB8CEB15EC9B6A8D7E12224B95D893DA596B0C198C0E07C566C7A008C2F260D358DA9D2C2EFD7182B6B03501321408791769D567FC61BE2F9BEF8D58A82AEEA857F088FF89075B0263074FF403EA94673AA2C4728ED966B23BDEB1A240BBEE9343548E02755579FFB158F9BBB11525C5081C0681A969BC6D828F74CF577FA27AEA68A5E56E8505688653590CB9CAA5D76B40BD113764141E1DD7BB09A24023C0EDE10D2C8826FACCD4EC7B2896FE6F2A1E9925C0DFBEB48A4501D57B23A2F6624772664472B5FA76AD952EEE3AABEE33897324DA167ABCD13504F85114A57CA038629437333F6B2D93F8776C8B4ACED82696BEFBE802B3281A2E1FB32A940A4A714C853":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:3072:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 4096 key pair: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096 import_export:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C65533":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:4096:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 4096 public key: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096 import_export:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:4096:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 6144 key pair: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144 import_export:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF18524A":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:6144:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 6144 public key: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144 import_export:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:6144:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 8192 key pair: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192 import_export:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE387881224C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:8192:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 8192 public key: good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192 import_export:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:8192:0:PSA_SUCCESS:1 PSA import/export FFDH RFC7919 2048 key pair: export not permitterd -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048 import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_NOT_PERMITTED:1 PSA import/export FFDH RFC7919 2040 key pair: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048 import_with_data:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 2040 public key: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048 import_with_data:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):2048:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 3064 key pair: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072 import_with_data:"A13B0B091871DE0F21FA9031BFFB6F37C485F0553B0468169A04AC0E2710185C9D8B5C5FB01C2846CEBA007298CB0F208DA2CF551C5098281EB4490647B733636EE14F6F4540EA05434AC258090A575D10EF9523AA4B545D27851878FAA04361D9412E3B55645A52BE03EE2E6DF0F83DBA295363E68F7307B5A19E205B655E6CFE005217D69B2F521A61CE23C286426D11A09768B5657A32E9965A49AE2BF4476582A278B7515B3B46F70368F324724ED4A1F36364AB4D6E3ADCA53142834353A9EB37747D26680A4B8D9A30BADACD172872BC677212B328B47B117901B4EA22C8760D7B727FFF276FA4E36082A0605E590F732F24468201DD05BF4A5710C546FAE1B153F8668D6E1A9707340B82493CADCC0721032E627DB9AD3D04124FAA19BB7FBD38FFA4416C05741C688F21B11C63508F5A3F50C219D1A4F46F0D3CC74EBD762A241C328F20C7169566E5E8E60B8F4442497B92A65FE69CD12E57BB4F44ED11A6075541B50FD95BB0224621193779873711B6616F6D9E31DE7D7369E9":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):3072:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 3064 public key: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072 import_with_data:"57214B78F3045CA8996F024B97AFCE32F3B8D24A0F1A6E37F83559C3B07270F830D9EEB40E22BE7D53C8215832C024DF8602815D087CFD546392EC338C2683FF2329BEA2236E94184037284C8A8FE6DC9F56BBEC47C887953FE2AF8700A96ED13B1DD50EA7065C2D102DE1CF037699C47A3A96CC561C5B7E1D5DCE028BB8CEB15EC9B6A8D7E12224B95D893DA596B0C198C0E07C566C7A008C2F260D358DA9D2C2EFD7182B6B03501321408791769D567FC61BE2F9BEF8D58A82AEEA857F088FF89075B0263074FF403EA94673AA2C4728ED966B23BDEB1A240BBEE9343548E02755579FFB158F9BBB11525C5081C0681A969BC6D828F74CF577FA27AEA68A5E56E8505688653590CB9CAA5D76B40BD113764141E1DD7BB09A24023C0EDE10D2C8826FACCD4EC7B2896FE6F2A1E9925C0DFBEB48A4501D57B23A2F6624772664472B5FA76AD952EEE3AABEE33897324DA167ABCD13504F85114A57CA038629437333F6B2D93F8776C8B4ACED82696BEFBE802B3281A2E1FB32A940A4A714C8":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):3072:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 4088 key pair: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096 import_with_data:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C655":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 4088 public key: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096 import_with_data:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):4096:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 6136 key pair: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144 import_with_data:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF1852":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):6144:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 6136 public key: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144 import_with_data:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE688":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):6144:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 8184 key pair: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192 import_with_data:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE38788122":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 8184 public key: import invalid key length -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192 import_with_data:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F02811":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):8192:PSA_ERROR_INVALID_ARGUMENT PSA import/export FFDH RFC7919 2048 key pair: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048 import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 2048 public key: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048 import_export:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 3072 key pair: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072 import_export:"A13B0B091871DE0F21FA9031BFFB6F37C485F0553B0468169A04AC0E2710185C9D8B5C5FB01C2846CEBA007298CB0F208DA2CF551C5098281EB4490647B733636EE14F6F4540EA05434AC258090A575D10EF9523AA4B545D27851878FAA04361D9412E3B55645A52BE03EE2E6DF0F83DBA295363E68F7307B5A19E205B655E6CFE005217D69B2F521A61CE23C286426D11A09768B5657A32E9965A49AE2BF4476582A278B7515B3B46F70368F324724ED4A1F36364AB4D6E3ADCA53142834353A9EB37747D26680A4B8D9A30BADACD172872BC677212B328B47B117901B4EA22C8760D7B727FFF276FA4E36082A0605E590F732F24468201DD05BF4A5710C546FAE1B153F8668D6E1A9707340B82493CADCC0721032E627DB9AD3D04124FAA19BB7FBD38FFA4416C05741C688F21B11C63508F5A3F50C219D1A4F46F0D3CC74EBD762A241C328F20C7169566E5E8E60B8F4442497B92A65FE69CD12E57BB4F44ED11A6075541B50FD95BB0224621193779873711B6616F6D9E31DE7D7369E963":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:3072:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 3072 public key: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072 import_export:"57214B78F3045CA8996F024B97AFCE32F3B8D24A0F1A6E37F83559C3B07270F830D9EEB40E22BE7D53C8215832C024DF8602815D087CFD546392EC338C2683FF2329BEA2236E94184037284C8A8FE6DC9F56BBEC47C887953FE2AF8700A96ED13B1DD50EA7065C2D102DE1CF037699C47A3A96CC561C5B7E1D5DCE028BB8CEB15EC9B6A8D7E12224B95D893DA596B0C198C0E07C566C7A008C2F260D358DA9D2C2EFD7182B6B03501321408791769D567FC61BE2F9BEF8D58A82AEEA857F088FF89075B0263074FF403EA94673AA2C4728ED966B23BDEB1A240BBEE9343548E02755579FFB158F9BBB11525C5081C0681A969BC6D828F74CF577FA27AEA68A5E56E8505688653590CB9CAA5D76B40BD113764141E1DD7BB09A24023C0EDE10D2C8826FACCD4EC7B2896FE6F2A1E9925C0DFBEB48A4501D57B23A2F6624772664472B5FA76AD952EEE3AABEE33897324DA167ABCD13504F85114A57CA038629437333F6B2D93F8776C8B4ACED82696BEFBE802B3281A2E1FB32A940A4A714C853":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:3072:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 4096 key pair: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096 import_export:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C65533":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:4096:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 4096 public key: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096 import_export:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:4096:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 6144 key pair: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144 import_export:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF18524A":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:6144:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 6144 public key: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144 import_export:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:6144:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 8192 key pair: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192 import_export:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE387881224C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:8192:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export FFDH RFC7919 8192 public key: export buffer to small -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192 import_export:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:8192:0:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA import/export-public FFDH RFC7919 public key 2048 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048 import_export_public_key:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0" PSA import/export-public FFDH RFC7919 key pair 2048 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048 import_export_public_key:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"AA396C4E08F47E499243FF17B3E0D019415A52FB6E31FCA71B2B9F46FE84E3A611757DD414A21E1BE8A8FFD60479348245918F7D771EC4A78733F627F72CE0FE1717EE3950B4DB7982577A332CC66C3F3EEB79CD604568644FD3EDAE35A08F3C75C7A99E1A24CB8B56CF7D102984568C0D93BAB9C760F22BB2AC3BEE62E532010E6EEB5A3FB2ABE1EEE1562C1C8D9AC8F781B7283C846B435F4BD4F437EE4D60B97B6EF6ECE675F199E6A40EEFFDC8C65F2973B662782FD2069AEFC026560FA57DE67474AD1A5C8837FF0644F6D0E79161DE5AC38B4837818A5EC38D335D6ECCCC1F9FC676D3548BA30635C5DB24C02BF86977E401E47C3262B81C84C340D729" PSA import/export-public FFDH RFC7919 public key 3072 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072 import_export_public_key:"8B6C629D0251EAA04FF127A9E2D748D744813E6F158F7BA3E4BBC50F928F9EFD689A7DDDA44023F0177DBDA344B2A9B9FED648F911118EA3C4ADBB6D3B1A85880BA80DD28B6E6FBB766D1B6858618013AAFA5A8FD4290E7D52FFD75682CB0EDD99B7AD314F4F4780F00114C344BA0574AD59975DD4FB0A93A46F1BBE98A52C21735381BCB8D3886F0345C4ABDFAD2C1B877E910D64AB4F57CCB419E386E3C81BD09E5755F88E7EA724967AD1C2E8D7AC2B2417CD6B0EB9C1366B413A461BF3249316B71912496EBA269A38E90CB324BA06BEA3B555D5E0D62EF817B2503017AD3D120EAC0CD61FB0A5C71E1C50FEEC90F4CFB11890AF21C2F1EDB501B2BB44AE3CED3C64204033144F293F696FEE4468623B3EFA405C2C00B9CD040B52442DA32C3C23E33930E4129390A5BCD061198C75AFE7DA8FF0EADA0DE931A5233C7C46D36C02B855315084CCDA54BFD155CEEA2C0C17AFB80987C54680828E1B9B2F6D2BB5FA3F7E70455CE8B66AC2D54762BB6D76CF6CE345BCD6CD2AF6A56010F512":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"8B6C629D0251EAA04FF127A9E2D748D744813E6F158F7BA3E4BBC50F928F9EFD689A7DDDA44023F0177DBDA344B2A9B9FED648F911118EA3C4ADBB6D3B1A85880BA80DD28B6E6FBB766D1B6858618013AAFA5A8FD4290E7D52FFD75682CB0EDD99B7AD314F4F4780F00114C344BA0574AD59975DD4FB0A93A46F1BBE98A52C21735381BCB8D3886F0345C4ABDFAD2C1B877E910D64AB4F57CCB419E386E3C81BD09E5755F88E7EA724967AD1C2E8D7AC2B2417CD6B0EB9C1366B413A461BF3249316B71912496EBA269A38E90CB324BA06BEA3B555D5E0D62EF817B2503017AD3D120EAC0CD61FB0A5C71E1C50FEEC90F4CFB11890AF21C2F1EDB501B2BB44AE3CED3C64204033144F293F696FEE4468623B3EFA405C2C00B9CD040B52442DA32C3C23E33930E4129390A5BCD061198C75AFE7DA8FF0EADA0DE931A5233C7C46D36C02B855315084CCDA54BFD155CEEA2C0C17AFB80987C54680828E1B9B2F6D2BB5FA3F7E70455CE8B66AC2D54762BB6D76CF6CE345BCD6CD2AF6A56010F512" PSA import/export-public FFDH RFC7919 key pair 3072 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072 import_export_public_key:"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"c6dbc8151d22313ab19feea7be0f22f798ff9bec21e9da9b5020b6028395d4a3258f3db0cee7adda3f56864863d4c565498d59b205bcbcc3fc098d78efd4e6b4e09b97971c6fd00cd2fa63bb0b3c7380cc1c19fbb34d077fda61c4a71c254242aa5870786b5d0fd3cb179f64f737eb7ab83b57ca70f93955f49b43869ca2ea441650f48a516137229be2926b02129de4089c9d129df7d76848ecda1bcecda1cf95df195e8e388ee70fac0f1c4d9b38e745b067ee88b32e6d59cb159a95852f18b121f85fedfbb6a2c6962ed70cc1ae471813e1bdc053abacccd1eec79359a6f15ec55d92bbf3890b912fbbb2c029407e1493315394a290f4ce81c0d9dccfbab386b745145cb173b9e08f018d309200691b72acafb313cebf483ff8810080bce9516aa5382a18c3c10965a33176d93d8c51f83d6fca7f606200bb7c779a891fd65dd7ed6972f6835f4e94d928f89f1d0ee204b1ef073a761c65241a76f254695ac31842600aa0753c94e6c805c24ed101bbb26c96928db1166a91c7fea8bc3b90" PSA import/export-public FFDH RFC7919 public key 4096 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096 import_export_public_key:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B" PSA import/export-public FFDH RFC7919 key pair 4096 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096 import_export_public_key:"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"e0c2e35be32adb92560e6557d07ba9bab295792063a2724f9e381e9f2644423e73efeb074ddee70388444bc1a67edfe496a6c38eafff45ec500278f9b896a6fb1de4a59461e6fcf1de17867018e0c362876ae107fd4287383989a4ab41cd44844b103cf58085aa52b49527df433446fa5c4665037475e8f78c8d64d5d60a462603d292d02c539329e9d48c25e05083fa98fd6a513c84f0e2ced9121c2f5922559abb5e2fe3081e6bf2256d6043af211a70fe48e371bf683b953f199821fe0fbe924151dc772e72db53492ba5613bcf5661b7ed419fa02f332443be5f8b97908800077306abf6fd796afdbbdbc2badb21501ccee5ed67635b3cf37819f5d1db5370d77960ac0535a029b0af1bf634679367d35db0e7f38bbe0a022392efefc6b8ccf1e9f53bd7ac28012f6bf5e3701476606eb4649c64377b1e0c418840486bb4a286ebaf685449061ee375487e9e9164d0a7c9327c7b667b1933dc3adb11358e76457d594c19b88e8a689107c641d3503a7639159f3cdae7f58398204d29895e84fb82e192b796866c27d8373a36c5c062a445f6fd515e561d7c2328e7424057229689fe7851432f706f21e114f74d21ca3b01f1aa57d2743f28f8dbfa5ef5c584de2012d82ee978bb7cd713001237e76b5ee12e3cc51393cbcfe1717cefdf885022f18e66661097fe1ce91d0508e1931cf3774bd83d8f068711e09943b82355" PSA import/export-public FFDH RFC7919 public key 6144 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144 import_export_public_key:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D" PSA import/export-public FFDH RFC7919 key pair 6144 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144 import_export_public_key:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF18524A":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D" PSA import/export-public FFDH RFC7919 public key 8192 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192 import_export_public_key:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187" PSA import/export-public FFDH RFC7919 key pair 8192 good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192 import_export_public_key:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE387881224C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187" PSA import: reject raw data key of length 0 @@ -7080,35 +7080,35 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_ raw_key_agreement:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):"1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d":"9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0":"07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d" PSA raw key agreement: FFDH 2048 bits -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"718ab2b5da3bc6e7767a98fb2c172bd74003fae2acffbc9a53d9b358401c1c748da36cab277e9397bc5eeec3010321d0f882d959eb097adddc99745526b213e30dc0df9fb1e4cd3fc27bfb1d6e89c715373439a66b9a13aa1334c84799827c17be1c36c1bc02fe60ea698da790fe4d2af710a435a1aae7fb11cd2a90a17ad87dde4f154b325dc47d8ea107a29d10a3bfa17149a1f9e8a1f7b680bfdca90fb0913c0b681670d904de49d7d000d24060330d4d2e4a2381d78c49e272d313174218561ceeb37e2ef824905d0fa42d13d49a73018411aeb749f7f4fc765bdc6db58bcebd995d4c949b0061f20759e1263d8f9ba3fd56afda07c178997256bb7d5230" PSA raw key agreement: FFDH 2048 bits (shared secred with leading zeros) -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"9156de25da686a831ca0645bfb49df73e4a126ab864393e943b3d12b7ad32cbf21709268bf918c4e03e9a3b54bd230d88f1ceaa2810fae5fd4091d31e76153daaf0da9168a7b39fa85acf618622efd1f70d5866e518f256d0ff90a0c468c41a329fb1dd837b18a4300be0f25b108fe7210705cdc0436df84592c1a8b372c5028d67ed5231f846452c942a5f087b3830aa139b0b045a7ae38903497e4ddd0585ce20504ff70e13dbadf77a73d5514eb9c38feeae3cb773311b360f8304f67cf3f2282e4aad47f1494b5823ae2196a23ca426426bef427e4056df1f9144b20bf0b1f6da451f8eead38fdc5bb71074e4d43e21bc6fa787a681c0ef92c633d73b348":"8a73c0f5d874a2afb718efa66f78c80adf713562145a9f5a1df5f2bb9ead8827eb518a769dc089364768b27b2e49ca465ec7c0710b3054ae256aec25de72bd435b3ede0e17ab50cc8ed102fa6a83a9f09454e59e218b894ee130fbd772fb95a83aba29c6b270daba1f3842b2eae2ad1eafe7945888a55cb459547d6cb0b276d25218df8948a86e49f3fefae9c5b30ca8a7fd1bac1c3a5cb4dedfbcbb5c6e5bafbdf8ffcb37d245260d00658450fad1ced83b5afedc43def222c7196f0531e101b3a777e5f5141597fe8c093485d0c8cc752b03e7f551ef3648b1da330fe3ba5dbbb9f11c1a44ef6c0c9c492b6140391254abb7ae8d3e77b4655ab6dd155ba2a1":"00a376f5bed9c27cfa7fa6e01ecd4094b6a189a6184270ea22cb5b2649a6c4b33682e0625536f7d61722fe85381d8ead8b283496db84f8e6b2eb7c5b015eb15c9bfa5eae290612e2aef4014d6bdce902f5907f73f6722d827b73297d14aa677ed1b75bc26785bb32cf60bed1d9467b2ac069ebe48ee9196bdbaa4565f9cfbff3c31e812c58d65bd5b4c45751d1439930d2ea237030307623a0b149a21077397ec5e2c50610c01f76cdec43ff2f9177a0b3a2b18de2a787d42b6f8bdacdcce49a6884f38c5a729e54ce616da439fc9fd6d7d266188b79e40800f22b8c21adcb1f8ffd2f5225e3dc4c485dc4df8184c04f0dea3b2c3f9b04e42e229fe1a24a77ba" PSA raw key agreement: FFDH 3072 bits -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"ff5de4e90966aadab8299ddbf8169af2c0d8d0d99a17b4a2e62ff55b36a69fe4566a775970dd0c2904465884b75b67756b0d04b68838e80d8bc84a741cd67d735ba7aec9b55a30cce1df81203fd5deb57bbec027846eb010054b4d5b911041f721358fc8acfc9c5f06d76932f42103adcde97d5607d93303a94fa9f9caea7108ce67a9ce866ef11b2b4ea8c2acb27340735ee8c64e7516e17bff3cf3ede166767f30cada892997f6b5309fc2cca54364678b93d044b4d8e5570e1f64127fcc21d8724fff275290d803df5fa413ec2f5231ce75a58f14a467cb80cc3c4f1f0a4a62ecc17c65f2723d3f7f804b2a02c91adbfea1b2bbbc9cf9a38df29da92a71375447c81c55b8fb4086f71d57e3260da06e08393f6329aa35e673a75545dee66d01e0c7243412c6e2043a984849b67095be3fb3bf39fff291639c57e44fda5d7c1898327c40c1815e88efe0330b4481e462d30e235f607dc9e53d99521f527d65bf3edb4d0332d6d074e652e84a2ffc5d75d1734b55f3b446db122af2a502f8a0" PSA raw key agreement: FFDH 3072 bits (shared secred with leading zeros) -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"1c357f078144dbbf6815e798fbc6d98037a65bbd01961c6eb82d1f97bd0993132cfbba209e95e8a231e3bed2616b41119cc5a2f97d5da71ac2d6d0a6617a4e7b5d61857627cbfa57161de3aa6a2afac23f50e4a35dca1a82376879e695892a88323af1c0728eb1a76b2d3a1684df3f91ced0728f954d5349981cec5e309137f6d4e837d22f24a13fbd7985e2169b61aae812a68a1a4b3427b1e9f8612002b5fd711b9c9518c777c4e554a5109c9f079b929d5895df748a24d659d39e787076a1f1d9237a89b52c296644165d2625c541ff5052371093046f4b6abc28d3d2fbb4eb1cd2aa3d393a030f71c7050681b017febccd3bb947c6dbecf6fca28adb2a0f06e7cd9a6aa6eda160f0a3098bdd7a719f31beda56ffa0e26a212834d0da1f53e0739ef3ddbd119ff61b497d420585e3a8ea7cc3370829297da76edd3fb701d8efff6116dd87e6e542e82a76ab76cf5a75eb4638e817679fe06a5a3f04e67a101d154f4c2ccbf70b8bec0e5663fdd838ac0f4a4da02f0071e514b6c6d0ff3358":"17ec74c211f655be646c2f006056230208dcff38644efc429591562f3869f867e7b79cdfb3e426fef60ca77d9fc80ea39e21ec060321bab3c7820177eba4242d0cd9f0301e4da7146608409add169ed05dfda2702a437f3e2b8cd162a0e50da2682433d50c37cc1aeabc5c7cd8fdd359381a8d192af00d7f41b8c049b1e552b832224b40f9d85c4307f0b76b0e2605858fb33e594ac1d0c04d358209ad47133e76fa8dafd0f2370b1944a4780138618eaf66f6d4961c584aa7a34bcc1c78bbd15e7f5a2b8beaa8f66819dc04eabe08b24cabfe69e2b78a12470162ba6703bbbcf34890b8af761d36c33e3b72f631dbc5dd6f1fbafca18a8498623ea00bd9aa6b426da30e2ebc27075eb589b237d1dc54e215a6b6ec40220f14e320b72c5f702ee496b53a63edd5620294d9be88a862544c561b4e175ff3c094ab3adacc579334cb95fa2d29b17fa483ba50d6270b6478ce4f26b564bec6ae82a60e2c15456c4610b6567ba7d91218b59a670c517179d30d743751ae3c3e777ec1f29af890b2ec":"00abc3c15e3f8156a2785949d76c96c22fffb49b0701c29fb6711b51af0ce2851a8b469b4cb25750e2c35938f848f31f179470e3271eb6b8780ad5d757a2c1353f825baf55e5c76fbf4c73d2f0cdab409e8c4f85c3001da101cc97bea764c72e844cfad5f00cb8a81a5bfce5a4bf62b68ff2d13515064b17f23b7f6e6a65440856715d2696fa1957cc022b29e38fdbb8c2a0a54e22595ed66bc4c74c36d525b60900c7427274a9d60ea289a04715a677fb9c71eb1dbb38e30f30b2af8fa24f18a5a13e9f6ee83aeb4ec3f9452986399e2673ada70826b0a84cf446a21cce41e5119bf50798bc5fc9ffca9febe4ffc9d64f1b8abae11c7c8f5da0da2288b0f7a8aed286af03d06cdb1914fc50054bdd46c289c18b14297c4254b39ab5fd719264841b981c6531a80ebc8a59ebdfec9ae0413f3f9795622fad3bd34778e539ae104b8a85918401b10a3802a81db413bddac66f83b6428a33fe5c217a2d0feef50c8ef933d6e3d0f10d8b8630c52c89ae78385716efbfb855729ad0e5ef39828e6b" PSA raw key agreement: FFDH 4096 bits -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"262392693c8ca0da404d0195742df69a6b87d22984765c91e3c9dbbc0293960cf1f9deb7a25998a91f8c6b9756224435fc143f31690af35eb211acffec542c8f8fbea3c9112d666639d40a699467bb195815b8b816363ca44baa4df22eca425fa9ab1471ddf045f4e252090663c1c536dd29623c324c7e18b694f83a6c655fb3d95d5a9831ccc9978f66916e95aff49d973f322e2b43f5632a19d79d615a56539aa2ec8f4441bbf4f8016f8c23407e371e9de212c6f1d7d3ca4093c2648451eef68c03aa251547e94046d5fbdffb5cdc0f713bc390111d6727fc1d11243046203ad6632d91c1df3efa77ce530ff26376a208349f2b18628422c9ae13ef84f4a15c1e05ce5fb92ff55547943db4727d091308deb85f54acb94d14411049924b79da131e736a9af42a3fa7139d0357925f430c6cd4330b01ff66f5f8cca26f4230d562f45d5f75bd6d133114449205263c5631f3d561e2ed81e6aa54376094757cbb6f6857c03574e9f6042dc80ea78be470b836c5371a3fae8c119f67c28f856fe70c2affb46574a4356e995a45bdf35e50a6f3a2556d3d1d7c42db8e63430933ffc4783d571908a1270a3cd20d87678cc288ccc183c7cd7512587536a8e15267dd5af0ad3b501ecebc0ecd9ecfd410ce356f9305e4a32cfcafa676da5b5a9ed9b13a5e4cfc06e87310ccdc3ed988699610d7d3125de13a8ac0b59f782859f0b1" PSA raw key agreement: FFDH 4096 bits (shared secred with leading zeros) -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"d39cf86d9d81011fc48d3bd489decd4cd520ba87e469b5899fae777109ff7b43c8c809814521a8d66ac33099c9bd2a8567a202c21a8b5457603ac1ce95ea9ae705efd69fb7c514295059938d818bb65b7c881d1ef9541346be2131143f51db13109e9a4fdff1ef2208839c89eb1c1d52018c77c33f5b7e73a747002997c75f4a3dcf15e7cd73938ece0cdefc9fcfa2c4b1c3416eb2fecc00ce328b0b2bead58493b3e8c25d3c0a675bf6ce2363917d1e74a7987a464709fcfcd1b512b67dc1023ade2cc027109169ffcb51625fbb0c607946a6009811be07047024bb6e517f388a99a08f2c73b7e0b779d8469797eb3153f2e5ddde2931a8f97c586e20c5e521b84d015a52f8e13d5fa34c32bc118b62d34cf157f1db40423f384a16a78c7e1569a5d754db6216f6412abfa7c440586c506d5be88d5172a311b8f16f70a06162dbab6ee09fea55c47f6538d3775d236cfa50824f5c8bafa44bcd9424aa620ef17466413f35aa6e6eb5c8d8a26a7ffd6e8bda2dc5ada4b296885635fc8a73933de059ff403fb0a322bf6daba24330a7be204c307f44260b4d34000d2142f79654360af82179f9d5e18e8f47c7d94a10fd077f011bdef578a2b57d5a382ca404f67fd3c59d95a3481f1311c7454bb45acba1e1c30acb6a9fbda70aea30a9ca76471dc46e504abae9a06eb9a8cfed83143cffef3c530b03185609a55484aaf9f677":"b7baa37aca4cd56e4107c3e428a7a568adbf678e741ad89f157f66803370618abfd8ec7c159d84a741c276ea119eaf2ec1bc4431a073d92de3dbca1287a37522b2ca4ef8c0a0fa76c1dd5f665d498ae62e5e2925b6d921d797d76d86e27ac8286643c19a2a2b1361fe7dd772766e9511127fd0cf92ad98099a9e1760ad969be0a7df4936f1b37455cbfe3a1ac9b3b83205594f018bb5f64970371d4e5396f4c5e8cf0cffaa4525ee811b39632551af470efc435fab26e3cbd643feb0113bf56fd4bced3ad743e55be2eaefa7d36833f56af570ff773a3a3cf649b1ef62fb300c4c5a70d70e4d6ba1ca405483f036092f5b9f94960306515fcd4a0d8a086d826c105924d05ce5ee3dd7c62d61d1a460772b169fd943824e0efffdde3f27439e112766780bca7b4c82a2c8fac1d18894fcbd40ea5f7f23aa27024870404cf1832cfa025df193f31aa275fc685fb348c321a2186adf32c9cd203cb4b1c49b8afffbfe11e1d443711a5a1da302fa0e52b5143e6ae7aa40ed4828d03a17443f04061f56c2d3b83298d617cd3a78cd84233dda83c4e541e9b98f0f4e7fed504f888ac929f0f3e00e3569e0f0aa95dd811297efa8af84c645d59bb6c2e968c1ba77772d858ff2d7448b65c723f6a87604ce938b670b612b3eebaa795593be2cac1d631c1b7d9baccb2cbebda6019eb42469ae4209a953f48c3cd438cd1b7b06c8c54819":"0053ad8c14e1ec87d76bf9127e084beaead313bf93f0f241442316af144097077da91c83d68c78692dd952036731624ec8ea8bf8bf85f7a278289f667bd5d92a6aa2e41337ee9e6089f8ead48ff7e179c80bedc10fa6e6e0c1511f33afe96f0890e6ef9b6f981f8337e60ada56ce0ed30ab1f6f8b72a3234cbc77db017c470d549173ae203cf73b4a5901a4edf713a866069bc7790e799becde1a088e8c3e3c41ac8f9c9abf8561af51f738577e183197c85e5d3ea5bfc6471577e7daa5cd3ed53f7e72849890d2d1f8ff0a830a1ce6283dd61e5e04b25183b42074e193cfde4ed2e35b25fb57715f74290a612d21e404394d9bc4116952cf962c14149287cf71d7c8bc26a9eac0231a0dfc4ed68fad9ceb195f82ca0012c8c9ff4350bb0a2da913af26fb0f0940541dc3ad788d3cc8512e0dfdf7e5f9604437492ed8b52c5b0eabfa04231a90abbf1b29298f33b55c4e94fe7af4aa94b572d4a7f4cd67de41b90f3224b9ce57d6656835560a8c8d22496d8dd15ac37866dc1b04cdbc23847e5f2bd8d1a5639c6e91612ceba11bd1125a75dbed89f01ba738bd27ca0a788fddcec35b823f986d5be1acc037f56d236eebedf8ec50e831f532194a62740ef45b49511abbe51b7179ec04b1aa752c0182dbef3e099579fdfe2624848bfa1c389a06039bff756d4cc0cb9cb4cc2fd382336afce62a20975409e0fc5a45e7a83416c" PSA raw key agreement: FFDH 6144 bits -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"ede0361026e81a9ad960f674de49449f12ee33c2dda7028c6b7fad7f8f8a7edc495621a6d13e47847873a954adfe7bb6a2ed7c9bc21f3b57458d9116ff4ed06cfca40e2002a70bca91a9a9e0475dd74be7d58453d3cc155ee0b0be20197e14674a7a6f8d903e211cbdbdad1e3383d0d1ae6b4d56837671589d8f151acb34bb4d1cdda55a0f9d1f70e80c61553fd0152bc871e930054efe763fdcd1f8fd1702afa61b3471e7a504612c58ab05ed581b34e2a884c5dd8d2aa919855351719e2cb290d00f0b161c104415f5579731072c1382508421c8d674113b2fe25a0e979455c8f145285ed3d32b744153d3ffab7625a3173440f026ecc62d9dd1bbdff6136f5d9d5245ff307eabfa91f6a10e7cf62a889975c0afd2f707eb8a43c2499c05029ca613edae2741f8e56b186a6390fbb0962323ed6c492620c1c8a24f9a89f15c00bd7263423e714db0fe0381556a15a8e4d1b7383d52fd524425e0200f9d410833330253306b1c23c15c08310bfc12b48131c120db8444d34dd951c5fd6df44e0eecbe92ad5f13641600db68d1d2c7d8ff460058c09d89d4febf2fcaacb40c900e19e4dc868a24ec61361c452541a0fb13da53d61b59806e0598985031e161a2e887420e4c6ce217587c72cd3a7b3085d2383112e1066277ed63e82ec16ac6dc7ce0ade255f30275b9798d4476f31d8d237c4d79b13da9dc6ceed7fe626e4da6eb6cfd234b8fdec4fd4520898b13a77aa034361c0d63edef55595e3e638b48c1c00e8c683c8cffd9fac2a33f73e04aff1f4624669057c7faf51f996e3d64bea3097b4810f99c8f078887be2440f67b249467eb26a03210b4d2baeaa8dc9746a14a6cfb45297e121eef8540eb438270403105c11ef4fed87127545b81e37ee1f942605a5a46253752351dee91d0a171031defa9dd20cbb942e3940fa43542f6fbcb0980f6ef2b36297527f7c0d47e36ea203ab924e937ca10e9d9e64c6419a061a300f86ffed0e2e72a1f73310efc00118dd315a6b01e19406471e071e4c153e2216d525195357fedf3d1f12d2c1ca659bbd1a6d1fa28b6bfb648deec17f8a894" PSA raw key agreement: FFDH 6144 bits (shared secred with leading zeros) -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144 raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"8bc903e9b5b0742e86d657f64082205c1d50268b8d1d9260e5474e8b686e63adfab13484cc24e35b6f43f5e998fcd7d92c4aece9eb30b0f51b7a2200911e6d38b41da23f04e37697b6a7ac053d15676b75538aefb6693be8eda8b7d07b7611fbc9673e98d8580131cd3462d8851ab00f5831497cb89b4fdfd597a4fc84a9fe1a28ca3ceb17b70334af2414fff73584f2a21fda89c10e2b23a4b454ea4cd6d901312e52a557d45b9350dc8e8b08eb31a73095f014efebf1336ea2c4938fd477f90da212c92eeba483d784b377514c3afb7e34f8dbd6d4ca281aa0bb9167d6d96894b225deccfee7453739becb849c1f381720a59836df967d6525876509515014e46b0a8b27afd304b5db238dfdbe14afb8fb1433b05a00654abede04978f84116e4e3e3a6bdc9ef558dbc1a9cc5c5ba1ee4bd8654845f04106d3b1b48b3208d109aa96609cad246e543d94683b8963e13597dc4aec21b0959e7e6d73efc91ff2b9b52f0e9189f0619264b9893f9289dd8e9bd6d3cbccf079ab8fbd525151e704bd517ee8f29505046620048a684883e6fb858ce7b9e72ea35ae4ad7ded04f39e37a3056b6b695ef2032cb5cf99e22ce5500ba0315aff86516c42b1288c94b46dc0548c7ba07c2b2ca8423b9ba4782c1d4626589ae2b325917484f8eda07f2071276d3fb78bb71a5c501396302eacd1b07b28487c580c5ec5be236e1ad4fcc434325b24a2409c236a85f7b9e0e66f6548a1814c519919d8215b0370b9b3256aa10a28a05f0d2265f6fa7842dfbc67c8f32e9fe12d0df647665ba9809349e5ef6911a4755330d004de03e598cbd7e2b80c259d9d66050177df8984263a7c53abb5ea3157945b727fbf1866649260e321a7ad5eaea41639b35ed6e98b74ab679eab93e5873857342fbb55cda604f57222555631741aa97d74b5eff885aa45ce5a25d34841aa0ea4ea317267e86c45f713c81c3de81cd6eb252053544a5dcacd9f7388704bda8acf83276975f03bffd403eaf199a7a1367d2e6b40c7d94e23679b6520eb40b5d61f5f56c6939f21a4f1dc00f13b5cdcaaf827c760a6e4a9c5601961":"b3795eb1aead05ed8b950e0a00fa12ac0ce4679e6f7715ffd8b5df04e5b068c82210482d3a377b224dc7aec1dfb7e4d635b9fbc22a5534b6a4cb50d3c39cd0dd5e0ec45ea69a3296b83ce89b5cc0c5e15e4934212e8c33ed23939912d0cd738eaa949f763450d5a07fb1540207065f1159a55af7f80bc48c49f88164cd4492b0020902c78295dacfe593fedc1914ddefebf45b5eccd6830681a80c853a3f2389798c391aab3baafd578ad0bf0dfe5b63fd05835e215c6850c0f61e48698053fec9281f0a11b45cc4e259b310a9720456c481031e0467401afeade395ab9b664d9fdb42f953aaf9fb6501c2e105868201ef26d58d31d473c676c751bd892a84a59441f92f7b6ba49a7e385b3d13f806e701a7c339d37e5596414631ed95908c7118f45250acb68f6f2d9ea4bfcb85dc75d21a03a5dc2b86d41cc55753a72a185ce94d20cb897f8759b4ba41e56fe9cf6edf7ee733581589b319e85300b7f479b093030e2d345584e2934dafddda62701404b628b2f25a15992b7ded6271fecb37b817316a908ede803285da3b57986196d59b164692384d469c09b4551b37862d588294a022db7deca641ae90f9a96d75612d55b673213419a450f7ccf78a2fdad291f6c905b5e1a0bbe90baec1c2706d7d81ea8f6d68d350004ea00f24009f6121650547e84b3edb66d969af206f5011ededee736eafe4100e4625ced482caf2cdf6b4465927d8fb138bebaeff652d6afa0fbfd03ea03cf70e80bd95ade41443b85bfa1c56f770f123ba3666412cc2c6997de49e90d7d9fa1722894d6c4f7dfa349e9a9c400eb59b4ce4f6a64763359ed1bf2327f552052070bd4bd2fc1a816e8eddf72645e7fb0ef10bf9c5dee2b386ee2258c99f8ec5b91d8e043b9411870c6f02d2df7863359e46e732e3ffc398993a232d812f934737c503f9d3532d4126c72d5dabf8ff9d6da214fb9571ad180935cb6d01ec1404c85346d9ca858adff2a8ae87ae2d9b99c3ea1557a801703bade1d349410304dfaca488cd5b90086dbee91d60c7dba504721fd54b38fa0835cf70b2f48837430476d5fe8349ad1f2f38":"00e17befd66905acec575c87804c61c047abc9a724db6337e34975980eb0395cf4da8c956c823fa23c52b901bb58a9d26eff282dc6a0f588d71a1636bb919ca1d564f400d7a8e909cc9c59cbaf18f09d5a2101a7afd32687657a3cd1b00148cc84411ff3f07609acc8c07eed678162d1d69280f1072674dfc1d6819d45d8710e2be12402b06b846d68f4088895ce64243f24156c1be33031dac21fb60916ebfdc3939a6bcb012c66c7ef748e30f43bcc08e13c5dea85703a4928166501bb1eec25e61ba5c187531bd982fb310e56656cadfe4f7f756c8b71062388d50cbb70a7d07220912891c4c736ef1ec6390d4bc12803f20c8f1ffa7f41996ce3c8ab792753165fc25d2c1b373f5664c38ed688b4d096a34bf2669e8245bb55ad4c0ad51206fd082969bef351c271b103aa1592889536a2b9ed18e02035a457735317bdca6b7f7104af64d30270c732cfff302d7b82c1a602f16194ea62290c1ed35e93911a62743b3d1bee83c01669320408f2219f2d53c926acf014150ab47ddcee73c6159b368ab26f4da25c5440f79fb898473bdc2b7c333cff7cc5f8332b43ba1a49c327bc5b5ad9459afabf5e9c8421cee51ec0a6821e7af83af0ba2857ef2dd1417b250e2e1e14045883a26e3c70404c53998daf94d8452ade76e0e886324cc6301cdd40d04be33c59ba11bb7e5ef62186647d3891b221bd955e109f5b9b3dc625b44cbc3359e8b2dc4b90171d4a0a47537e095e0108827b3228e6ba325e935a2eb2eb82985443c7691ac208d55ca8d7200adef6c9b9e224190f672efbba75554a4c72af539c70d0bb7af67ada46a2c46311a91bd67d7ce724581695f6b4b2c0a58cd23b84873a76556bf573e447fcf583395895600aca30340ba327b44df33b1aa5c51f515c542c37fd9dba35534f94383300c23ceb8426e46ada509e03dd06fc2ea3fc6b973ef02dd6cb6adc36d76158c21dd8975c0eaa3d50082b53d328acd5894a1229c27aabd513ff6d8de6e2e780ef8342182182f85a89e6697452166f4e012a6f3f137c8d2a5e279e1f490995d9618f177acfac9f16f65bb89c2087e7b5" PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: capacity=8160 @@ -7140,51 +7140,51 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"3bf511eebadf44c1f7b0282a1262fe4ddd9da23bb1555cfda591ac46b088c4417883c010f6e37cd6942c63bd8a65d8648c736bf8330b539760e18db13888d992":"" PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 256+0 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"8f6f6b349b2c11a941882de0d6bd0dfde68d596c1f0b85d15cf94d651f99e1527e829d95fec5ffac32da6c5367785e735f126e1f2a326e8edcd6192452ce0ef7a11c541feb6b7b81bcb8c15a5db04ab407e8776426227ec335c2840c2a909d7914b158754dde8980dbdf607d63f0b9778f81df82836529b2e27f4a81a390bdbf848ee16817fa80d745bf93626ad0e19930fcde46a034a25f168c14e006a7d4e3cb2fce48797b5b2edb0a6c4995cf1ec0dc32d218a4b52d929ff1fa50b63af9b2c0e7045bbb7f7a0f976d1da8a2617294a67cd0f763e5bc50e1037ba5b49a02f3b1b5b6509bb0e2cfd67ff49da0e6fec01c06a219cb943151fa095bf5dda27ada":"" PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 255+1 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"8f6f6b349b2c11a941882de0d6bd0dfde68d596c1f0b85d15cf94d651f99e1527e829d95fec5ffac32da6c5367785e735f126e1f2a326e8edcd6192452ce0ef7a11c541feb6b7b81bcb8c15a5db04ab407e8776426227ec335c2840c2a909d7914b158754dde8980dbdf607d63f0b9778f81df82836529b2e27f4a81a390bdbf848ee16817fa80d745bf93626ad0e19930fcde46a034a25f168c14e006a7d4e3cb2fce48797b5b2edb0a6c4995cf1ec0dc32d218a4b52d929ff1fa50b63af9b2c0e7045bbb7f7a0f976d1da8a2617294a67cd0f763e5bc50e1037ba5b49a02f3b1b5b6509bb0e2cfd67ff49da0e6fec01c06a219cb943151fa095bf5dda27a":"da" PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 1+255 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"8f":"6f6b349b2c11a941882de0d6bd0dfde68d596c1f0b85d15cf94d651f99e1527e829d95fec5ffac32da6c5367785e735f126e1f2a326e8edcd6192452ce0ef7a11c541feb6b7b81bcb8c15a5db04ab407e8776426227ec335c2840c2a909d7914b158754dde8980dbdf607d63f0b9778f81df82836529b2e27f4a81a390bdbf848ee16817fa80d745bf93626ad0e19930fcde46a034a25f168c14e006a7d4e3cb2fce48797b5b2edb0a6c4995cf1ec0dc32d218a4b52d929ff1fa50b63af9b2c0e7045bbb7f7a0f976d1da8a2617294a67cd0f763e5bc50e1037ba5b49a02f3b1b5b6509bb0e2cfd67ff49da0e6fec01c06a219cb943151fa095bf5dda27ada" PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 256+0 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"d9f28018a351a7483e40752ef75085e44eddc029a61f8702e4f33a0ff6d5153696a01ce519e7489f19abb13417800e9daed64bb366e08c706b75025d57c4a1e29717d8d2f28ec23a59ea667863b9ab0e8e5a01140df46df7f36aed84852f9b09bb0a8552a2454c936b50f1a9db290a039336e431bf3b58eeb1b6ca7eaac7dfca12a5cec02a648807cf14a112fc47ca1201133a39e0d361308a76aa313ca1e7d5118e27c7f2ee4aac78b29eccb8888ef1cf6a389df7ae25daef1c8c89184d1cce78a7d61831920b43b08122996090a0e790070d002a56227be45a06c070632e832901a71b3515c77439b094321da0b4b5f37ecdbec3a9f6f8a1635c5beec73dc6":"" PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 255+1 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"d9f28018a351a7483e40752ef75085e44eddc029a61f8702e4f33a0ff6d5153696a01ce519e7489f19abb13417800e9daed64bb366e08c706b75025d57c4a1e29717d8d2f28ec23a59ea667863b9ab0e8e5a01140df46df7f36aed84852f9b09bb0a8552a2454c936b50f1a9db290a039336e431bf3b58eeb1b6ca7eaac7dfca12a5cec02a648807cf14a112fc47ca1201133a39e0d361308a76aa313ca1e7d5118e27c7f2ee4aac78b29eccb8888ef1cf6a389df7ae25daef1c8c89184d1cce78a7d61831920b43b08122996090a0e790070d002a56227be45a06c070632e832901a71b3515c77439b094321da0b4b5f37ecdbec3a9f6f8a1635c5beec73d":"c6" PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 1+255 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"d9":"f28018a351a7483e40752ef75085e44eddc029a61f8702e4f33a0ff6d5153696a01ce519e7489f19abb13417800e9daed64bb366e08c706b75025d57c4a1e29717d8d2f28ec23a59ea667863b9ab0e8e5a01140df46df7f36aed84852f9b09bb0a8552a2454c936b50f1a9db290a039336e431bf3b58eeb1b6ca7eaac7dfca12a5cec02a648807cf14a112fc47ca1201133a39e0d361308a76aa313ca1e7d5118e27c7f2ee4aac78b29eccb8888ef1cf6a389df7ae25daef1c8c89184d1cce78a7d61831920b43b08122996090a0e790070d002a56227be45a06c070632e832901a71b3515c77439b094321da0b4b5f37ecdbec3a9f6f8a1635c5beec73dc6" PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 256+0 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"01ef64db547f29894000820395bbe27406c2c6482207d6bd3f517802b02726478627a4d965c9f062626ec5b6bea63abdfa71f6de07509edf1240d420d4f0ae3d439bfa6758d6831335688b5d78082f394ed26d171426ef7649363a951a789c463afe76d1cd55f58b4b7ab2db2ee8091e7b1f3148b2352fde97b9928bf417047e9eff62ad76ab117ba9fb35605a71973be36e71a4d2aec600255a75eba63983bd0750d5080d380d00d91248470b9850d3e8e5bb464732ddb838427c1685e337694774229a0d4ffec532220e75aa289bc9c62c0621851c4c4e7325a3eb02bd195ceb855dec066ed250238ee546fa45aa00661bbb8dddc006a40c976243af58de87":"" PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 255+1 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"01ef64db547f29894000820395bbe27406c2c6482207d6bd3f517802b02726478627a4d965c9f062626ec5b6bea63abdfa71f6de07509edf1240d420d4f0ae3d439bfa6758d6831335688b5d78082f394ed26d171426ef7649363a951a789c463afe76d1cd55f58b4b7ab2db2ee8091e7b1f3148b2352fde97b9928bf417047e9eff62ad76ab117ba9fb35605a71973be36e71a4d2aec600255a75eba63983bd0750d5080d380d00d91248470b9850d3e8e5bb464732ddb838427c1685e337694774229a0d4ffec532220e75aa289bc9c62c0621851c4c4e7325a3eb02bd195ceb855dec066ed250238ee546fa45aa00661bbb8dddc006a40c976243af58de":"87" PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 1+255 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"01":"ef64db547f29894000820395bbe27406c2c6482207d6bd3f517802b02726478627a4d965c9f062626ec5b6bea63abdfa71f6de07509edf1240d420d4f0ae3d439bfa6758d6831335688b5d78082f394ed26d171426ef7649363a951a789c463afe76d1cd55f58b4b7ab2db2ee8091e7b1f3148b2352fde97b9928bf417047e9eff62ad76ab117ba9fb35605a71973be36e71a4d2aec600255a75eba63983bd0750d5080d380d00d91248470b9850d3e8e5bb464732ddb838427c1685e337694774229a0d4ffec532220e75aa289bc9c62c0621851c4c4e7325a3eb02bd195ceb855dec066ed250238ee546fa45aa00661bbb8dddc006a40c976243af58de87" PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 256+0 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"105d324ec021d57640dee474c442f3a25390de6ff13175f70fad977003bd78fcdfeda87d2a5cc8447b9729990b11e7949c6ebb37a2d3c2fa69a85d79d216a6a489c8c5186576c112ca94c1bce156b819fb010a4168e8c91e777b87dceb0de4f1828c45297e3b513f4ff57bfb874a7c0d3cd709332922394bcddbc0bf959668810ce1ec8dbff662ea620b9ee7186cdde9845185ea87ded242fbffb7f526d875b6b1dbd09a4008b4d2c1034621a75efd6140c7d6fc883d79f7c3b7f7ae21b74e62a9c26f682c9dd48cacdc7f0c4ec5eb32a5c505aa5949d4008ece502bca5612f84ae73164acd2d3399cc9aee5cf615de62dd31c63a407f5c988b5c61a124ce08c":"" PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 255+1 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"105d324ec021d57640dee474c442f3a25390de6ff13175f70fad977003bd78fcdfeda87d2a5cc8447b9729990b11e7949c6ebb37a2d3c2fa69a85d79d216a6a489c8c5186576c112ca94c1bce156b819fb010a4168e8c91e777b87dceb0de4f1828c45297e3b513f4ff57bfb874a7c0d3cd709332922394bcddbc0bf959668810ce1ec8dbff662ea620b9ee7186cdde9845185ea87ded242fbffb7f526d875b6b1dbd09a4008b4d2c1034621a75efd6140c7d6fc883d79f7c3b7f7ae21b74e62a9c26f682c9dd48cacdc7f0c4ec5eb32a5c505aa5949d4008ece502bca5612f84ae73164acd2d3399cc9aee5cf615de62dd31c63a407f5c988b5c61a124ce0":"8c" PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 1+255 -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144 key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"10":"5d324ec021d57640dee474c442f3a25390de6ff13175f70fad977003bd78fcdfeda87d2a5cc8447b9729990b11e7949c6ebb37a2d3c2fa69a85d79d216a6a489c8c5186576c112ca94c1bce156b819fb010a4168e8c91e777b87dceb0de4f1828c45297e3b513f4ff57bfb874a7c0d3cd709332922394bcddbc0bf959668810ce1ec8dbff662ea620b9ee7186cdde9845185ea87ded242fbffb7f526d875b6b1dbd09a4008b4d2c1034621a75efd6140c7d6fc883d79f7c3b7f7ae21b74e62a9c26f682c9dd48cacdc7f0c4ec5eb32a5c505aa5949d4008ece502bca5612f84ae73164acd2d3399cc9aee5cf615de62dd31c63a407f5c988b5c61a124ce08c" PSA generate random: 0 bytes @@ -7345,23 +7345,23 @@ PSA generate key: RSA, e=2 generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"02":PSA_ERROR_INVALID_ARGUMENT PSA generate key: FFDH, 2048 bits, good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_2048 generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0 PSA generate key: FFDH, 3072 bits, good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_3072 generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):3072:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0 PSA generate key: FFDH, 4096 bits, good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_4096 generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0 PSA generate key: FFDH, 6144 bits, good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_6144 generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):6144:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0 PSA generate key: FFDH, 8192 bits, good -depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_8192 generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0 PSA generate key: FFDH, 1024 bits, invalid bits -- cgit v1.1 From 1161b44981deb1d12203bb68453a42c61b0702b6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 15:53:11 +0100 Subject: crypto_config_test_driver_extension: support accelaration of DH groups Signed-off-by: Valerio Setti --- .../drivers/crypto_config_test_driver_extension.h | 40 ++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h index 768a9a6..dac07ac 100644 --- a/tests/include/test/drivers/crypto_config_test_driver_extension.h +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h @@ -192,6 +192,46 @@ #endif #endif +#if defined(PSA_WANT_DH_RFC7919_2048) +#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) +#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_2048 +#else +#define MBEDTLS_PSA_ACCEL_DH_RFC7919_2048 +#endif +#endif + +#if defined(PSA_WANT_DH_RFC7919_3072) +#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) +#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_3072 +#else +#define MBEDTLS_PSA_ACCEL_DH_RFC7919_3072 +#endif +#endif + +#if defined(PSA_WANT_DH_RFC7919_4096) +#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) +#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_4096 +#else +#define MBEDTLS_PSA_ACCEL_DH_RFC7919_4096 +#endif +#endif + +#if defined(PSA_WANT_DH_RFC7919_6144) +#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) +#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_6144 +#else +#define MBEDTLS_PSA_ACCEL_DH_RFC7919_6144 +#endif +#endif + +#if defined(PSA_WANT_DH_RFC7919_8192) +#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) +#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_8192 +#else +#define MBEDTLS_PSA_ACCEL_DH_RFC7919_8192 +#endif +#endif + #if defined(PSA_WANT_ALG_FFDH) #if defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) #undef MBEDTLS_PSA_ACCEL_ALG_FFDH -- cgit v1.1 From 78aa0bc1d93aae9c326c2fc20f90983f2798139a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 15:53:46 +0100 Subject: all.sh: fix tests with accelerated FFDH Explicitly accelerate also DH groups in those tests. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 0b2a36a..d2c9273 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -907,6 +907,18 @@ helper_get_psa_curve_list () { echo "$loc_list" } +# Helper returning the list of supported DH groups from CRYPTO_CONFIG_H, +# without the "PSA_WANT_" prefix. This becomes handy for accelerating DH groups +# in the following helpers. +helper_get_psa_dh_group_list () { + loc_list="" + for item in $(sed -n 's/^#define PSA_WANT_\(DH_RFC7919_[0-9]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do + loc_list="$loc_list $item" + done + + echo "$loc_list" +} + # Get the list of uncommented PSA_WANT_KEY_TYPE_xxx_ from CRYPTO_CONFIG_H. This # is useful to easily get a list of key type symbols to accelerate. # The function accepts a single argument which is the key type: ECC, DH, RSA. @@ -2573,7 +2585,8 @@ component_test_psa_crypto_config_accel_ffdh () { # Algorithms and key types to accelerate loc_accel_list="ALG_FFDH \ - $(helper_get_psa_key_type_list "DH")" + $(helper_get_psa_key_type_list "DH") \ + $(helper_get_psa_dh_group_list)" # Configure # --------- @@ -3105,6 +3118,7 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum() { # PSA sides, and also disable the key exchanges that depend on DHM. scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" + scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" scripts/config.py unset MBEDTLS_DHM_C scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED @@ -3159,7 +3173,8 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { if [ "$test_target" = "ECC_DH" ]; then loc_accel_list="$loc_accel_list \ ALG_FFDH \ - $(helper_get_psa_key_type_list "DH")" + $(helper_get_psa_key_type_list "DH") \ + $(helper_get_psa_dh_group_list)" fi # Configure -- cgit v1.1 From 3e2c61dca2cb27c54f33ab1591802d8961a97f59 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 4 Jan 2024 16:20:20 +0000 Subject: Create quiet wrappers for make and cmake Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 44 ++++++++++++++++++++++++++++++++++++++++++++ tests/scripts/quiet/make | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100755 tests/scripts/quiet/cmake create mode 100755 tests/scripts/quiet/make diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake new file mode 100755 index 0000000..ea1474f --- /dev/null +++ b/tests/scripts/quiet/cmake @@ -0,0 +1,44 @@ +#! /usr/bin/env bash +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +# +# This swallows the output of the wrapped tool, unless there is an error. +# This helps reduce excess logging in the CI. + +# If you are debugging a build / CI issue, you can get complete unsilenced logs +# by un-commenting the following line (or setting VERBOSE_LOGS in your environment): +# VERBOSE_LOGS=1 + +# don't silence invocations containing these arguments +NO_SILENCE=" --version " + +TOOL=$(basename "$0") + +# Locate original tool +ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) + +if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then + ${ORIGINAL_TOOL} "$@" + EXIT_STATUS=$? +else + # Display the command being invoked - if it succeeds, this is all that will + # be displayed. + echo "${TOOL} $@" + + # Run original command and capture output & exit status + TMPFILE=$(mktemp /tmp/quiet-${TOOL}.XXXXXX) + ${ORIGINAL_TOOL} "$@" > ${TMPFILE} 2>&1 + EXIT_STATUS=$? + + if [[ $EXIT_STATUS -ne 0 ]]; then + # On error, display the full output + cat ${TMPFILE} + fi + + # Remove tmpfile + rm ${TMPFILE} +fi + +# Propagate the exit status +exit $EXIT_STATUS diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make new file mode 100755 index 0000000..633758a --- /dev/null +++ b/tests/scripts/quiet/make @@ -0,0 +1,44 @@ +#! /usr/bin/env bash +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +# +# This swallows the output of the wrapped tool, unless there is an error. +# This helps reduce excess logging in the CI. + +# If you are debugging a build / CI issue, you can get complete unsilenced logs +# by un-commenting the following line (or setting VERBOSE_LOGS in your environment): +# VERBOSE_LOGS=1 + +# don't silence invocations containing these arguments +NO_SILENCE=" --version | test " + +TOOL=$(basename "$0") + +# Locate original tool +ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) + +if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then + ${ORIGINAL_TOOL} "$@" + EXIT_STATUS=$? +else + # Display the command being invoked - if it succeeds, this is all that will + # be displayed. + echo "${TOOL} $@" + + # Run original command and capture output & exit status + TMPFILE=$(mktemp /tmp/quiet-${TOOL}.XXXXXX) + ${ORIGINAL_TOOL} "$@" > ${TMPFILE} 2>&1 + EXIT_STATUS=$? + + if [[ $EXIT_STATUS -ne 0 ]]; then + # On error, display the full output + cat ${TMPFILE} + fi + + # Remove tmpfile + rm ${TMPFILE} +fi + +# Propagate the exit status +exit $EXIT_STATUS -- cgit v1.1 From ad4b70586353411a9853bfcbe2967e3e60fe39a6 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 16 Jan 2024 17:33:27 +0000 Subject: Use quiet make wrappers from all.sh Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d2..9274c7b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -131,6 +131,25 @@ pre_check_environment () { } pre_initialize_variables () { + special_options="--list-components|--list-all-components|-h|--help" + if [[ ! "$@" =~ $special_options ]]; then + # skip wrappers for "special options" which don't actually run any tests + + # Pick up "quiet" wrappers for make and cmake, which don't output very much + # unless there is an error. This reduces logging overhead in the CI. + # + # Note that the cmake wrapper breaks unless we use an absolute path here. + export PATH=${PWD}/tests/scripts/quiet:$PATH + if [[ ! -x ${PWD}/tests/scripts/quiet/make ]]; then + echo "can't find quiet/make" + exit 1 + fi + if [[ ! -x ${PWD}/tests/scripts/quiet/cmake ]]; then + echo "can't find quiet/cmake" + exit 1 + fi + fi + if in_mbedtls_repo; then CONFIG_H='include/mbedtls/mbedtls_config.h' else @@ -6246,7 +6265,7 @@ run_component () { # Preliminary setup pre_check_environment -pre_initialize_variables +pre_initialize_variables "$@" pre_parse_command_line "$@" pre_check_git -- cgit v1.1 From 5f8e2a2b5faca5790bc06aefc21ea0d50d9bbee2 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 16 Jan 2024 17:33:34 +0000 Subject: Spelling fix Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9274c7b..1694ee9 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -231,7 +231,7 @@ pre_initialize_variables () { # defined in this script whose name starts with "component_". ALL_COMPONENTS=$(compgen -A function component_ | sed 's/component_//') - # Delay determinig SUPPORTED_COMPONENTS until the command line options have a chance to override + # Delay determining SUPPORTED_COMPONENTS until the command line options have a chance to override # the commands set by the environment } -- cgit v1.1 From 5c745fa7dae42759d2e0d095d4a2edb21784de14 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 17 Jan 2024 09:59:10 +0000 Subject: Pacify check_files Signed-off-by: Dave Rodgman --- tests/scripts/check_files.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py index 65fbc9f..4483f55 100755 --- a/tests/scripts/check_files.py +++ b/tests/scripts/check_files.py @@ -173,6 +173,8 @@ class ShebangIssueTracker(FileIssueTracker): b'sh': 'sh', } + path_exemptions = re.compile(r'tests/scripts/quiet/.*') + def is_valid_shebang(self, first_line, filepath): m = re.match(self._shebang_re, first_line) if not m: -- cgit v1.1 From 05754d8e85ca3cfa896fe59d28302e9dbabf7861 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 18 Jan 2024 09:47:00 +0100 Subject: ssl-opt: add DH groups requirements in test cases using FFDH Signed-off-by: Valerio Setti --- tests/ssl-opt.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 26c5a79..fd2fc0a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13614,6 +13614,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_3072 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -13638,6 +13639,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_3072 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe3072,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072" \ @@ -13656,6 +13658,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_4096 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -13680,6 +13683,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_4096 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe4096,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096" \ @@ -13698,6 +13702,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_6144 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -13721,6 +13726,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_6144 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144" \ @@ -13739,6 +13745,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_8192 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -13763,6 +13770,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_8192 client_needs_more_time 4 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \ -- cgit v1.1 From 18371ee08f8438f1412cae4739b0985fda7890e0 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 18 Jan 2024 09:49:39 +0100 Subject: generate_tls13_compat_tests: add DH group dependency when FFDH is used "tls13-compat.sh" is also updated in this commit using the python script. Signed-off-by: Valerio Setti --- tests/opt-testcases/tls13-compat.sh | 165 +++++++++++++++++++++++++++ tests/scripts/generate_tls13_compat_tests.py | 16 ++- 2 files changed, 180 insertions(+), 1 deletion(-) diff --git a/tests/opt-testcases/tls13-compat.sh b/tests/opt-testcases/tls13-compat.sh index 1190a87..9cf2550 100755 --- a/tests/opt-testcases/tls13-compat.sh +++ b/tests/opt-testcases/tls13-compat.sh @@ -363,6 +363,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -380,6 +381,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -397,6 +399,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -415,6 +418,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -777,6 +781,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -794,6 +799,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -811,6 +817,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -829,6 +836,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1191,6 +1199,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1208,6 +1217,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1225,6 +1235,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1243,6 +1254,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1605,6 +1617,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1622,6 +1635,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1639,6 +1653,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -1657,6 +1672,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -2019,6 +2035,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -2036,6 +2053,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -2053,6 +2071,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -2071,6 +2090,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -2473,6 +2493,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -2492,6 +2513,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -2511,6 +2533,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -2531,6 +2554,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -2935,6 +2959,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -2954,6 +2979,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -2973,6 +2999,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -2993,6 +3020,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3397,6 +3425,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3416,6 +3445,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3435,6 +3465,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3455,6 +3486,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3859,6 +3891,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3878,6 +3911,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3897,6 +3931,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3917,6 +3952,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -4321,6 +4357,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -4340,6 +4377,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -4359,6 +4397,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -4379,6 +4418,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -4764,6 +4804,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -4782,6 +4823,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -4800,6 +4842,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -4819,6 +4862,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -5202,6 +5246,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -5220,6 +5265,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -5238,6 +5284,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -5257,6 +5304,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -5640,6 +5688,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -5658,6 +5707,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -5676,6 +5726,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -5695,6 +5746,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -6078,6 +6130,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -6096,6 +6149,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -6114,6 +6168,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -6133,6 +6188,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -6516,6 +6572,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -6534,6 +6591,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -6552,6 +6610,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -6571,6 +6630,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -6996,6 +7056,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -7016,6 +7077,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -7036,6 +7098,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -7057,6 +7120,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -7482,6 +7546,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -7502,6 +7567,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -7522,6 +7588,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -7543,6 +7610,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -7968,6 +8036,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -7988,6 +8057,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -8008,6 +8078,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -8029,6 +8100,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -8454,6 +8526,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -8474,6 +8547,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -8494,6 +8568,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -8515,6 +8590,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -8940,6 +9016,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -8960,6 +9037,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -8980,6 +9058,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -9001,6 +9080,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -9548,11 +9628,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -9574,11 +9656,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -9600,11 +9684,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -9627,12 +9713,14 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -10184,11 +10272,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -10210,11 +10300,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -10236,11 +10328,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -10263,12 +10357,14 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -10820,11 +10916,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -10846,11 +10944,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -10872,11 +10972,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -10899,12 +11001,14 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -11456,11 +11560,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -11482,11 +11588,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -11508,11 +11616,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -11535,12 +11645,14 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -12092,11 +12204,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ @@ -12118,11 +12232,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ @@ -12144,11 +12260,13 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ @@ -12171,12 +12289,14 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ @@ -12258,6 +12378,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR secp256r1 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -12333,6 +12454,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR secp384r1 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -12408,6 +12530,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR secp521r1 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -12483,6 +12606,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR x25519 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -12558,6 +12682,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR x448 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ @@ -12716,6 +12841,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -12801,6 +12927,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -12886,6 +13013,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -12971,6 +13099,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -13056,6 +13185,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -13232,6 +13362,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR secp256r1 -> ffdhe2048" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ @@ -13323,6 +13454,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR secp384r1 -> ffdhe2048" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ @@ -13414,6 +13546,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR secp521r1 -> ffdhe2048" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ @@ -13505,6 +13638,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR x25519 -> ffdhe2048" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ @@ -13596,6 +13730,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR x448 -> ffdhe2048" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ @@ -13615,6 +13750,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp256r1" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ @@ -13634,6 +13770,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp384r1" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ @@ -13653,6 +13790,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp521r1" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ @@ -13672,6 +13810,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> x25519" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ @@ -13691,6 +13830,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> x448" \ "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ @@ -13792,6 +13932,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR secp256r1 -> ffdhe2048" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ @@ -13893,6 +14034,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR secp384r1 -> ffdhe2048" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ @@ -13994,6 +14136,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR secp521r1 -> ffdhe2048" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ @@ -14095,6 +14238,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR x25519 -> ffdhe2048" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ @@ -14196,6 +14340,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR x448 -> ffdhe2048" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ @@ -14217,6 +14362,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp256r1" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ @@ -14238,6 +14384,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp384r1" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ @@ -14259,6 +14406,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp521r1" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ @@ -14280,6 +14428,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> x25519" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ @@ -14301,6 +14450,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> x448" \ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ @@ -14418,12 +14568,14 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR secp256r1 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ @@ -14544,12 +14696,14 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR secp384r1 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ @@ -14670,12 +14824,14 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR secp521r1 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ @@ -14796,12 +14952,14 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR x25519 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ @@ -14922,12 +15080,14 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR x448 -> ffdhe2048" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ @@ -14954,6 +15114,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp256r1" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ @@ -14980,6 +15141,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp384r1" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ @@ -15006,6 +15168,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp521r1" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ @@ -15032,6 +15195,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> x25519" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ @@ -15058,6 +15222,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH +requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> x448" \ "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ diff --git a/tests/scripts/generate_tls13_compat_tests.py b/tests/scripts/generate_tls13_compat_tests.py index fdb264d..8b28590 100755 --- a/tests/scripts/generate_tls13_compat_tests.py +++ b/tests/scripts/generate_tls13_compat_tests.py @@ -353,6 +353,19 @@ class MbedTLSBase(TLSProgram): ret += ["groups={named_groups}".format(named_groups=named_groups)] return ret + #pylint: disable=missing-function-docstring + def add_ffdh_group_requirements(self, requirement_list): + if 'ffdhe2048' in self._named_groups: + requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') + if 'ffdhe3072' in self._named_groups: + requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') + if 'ffdhe4096' in self._named_groups: + requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') + if 'ffdhe6144' in self._named_groups: + requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') + if 'ffdhe8192' in self._named_groups: + requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') + def pre_checks(self): ret = ['requires_config_enabled MBEDTLS_DEBUG_C', 'requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED'] @@ -365,13 +378,14 @@ class MbedTLSBase(TLSProgram): 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT') ec_groups = ['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448'] - ffdh_groups = ['ffdhe2048'] + ffdh_groups = ['ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192'] if any(x in ec_groups for x in self._named_groups): ret.append('requires_config_enabled PSA_WANT_ALG_ECDH') if any(x in ffdh_groups for x in self._named_groups): ret.append('requires_config_enabled PSA_WANT_ALG_FFDH') + self.add_ffdh_group_requirements(ret) return ret -- cgit v1.1 From d929106f361297a9a495545307f0e6183aa88b12 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 09:48:06 +0100 Subject: ssl_ciphersuites: move internal functions declarations to a private header Signed-off-by: Valerio Setti --- include/mbedtls/ssl_ciphersuites.h | 139 -------------------------------- library/ssl_ciphersuites_internal.h | 154 ++++++++++++++++++++++++++++++++++++ library/ssl_misc.h | 1 + 3 files changed, 155 insertions(+), 139 deletions(-) create mode 100644 library/ssl_ciphersuites_internal.h diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 8cecbb6..f755ef3 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -463,18 +463,6 @@ const int *mbedtls_ssl_list_ciphersuites(void); const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(const char *ciphersuite_name); const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite_id); -#if defined(MBEDTLS_PK_C) -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info); -#if defined(MBEDTLS_USE_PSA_CRYPTO) -psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info); -psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info); -#endif -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info); -#endif - -int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info); -int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info); - static inline const char *mbedtls_ssl_ciphersuite_get_name(const mbedtls_ssl_ciphersuite_t *info) { return info->MBEDTLS_PRIVATE(name); @@ -482,133 +470,6 @@ static inline const char *mbedtls_ssl_ciphersuite_get_name(const mbedtls_ssl_cip size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info); -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) -static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_DHE_RSA: - case MBEDTLS_KEY_EXCHANGE_DHE_PSK: - case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: - case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - case MBEDTLS_KEY_EXCHANGE_ECJPAKE: - return 1; - - default: - return 0; - } -} -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ - -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) -static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - case MBEDTLS_KEY_EXCHANGE_RSA: - case MBEDTLS_KEY_EXCHANGE_PSK: - case MBEDTLS_KEY_EXCHANGE_RSA_PSK: - return 1; - - default: - return 0; - } -} -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ - -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) -static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - return 1; - - default: - return 0; - } -} -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ - -static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_RSA: - case MBEDTLS_KEY_EXCHANGE_DHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - return 1; - - default: - return 0; - } -} - -static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_RSA: - case MBEDTLS_KEY_EXCHANGE_RSA_PSK: - case MBEDTLS_KEY_EXCHANGE_DHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - return 1; - - default: - return 0; - } -} - -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) -static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_DHE_RSA: - case MBEDTLS_KEY_EXCHANGE_DHE_PSK: - return 1; - - default: - return 0; - } -} -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */ - -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) -static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: - return 1; - - default: - return 0; - } -} -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */ - -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) -static inline int mbedtls_ssl_ciphersuite_uses_server_signature( - const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_DHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - return 1; - - default: - return 0; - } -} -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ - #ifdef __cplusplus } #endif diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h new file mode 100644 index 0000000..27ff721 --- /dev/null +++ b/library/ssl_ciphersuites_internal.h @@ -0,0 +1,154 @@ +/** + * \file ssl_ciphersuites_internal.h + * + * \brief Internal part of the public "ssl_ciphersuites.h". + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ +#ifndef MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H +#define MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H + +#include "mbedtls/pk.h" + +#if defined(MBEDTLS_PK_C) +mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info); +#if defined(MBEDTLS_USE_PSA_CRYPTO) +psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info); +psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info); +#endif /* MBEDTLS_PK_C */ + +int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info); +int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info); + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) +static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_DHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECJPAKE: + return 1; + + default: + return 0; + } +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) +static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + case MBEDTLS_KEY_EXCHANGE_RSA: + case MBEDTLS_KEY_EXCHANGE_PSK: + case MBEDTLS_KEY_EXCHANGE_RSA_PSK: + return 1; + + default: + return 0; + } +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) +static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + return 1; + + default: + return 0; + } +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ + +static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_RSA: + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + return 1; + + default: + return 0; + } +} + +static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_RSA: + case MBEDTLS_KEY_EXCHANGE_RSA_PSK: + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + return 1; + + default: + return 0; + } +} + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) +static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_DHE_PSK: + return 1; + + default: + return 0; + } +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */ + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) +static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + return 1; + + default: + return 0; + } +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */ + +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) +static inline int mbedtls_ssl_ciphersuite_uses_server_signature( + const mbedtls_ssl_ciphersuite_t *info) +{ + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + return 1; + + default: + return 0; + } +} +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ + +#endif /* MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 96afe76..7cbc6af 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -44,6 +44,7 @@ #endif #include "mbedtls/pk.h" +#include "ssl_ciphersuites_internal.h" #include "pk_internal.h" #include "common.h" -- cgit v1.1 From a184fd0516b5a059d9e9a0ab3912345385ff9b72 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 11 Jan 2024 10:05:00 +0000 Subject: programs/dh_client/server: Replaced mbedtls_sha1 with mbedtls_sha256 Signed-off-by: Minos Galanakis --- programs/pkey/dh_client.c | 16 ++++++++-------- programs/pkey/dh_server.c | 15 +++++++-------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index 0cb1562..d8fc86f 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -14,8 +14,7 @@ #if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \ defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \ - defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \ - defined(MBEDTLS_MD_CAN_SHA1) + defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) #include "mbedtls/net_sockets.h" #include "mbedtls/aes.h" #include "mbedtls/dhm.h" @@ -30,18 +29,19 @@ #define SERVER_NAME "localhost" #define SERVER_PORT "11999" +#define MBEDTLS_MD_CAN_SHA256_MAX_SIZE 32 #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ - !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \ - !defined(MBEDTLS_SHA1_C) + !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) + int main(void) { mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C " "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n"); + "MBEDTLS_CTR_DRBG_C not defined.\n"); mbedtls_exit(0); } @@ -65,7 +65,7 @@ int main(void) unsigned char *p, *end; unsigned char buf[2048]; - unsigned char hash[32]; + unsigned char hash[MBEDTLS_MD_CAN_SHA256_MAX_SIZE]; const char *pers = "dh_client"; mbedtls_entropy_context entropy; @@ -187,13 +187,13 @@ int main(void) goto exit; } - if ((ret = mbedtls_sha1(buf, (int) (p - 2 - buf), hash)) != 0) { + if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) { mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret); goto exit; } if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256, - 32, hash, p)) != 0) { + MBEDTLS_MD_CAN_SHA256_MAX_SIZE, hash, p)) != 0) { mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret); goto exit; } diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index adddbf2..11c2b28 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -14,8 +14,7 @@ #if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \ defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \ - defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \ - defined(MBEDTLS_MD_CAN_SHA1) + defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) #include "mbedtls/net_sockets.h" #include "mbedtls/aes.h" #include "mbedtls/dhm.h" @@ -30,18 +29,18 @@ #define SERVER_PORT "11999" #define PLAINTEXT "==Hello there!==" +#define MBEDTLS_MD_CAN_SHA256_MAX_SIZE 32 #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ - !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \ - !defined(MBEDTLS_SHA1_C) + !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) int main(void) { mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C " "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n"); + "MBEDTLS_CTR_DRBG_C not defined.\n"); mbedtls_exit(0); } #else @@ -57,7 +56,7 @@ int main(void) mbedtls_net_context listen_fd, client_fd; unsigned char buf[2048]; - unsigned char hash[32]; + unsigned char hash[MBEDTLS_MD_CAN_SHA256_MAX_SIZE]; unsigned char buf2[2]; const char *pers = "dh_server"; @@ -186,7 +185,7 @@ int main(void) /* * 5. Sign the parameters and send them */ - if ((ret = mbedtls_sha1(buf, n, hash)) != 0) { + if ((ret = mbedtls_sha256(buf, n, hash, 0)) != 0) { mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret); goto exit; } @@ -195,7 +194,7 @@ int main(void) buf[n + 1] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len)); if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, NULL, NULL, MBEDTLS_MD_SHA256, - 32, hash, buf + n + 2)) != 0) { + MBEDTLS_MD_CAN_SHA256_MAX_SIZE, hash, buf + n + 2)) != 0) { mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret); goto exit; } -- cgit v1.1 From f4dfd1c8a5282ea0a9d0641d2fd6dd0649a5c92f Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 12 Jan 2024 16:06:15 +0000 Subject: programs/dh_client/server: Added entropy source to `mbedtls_rsa_pkcs1_sign()` Signed-off-by: Minos Galanakis --- programs/pkey/dh_server.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 11c2b28..7d7618b 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -193,8 +193,9 @@ int main(void) buf[n] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len) >> 8); buf[n + 1] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len)); - if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, NULL, NULL, MBEDTLS_MD_SHA256, - MBEDTLS_MD_CAN_SHA256_MAX_SIZE, hash, buf + n + 2)) != 0) { + if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg, + MBEDTLS_MD_SHA256, MBEDTLS_MD_CAN_SHA256_MAX_SIZE, + hash, buf + n + 2)) != 0) { mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret); goto exit; } -- cgit v1.1 From b6a96195fb188d9e0e0bc4b4e2c70a78db116d03 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 12 Jan 2024 14:34:14 +0000 Subject: programs_dh_client/server: Updated programs to use `mbedtls_rsa_get_len()` Signed-off-by: Minos Galanakis --- programs/pkey/dh_client.c | 16 +++++++++------- programs/pkey/dh_server.c | 7 ++++--- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index d8fc86f..774051c 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -66,6 +66,7 @@ int main(void) unsigned char *p, *end; unsigned char buf[2048]; unsigned char hash[MBEDTLS_MD_CAN_SHA256_MAX_SIZE]; + mbedtls_mpi N, E; const char *pers = "dh_client"; mbedtls_entropy_context entropy; @@ -78,6 +79,8 @@ int main(void) mbedtls_dhm_init(&dhm); mbedtls_aes_init(&aes); mbedtls_ctr_drbg_init(&ctr_drbg); + mbedtls_mpi_init(&N); + mbedtls_mpi_init(&E); /* * 1. Setup the RNG @@ -106,16 +109,13 @@ int main(void) } mbedtls_rsa_init(&rsa); - - if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 || - (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) { + if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 || + (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 || + (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) { mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret); fclose(f); goto exit; } - - rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3; - fclose(f); /* @@ -182,7 +182,7 @@ int main(void) p += 2; - if ((n = (size_t) (end - p)) != rsa.MBEDTLS_PRIVATE(len)) { + if ((n = (size_t) (end - p)) != mbedtls_rsa_get_len(&rsa)) { mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n"); goto exit; } @@ -273,6 +273,8 @@ exit: mbedtls_dhm_free(&dhm); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); + mbedtls_mpi_free(&N); + mbedtls_mpi_free(&E); mbedtls_exit(exit_code); } diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 7d7618b..0c6cebc 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -190,8 +190,9 @@ int main(void) goto exit; } - buf[n] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len) >> 8); - buf[n + 1] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len)); + const size_t rsa_key_len = mbedtls_rsa_get_len(&rsa); + buf[n] = (unsigned char) (rsa_key_len >> 8); + buf[n + 1] = (unsigned char) (rsa_key_len); if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_MD_SHA256, MBEDTLS_MD_CAN_SHA256_MAX_SIZE, @@ -200,7 +201,7 @@ int main(void) goto exit; } - buflen = n + 2 + rsa.MBEDTLS_PRIVATE(len); + buflen = n + 2 + rsa_key_len; buf2[0] = (unsigned char) (buflen >> 8); buf2[1] = (unsigned char) (buflen); -- cgit v1.1 From ee757d35dfaf370792408b7232d31783e9f94653 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 12 Jan 2024 15:06:20 +0000 Subject: programs_rsa_encrypt/decrypt: Updated programs to use `mbedtls_rsa_get_len()` Signed-off-by: Minos Galanakis --- programs/pkey/rsa_decrypt.c | 2 +- programs/pkey/rsa_encrypt.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index 76bfddf..a84af50 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -133,7 +133,7 @@ int main(int argc, char *argv[]) fclose(f); - if (i != rsa.MBEDTLS_PRIVATE(len)) { + if (i != mbedtls_rsa_get_len(&rsa)) { mbedtls_printf("\n ! Invalid RSA signature format\n\n"); goto exit; } diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index 4bbb54e..6538f8a 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -126,7 +126,7 @@ int main(int argc, char *argv[]) goto exit; } - for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) { + for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) { mbedtls_fprintf(f, "%02X%s", buf[i], (i + 1) % 16 == 0 ? "\r\n" : " "); } -- cgit v1.1 From 992f0b8427d88dd3dd6e232406cc8271c3b32407 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 12 Jan 2024 15:07:24 +0000 Subject: programs_rsa_rsa_sign: Updated program to use `mbedtls_rsa_get_len()` Signed-off-by: Minos Galanakis --- programs/pkey/rsa_sign.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index 9d8ebe3..e14953b 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -131,7 +131,7 @@ int main(int argc, char *argv[]) goto exit; } - for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) { + for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) { mbedtls_fprintf(f, "%02X%s", buf[i], (i + 1) % 16 == 0 ? "\r\n" : " "); } -- cgit v1.1 From 6e92df12c272a6a8ba328e1de1f5290442345989 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 12 Jan 2024 15:13:47 +0000 Subject: programs_rsa_rsa_verify: Updated program to use `mbedtls_rsa_get_len()` Signed-off-by: Minos Galanakis --- programs/pkey/rsa_verify.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index e7d72fd..4a9af77 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -37,11 +37,14 @@ int main(int argc, char *argv[]) int exit_code = MBEDTLS_EXIT_FAILURE; size_t i; mbedtls_rsa_context rsa; + mbedtls_mpi N, E; unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; mbedtls_rsa_init(&rsa); + mbedtls_mpi_init(&N); + mbedtls_mpi_init(&E); if (argc != 2) { mbedtls_printf("usage: rsa_verify \n"); @@ -62,15 +65,13 @@ int main(int argc, char *argv[]) goto exit; } - if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 || - (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) { + if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 || + (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 || + (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) { mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret); fclose(f); goto exit; } - - rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3; - fclose(f); /* @@ -91,7 +92,7 @@ int main(int argc, char *argv[]) fclose(f); - if (i != rsa.MBEDTLS_PRIVATE(len)) { + if (i != mbedtls_rsa_get_len(&rsa)) { mbedtls_printf("\n ! Invalid RSA signature format\n\n"); goto exit; } @@ -124,6 +125,8 @@ int main(int argc, char *argv[]) exit: mbedtls_rsa_free(&rsa); + mbedtls_mpi_free(&N); + mbedtls_mpi_free(&E); mbedtls_exit(exit_code); } -- cgit v1.1 From 7c8448842dd461e69290c794e70662ab2e25c5f3 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 15 Jan 2024 17:03:58 +0000 Subject: programs_dh_client/server: Updated to query digest size using `mbedtls_md_info_from_type()`. Signed-off-by: Minos Galanakis --- programs/pkey/dh_client.c | 13 +++++++++---- programs/pkey/dh_server.c | 14 ++++++++++---- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index 774051c..1b5ba40 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -29,7 +29,6 @@ #define SERVER_NAME "localhost" #define SERVER_PORT "11999" -#define MBEDTLS_MD_CAN_SHA256_MAX_SIZE 32 #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \ @@ -60,12 +59,12 @@ int main(void) int ret = 1; int exit_code = MBEDTLS_EXIT_FAILURE; - size_t n, buflen; + size_t n, buflen, mdlen; mbedtls_net_context server_fd; unsigned char *p, *end; unsigned char buf[2048]; - unsigned char hash[MBEDTLS_MD_CAN_SHA256_MAX_SIZE]; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; mbedtls_mpi N, E; const char *pers = "dh_client"; @@ -187,13 +186,19 @@ int main(void) goto exit; } + mdlen = mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); + if (mdlen == 0) { + mbedtls_printf(" failed\n ! Invalid digest type\n\n"); + goto exit; + } + if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) { mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret); goto exit; } if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256, - MBEDTLS_MD_CAN_SHA256_MAX_SIZE, hash, p)) != 0) { + mdlen, hash, p)) != 0) { mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret); goto exit; } diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 0c6cebc..11c28fb 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -29,7 +29,6 @@ #define SERVER_PORT "11999" #define PLAINTEXT "==Hello there!==" -#define MBEDTLS_MD_CAN_SHA256_MAX_SIZE 32 #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \ @@ -52,11 +51,11 @@ int main(void) int ret = 1; int exit_code = MBEDTLS_EXIT_FAILURE; - size_t n, buflen; + size_t n, buflen, mdlen; mbedtls_net_context listen_fd, client_fd; unsigned char buf[2048]; - unsigned char hash[MBEDTLS_MD_CAN_SHA256_MAX_SIZE]; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; unsigned char buf2[2]; const char *pers = "dh_server"; @@ -185,6 +184,13 @@ int main(void) /* * 5. Sign the parameters and send them */ + + mdlen = mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); + if (mdlen == 0) { + mbedtls_printf(" failed\n ! Invalid digest type\n\n"); + goto exit; + } + if ((ret = mbedtls_sha256(buf, n, hash, 0)) != 0) { mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret); goto exit; @@ -195,7 +201,7 @@ int main(void) buf[n + 1] = (unsigned char) (rsa_key_len); if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg, - MBEDTLS_MD_SHA256, MBEDTLS_MD_CAN_SHA256_MAX_SIZE, + MBEDTLS_MD_SHA256, mdlen, hash, buf + n + 2)) != 0) { mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret); goto exit; -- cgit v1.1 From b4f5076270c4636934aa1114d08ba19eca9b673d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 10:24:52 +0100 Subject: debug: move internal functions declarations to an internal header file Signed-off-by: Valerio Setti --- include/mbedtls/debug.h | 159 +----------------------------- library/debug.c | 2 +- library/debug_internal.h | 172 +++++++++++++++++++++++++++++++++ library/ssl_client.c | 2 +- library/ssl_msg.c | 2 +- library/ssl_tls.c | 2 +- library/ssl_tls12_client.c | 2 +- library/ssl_tls12_server.c | 2 +- library/ssl_tls13_client.c | 2 +- library/ssl_tls13_generic.c | 2 +- library/ssl_tls13_keys.c | 2 +- library/ssl_tls13_server.c | 2 +- tests/suites/test_suite_debug.function | 2 +- 13 files changed, 184 insertions(+), 169 deletions(-) create mode 100644 library/debug_internal.h diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index 922e5be..424ed4b 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -149,165 +149,8 @@ extern "C" { */ void mbedtls_debug_set_threshold(int threshold); -/** - * \brief Print a message to the debug output. This function is always used - * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl - * context, file and line number parameters. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the message has occurred in - * \param line line number the message has occurred at - * \param format format specifier, in printf format - * \param ... variables used by the format specifier - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6); - -/** - * \brief Print the return value of a function to the debug output. This - * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, - * which supplies the ssl context, file and line number parameters. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the error has occurred in - * \param line line number the error has occurred in - * \param text the name of the function that returned the error - * \param ret the return code value - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, int ret); - -/** - * \brief Output a buffer of size len bytes to the debug output. This function - * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, - * which supplies the ssl context, file and line number parameters. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the error has occurred in - * \param line line number the error has occurred in - * \param text a name or label for the buffer being dumped. Normally the - * variable or buffer name - * \param buf the buffer to be outputted - * \param len length of the buffer - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, const char *text, - const unsigned char *buf, size_t len); - -#if defined(MBEDTLS_BIGNUM_C) -/** - * \brief Print a MPI variable to the debug output. This function is always - * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the - * ssl context, file and line number parameters. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the error has occurred in - * \param line line number the error has occurred in - * \param text a name or label for the MPI being output. Normally the - * variable name - * \param X the MPI variable - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, const mbedtls_mpi *X); -#endif - -#if defined(MBEDTLS_ECP_LIGHT) -/** - * \brief Print an ECP point to the debug output. This function is always - * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the - * ssl context, file and line number parameters. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the error has occurred in - * \param line line number the error has occurred in - * \param text a name or label for the ECP point being output. Normally the - * variable name - * \param X the ECP point - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, const mbedtls_ecp_point *X); -#endif - -#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) -/** - * \brief Print a X.509 certificate structure to the debug output. This - * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, - * which supplies the ssl context, file and line number parameters. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the error has occurred in - * \param line line number the error has occurred in - * \param text a name or label for the certificate being output - * \param crt X.509 certificate structure - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const char *text, const mbedtls_x509_crt *crt); -#endif - -/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function - only works for the built-in implementation. */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \ - defined(MBEDTLS_ECDH_C) -typedef enum { - MBEDTLS_DEBUG_ECDH_Q, - MBEDTLS_DEBUG_ECDH_QP, - MBEDTLS_DEBUG_ECDH_Z, -} mbedtls_debug_ecdh_attr; - -/** - * \brief Print a field of the ECDH structure in the SSL context to the debug - * output. This function is always used through the - * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file - * and line number parameters. - * - * \param ssl SSL context - * \param level error level of the debug message - * \param file file the error has occurred in - * \param line line number the error has occurred in - * \param ecdh the ECDH context - * \param attr the identifier of the attribute being output - * - * \attention This function is intended for INTERNAL usage within the - * library only. - */ -void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level, - const char *file, int line, - const mbedtls_ecdh_context *ecdh, - mbedtls_debug_ecdh_attr attr); -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED && - MBEDTLS_ECDH_C */ - #ifdef __cplusplus } #endif -#endif /* debug.h */ +#endif /* MBEDTLS_DEBUG_H */ diff --git a/library/debug.c b/library/debug.c index a9d58e5..c36ed3c 100644 --- a/library/debug.c +++ b/library/debug.c @@ -11,7 +11,7 @@ #include "mbedtls/platform.h" -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include diff --git a/library/debug_internal.h b/library/debug_internal.h new file mode 100644 index 0000000..4523b46 --- /dev/null +++ b/library/debug_internal.h @@ -0,0 +1,172 @@ +/** + * \file debug_internal.h + * + * \brief Internal part of the public "debug.h". + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ +#ifndef MBEDTLS_DEBUG_INTERNAL_H +#define MBEDTLS_DEBUG_INTERNAL_H + +#include "mbedtls/debug.h" + +/** + * \brief Print a message to the debug output. This function is always used + * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl + * context, file and line number parameters. + * + * \param ssl SSL context + * \param level error level of the debug message + * \param file file the message has occurred in + * \param line line number the message has occurred at + * \param format format specifier, in printf format + * \param ... variables used by the format specifier + * + * \attention This function is intended for INTERNAL usage within the + * library only. + */ +void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6); + +/** + * \brief Print the return value of a function to the debug output. This + * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro, + * which supplies the ssl context, file and line number parameters. + * + * \param ssl SSL context + * \param level error level of the debug message + * \param file file the error has occurred in + * \param line line number the error has occurred in + * \param text the name of the function that returned the error + * \param ret the return code value + * + * \attention This function is intended for INTERNAL usage within the + * library only. + */ +void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const char *text, int ret); + +/** + * \brief Output a buffer of size len bytes to the debug output. This function + * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro, + * which supplies the ssl context, file and line number parameters. + * + * \param ssl SSL context + * \param level error level of the debug message + * \param file file the error has occurred in + * \param line line number the error has occurred in + * \param text a name or label for the buffer being dumped. Normally the + * variable or buffer name + * \param buf the buffer to be outputted + * \param len length of the buffer + * + * \attention This function is intended for INTERNAL usage within the + * library only. + */ +void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, const char *text, + const unsigned char *buf, size_t len); + +#if defined(MBEDTLS_BIGNUM_C) +/** + * \brief Print a MPI variable to the debug output. This function is always + * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the + * ssl context, file and line number parameters. + * + * \param ssl SSL context + * \param level error level of the debug message + * \param file file the error has occurred in + * \param line line number the error has occurred in + * \param text a name or label for the MPI being output. Normally the + * variable name + * \param X the MPI variable + * + * \attention This function is intended for INTERNAL usage within the + * library only. + */ +void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const char *text, const mbedtls_mpi *X); +#endif + +#if defined(MBEDTLS_ECP_LIGHT) +/** + * \brief Print an ECP point to the debug output. This function is always + * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the + * ssl context, file and line number parameters. + * + * \param ssl SSL context + * \param level error level of the debug message + * \param file file the error has occurred in + * \param line line number the error has occurred in + * \param text a name or label for the ECP point being output. Normally the + * variable name + * \param X the ECP point + * + * \attention This function is intended for INTERNAL usage within the + * library only. + */ +void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const char *text, const mbedtls_ecp_point *X); +#endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) +/** + * \brief Print a X.509 certificate structure to the debug output. This + * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro, + * which supplies the ssl context, file and line number parameters. + * + * \param ssl SSL context + * \param level error level of the debug message + * \param file file the error has occurred in + * \param line line number the error has occurred in + * \param text a name or label for the certificate being output + * \param crt X.509 certificate structure + * + * \attention This function is intended for INTERNAL usage within the + * library only. + */ +void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const char *text, const mbedtls_x509_crt *crt); +#endif + +/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function + only works for the built-in implementation. */ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \ + defined(MBEDTLS_ECDH_C) +typedef enum { + MBEDTLS_DEBUG_ECDH_Q, + MBEDTLS_DEBUG_ECDH_QP, + MBEDTLS_DEBUG_ECDH_Z, +} mbedtls_debug_ecdh_attr; + +/** + * \brief Print a field of the ECDH structure in the SSL context to the debug + * output. This function is always used through the + * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file + * and line number parameters. + * + * \param ssl SSL context + * \param level error level of the debug message + * \param file file the error has occurred in + * \param line line number the error has occurred in + * \param ecdh the ECDH context + * \param attr the identifier of the attribute being output + * + * \attention This function is intended for INTERNAL usage within the + * library only. + */ +void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const mbedtls_ecdh_context *ecdh, + mbedtls_debug_ecdh_attr attr); +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED && + MBEDTLS_ECDH_C */ + +#endif /* MBEDTLS_DEBUG_INTERNAL_H */ diff --git a/library/ssl_client.c b/library/ssl_client.c index d585ca5..6d988a8 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -12,7 +12,7 @@ #include -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 6579c96..5753cf9 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -18,7 +18,7 @@ #include "mbedtls/ssl.h" #include "ssl_misc.h" -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/version.h" diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8c1e372..bd1380a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -20,7 +20,7 @@ #include "ssl_debug_helpers.h" #include "ssl_misc.h" -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/version.h" diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 0c5af87..c3a8037 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -14,7 +14,7 @@ #include "mbedtls/ssl.h" #include "ssl_client.h" #include "ssl_misc.h" -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/constant_time.h" diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 5a9f6ca..f242faa 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -13,7 +13,7 @@ #include "mbedtls/ssl.h" #include "ssl_misc.h" -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "constant_time_internal.h" diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5c668bd..86dd0ec 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -11,7 +11,7 @@ #include -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 47fa65c..202631f 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -12,7 +12,7 @@ #include #include "mbedtls/error.h" -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/oid.h" #include "mbedtls/platform.h" #include "mbedtls/constant_time.h" diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 9b775ec..d79e70c 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -13,7 +13,7 @@ #include #include "mbedtls/hkdf.h" -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6e2866a..29c9f6c 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -9,7 +9,7 @@ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" #include "mbedtls/constant_time.h" diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index b961040..eeefc95 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -1,5 +1,5 @@ /* BEGIN_HEADER */ -#include "mbedtls/debug.h" +#include "debug_internal.h" #include "string.h" #include "mbedtls/pk.h" -- cgit v1.1 From 25b282ebfe5cb84e73d6194e83dc8d6c5d9a25e4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 10:55:32 +0100 Subject: x509: move internal functions declarations to a private header Signed-off-by: Valerio Setti --- include/mbedtls/pkcs7.h | 1 - include/mbedtls/x509.h | 197 +------------------------- library/pkcs7.c | 2 +- library/ssl_misc.h | 1 + library/x509.c | 2 +- library/x509_create.c | 2 +- library/x509_crl.c | 1 + library/x509_crt.c | 1 + library/x509_csr.c | 1 + library/x509_internal.h | 213 +++++++++++++++++++++++++++++ library/x509write.c | 1 + library/x509write_crt.c | 1 + library/x509write_csr.c | 2 +- tests/suites/test_suite_pkcs7.function | 1 + tests/suites/test_suite_x509parse.function | 1 + tests/suites/test_suite_x509write.function | 1 + 16 files changed, 228 insertions(+), 200 deletions(-) create mode 100644 library/x509_internal.h diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 70b25a9..e9b4822 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -41,7 +41,6 @@ #include "mbedtls/build_info.h" #include "mbedtls/asn1.h" -#include "mbedtls/x509.h" #include "mbedtls/x509_crt.h" /** diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index e2e0667..be63612 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -307,6 +307,7 @@ typedef struct mbedtls_x509_san_list { mbedtls_x509_san_list; /** \} name Structures for parsing X.509 certificates, CRLs and CSRs */ +/** \} addtogroup x509_module */ /** * \brief Store the certificate DN in printable form into buf; @@ -321,201 +322,7 @@ mbedtls_x509_san_list; */ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn); -/** - * \brief Return the next relative DN in an X509 name. - * - * \note Intended use is to compare function result to dn->next - * in order to detect boundaries of multi-valued RDNs. - * - * \param dn Current node in the X509 name - * - * \return Pointer to the first attribute-value pair of the - * next RDN in sequence, or NULL if end is reached. - */ -static inline mbedtls_x509_name *mbedtls_x509_dn_get_next( - mbedtls_x509_name *dn) -{ - while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) { - dn = dn->next; - } - return dn->next; -} - -/** - * \brief Store the certificate serial in printable form into buf; - * no more than size characters will be written. - * - * \param buf Buffer to write to - * \param size Maximum size of buffer - * \param serial The X509 serial to represent - * - * \return The length of the string written (not including the - * terminated nul byte), or a negative error code. - */ -int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial); - -/** - * \brief Compare pair of mbedtls_x509_time. - * - * \param t1 mbedtls_x509_time to compare - * \param t2 mbedtls_x509_time to compare - * - * \return < 0 if t1 is before t2 - * 0 if t1 equals t2 - * > 0 if t1 is after t2 - */ -int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2); - -#if defined(MBEDTLS_HAVE_TIME_DATE) -/** - * \brief Fill mbedtls_x509_time with provided mbedtls_time_t. - * - * \param tt mbedtls_time_t to convert - * \param now mbedtls_x509_time to fill with converted mbedtls_time_t - * - * \return \c 0 on success - * \return A non-zero return value on failure. - */ -int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now); -#endif /* MBEDTLS_HAVE_TIME_DATE */ - -/** - * \brief Check a given mbedtls_x509_time against the system time - * and tell if it's in the past. - * - * \note Intended usage is "if( is_past( valid_to ) ) ERROR". - * Hence the return value of 1 if on internal errors. - * - * \param to mbedtls_x509_time to check - * - * \return 1 if the given time is in the past or an error occurred, - * 0 otherwise. - */ -int mbedtls_x509_time_is_past(const mbedtls_x509_time *to); - -/** - * \brief Check a given mbedtls_x509_time against the system time - * and tell if it's in the future. - * - * \note Intended usage is "if( is_future( valid_from ) ) ERROR". - * Hence the return value of 1 if on internal errors. - * - * \param from mbedtls_x509_time to check - * - * \return 1 if the given time is in the future or an error occurred, - * 0 otherwise. - */ -int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); - -/** - * \brief This function parses an item in the SubjectAlternativeNames - * extension. Please note that this function might allocate - * additional memory for a subject alternative name, thus - * mbedtls_x509_free_subject_alt_name has to be called - * to dispose of this additional memory afterwards. - * - * \param san_buf The buffer holding the raw data item of the subject - * alternative name. - * \param san The target structure to populate with the parsed presentation - * of the subject alternative name encoded in \p san_buf. - * - * \note Supported GeneralName types, as defined in RFC 5280: - * "rfc822Name", "dnsName", "directoryName", - * "uniformResourceIdentifier" and "hardware_module_name" - * of type "otherName", as defined in RFC 4108. - * - * \note This function should be called on a single raw data of - * subject alternative name. For example, after successful - * certificate parsing, one must iterate on every item in the - * \c crt->subject_alt_names sequence, and pass it to - * this function. - * - * \warning The target structure contains pointers to the raw data of the - * parsed certificate, and its lifetime is restricted by the - * lifetime of the certificate. - * - * \return \c 0 on success - * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported - * SAN type. - * \return Another negative value for any other failure. - */ -int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, - mbedtls_x509_subject_alternative_name *san); -/** - * \brief Unallocate all data related to subject alternative name - * - * \param san SAN structure - extra memory owned by this structure will be freed - */ -void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san); - -/** \} addtogroup x509_module */ - -/* - * Internal module functions. You probably do not want to use these unless you - * know you do. - */ -int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, - mbedtls_x509_name *cur); -int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end, - mbedtls_x509_buf *alg); -int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end, - mbedtls_x509_buf *alg, mbedtls_x509_buf *params); -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) -int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params, - mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md, - int *salt_len); -#endif -int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig); -int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, - mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, - void **sig_opts); -int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, - mbedtls_x509_time *t); -int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end, - mbedtls_x509_buf *serial); -int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, - mbedtls_x509_buf *ext, int tag); -#if !defined(MBEDTLS_X509_REMOVE_INFO) -int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, - mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, - const void *sig_opts); -#endif -int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name); int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name); -int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, - int critical, const unsigned char *val, - size_t val_len); -int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start, - mbedtls_asn1_named_data *first); -int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, - mbedtls_asn1_named_data *first); -int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, - const char *oid, size_t oid_len, - unsigned char *sig, size_t size, - mbedtls_pk_type_t pk_alg); -int mbedtls_x509_get_ns_cert_type(unsigned char **p, - const unsigned char *end, - unsigned char *ns_cert_type); -int mbedtls_x509_get_key_usage(unsigned char **p, - const unsigned char *end, - unsigned int *key_usage); -int mbedtls_x509_get_subject_alt_name(unsigned char **p, - const unsigned char *end, - mbedtls_x509_sequence *subject_alt_name); -int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p, - const unsigned char *end, - mbedtls_x509_sequence *subject_alt_name); -int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, - const mbedtls_x509_sequence - *subject_alt_name, - const char *prefix); -int mbedtls_x509_info_cert_type(char **buf, size_t *size, - unsigned char ns_cert_type); -int mbedtls_x509_info_key_usage(char **buf, size_t *size, - unsigned int key_usage); - -int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions, - const mbedtls_x509_san_list *san_list); /** * \brief This function parses a CN string as an IP address. @@ -547,4 +354,4 @@ size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst); } #endif -#endif /* x509.h */ +#endif /* MBEDTLS_X509_H */ diff --git a/library/pkcs7.c b/library/pkcs7.c index 0869c2e..3aac662 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -7,7 +7,7 @@ #include "mbedtls/build_info.h" #if defined(MBEDTLS_PKCS7_C) #include "mbedtls/pkcs7.h" -#include "mbedtls/x509.h" +#include "x509_internal.h" #include "mbedtls/asn1.h" #include "mbedtls/x509_crt.h" #include "mbedtls/x509_crl.h" diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 7cbc6af..101b204 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -45,6 +45,7 @@ #include "mbedtls/pk.h" #include "ssl_ciphersuites_internal.h" +#include "x509_internal.h" #include "pk_internal.h" #include "common.h" diff --git a/library/x509.c b/library/x509.c index b7b71f3..f97fb44 100644 --- a/library/x509.c +++ b/library/x509.c @@ -19,7 +19,7 @@ #if defined(MBEDTLS_X509_USE_C) -#include "mbedtls/x509.h" +#include "x509_internal.h" #include "mbedtls/asn1.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" diff --git a/library/x509_create.c b/library/x509_create.c index f7a17e7..839b5df 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -9,7 +9,7 @@ #if defined(MBEDTLS_X509_CREATE_C) -#include "mbedtls/x509.h" +#include "x509_internal.h" #include "mbedtls/asn1write.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" diff --git a/library/x509_crl.c b/library/x509_crl.c index fdbad23..7901992 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -20,6 +20,7 @@ #if defined(MBEDTLS_X509_CRL_PARSE_C) #include "mbedtls/x509_crl.h" +#include "x509_internal.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" diff --git a/library/x509_crt.c b/library/x509_crt.c index 4e7672e..730f6ef 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -22,6 +22,7 @@ #if defined(MBEDTLS_X509_CRT_PARSE_C) #include "mbedtls/x509_crt.h" +#include "x509_internal.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" diff --git a/library/x509_csr.c b/library/x509_csr.c index 79b1589..813d644 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -20,6 +20,7 @@ #if defined(MBEDTLS_X509_CSR_PARSE_C) #include "mbedtls/x509_csr.h" +#include "x509_internal.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" diff --git a/library/x509_internal.h b/library/x509_internal.h new file mode 100644 index 0000000..e1be393 --- /dev/null +++ b/library/x509_internal.h @@ -0,0 +1,213 @@ +/** + * \file x509.h + * + * \brief Internal part of the public "x509.h". + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ +#ifndef MBEDTLS_X509_INTERNAL_H +#define MBEDTLS_X509_INTERNAL_H +#include "mbedtls/private_access.h" + +#include "mbedtls/build_info.h" + +#include "mbedtls/x509.h" +#include "mbedtls/asn1.h" +#include "mbedtls/pk.h" + +#if defined(MBEDTLS_RSA_C) +#include "mbedtls/rsa.h" +#endif + +/** + * \brief Return the next relative DN in an X509 name. + * + * \note Intended use is to compare function result to dn->next + * in order to detect boundaries of multi-valued RDNs. + * + * \param dn Current node in the X509 name + * + * \return Pointer to the first attribute-value pair of the + * next RDN in sequence, or NULL if end is reached. + */ +static inline mbedtls_x509_name *mbedtls_x509_dn_get_next( + mbedtls_x509_name *dn) +{ + while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) { + dn = dn->next; + } + return dn->next; +} + +/** + * \brief Store the certificate serial in printable form into buf; + * no more than size characters will be written. + * + * \param buf Buffer to write to + * \param size Maximum size of buffer + * \param serial The X509 serial to represent + * + * \return The length of the string written (not including the + * terminated nul byte), or a negative error code. + */ +int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial); + +/** + * \brief Compare pair of mbedtls_x509_time. + * + * \param t1 mbedtls_x509_time to compare + * \param t2 mbedtls_x509_time to compare + * + * \return < 0 if t1 is before t2 + * 0 if t1 equals t2 + * > 0 if t1 is after t2 + */ +int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2); + +#if defined(MBEDTLS_HAVE_TIME_DATE) +/** + * \brief Fill mbedtls_x509_time with provided mbedtls_time_t. + * + * \param tt mbedtls_time_t to convert + * \param now mbedtls_x509_time to fill with converted mbedtls_time_t + * + * \return \c 0 on success + * \return A non-zero return value on failure. + */ +int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now); +#endif /* MBEDTLS_HAVE_TIME_DATE */ + +/** + * \brief Check a given mbedtls_x509_time against the system time + * and tell if it's in the past. + * + * \note Intended usage is "if( is_past( valid_to ) ) ERROR". + * Hence the return value of 1 if on internal errors. + * + * \param to mbedtls_x509_time to check + * + * \return 1 if the given time is in the past or an error occurred, + * 0 otherwise. + */ +int mbedtls_x509_time_is_past(const mbedtls_x509_time *to); + +/** + * \brief Check a given mbedtls_x509_time against the system time + * and tell if it's in the future. + * + * \note Intended usage is "if( is_future( valid_from ) ) ERROR". + * Hence the return value of 1 if on internal errors. + * + * \param from mbedtls_x509_time to check + * + * \return 1 if the given time is in the future or an error occurred, + * 0 otherwise. + */ +int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); + +/** + * \brief This function parses an item in the SubjectAlternativeNames + * extension. Please note that this function might allocate + * additional memory for a subject alternative name, thus + * mbedtls_x509_free_subject_alt_name has to be called + * to dispose of this additional memory afterwards. + * + * \param san_buf The buffer holding the raw data item of the subject + * alternative name. + * \param san The target structure to populate with the parsed presentation + * of the subject alternative name encoded in \p san_buf. + * + * \note Supported GeneralName types, as defined in RFC 5280: + * "rfc822Name", "dnsName", "directoryName", + * "uniformResourceIdentifier" and "hardware_module_name" + * of type "otherName", as defined in RFC 4108. + * + * \note This function should be called on a single raw data of + * subject alternative name. For example, after successful + * certificate parsing, one must iterate on every item in the + * \c crt->subject_alt_names sequence, and pass it to + * this function. + * + * \warning The target structure contains pointers to the raw data of the + * parsed certificate, and its lifetime is restricted by the + * lifetime of the certificate. + * + * \return \c 0 on success + * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported + * SAN type. + * \return Another negative value for any other failure. + */ +int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, + mbedtls_x509_subject_alternative_name *san); +/** + * \brief Unallocate all data related to subject alternative name + * + * \param san SAN structure - extra memory owned by this structure will be freed + */ +void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san); + +int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, + mbedtls_x509_name *cur); +int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end, + mbedtls_x509_buf *alg); +int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end, + mbedtls_x509_buf *alg, mbedtls_x509_buf *params); +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) +int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params, + mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md, + int *salt_len); +#endif +int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig); +int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, + mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, + void **sig_opts); +int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, + mbedtls_x509_time *t); +int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end, + mbedtls_x509_buf *serial); +int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, + mbedtls_x509_buf *ext, int tag); +#if !defined(MBEDTLS_X509_REMOVE_INFO) +int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, + mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, + const void *sig_opts); +#endif +int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name); +int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, + int critical, const unsigned char *val, + size_t val_len); +int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start, + mbedtls_asn1_named_data *first); +int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, + mbedtls_asn1_named_data *first); +int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, + const char *oid, size_t oid_len, + unsigned char *sig, size_t size, + mbedtls_pk_type_t pk_alg); +int mbedtls_x509_get_ns_cert_type(unsigned char **p, + const unsigned char *end, + unsigned char *ns_cert_type); +int mbedtls_x509_get_key_usage(unsigned char **p, + const unsigned char *end, + unsigned int *key_usage); +int mbedtls_x509_get_subject_alt_name(unsigned char **p, + const unsigned char *end, + mbedtls_x509_sequence *subject_alt_name); +int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p, + const unsigned char *end, + mbedtls_x509_sequence *subject_alt_name); +int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, + const mbedtls_x509_sequence + *subject_alt_name, + const char *prefix); +int mbedtls_x509_info_cert_type(char **buf, size_t *size, + unsigned char ns_cert_type); +int mbedtls_x509_info_key_usage(char **buf, size_t *size, + unsigned int key_usage); + +int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions, + const mbedtls_x509_san_list *san_list); + +#endif /* MBEDTLS_X509_INTERNAL_H */ diff --git a/library/x509write.c b/library/x509write.c index d434df5..4704900 100644 --- a/library/x509write.c +++ b/library/x509write.c @@ -8,6 +8,7 @@ #if defined(MBEDTLS_X509_CSR_WRITE_C) || defined(MBEDTLS_X509_CRT_WRITE_C) #include "mbedtls/x509_crt.h" +#include "x509_internal.h" #include "mbedtls/asn1write.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 44b6b17..2a1a5e2 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -16,6 +16,7 @@ #if defined(MBEDTLS_X509_CRT_WRITE_C) #include "mbedtls/x509_crt.h" +#include "x509_internal.h" #include "mbedtls/asn1write.h" #include "mbedtls/error.h" #include "mbedtls/oid.h" diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 254da69..0a36202 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -14,7 +14,7 @@ #if defined(MBEDTLS_X509_CSR_WRITE_C) -#include "mbedtls/x509.h" +#include "x509_internal.h" #include "mbedtls/x509_csr.h" #include "mbedtls/asn1write.h" #include "mbedtls/error.h" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 65384a8..4c8bf23 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -4,6 +4,7 @@ #include "mbedtls/x509.h" #include "mbedtls/x509_crt.h" #include "mbedtls/x509_crl.h" +#include "x509_internal.h" #include "mbedtls/oid.h" #include "sys/types.h" #include "sys/stat.h" diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index c2a2f55..66477e0 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -4,6 +4,7 @@ #include "mbedtls/x509_crt.h" #include "mbedtls/x509_crl.h" #include "mbedtls/x509_csr.h" +#include "x509_internal.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "mbedtls/base64.h" diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 503d976..765866b 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -2,6 +2,7 @@ #include "mbedtls/bignum.h" #include "mbedtls/x509_crt.h" #include "mbedtls/x509_csr.h" +#include "x509_internal.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "mbedtls/rsa.h" -- cgit v1.1 From 639d5678b5466bff184b9fc3199fea2202d2dc73 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 17 Jan 2024 11:04:56 +0100 Subject: pk: move mbedtls_pk_load_file to pk_internal Signed-off-by: Valerio Setti --- include/mbedtls/pk.h | 8 -------- library/pk_internal.h | 4 ++++ library/x509_internal.h | 2 +- tests/suites/test_suite_pkwrite.function | 2 +- 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 27768bd..2fdcaef 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -1042,14 +1042,6 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, const mbedtls_pk_context *key); #endif /* MBEDTLS_PK_WRITE_C */ -/* - * Internal module functions. You probably do not want to use these unless you - * know you do. - */ -#if defined(MBEDTLS_FS_IO) -int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n); -#endif - #if defined(MBEDTLS_USE_PSA_CRYPTO) /** * \brief Turn an EC or RSA key into an opaque one. diff --git a/library/pk_internal.h b/library/pk_internal.h index 025ee8b..9cab6a5 100644 --- a/library/pk_internal.h +++ b/library/pk_internal.h @@ -144,4 +144,8 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der( int (*f_rng)(void *, unsigned char *, size_t), void *p_rng); #endif +#if defined(MBEDTLS_FS_IO) +int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n); +#endif + #endif /* MBEDTLS_PK_INTERNAL_H */ diff --git a/library/x509_internal.h b/library/x509_internal.h index e1be393..15e097a 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -15,7 +15,7 @@ #include "mbedtls/x509.h" #include "mbedtls/asn1.h" -#include "mbedtls/pk.h" +#include "pk_internal.h" #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function index 733909e..c760090 100644 --- a/tests/suites/test_suite_pkwrite.function +++ b/tests/suites/test_suite_pkwrite.function @@ -1,5 +1,5 @@ /* BEGIN_HEADER */ -#include "mbedtls/pk.h" +#include "pk_internal.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "psa/crypto_sizes.h" -- cgit v1.1 From db8915287e183e642254565f9058ace93aabcf8a Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 16 Jan 2024 13:32:31 +0000 Subject: programs_dh_client/server: Changed mdlen type to unsigned integer. Signed-off-by: Minos Galanakis --- programs/pkey/dh_client.c | 5 +++-- programs/pkey/dh_server.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index 1b5ba40..e846914 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -59,7 +59,8 @@ int main(void) int ret = 1; int exit_code = MBEDTLS_EXIT_FAILURE; - size_t n, buflen, mdlen; + unsigned int mdlen; + size_t n, buflen; mbedtls_net_context server_fd; unsigned char *p, *end; @@ -186,7 +187,7 @@ int main(void) goto exit; } - mdlen = mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); + mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); if (mdlen == 0) { mbedtls_printf(" failed\n ! Invalid digest type\n\n"); goto exit; diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 11c28fb..c08b0dc 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -51,7 +51,8 @@ int main(void) int ret = 1; int exit_code = MBEDTLS_EXIT_FAILURE; - size_t n, buflen, mdlen; + unsigned int mdlen; + size_t n, buflen; mbedtls_net_context listen_fd, client_fd; unsigned char buf[2048]; @@ -185,7 +186,7 @@ int main(void) * 5. Sign the parameters and send them */ - mdlen = mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); + mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); if (mdlen == 0) { mbedtls_printf(" failed\n ! Invalid digest type\n\n"); goto exit; -- cgit v1.1 From 42151380aff54e6f76ee428a2bc57ec825bd3a6f Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 19 Jan 2024 13:36:57 +0000 Subject: programs_dh_client/server: Updated config guards. Adjusted to use `MBEDTLS_SHA256_C` instead of `MBEDTLS_MD_CAN_SHA256` since the former is being used in accelerated driver configurations. Signed-off-by: Minos Galanakis --- programs/pkey/dh_client.c | 11 +++++------ programs/pkey/dh_server.c | 10 +++++----- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index e846914..165cee2 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -13,13 +13,13 @@ #if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \ defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \ - defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \ + defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) #include "mbedtls/net_sockets.h" #include "mbedtls/aes.h" #include "mbedtls/dhm.h" #include "mbedtls/rsa.h" -#include "mbedtls/sha1.h" +#include "mbedtls/sha256.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" @@ -32,15 +32,14 @@ #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \ - !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ + !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) - int main(void) { mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C " "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_CTR_DRBG_C not defined.\n"); + "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n"); mbedtls_exit(0); } @@ -194,7 +193,7 @@ int main(void) } if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) { - mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret); + mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret); goto exit; } diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index c08b0dc..91bac0e 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -13,13 +13,13 @@ #if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \ defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \ - defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \ + defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) #include "mbedtls/net_sockets.h" #include "mbedtls/aes.h" #include "mbedtls/dhm.h" #include "mbedtls/rsa.h" -#include "mbedtls/sha1.h" +#include "mbedtls/sha256.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" @@ -32,14 +32,14 @@ #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \ - !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ + !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) int main(void) { mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C " "and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_CTR_DRBG_C not defined.\n"); + "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n"); mbedtls_exit(0); } #else @@ -193,7 +193,7 @@ int main(void) } if ((ret = mbedtls_sha256(buf, n, hash, 0)) != 0) { - mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret); + mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret); goto exit; } -- cgit v1.1 From 85ea3e623b0f9f9d84928cc3b191f345dfdf0e66 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 19 Jan 2024 15:57:22 +0000 Subject: Set preferences before finding Threads in CMake Signed-off-by: Paul Elliott --- programs/aes/CMakeLists.txt | 2 ++ programs/cipher/CMakeLists.txt | 2 ++ programs/fuzz/CMakeLists.txt | 2 ++ programs/hash/CMakeLists.txt | 2 ++ programs/pkey/CMakeLists.txt | 2 ++ programs/psa/CMakeLists.txt | 2 ++ programs/random/CMakeLists.txt | 2 ++ programs/ssl/CMakeLists.txt | 2 ++ programs/test/CMakeLists.txt | 2 ++ programs/test/cmake_subproject/CMakeLists.txt | 2 ++ programs/util/CMakeLists.txt | 2 ++ programs/x509/CMakeLists.txt | 2 ++ tests/CMakeLists.txt | 2 ++ 13 files changed, 26 insertions(+) diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt index 457a0fc..8174102 100644 --- a/programs/aes/CMakeLists.txt +++ b/programs/aes/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(executables diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt index c047dd6..b497e8a 100644 --- a/programs/cipher/CMakeLists.txt +++ b/programs/cipher/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(executables diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index a0eba0f..97b8fd2 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(libs diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt index 3d6989c..504a405 100644 --- a/programs/hash/CMakeLists.txt +++ b/programs/hash/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(executables diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index e2fb404..2f55c61 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(executables_mbedtls diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt index d86f29e..dd1b1a2 100644 --- a/programs/psa/CMakeLists.txt +++ b/programs/psa/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(executables diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt index a4c99f5..c1184d1 100644 --- a/programs/random/CMakeLists.txt +++ b/programs/random/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(executables diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index 8ffa854..8047b9f 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -1,4 +1,6 @@ set(THREADS_USE_PTHREADS_WIN32 true) +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(libs diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index a726045..3709276 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(libs diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt index dd23d61..2f8ab2a 100644 --- a/programs/test/cmake_subproject/CMakeLists.txt +++ b/programs/test/cmake_subproject/CMakeLists.txt @@ -1,5 +1,7 @@ cmake_minimum_required(VERSION 3.5.1) +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) # Test the target renaming support by adding a prefix to the targets built diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt index 920f69e..6a8659e 100644 --- a/programs/util/CMakeLists.txt +++ b/programs/util/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(libs diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt index c507de2..e41b406 100644 --- a/programs/x509/CMakeLists.txt +++ b/programs/x509/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(libs diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 68bc57f..cb54ea4 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -1,3 +1,5 @@ +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(libs -- cgit v1.1 From a8f6192f9a382d93b8418be29bfccef1ec9bd6f8 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 19 Jan 2024 16:41:05 +0000 Subject: Remove unneeded lines from fuzz/Makefile Signed-off-by: Paul Elliott --- programs/fuzz/Makefile | 3 --- 1 file changed, 3 deletions(-) diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile index afe80b7..828e518 100644 --- a/programs/fuzz/Makefile +++ b/programs/fuzz/Makefile @@ -1,11 +1,8 @@ MBEDTLS_TEST_PATH:=../../tests -LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../../tests/include -I../../include -D_FILE_OFFSET_BITS=64 MBEDTLS_PATH := ../.. include ../../scripts/common.make -LOCAL_CFLAGS += $(patsubst -I../%,-I../../%,$(THIRDPARTY_INCLUDES)) - DEP=${MBEDLIBS} ifdef FUZZINGENGINE -- cgit v1.1 From ed3ba3cc8e23c0776ca23293a25d747b7183e10e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 19 Jan 2024 16:44:23 +0000 Subject: Fix documentation typos. Signed-off-by: Paul Elliott --- tests/include/test/threading_helpers.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/include/test/threading_helpers.h b/tests/include/test/threading_helpers.h index 9b7ced5..ba965c8 100644 --- a/tests/include/test/threading_helpers.h +++ b/tests/include/test/threading_helpers.h @@ -40,16 +40,16 @@ typedef struct mbedtls_test_thread_t { /** * \brief Set your alternate threading implementation - * function pointers fgr test threads. If used, - * this function must be called once in the main thread + * function pointers for test threads. If used, this + * function must be called once in the main thread * before any other MbedTLS function is called. * * \note These functions are part of the testing API only and * thus not considered part of the public API of * MbedTLS and thus may change without notice. * - * \param thread_create The thread create function implementation - * \param thread_join The thread join function implementation + * \param thread_create The thread create function implementation. + * \param thread_join The thread join function implementation. */ void mbedtls_test_thread_set_alt(int (*thread_create)(mbedtls_test_thread_t *thread, -- cgit v1.1 From e2f66620211cc16f54183d5b230c90ada22330ad Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 19 Jan 2024 20:22:24 +0000 Subject: Make test data static now it has accessors Signed-off-by: Paul Elliott --- tests/src/helpers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 1bad819..724fb59 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -24,7 +24,7 @@ static mbedtls_platform_context platform_ctx; #endif -mbedtls_test_info_t mbedtls_test_info; +static mbedtls_test_info_t mbedtls_test_info; #ifdef MBEDTLS_THREADING_C mbedtls_threading_mutex_t mbedtls_test_info_mutex; -- cgit v1.1 From 3d2db89d5cd878d59be8edaab87e177f11e0ac00 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 19 Jan 2024 20:42:56 +0000 Subject: Access the test data mutex via accessor Remove the use of extern and instead use an accessor to get the address of the test info mutex (defined only if MBEDTLS_TEST_MUTEX_USAGE is defined, to hopefully stop more general usage) Signed-off-by: Paul Elliott --- tests/include/test/helpers.h | 16 +++++++++++++++- tests/src/helpers.c | 10 +++++++++- tests/src/threading_helpers.c | 4 +--- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 73459d9..f2fb62d 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -37,6 +37,7 @@ #if defined(MBEDTLS_THREADING_C) && defined(MBEDTLS_THREADING_PTHREAD) && \ defined(MBEDTLS_TEST_HOOKS) +#include "mbedtls/threading.h" #define MBEDTLS_TEST_MUTEX_USAGE #endif @@ -230,8 +231,21 @@ void mbedtls_test_set_step(unsigned long step); */ void mbedtls_test_info_reset(void); +#ifdef MBEDTLS_TEST_MUTEX_USAGE /** - * \brief Record the current test case as a failure if two integers + * \brief Get the test info data mutex. + * + * \note This is designed only to be used by threading_helpers to avoid a + * deadlock, not for general access to this mutex. + * + * \return The test info data mutex. + */ +mbedtls_threading_mutex_t *mbedtls_test_get_info_mutex(void); + +#endif /* MBEDTLS_TEST_MUTEX_USAGE */ + +/** + * \brief Record the current test case as a failure if two integers * have a different value. * * This function is usually called via the macro diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 724fb59..d0c75b0 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -288,7 +288,15 @@ void mbedtls_test_increment_case_uses_negative_0(void) #endif /* MBEDTLS_THREADING_C */ } -#endif +#endif /* MBEDTLS_BIGNUM_C */ + +#ifdef MBEDTLS_TEST_MUTEX_USAGE +mbedtls_threading_mutex_t *mbedtls_test_get_info_mutex(void) +{ + return &mbedtls_test_info_mutex; +} + +#endif /* MBEDTLS_TEST_MUTEX_USAGE */ /*----------------------------------------------------------------------------*/ /* Helper Functions */ diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c index 0894700..165e350 100644 --- a/tests/src/threading_helpers.c +++ b/tests/src/threading_helpers.c @@ -117,8 +117,6 @@ static void mbedtls_test_mutex_usage_error(mbedtls_threading_mutex_t *mutex, * mbedtls_test_mutex_usage_check() will mark it as failed. */ } -extern mbedtls_threading_mutex_t mbedtls_test_info_mutex; - static int mbedtls_test_mutex_can_test(mbedtls_threading_mutex_t *mutex) { /* If we attempt to run tests on this mutex then we are going to run into a @@ -127,7 +125,7 @@ static int mbedtls_test_mutex_can_test(mbedtls_threading_mutex_t *mutex) * reporting that failure, as we already hold the mutex at that point. * 2. Given the 'global' position of the initialization and free of this * mutex, it will be shown as leaked on the first test run. */ - if (mutex == &mbedtls_test_info_mutex) { + if (mutex == mbedtls_test_get_info_mutex()) { return 0; } -- cgit v1.1 From 297c6089159e0a8c0195ca18777ce904b83fedcd Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 19 Jan 2024 08:15:33 +0100 Subject: tls13: cli: Fix setting of early data transform Fix setting of early data transform when we do not send dummy CCS for middlebox compatibility. Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index a3d33a3..76f0f18 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1236,10 +1236,6 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) const mbedtls_ssl_ciphersuite_t *ciphersuite_info; if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { -#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state( - ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); -#endif MBEDTLS_SSL_DEBUG_MSG( 1, ("Set hs psk for early data when writing the first psk")); @@ -1294,6 +1290,15 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) return ret; } +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); +#else + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Switch to early data keys for outbound traffic")); + mbedtls_ssl_set_outbound_transform( + ssl, ssl->handshake->transform_earlydata); +#endif } #endif /* MBEDTLS_SSL_EARLY_DATA */ return 0; @@ -3067,19 +3072,19 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) } break; +#if defined(MBEDTLS_SSL_EARLY_DATA) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); if (ret == 0) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); -#if defined(MBEDTLS_SSL_EARLY_DATA) MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to early data keys for outbound traffic")); mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_earlydata); -#endif } break; +#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) -- cgit v1.1 From 77abfe67db1ff1bdae3ff1c93e7878e8ee0826f8 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Jan 2024 11:17:31 +0100 Subject: ssl_helpers.c: Add ticket write/parse test functions Add ticket write/parse test functions as defined by mbedtls_ssl_ticket_write/parse_t. They are intended to be used in negative testing involving tickets. Signed-off-by: Ronald Cron --- tests/include/test/ssl_helpers.h | 10 ++++++++++ tests/src/test_helpers/ssl_helpers.c | 30 ++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index d03c624..1f41966 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -589,6 +589,16 @@ int mbedtls_test_tweak_tls13_certificate_msg_vector_len( int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args); #endif /* MBEDTLS_TEST_HOOKS */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +int mbedtls_test_ticket_write( + void *p_ticket, const mbedtls_ssl_session *session, + unsigned char *start, const unsigned char *end, + size_t *tlen, uint32_t *ticket_lifetime); + +int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, + unsigned char *buf, size_t len); +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + #define ECJPAKE_TEST_PWD "bla" #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 2368a76..b13d7e3 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -2419,4 +2419,34 @@ int mbedtls_test_tweak_tls13_certificate_msg_vector_len( return 0; } #endif /* MBEDTLS_TEST_HOOKS */ + +/* Functions for session ticket tests */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +int mbedtls_test_ticket_write( + void *p_ticket, const mbedtls_ssl_session *session, + unsigned char *start, const unsigned char *end, + size_t *tlen, uint32_t *lifetime) +{ + int ret; + ((void) p_ticket); + + if ((ret = mbedtls_ssl_session_save(session, start, end - start, + tlen)) != 0) { + return ret; + } + + /* Maximum ticket lifetime as defined in RFC 8446 */ + *lifetime = 7 * 24 * 3600; + + return 0; +} + +int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, + unsigned char *buf, size_t len) +{ + ((void) p_ticket); + + return mbedtls_ssl_session_load(session, buf, len); +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #endif /* MBEDTLS_SSL_TLS_C */ -- cgit v1.1 From d903a86e52f21a65b45fa27699aabfe2d9a8cd81 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 15 Jan 2024 15:57:17 +0100 Subject: tests: tls13: Add session resume with ticket unit test This aims to provide a basis for negative testing around TLS 1.3 ticket, replacing eventually the negative tests done in ssl-opt.sh using the dummy_ticket option. Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 ++ tests/suites/test_suite_ssl.function | 93 ++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index de998e3..37895f0 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3270,3 +3270,6 @@ ssl_ecjpake_set_password:1 Test Elliptic curves' info parsing elliptic_curve_get_properties + +TLS 1.3 resume session with ticket +tls13_resume_session_with_ticket diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8a03d1b..9ca2058 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3519,3 +3519,96 @@ exit: MD_OR_USE_PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +void tls13_resume_session_with_ticket() +{ + int ret = -1; + unsigned char buf[64]; + mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options client_options; + mbedtls_test_handshake_test_options server_options; + mbedtls_ssl_session saved_session; + + /* + * Test set-up + */ + mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); + mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); + mbedtls_test_init_handshake_options(&client_options); + mbedtls_test_init_handshake_options(&server_options); + mbedtls_ssl_session_init(&saved_session); + + MD_OR_USE_PSA_INIT(); + + client_options.pk_alg = MBEDTLS_PK_ECDSA; + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, + &client_options, NULL, NULL, NULL, + NULL); + TEST_EQUAL(ret, 0); + + server_options.pk_alg = MBEDTLS_PK_ECDSA; + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, + &server_options, NULL, NULL, NULL, + NULL); + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, + mbedtls_test_ticket_write, + mbedtls_test_ticket_parse, + NULL); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + /* + * Run initial handshake: ephemeral key exchange mode, certificate with + * RSA key, signed with PKCS15, verified with PKCS21. Then, get the ticket + * sent by the server at the end of its handshake sequence. + */ + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER) == 0); + + do { + ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf)); + } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET); + + /* + * Save client session and reset the SSL context of the two endpoints. + */ + ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); + TEST_EQUAL(ret, 0); + + /* + * Set saved session on client side and handshake using the ticket + * included in that session. + */ + + ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_WRAPUP) == 0); + + TEST_EQUAL(server_ep.ssl.handshake->resume, 1); + TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1); + TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); + +exit: + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_free_handshake_options(&client_options); + mbedtls_test_free_handshake_options(&server_options); + mbedtls_ssl_session_free(&saved_session); + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From ec3408d70769163b890ac7bc0c628dde8cc9ae7a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 16 Jan 2024 17:50:40 +0100 Subject: tests: ssl: Move setting of debug callback Move the setting of the debug callback to the endpoint initialization function. That way, no need to repeat it in various testing scenarios. Signed-off-by: Ronald Cron --- tests/src/test_helpers/ssl_helpers.c | 39 +++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index b13d7e3..5195746 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -841,6 +841,23 @@ int mbedtls_test_ssl_endpoint_init( } #endif +#if defined(MBEDTLS_DEBUG_C) +#if defined(MBEDTLS_SSL_SRV_C) + if (endpoint_type == MBEDTLS_SSL_IS_SERVER && + options->srv_log_fun != NULL) { + mbedtls_ssl_conf_dbg(&(ep->conf), options->srv_log_fun, + options->srv_log_obj); + } +#endif +#if defined(MBEDTLS_SSL_CLI_C) + if (endpoint_type == MBEDTLS_SSL_IS_CLIENT && + options->cli_log_fun != NULL) { + mbedtls_ssl_conf_dbg(&(ep->conf), options->cli_log_fun, + options->cli_log_obj); + } +#endif +#endif /* MBEDTLS_DEBUG_C */ + ret = mbedtls_test_ssl_endpoint_certificate_init(ep, options->pk_alg, options->opaque_alg, options->opaque_alg2, @@ -1977,6 +1994,12 @@ void mbedtls_test_ssl_perform_handshake( mbedtls_test_message_socket_init(&server_context); mbedtls_test_message_socket_init(&client_context); +#if defined(MBEDTLS_DEBUG_C) + if (options->cli_log_fun || options->srv_log_fun) { + mbedtls_debug_set_threshold(4); + } +#endif + /* Client side */ if (options->dtls != 0) { TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, @@ -2000,14 +2023,6 @@ void mbedtls_test_ssl_perform_handshake( set_ciphersuite(&client.conf, options->cipher, forced_ciphersuite); } -#if defined(MBEDTLS_DEBUG_C) - if (options->cli_log_fun) { - mbedtls_debug_set_threshold(4); - mbedtls_ssl_conf_dbg(&client.conf, options->cli_log_fun, - options->cli_log_obj); - } -#endif - /* Server side */ if (options->dtls != 0) { TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, @@ -2072,14 +2087,6 @@ void mbedtls_test_ssl_perform_handshake( } #endif /* MBEDTLS_SSL_RENEGOTIATION */ -#if defined(MBEDTLS_DEBUG_C) - if (options->srv_log_fun) { - mbedtls_debug_set_threshold(4); - mbedtls_ssl_conf_dbg(&server.conf, options->srv_log_fun, - options->srv_log_obj); - } -#endif - TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket), &(server.socket), BUFFSIZE) == 0); -- cgit v1.1 From a8dd81b4dee78a4063f33e76702362740298813c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 16 Jan 2024 17:50:52 +0100 Subject: tests: tls13: Add early data unit test This aims to provide a basis for negative testing around TLS 1.3 early data. Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 + tests/suites/test_suite_ssl.function | 157 +++++++++++++++++++++++++++++++++++ 2 files changed, 160 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 37895f0..c06c0a7 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3273,3 +3273,6 @@ elliptic_curve_get_properties TLS 1.3 resume session with ticket tls13_resume_session_with_ticket + +TLS 1.3 early data +tls13_early_data diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 9ca2058..a898249 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -12,6 +12,48 @@ #define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ + defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ + defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \ + defined(MBEDTLS_MD_CAN_SHA256) && \ + defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \ + defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS) +/* + * The implementation of the function should be based on + * mbedtls_ssl_write_early_data() eventually. The current version aims at + * removing the dependency on mbedtls_ssl_write_early_data() for the + * development and testing of reading early data. + */ +static int write_early_data(mbedtls_ssl_context *ssl, + unsigned char *buf, size_t len) +{ + int ret = mbedtls_ssl_get_max_out_record_payload(ssl); + + TEST_ASSERT(ret > 0); + TEST_ASSERT(len <= (size_t) ret); + + ret = mbedtls_ssl_flush_output(ssl); + TEST_EQUAL(ret, 0); + TEST_EQUAL(ssl->out_left, 0); + + ssl->out_msglen = len; + ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; + if (len > 0) { + memcpy(ssl->out_msg, buf, len); + } + + ret = mbedtls_ssl_write_record(ssl, 1); + TEST_EQUAL(ret, 0); + + ret = len; + +exit: + return ret; +} +#endif + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -3612,3 +3654,118 @@ exit: MD_OR_USE_PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +void tls13_early_data() +{ + int ret = -1; + unsigned char buf[64]; + const char *early_data = "This is early data."; + size_t early_data_len = strlen(early_data); + mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options client_options; + mbedtls_test_handshake_test_options server_options; + mbedtls_ssl_session saved_session; + mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; + + /* + * Test set-up + */ + mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); + mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); + mbedtls_test_init_handshake_options(&client_options); + mbedtls_test_init_handshake_options(&server_options); + mbedtls_ssl_session_init(&saved_session); + + MD_OR_USE_PSA_INIT(); + + client_options.pk_alg = MBEDTLS_PK_ECDSA; + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, + &client_options, NULL, NULL, NULL, + NULL); + TEST_EQUAL(ret, 0); + mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); + + server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; + server_options.srv_log_obj = &server_pattern; + server_pattern.pattern = early_data; + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, + &server_options, NULL, NULL, NULL, + NULL); + TEST_EQUAL(ret, 0); + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, + mbedtls_test_ticket_write, + mbedtls_test_ticket_parse, + NULL); + mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + /* + * Run initial handshake: ephemeral key exchange mode, certificate with + * RSA key, signed with PKCS15, verified with PKCS21. Then, get the ticket + * sent by the server at the end of its handshake sequence. + */ + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER) == 0); + + do { + ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf)); + } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET); + + /* + * Save client session and reset the SSL context of the two endpoints. + */ + ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); + TEST_EQUAL(ret, 0); + + /* + * Set saved session on client side and start handshake using the ticket + * included in that session. + */ + + ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + mbedtls_debug_set_threshold(3); + + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_SERVER_HELLO) == 0); + + TEST_ASSERT(client_ep.ssl.early_data_status != + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + TEST_EQUAL(server_pattern.counter, 0); + + ret = write_early_data(&(client_ep.ssl), (unsigned char *) early_data, + early_data_len); + TEST_EQUAL(ret, early_data_len); + + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_CLIENT_FINISHED) == 0); + + TEST_EQUAL(server_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); + TEST_EQUAL(server_pattern.counter, 1); + +exit: + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_free_handshake_options(&client_options); + mbedtls_test_free_handshake_options(&server_options); + mbedtls_ssl_session_free(&saved_session); + mbedtls_debug_set_threshold(0); + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From f8fdbb517457c5a90d9011a68467da7e8bdf7a22 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 22 Jan 2024 09:13:41 +0100 Subject: tests: tls13: Run early data test only in TLS 1.3 only config Temporary workaround to not run the early data test in Windows-2013 where there is an issue with mbedtls_vsnprintf(). Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index a898249..234181d 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -12,7 +12,8 @@ #define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ +#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ + defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ @@ -3655,7 +3656,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ void tls13_early_data() { int ret = -1; -- cgit v1.1 From 6425a188dfeeb831c71d47a835006fce8dad08ce Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Mon, 22 Jan 2024 11:39:34 +0000 Subject: Add a client view of the multipart contexts In case MBEDTLS_PSA_CRYPTO_CLIENT is defined and MBEDTLS_PSA_CRYPTO_C is not, a client view of the multipart operation contexts is provided through an handle object that allows mapping to the corresponding service side data structures. Signed-off-by: Antonio de Angelis --- include/psa/crypto_platform.h | 10 ++++++++++ include/psa/crypto_struct.h | 21 ++++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index 4d03435..a871ee1 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -89,4 +89,14 @@ typedef struct { } mbedtls_psa_external_random_context_t; #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +/** The type of the client handle used in context structures + * + * When a client view of the multipart context structures is required, + * this handle is used to keep a mapping with the service side of the + * context which contains the actual data. + */ +typedef uint32_t mbedtls_psa_client_handle_t; +#endif + #endif /* PSA_CRYPTO_PLATFORM_H */ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 3a19618..b43215d 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -68,6 +68,9 @@ extern "C" { #include "psa/crypto_driver_contexts_primitives.h" struct psa_hash_operation_s { +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping * drivers halfway through the operation is not supported. @@ -76,6 +79,7 @@ struct psa_hash_operation_s { * any driver (i.e. the driver context is not active, in use). */ unsigned int MBEDTLS_PRIVATE(id); psa_driver_hash_context_t MBEDTLS_PRIVATE(ctx); +#endif }; #define PSA_HASH_OPERATION_INIT { 0, { 0 } } @@ -86,6 +90,9 @@ static inline struct psa_hash_operation_s psa_hash_operation_init(void) } struct psa_cipher_operation_s { +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping * drivers halfway through the operation is not supported. @@ -100,6 +107,7 @@ struct psa_cipher_operation_s { uint8_t MBEDTLS_PRIVATE(default_iv_length); psa_driver_cipher_context_t MBEDTLS_PRIVATE(ctx); +#endif }; #define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } } @@ -114,6 +122,9 @@ static inline struct psa_cipher_operation_s psa_cipher_operation_init(void) #include "psa/crypto_driver_contexts_composites.h" struct psa_mac_operation_s { +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping * drivers halfway through the operation is not supported. @@ -124,6 +135,7 @@ struct psa_mac_operation_s { uint8_t MBEDTLS_PRIVATE(mac_size); unsigned int MBEDTLS_PRIVATE(is_sign) : 1; psa_driver_mac_context_t MBEDTLS_PRIVATE(ctx); +#endif }; #define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } } @@ -134,7 +146,9 @@ static inline struct psa_mac_operation_s psa_mac_operation_init(void) } struct psa_aead_operation_s { - +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping * drivers halfway through the operation is not supported. @@ -156,6 +170,7 @@ struct psa_aead_operation_s { unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1; psa_driver_aead_context_t MBEDTLS_PRIVATE(ctx); +#endif }; #define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, { 0 } } @@ -170,10 +185,14 @@ static inline struct psa_aead_operation_s psa_aead_operation_init(void) #include "psa/crypto_driver_contexts_key_derivation.h" struct psa_key_derivation_s { +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else psa_algorithm_t MBEDTLS_PRIVATE(alg); unsigned int MBEDTLS_PRIVATE(can_output_key) : 1; size_t MBEDTLS_PRIVATE(capacity); psa_driver_key_derivation_context_t MBEDTLS_PRIVATE(ctx); +#endif }; /* This only zeroes out the first byte in the union, the rest is unspecified. */ -- cgit v1.1 From bf4b5ed7a4e02358cb008bb43c20f5f3c309b7c1 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Mon, 22 Jan 2024 20:43:54 +0800 Subject: Add back restriction on AD length of GCM Fixes: bd513bb53d80276431161e5a64a2ae61740c4e68 Signed-off-by: Chien Wong --- library/gcm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/library/gcm.c b/library/gcm.c index c677ca4..b31003f 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -354,9 +354,12 @@ int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx, { const unsigned char *p; size_t use_len, offset; + uint64_t new_add_len; - /* IV is limited to 2^64 bits, so 2^61 bytes */ - if ((uint64_t) add_len >> 61 != 0) { + /* AD is limited to 2^64 bits, ie 2^61 bytes + * Also check for possible overflow */ + new_add_len = ctx->add_len + add_len; + if (new_add_len < ctx->add_len || new_add_len >> 61 != 0) { return MBEDTLS_ERR_GCM_BAD_INPUT; } -- cgit v1.1 From 858bc65d7485b8af9c49e96d0cf0bf803606a120 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Mon, 22 Jan 2024 20:47:26 +0800 Subject: Add comment on impossible overflows Signed-off-by: Chien Wong --- library/gcm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/gcm.c b/library/gcm.c index b31003f..337145b 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -542,6 +542,9 @@ int mbedtls_gcm_finish(mbedtls_gcm_context *ctx, (void) output_size; *output_length = 0; + /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes + * and AD length is restricted to 2^64 bits, ie 2^61 bytes so neither of + * the two multiplications would overflow. */ orig_len = ctx->len * 8; orig_add_len = ctx->add_len * 8; -- cgit v1.1 From 90d18343ceb1e74c3284bcc0870d6f3d3914503e Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Mon, 22 Jan 2024 13:15:37 +0000 Subject: Update the initialization macros The initializatio macros need to be updated to support the case where the crypto client view of the structures is being initialized Signed-off-by: Antonio de Angelis --- include/psa/crypto_struct.h | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index b43215d..cc7731a 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -81,8 +81,11 @@ struct psa_hash_operation_s { psa_driver_hash_context_t MBEDTLS_PRIVATE(ctx); #endif }; - +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_HASH_OPERATION_INIT { 0 } +#else #define PSA_HASH_OPERATION_INIT { 0, { 0 } } +#endif static inline struct psa_hash_operation_s psa_hash_operation_init(void) { const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT; @@ -110,7 +113,11 @@ struct psa_cipher_operation_s { #endif }; +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_CIPHER_OPERATION_INIT { 0 } +#else #define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } } +#endif static inline struct psa_cipher_operation_s psa_cipher_operation_init(void) { const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT; @@ -138,7 +145,11 @@ struct psa_mac_operation_s { #endif }; +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_MAC_OPERATION_INIT { 0 } +#else #define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } } +#endif static inline struct psa_mac_operation_s psa_mac_operation_init(void) { const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT; @@ -173,7 +184,11 @@ struct psa_aead_operation_s { #endif }; +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_AEAD_OPERATION_INIT { 0 } +#else #define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, { 0 } } +#endif static inline struct psa_aead_operation_s psa_aead_operation_init(void) { const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT; @@ -195,8 +210,12 @@ struct psa_key_derivation_s { #endif }; +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_KEY_DERIVATION_OPERATION_INIT { 0 } +#else /* This only zeroes out the first byte in the union, the rest is unspecified. */ #define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } } +#endif static inline struct psa_key_derivation_s psa_key_derivation_operation_init( void) { -- cgit v1.1 From 8eb310c7e6663d28154b3de838d81cee6e61daa9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 22 Jan 2024 16:22:57 +0100 Subject: all.sh: add accelerated and reference components for HMAC Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d2..63f6129 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3655,6 +3655,68 @@ component_test_psa_crypto_config_reference_hash_use_psa() { tests/ssl-opt.sh } +# Auxiliary function to build config for hashes with and without drivers +config_psa_crypto_hmac_use_psa () { + driver_only="$1" + # start with config full for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + + # Direct dependencies of MD_C. We disable them also in the reference + # component to work with the same set of features. + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_HKDF_C + # Dependencies of HMAC_DRBG + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA +} + +component_test_psa_crypto_config_accel_hmac() { + msg "test: full with accelerated hmac" + + loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \ + ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ + ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + # Configure + # --------- + + config_psa_crypto_hmac_use_psa 1 + + # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT + # is still enabled though. + scripts/config.py unset MBEDTLS_MD_C + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Ensure that built-in support for HMAC is disabled. + not grep mbedtls_md_hmac library/md.o + + # Run the tests + # ------------- + + msg "test: full with accelerated hmac" + make test +} + +component_test_psa_crypto_config_reference_hmac() { + msg "test: full without accelerated hmac" + + config_psa_crypto_hmac_use_psa 0 + + make + + msg "test: full without accelerated hmac" + make test +} + component_test_psa_crypto_config_accel_des () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" -- cgit v1.1 From 20cea94fd405c2d321f2fe305f4f340d35e370e0 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 22 Jan 2024 16:23:25 +0100 Subject: analyze_outcomes: add task for HMAC coverage Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 6503f9a..9d441c7 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -240,6 +240,41 @@ KNOWN_TASKS = { } } }, + 'analyze_driver_vs_reference_hmac': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'component_ref': 'test_psa_crypto_config_reference_hmac', + 'component_driver': 'test_psa_crypto_config_accel_hmac', + 'ignored_suites': [ + # This suite tests builtins directly, but these are missing + # in the accelerated case. + 'psa_crypto_low_hash.generated', + ], + 'ignored_tests': { + 'test_suite_md': [ + # Builtin HMAC is not supported in the accelerate component. + re.compile('.*HMAC.*'), + # Following tests make use of functions which are not available + # when MD_C is disabled, as it happens in the accelerated + # test component. + re.compile('generic .* Hash file .*'), + 'MD list', + ], + 'test_suite_md.psa': [ + # "legacy only" tests require hash algorithms to be NOT + # accelerated, but this of course false for the accelerated + # test component. + re.compile('PSA dispatch .* legacy only'), + ], + 'test_suite_platform': [ + # Incompatible with sanitizers (e.g. ASan). If the driver + # component uses a sanitizer but the reference component + # doesn't, we have a PASS vs SKIP mismatch. + 'Check mbedtls_calloc overallocation', + ], + } + } + }, 'analyze_driver_vs_reference_cipher_aead_cmac': { 'test_function': do_analyze_driver_vs_reference, 'args': { -- cgit v1.1 From e35117640dbf171ca482646c393e03889d6724a1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 22 Jan 2024 16:28:23 +0100 Subject: cert_[req/write]: add MD_C dependency Both programs use mbedtls_md_info_from_string() which is only available as long as MBEDTLS_MD_C is enabled. Signed-off-by: Valerio Setti --- programs/x509/cert_req.c | 3 ++- programs/x509/cert_write.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index 6ae43a9..dcfd176 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -14,7 +14,8 @@ #if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \ !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ - !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO) + !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO) || \ + !defined(MBEDTLS_MD_C) int main(void) { mbedtls_printf("MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or " diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index bf25c4c..0b2575e 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -15,7 +15,7 @@ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ - !defined(MBEDTLS_PEM_WRITE_C) + !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_MD_C) int main(void) { mbedtls_printf("MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or " -- cgit v1.1 From 1626cc767bee7eeee9913a8bea47cfa74f2b9ae3 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 22 Jan 2024 16:29:46 +0100 Subject: test_suite_entropy: relax MD_C dependency to MD_LIGHT Signed-off-by: Valerio Setti --- tests/suites/test_suite_entropy.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function index ed9f3ac..5ac65fc 100644 --- a/tests/suites/test_suite_entropy.function +++ b/tests/suites/test_suite_entropy.function @@ -447,7 +447,7 @@ void entropy_nv_seed_std_io() } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_MD_C:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_PLATFORM_NV_SEED_ALT */ +/* BEGIN_CASE depends_on:MBEDTLS_MD_LIGHT:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_PLATFORM_NV_SEED_ALT */ void entropy_nv_seed(data_t *read_seed) { #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) -- cgit v1.1 From fd49a46a36dff40be6ceff28bc500d6d541a532f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 08:35:11 +0100 Subject: pkparse: rename RSA key and pubkey parsing functions Signed-off-by: Valerio Setti --- library/pkparse.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 5f95545..4dd3276 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -764,9 +764,9 @@ static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk, * publicExponent INTEGER -- e * } */ -static int pk_get_rsapubkey(unsigned char **p, - const unsigned char *end, - mbedtls_rsa_context *rsa) +static int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, + unsigned char **p, + const unsigned char *end) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len; @@ -911,7 +911,7 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, #if defined(MBEDTLS_RSA_C) if (pk_alg == MBEDTLS_PK_RSA) { - ret = pk_get_rsapubkey(p, end, mbedtls_pk_rsa(*pk)); + ret = mbedtls_rsa_pubkey_parse(mbedtls_pk_rsa(*pk), p, end); } else #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) @@ -976,9 +976,9 @@ static int asn1_get_nonzero_mpi(unsigned char **p, /* * Parse a PKCS#1 encoded private RSA key */ -static int pk_parse_key_pkcs1_der(mbedtls_rsa_context *rsa, - const unsigned char *key, - size_t keylen) +static int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, + const unsigned char *key, + size_t keylen) { int ret, version; size_t len; @@ -1348,7 +1348,7 @@ static int pk_parse_key_pkcs8_unencrypted_der( #if defined(MBEDTLS_RSA_C) if (pk_alg == MBEDTLS_PK_RSA) { - if ((ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), p, len)) != 0) { + if ((ret = mbedtls_rsa_key_parse(mbedtls_pk_rsa(*pk), p, len)) != 0) { mbedtls_pk_free(pk); return ret; } @@ -1538,8 +1538,8 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk, if (ret == 0) { pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 || - (ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), - pem.buf, pem.buflen)) != 0) { + (ret = mbedtls_rsa_key_parse(mbedtls_pk_rsa(*pk), + pem.buf, pem.buflen)) != 0) { mbedtls_pk_free(pk); } @@ -1679,7 +1679,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk, pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); if (mbedtls_pk_setup(pk, pk_info) == 0 && - pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), key, keylen) == 0) { + mbedtls_rsa_key_parse(mbedtls_pk_rsa(*pk), key, keylen) == 0) { return 0; } @@ -1754,7 +1754,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, return ret; } - if ((ret = pk_get_rsapubkey(&p, p + pem.buflen, mbedtls_pk_rsa(*ctx))) != 0) { + if ((ret = mbedtls_rsa_pubkey_parse(mbedtls_pk_rsa(*ctx), &p, p + pem.buflen)) != 0) { mbedtls_pk_free(ctx); } @@ -1801,7 +1801,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, } p = (unsigned char *) key; - ret = pk_get_rsapubkey(&p, p + keylen, mbedtls_pk_rsa(*ctx)); + ret = mbedtls_rsa_pubkey_parse(mbedtls_pk_rsa(*ctx), &p, p + keylen); if (ret == 0) { return ret; } -- cgit v1.1 From 429cd50ac8ce62351e26da900f7f610005fd929f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 09:10:22 +0100 Subject: pkwrite: split pk_write_rsa_der() with a dedicated function for non-opaque RSA key Signed-off-by: Valerio Setti --- library/pkwrite.c | 179 +++++++++++++++++++++++++++--------------------------- 1 file changed, 89 insertions(+), 90 deletions(-) diff --git a/library/pkwrite.c b/library/pkwrite.c index 1f0d399..8930525 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -62,13 +62,12 @@ * publicExponent INTEGER -- e * } */ -static int pk_write_rsa_pubkey(unsigned char **p, unsigned char *start, - const mbedtls_pk_context *pk) +static int mbedtls_rsa_pubkey_write(unsigned char **p, unsigned char *start, + const mbedtls_rsa_context *rsa) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; mbedtls_mpi T; - mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); mbedtls_mpi_init(&T); @@ -100,113 +99,113 @@ end_of_export: return (int) len; } -static int pk_write_rsa_der(unsigned char **p, unsigned char *buf, - const mbedtls_pk_context *pk) +static int mbedtls_rsa_key_write(unsigned char **p, unsigned char *start, + const mbedtls_rsa_context *rsa) { size_t len = 0; int ret; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) { - uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE]; - size_t tmp_len = 0; - - if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - *p -= tmp_len; - memcpy(*p, tmp, tmp_len); - len += tmp_len; - mbedtls_platform_zeroize(tmp, sizeof(tmp)); - } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - { - mbedtls_mpi T; /* Temporary holding the exported parameters */ - mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); + mbedtls_mpi T; /* Temporary holding the exported parameters */ - /* - * Export the parameters one after another to avoid simultaneous copies. - */ + /* + * Export the parameters one after another to avoid simultaneous copies. + */ - mbedtls_mpi_init(&T); + mbedtls_mpi_init(&T); - /* Export QP */ - if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export QP */ + if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; - /* Export DQ */ - if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export DQ */ + if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; - /* Export DP */ - if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export DP */ + if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; - /* Export Q */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, - &T, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export Q */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; - /* Export P */ - if ((ret = mbedtls_rsa_export(rsa, NULL, &T, - NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export P */ + if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; - /* Export D */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, - NULL, &T, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export D */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; - /* Export E */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, - NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export E */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; - /* Export N */ - if ((ret = mbedtls_rsa_export(rsa, &T, NULL, - NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export N */ + if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; end_of_export: - mbedtls_mpi_free(&T); - if (ret < 0) { - return ret; - } - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 0)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, - buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); + mbedtls_mpi_free(&T); + if (ret < 0) { + return ret; } + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + return (int) len; } + +static int pk_write_rsa_der(unsigned char **p, unsigned char *buf, + const mbedtls_pk_context *pk) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) { + uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE]; + size_t len = 0, tmp_len = 0; + + if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) { + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + *p -= tmp_len; + memcpy(*p, tmp, tmp_len); + len += tmp_len; + mbedtls_platform_zeroize(tmp, sizeof(tmp)); + + return (int) len; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + return mbedtls_rsa_key_write(p, buf, mbedtls_pk_rsa(*pk)); +} #endif /* MBEDTLS_RSA_C */ /****************************************************************************** @@ -543,7 +542,7 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, #if defined(MBEDTLS_RSA_C) if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) { - MBEDTLS_ASN1_CHK_ADD(len, pk_write_rsa_pubkey(p, start, key)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_rsa_pubkey_write(p, start, mbedtls_pk_rsa(*key))); } else #endif #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) -- cgit v1.1 From 019c2a7817c702f5d7826bc14badf2a5c7a36c4d Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Tue, 23 Jan 2024 21:38:06 +0800 Subject: Handle sizeof(size_t) > sizeof(uint64_t) Signed-off-by: Chien Wong --- library/gcm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/library/gcm.c b/library/gcm.c index 337145b..033cb59 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -358,7 +358,12 @@ int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx, /* AD is limited to 2^64 bits, ie 2^61 bytes * Also check for possible overflow */ - new_add_len = ctx->add_len + add_len; +#if SIZE_MAX > 0xFFFFFFFFFFFFFFFFULL + if (add_len > 0xFFFFFFFFFFFFFFFFULL) { + return MBEDTLS_ERR_GCM_BAD_INPUT; + } +#endif + new_add_len = ctx->add_len + (uint64_t) add_len; if (new_add_len < ctx->add_len || new_add_len >> 61 != 0) { return MBEDTLS_ERR_GCM_BAD_INPUT; } -- cgit v1.1 From b328c449329e92fe4bbc92890f81dbc363c01ad4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 10:48:45 +0100 Subject: pk/rsa: move RSA parse/write private/public key functions to rsa module These functions are meant to be used internally, so their prototype declaration is kept into rsa_internal.h. Signed-off-by: Valerio Setti --- library/pkparse.c | 252 +-------------------------------- library/pkwrite.c | 136 +----------------- library/rsa.c | 373 +++++++++++++++++++++++++++++++++++++++++++++++++ library/rsa_internal.h | 43 ++++++ 4 files changed, 422 insertions(+), 382 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 4dd3276..2708c8c 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -28,6 +28,7 @@ /* Key types */ #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" +#include "rsa_internal.h" #endif /* Extended formats */ @@ -757,68 +758,6 @@ static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk, #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ -#if defined(MBEDTLS_RSA_C) -/* - * RSAPublicKey ::= SEQUENCE { - * modulus INTEGER, -- n - * publicExponent INTEGER -- e - * } - */ -static int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, - unsigned char **p, - const unsigned char *end) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len; - - if ((ret = mbedtls_asn1_get_tag(p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); - } - - if (*p + len != end) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - - /* Import N */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); - } - - if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, - NULL, 0, NULL, 0)) != 0) { - return MBEDTLS_ERR_PK_INVALID_PUBKEY; - } - - *p += len; - - /* Import E */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); - } - - if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, - NULL, 0, *p, len)) != 0) { - return MBEDTLS_ERR_PK_INVALID_PUBKEY; - } - - *p += len; - - if (mbedtls_rsa_complete(rsa) != 0 || - mbedtls_rsa_check_pubkey(rsa) != 0) { - return MBEDTLS_ERR_PK_INVALID_PUBKEY; - } - - if (*p != end) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - - return 0; -} -#endif /* MBEDTLS_RSA_C */ - /* Get a PK algorithm identifier * * AlgorithmIdentifier ::= SEQUENCE { @@ -944,195 +883,6 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, return ret; } -#if defined(MBEDTLS_RSA_C) -/* - * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. - * - * The value zero is: - * - never a valid value for an RSA parameter - * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). - * - * Since values can't be omitted in PKCS#1, passing a zero value to - * rsa_complete() would be incorrect, so reject zero values early. - */ -static int asn1_get_nonzero_mpi(unsigned char **p, - const unsigned char *end, - mbedtls_mpi *X) -{ - int ret; - - ret = mbedtls_asn1_get_mpi(p, end, X); - if (ret != 0) { - return ret; - } - - if (mbedtls_mpi_cmp_int(X, 0) == 0) { - return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; - } - - return 0; -} - -/* - * Parse a PKCS#1 encoded private RSA key - */ -static int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, - const unsigned char *key, - size_t keylen) -{ - int ret, version; - size_t len; - unsigned char *p, *end; - - mbedtls_mpi T; - mbedtls_mpi_init(&T); - - p = (unsigned char *) key; - end = p + keylen; - - /* - * This function parses the RSAPrivateKey (PKCS#1) - * - * RSAPrivateKey ::= SEQUENCE { - * version Version, - * modulus INTEGER, -- n - * publicExponent INTEGER, -- e - * privateExponent INTEGER, -- d - * prime1 INTEGER, -- p - * prime2 INTEGER, -- q - * exponent1 INTEGER, -- d mod (p-1) - * exponent2 INTEGER, -- d mod (q-1) - * coefficient INTEGER, -- (inverse of q) mod p - * otherPrimeInfos OtherPrimeInfos OPTIONAL - * } - */ - if ((ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); - } - - end = p + len; - - if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); - } - - if (version != 0) { - return MBEDTLS_ERR_PK_KEY_INVALID_VERSION; - } - - /* Import N */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL, - NULL, NULL)) != 0) { - goto cleanup; - } - - /* Import E */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, - NULL, &T)) != 0) { - goto cleanup; - } - - /* Import D */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, - &T, NULL)) != 0) { - goto cleanup; - } - - /* Import P */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL, - NULL, NULL)) != 0) { - goto cleanup; - } - - /* Import Q */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T, - NULL, NULL)) != 0) { - goto cleanup; - } - -#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) - /* - * The RSA CRT parameters DP, DQ and QP are nominally redundant, in - * that they can be easily recomputed from D, P and Q. However by - * parsing them from the PKCS1 structure it is possible to avoid - * recalculating them which both reduces the overhead of loading - * RSA private keys into memory and also avoids side channels which - * can arise when computing those values, since all of D, P, and Q - * are secret. See https://eprint.iacr.org/2020/055 for a - * description of one such attack. - */ - - /* Import DP */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { - goto cleanup; - } - - /* Import DQ */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { - goto cleanup; - } - - /* Import QP */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { - goto cleanup; - } - -#else - /* Verify existence of the CRT params */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) { - goto cleanup; - } -#endif - - /* rsa_complete() doesn't complete anything with the default - * implementation but is still called: - * - for the benefit of alternative implementation that may want to - * pre-compute stuff beyond what's provided (eg Montgomery factors) - * - as is also sanity-checks the key - * - * Furthermore, we also check the public part for consistency with - * mbedtls_pk_parse_pubkey(), as it includes size minima for example. - */ - if ((ret = mbedtls_rsa_complete(rsa)) != 0 || - (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) { - goto cleanup; - } - - if (p != end) { - ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); - } - -cleanup: - - mbedtls_mpi_free(&T); - - if (ret != 0) { - /* Wrap error code if it's coming from a lower level */ - if ((ret & 0xff80) == 0) { - ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); - } else { - ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; - } - - mbedtls_rsa_free(rsa); - } - - return ret; -} -#endif /* MBEDTLS_RSA_C */ - #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) /* * Parse a SEC1 encoded private EC key diff --git a/library/pkwrite.c b/library/pkwrite.c index 8930525..91529eb 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -32,6 +32,9 @@ #if defined(MBEDTLS_PEM_WRITE_C) #include "mbedtls/pem.h" #endif +#if defined(MBEDTLS_RSA_C) +#include "rsa_internal.h" +#endif #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" @@ -56,135 +59,6 @@ * Internal functions for RSA keys. ******************************************************************************/ #if defined(MBEDTLS_RSA_C) -/* - * RSAPublicKey ::= SEQUENCE { - * modulus INTEGER, -- n - * publicExponent INTEGER -- e - * } - */ -static int mbedtls_rsa_pubkey_write(unsigned char **p, unsigned char *start, - const mbedtls_rsa_context *rsa) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - mbedtls_mpi T; - - mbedtls_mpi_init(&T); - - /* Export E */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export N */ - if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - -end_of_export: - - mbedtls_mpi_free(&T); - if (ret < 0) { - return ret; - } - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); - - return (int) len; -} - -static int mbedtls_rsa_key_write(unsigned char **p, unsigned char *start, - const mbedtls_rsa_context *rsa) -{ - size_t len = 0; - int ret; - - mbedtls_mpi T; /* Temporary holding the exported parameters */ - - /* - * Export the parameters one after another to avoid simultaneous copies. - */ - - mbedtls_mpi_init(&T); - - /* Export QP */ - if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export DQ */ - if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export DP */ - if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export Q */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export P */ - if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export D */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export E */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - - /* Export N */ - if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; - -end_of_export: - - mbedtls_mpi_free(&T); - if (ret < 0) { - return ret; - } - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); - - return (int) len; -} - static int pk_write_rsa_der(unsigned char **p, unsigned char *buf, const mbedtls_pk_context *pk) { @@ -204,7 +78,7 @@ static int pk_write_rsa_der(unsigned char **p, unsigned char *buf, return (int) len; } #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return mbedtls_rsa_key_write(p, buf, mbedtls_pk_rsa(*pk)); + return mbedtls_rsa_key_write(mbedtls_pk_rsa(*pk), buf, p); } #endif /* MBEDTLS_RSA_C */ @@ -542,7 +416,7 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, #if defined(MBEDTLS_RSA_C) if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) { - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_rsa_pubkey_write(p, start, mbedtls_pk_rsa(*key))); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_rsa_pubkey_write(mbedtls_pk_rsa(*key), start, p)); } else #endif #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) diff --git a/library/rsa.c b/library/rsa.c index 2b9f85b..a18c4b1 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -31,6 +31,7 @@ #include "rsa_alt_helpers.h" #include "rsa_internal.h" #include "mbedtls/oid.h" +#include "mbedtls/asn1write.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" #include "constant_time_internal.h" @@ -659,6 +660,378 @@ size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx) return ctx->len; } +/* + * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. + * + * The value zero is: + * - never a valid value for an RSA parameter + * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). + * + * Since values can't be omitted in PKCS#1, passing a zero value to + * rsa_complete() would be incorrect, so reject zero values early. + */ +static int asn1_get_nonzero_mpi(unsigned char **p, + const unsigned char *end, + mbedtls_mpi *X) +{ + int ret; + + ret = mbedtls_asn1_get_mpi(p, end, X); + if (ret != 0) { + return ret; + } + + if (mbedtls_mpi_cmp_int(X, 0) == 0) { + return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; + } + + return 0; +} + +/* + * Parse a PKCS#1 encoded private RSA key + */ +int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) +{ + int ret, version; + size_t len; + unsigned char *p, *end; + + mbedtls_mpi T; + mbedtls_mpi_init(&T); + + p = (unsigned char *) key; + end = p + keylen; + + /* + * This function parses the RSAPrivateKey (PKCS#1) + * + * RSAPrivateKey ::= SEQUENCE { + * version Version, + * modulus INTEGER, -- n + * publicExponent INTEGER, -- e + * privateExponent INTEGER, -- d + * prime1 INTEGER, -- p + * prime2 INTEGER, -- q + * exponent1 INTEGER, -- d mod (p-1) + * exponent2 INTEGER, -- d mod (q-1) + * coefficient INTEGER, -- (inverse of q) mod p + * otherPrimeInfos OtherPrimeInfos OPTIONAL + * } + */ + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + } + + end = p + len; + + if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + } + + if (version != 0) { + return MBEDTLS_ERR_PK_KEY_INVALID_VERSION; + } + + /* Import N */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL, + NULL, NULL)) != 0) { + goto cleanup; + } + + /* Import E */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, + NULL, &T)) != 0) { + goto cleanup; + } + + /* Import D */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, + &T, NULL)) != 0) { + goto cleanup; + } + + /* Import P */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL, + NULL, NULL)) != 0) { + goto cleanup; + } + + /* Import Q */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T, + NULL, NULL)) != 0) { + goto cleanup; + } + +#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) + /* + * The RSA CRT parameters DP, DQ and QP are nominally redundant, in + * that they can be easily recomputed from D, P and Q. However by + * parsing them from the PKCS1 structure it is possible to avoid + * recalculating them which both reduces the overhead of loading + * RSA private keys into memory and also avoids side channels which + * can arise when computing those values, since all of D, P, and Q + * are secret. See https://eprint.iacr.org/2020/055 for a + * description of one such attack. + */ + + /* Import DP */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { + goto cleanup; + } + + /* Import DQ */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { + goto cleanup; + } + + /* Import QP */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { + goto cleanup; + } + +#else + /* Verify existence of the CRT params */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) { + goto cleanup; + } +#endif + + /* rsa_complete() doesn't complete anything with the default + * implementation but is still called: + * - for the benefit of alternative implementation that may want to + * pre-compute stuff beyond what's provided (eg Montgomery factors) + * - as is also sanity-checks the key + * + * Furthermore, we also check the public part for consistency with + * mbedtls_pk_parse_pubkey(), as it includes size minima for example. + */ + if ((ret = mbedtls_rsa_complete(rsa)) != 0 || + (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) { + goto cleanup; + } + + if (p != end) { + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + +cleanup: + + mbedtls_mpi_free(&T); + + if (ret != 0) { + /* Wrap error code if it's coming from a lower level */ + if ((ret & 0xff80) == 0) { + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + } else { + ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; + } + + mbedtls_rsa_free(rsa); + } + + return ret; +} + +/* + * RSAPublicKey ::= SEQUENCE { + * modulus INTEGER, -- n + * publicExponent INTEGER -- e + * } + */ +int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, + const unsigned char *end) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len; + + if ((ret = mbedtls_asn1_get_tag(p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); + } + + if (*p + len != end) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + + /* Import N */ + if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); + } + + if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, + NULL, 0, NULL, 0)) != 0) { + return MBEDTLS_ERR_PK_INVALID_PUBKEY; + } + + *p += len; + + /* Import E */ + if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); + } + + if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, + NULL, 0, *p, len)) != 0) { + return MBEDTLS_ERR_PK_INVALID_PUBKEY; + } + + *p += len; + + if (mbedtls_rsa_complete(rsa) != 0 || + mbedtls_rsa_check_pubkey(rsa) != 0) { + return MBEDTLS_ERR_PK_INVALID_PUBKEY; + } + + if (*p != end) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + + return 0; +} + +int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, + unsigned char **p) +{ + size_t len = 0; + int ret; + + mbedtls_mpi T; /* Temporary holding the exported parameters */ + + /* + * Export the parameters one after another to avoid simultaneous copies. + */ + + mbedtls_mpi_init(&T); + + /* Export QP */ + if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export DQ */ + if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export DP */ + if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export Q */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export P */ + if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export D */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export E */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export N */ + if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + +end_of_export: + + mbedtls_mpi_free(&T); + if (ret < 0) { + return ret; + } + + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + + return (int) len; +} + +/* + * RSAPublicKey ::= SEQUENCE { + * modulus INTEGER, -- n + * publicExponent INTEGER -- e + * } + */ +int mbedtls_rsa_pubkey_write(const mbedtls_rsa_context *rsa, unsigned char *start, + unsigned char **p) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + mbedtls_mpi T; + + mbedtls_mpi_init(&T); + + /* Export E */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export N */ + if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + +end_of_export: + + mbedtls_mpi_free(&T); + if (ret < 0) { + return ret; + } + + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + + return (int) len; +} #if defined(MBEDTLS_GENPRIME) diff --git a/library/rsa_internal.h b/library/rsa_internal.h index 4081ac6..dee787f 100644 --- a/library/rsa_internal.h +++ b/library/rsa_internal.h @@ -16,6 +16,49 @@ #include "mbedtls/rsa.h" +/** + * \brief + * + * \param rsa + * \param key + * \param keylen + * \return int + */ +int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen); + +/** + * \brief + * + * \param rsa + * \param p + * \param end + * \return int + */ +int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, + const unsigned char *end); + +/** + * \brief + * + * \param p + * \param start + * \param rsa + * \return int + */ +int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, + unsigned char **p); + +/** + * \brief + * + * \param p + * \param start + * \param rsa + * \return int + */ +int mbedtls_rsa_pubkey_write(const mbedtls_rsa_context *rsa, unsigned char *start, + unsigned char **p); + #if defined(MBEDTLS_PKCS1_V21) /** * \brief This function is analogue to \c mbedtls_rsa_rsassa_pss_sign(). -- cgit v1.1 From 8e6093dd9f54f1278ee4df1472376ef2e5d01386 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 15:19:07 +0100 Subject: test_suite_rsa: add some basic testing of new parse/write priv/pub keys Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.data | 12 ++++++++++++ tests/suites/test_suite_rsa.function | 31 +++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 0a60f31..de5e569 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -615,3 +615,15 @@ rsa_pkcs1_encrypt_bad_rng:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_RSA_PKCS_V1 RSA Selftest depends_on:MBEDTLS_SELF_TEST rsa_selftest: + +RSA parse/write PKCS#1 private key - 1024 bits +rsa_import_pkcs1_key:0:"3082025d020100028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb702030100010281801e97247066217ff6303881341a259c4bcd3e147f87f1a714045e80a06b541847e2ce54a78801d21b302fd33f616d6ed7cfa8a262ef5e23257a1642b5fc5a61577f7dba2324e687a10b25751c78996e72d5a8c3bc4e33e4a2a96b2b44b6685e85c37200a34381269250b59f65468ea4288713c4ae3e0e064e524a53a5d7e1ec91024100cbd11d9aad72bfb8db4e6bc7c6910661b3f38fbfa368d6dba0cd6c9aa3a716c03fa374bf8b2e7ba73a216d6ded9468fbaa3d130ee376190cc41ef30419a7da1d024100c7c0e189209483f36ee00a67474960c6ddf0d3a63ca0c76955fe9f358435a5e5318c35397c4245042e0dfabf8decedfd36e4d211349b8ecc4c1baac83f30d4e3024008e692f2644cb48eb01516a3dcca0c8b4bbe81328f424ecfbc8ffc042ccd6932f014854eb017519315f8cbbc973979f4339503360d3ce50f27a96a576d7f65090241009c9b4ef74870c7a6b215ba7250446a385fc6b0d8d30da669a23f172948f71a923f2f528738316894a75ad46d1be3568ec05bd38a23b995d1fc1570e6c00c13cb0241008716c9fa7d2295f34f5849b7c593d1adcec72556ed1044cd79c868c890620b143874a8208a65b7c5e235ccaae4c2492107af513fb2cbb682a3e8119af028f7a8" + +RSA parse/write PKCS#1 public key - 1024 bits +rsa_import_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001" + +RSA parse/write PKCS#1 private key - 2048 bits +rsa_import_pkcs1_key:0:"308204a40201000282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d102030100010282010100d25c964f769d3aad0210ac04da5c90a9136b27e41a47108a86d0beff6341330640bf4dddb39e82134b97a12da58ae3165988f94ad4687148cfc6f5c4e6a7804316d3eddf496f807f4c7b17ffe9e3a1e3a2408c857bf32ff2137584284242a7a96c1780229f7bd7aca82d10f2afc48d4620e1e35e35fa52be3e97b16dad6e84dbdfab4e7e21c7c2e5e5cd1c936f6c221e806bd14afa77b3eefc62e984aa2d391da408aaec0dbd2eade3023ebac77e3416cd67491d60053d317c6c8665be5c33961c379309d37d0a653d1859a6abfe195644d474739dbc44f62e623505f9460d9d8defafb12f4149d5baaf798f1345f565430cd7c096c24ca8d02d13fe90c20c5102818100f116cfdbfc0d5b3528cbfada1b21d4292ff188d41a4b22e658a9e29f610adf5fcb3329b0f567ba5029195fd648d06cc2174638f2f18ff0e0251e283e0a0b1f792751925efb617af3405083245c673dae77edc811fd668769d28ac1bee36261658a32f56a5e1b9b9e4f4fa7da55adeeb08c92f1de89f6186bd9c6d1e721638d2d02818100ea51e8798225e4ee77aa08e2f5ee0f8b847edd4c34d9bf7b8cf339b61d5bd22d504c5ab5f17572850f39018736474a449186e783dfda35da95902c8eaaec4bebb8ab6c057c678f37cd53fc1a12e5ace83d2a44d72195d565b3e8c12f89f2523fe37e52adbafde783be361fcd1f021aaaabf860febd8c5726c7089622ccca73b50281807d8248b7d76204a78a13970650b5adc3bb67dcb9beee7abebc4dc4e3001c2ee9a9d97accdb1523137431f78890e3a09af28ee63ae3b2f1cd5ec57261c9ccbc97cff651630d2f5458aa94bf910061e6e49b1eb8d754ba39a8c7a8e0f04564041c5e73e4fb78fe9a673216dfe57451563fa70f20c79fbef43bc166160463877609028180693b0fa44206b2a145ac5f014e60f32a3cfe9c73b4e8754e0f26cc2c35531f38aa6f1fedc5da70ebc0c261255003041f771b96ad6ac29c9ce5be31c4808e4e2a366d05be10f89121065d49428c6a0914e32330774ce5f5480f5be02671551a0b07279c09d9885d8894cbc9cc5cb89d3138b9fb156c1ab2a8ff89a3a34d453e6102818100aff57dd813fd064d8d1a5e8c7ea7e534dff6963a9b5b1c4da12219268c0500288901bbd36edb8071679bcd9d0d8deacfaa52e4b3659f4a69a5c5322f104524f83eb4b94bf6f02b5ad7c2ccd9bc5688f4e18ff2a70ae7638a83f2f87d8ecc9e0eebf2283f809670c8a0b79e1a576a6c9c04d4d71b75647c818a23873cdc0d77bf" + +RSA parse/write PKCS#1 public key - 2048 bits +rsa_import_pkcs1_key:1:"3082010a0282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d10203010001" diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 37bed6d..315d4f6 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1,6 +1,7 @@ /* BEGIN_HEADER */ #include "mbedtls/rsa.h" #include "rsa_alt_helpers.h" +#include "rsa_internal.h" /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -1371,6 +1372,36 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void rsa_import_pkcs1_key(int is_public, data_t *input) +{ + mbedtls_rsa_context rsa_ctx; + unsigned char *input_start = input->x; + unsigned char *input_end = input->x + input->len; + unsigned char *output_buf = NULL; + unsigned char *output_start; + unsigned char *output_end; + + TEST_CALLOC(output_buf, input->len); + output_start = output_buf; + output_end = output_buf + input->len; + + mbedtls_rsa_init(&rsa_ctx); + + if (is_public) { + TEST_EQUAL(mbedtls_rsa_pubkey_parse(&rsa_ctx, &input_start, input_end), 0); + TEST_EQUAL(mbedtls_rsa_pubkey_write(&rsa_ctx, output_start, &output_end), input->len); + } else { + TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), 0); + TEST_EQUAL(mbedtls_rsa_key_write(&rsa_ctx, output_start, &output_end), input->len); + } + +exit: + mbedtls_free(output_buf); + mbedtls_rsa_free(&rsa_ctx); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ void rsa_selftest() { -- cgit v1.1 From b054e449c9fa3af059cac13f5028855d401e9a3c Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 16:12:27 +0100 Subject: test_suite_psa_crypto: remove tests for importing an RSA key in PEM format This feature was an unofficial extension which was never documented. Now that we are removing the PK dependency in order to use only functions from RSA module, PEM support is unavailable. Therefore we explicitly remove it. Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto.data | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index eda6f5d..45cb839 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -496,16 +496,6 @@ PSA import/export RSA keypair: policy forbids export (sign), opaque depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:0:PSA_ERROR_NOT_PERMITTED:1 -# Test PEM import. Note that this is not a PSA feature, it's an Mbed TLS -# extension which we may drop in the future. -PSA import/export RSA public key: import PEM -depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PEM_PARSE_C -import_export:"2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d4947664d413047435371475349623344514542415155414134474e4144434269514b4267514376425830356275685074312f6274634b7850482f6c706c53710a69714a4843315165346636777353306c7835635255784a4a34524b574b41517475376242494e46454e5354765441357548596c57377249486576456a536433750a355553447641624378686c497a514b7941756557727232553036664c2b466e43775947634d6b79344b357a545474346d4f69712f2f6b637a384865476e6f5a670a3939614454615539615137336d46397277774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a00":PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:0:PSA_SUCCESS:0 - -PSA import/export RSA keypair: import PEM -depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PEM_PARSE_C -import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:0:PSA_SUCCESS:0 - PSA import/export FFDH RFC7919 2048 key pair: good depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:2048:0:PSA_SUCCESS:1 -- cgit v1.1 From 7b7ffd3bb9cf91d944b00d13d75cd69dd357452d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 16:14:18 +0100 Subject: psa_crypt_rsa: remove dependency from the PK module Use new functions from the RSA module to parse and write private and public keys in PKCS#1 format. Signed-off-by: Valerio Setti --- library/psa_crypto_rsa.c | 48 ++++++++++++++++-------------------------------- 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 7b58ea2..7da6012 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -24,8 +24,7 @@ #include #include -#include -#include "pk_wrap.h" +#include "rsa_internal.h" #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ @@ -62,50 +61,40 @@ psa_status_t mbedtls_psa_rsa_load_representation( mbedtls_rsa_context **p_rsa) { psa_status_t status; - mbedtls_pk_context ctx; size_t bits; - mbedtls_pk_init(&ctx); + + *p_rsa = mbedtls_calloc(1, sizeof(mbedtls_rsa_context)); + if (*p_rsa == NULL) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } + mbedtls_rsa_init(*p_rsa); /* Parse the data. */ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { - status = mbedtls_to_psa_error( - mbedtls_pk_parse_key(&ctx, data, data_length, NULL, 0, - mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE)); + status = mbedtls_to_psa_error(mbedtls_rsa_key_parse(*p_rsa, data, data_length)); } else { - status = mbedtls_to_psa_error( - mbedtls_pk_parse_public_key(&ctx, data, data_length)); + unsigned char *p = (unsigned char *) data; + unsigned char *end = (unsigned char *) (data + data_length); + status = mbedtls_to_psa_error(mbedtls_rsa_pubkey_parse(*p_rsa, &p, end)); } if (status != PSA_SUCCESS) { goto exit; } - /* We have something that the pkparse module recognizes. If it is a - * valid RSA key, store it. */ - if (mbedtls_pk_get_type(&ctx) != MBEDTLS_PK_RSA) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto exit; - } - /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS * supports non-byte-aligned key sizes, but not well. For example, * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */ - bits = PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(mbedtls_pk_rsa(ctx))); + bits = PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(*p_rsa)); if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) { status = PSA_ERROR_NOT_SUPPORTED; goto exit; } - status = psa_check_rsa_key_byte_aligned(mbedtls_pk_rsa(ctx)); + status = psa_check_rsa_key_byte_aligned(*p_rsa); if (status != PSA_SUCCESS) { goto exit; } - /* Copy out the pointer to the RSA context, and reset the PK context - * such that pk_free doesn't free the RSA context we just grabbed. */ - *p_rsa = mbedtls_pk_rsa(ctx); - ctx.pk_info = NULL; - exit: - mbedtls_pk_free(&ctx); return status; } #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || @@ -168,20 +157,15 @@ psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type, size_t *data_length) { int ret; - mbedtls_pk_context pk; - uint8_t *pos = data + data_size; - - mbedtls_pk_init(&pk); - pk.pk_info = &mbedtls_rsa_info; - pk.pk_ctx = rsa; + uint8_t *end = data + data_size; /* PSA Crypto API defines the format of an RSA key as a DER-encoded * representation of the non-encrypted PKCS#1 RSAPrivateKey for a * private key and of the RFC3279 RSAPublicKey for a public key. */ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { - ret = mbedtls_pk_write_key_der(&pk, data, data_size); + ret = mbedtls_rsa_key_write(rsa, data, &end); } else { - ret = mbedtls_pk_write_pubkey(&pos, data, &pk); + ret = mbedtls_rsa_pubkey_write(rsa, data, &end); } if (ret < 0) { -- cgit v1.1 From d6d6a76e46526a396bc2fb4a2b0ab239b26db5d6 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 23 Jan 2024 18:24:21 +0000 Subject: Add ..._GOTO_RETURN macro Signed-off-by: Ryan Everett --- library/psa_crypto_core.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 7b16724..85eeb1a 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -20,6 +20,9 @@ #include "psa/crypto.h" #include "psa/crypto_se_driver.h" +#if defined(MBEDTLS_THREADING_C) +#include "mbedtls/threading.h" +#endif /** * Tell if PSA is ready for this hash. @@ -111,6 +114,50 @@ typedef struct { } key; } psa_key_slot_t; +typedef enum { + PSA_MUTEX_LOCK = 0, + PSA_MUTEX_UNLOCK, +} psa_mutex_operation_t; + +/** If threading is enabled: perform a lock or unlock operation on the + * key slot mutex. + * Call with parameter PSA_MUTEX_LOCK to perform a lock operation. + * Call with parameter PSA_MUTEX_UNLOCK to perform an unlock operation. + * Returns PSA_ERROR_SERVICE_FAILURE if the operation fails + * and status was PSA_SUCCESS. + * If threading is not enabled, do nothing. + * + * Assumptions: + * psa_status_t status exists. + * op is PSA_MUTEX_LOCK or PSA_MUTEX_UNLOCK. + */ +#if defined(MBEDTLS_THREADING_C) +#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_RETURN(op) \ + do \ + { \ + if (op == PSA_MUTEX_LOCK) { \ + if (mbedtls_mutex_lock( \ + &mbedtls_threading_key_slot_mutex) != 0) { \ + if (status == PSA_SUCCESS) { \ + return PSA_ERROR_SERVICE_FAILURE; \ + } \ + return status; \ + } \ + } \ + if (op == PSA_MUTEX_UNLOCK) { \ + if (mbedtls_mutex_unlock( \ + &mbedtls_threading_key_slot_mutex) != 0) { \ + if (status == PSA_SUCCESS) { \ + return PSA_ERROR_SERVICE_FAILURE; \ + } \ + return status; \ + } \ + } \ + } while (0); +#else +#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_RETURN(op) do { } while (0) +#endif + /* A mask of key attribute flags used only internally. * Currently there aren't any. */ #define PSA_KA_MASK_INTERNAL_ONLY ( \ -- cgit v1.1 From 90afb132e067b57a2bbc12c986ac5112e91fc201 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 23 Jan 2024 18:24:36 +0000 Subject: Add ..._GOTO_EXIT macro Signed-off-by: Ryan Everett --- library/psa_crypto_core.h | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 85eeb1a..8b5ac26 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -158,6 +158,46 @@ typedef enum { #define PSA_KEY_SLOT_MUTEX_LOCKFUNC_RETURN(op) do { } while (0) #endif +/** If threading is enabled: perform a lock or unlock operation on the + * key slot mutex. + * Call with parameter PSA_MUTEX_LOCK to perform a lock operation. + * Call with parameter PSA_MUTEX_UNLOCK to perform an unlock operation. + * This will goto the exit label if the operation fails, + * setting status to PSA_SERVICE_FAILURE if status was PSA_SUCCESS. + * If threading is not enabled, do nothing. + * + * Assumptions: + * psa_status_t status exists. + * Label exit: exists. + * op is PSA_MUTEX_LOCK or PSA_MUTEX_UNLOCK. + */ +#if defined(MBEDTLS_THREADING_C) +#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_GOTO_EXIT(op) \ + do \ + { \ + if (op == PSA_MUTEX_LOCK) { \ + if (mbedtls_mutex_lock( \ + &mbedtls_threading_key_slot_mutex) != 0) { \ + if (status == PSA_SUCCESS) { \ + status = PSA_ERROR_SERVICE_FAILURE; \ + } \ + goto exit; \ + } \ + } \ + if (op == PSA_MUTEX_UNLOCK) { \ + if (mbedtls_mutex_unlock( \ + &mbedtls_threading_key_slot_mutex) != 0) { \ + if (status == PSA_SUCCESS) { \ + status = PSA_ERROR_SERVICE_FAILURE; \ + } \ + goto exit; \ + } \ + } \ + } while (0); +#else +#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_GOTO_EXIT(op) do { } while (0) +#endif + /* A mask of key attribute flags used only internally. * Currently there aren't any. */ #define PSA_KA_MASK_INTERNAL_ONLY ( \ -- cgit v1.1 From 0b17255da123b0b8717534d25c1c1adcb9ba5cab Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Jan 2024 14:11:26 +0100 Subject: Introduce mbedtls_pk_get_psa_attributes Follow the specification in https://github.com/Mbed-TLS/mbedtls/pull/8657 as of dd77343381161e09a63b4694001da3957e27d3a7, i.e. https://github.com/Mbed-TLS/mbedtls/blob/dd77343381161e09a63b4694001da3957e27d3a7/docs/architecture/psa-migration/psa-legacy-bridges.md#api-to-create-a-psa-key-from-a-pk-context This commit introduces the function declaration, its documentation, the definition without the interesting parts and a negative unit test function. Subsequent commits will add RSA, ECC and PK_OPAQUE support. Signed-off-by: Gilles Peskine --- include/mbedtls/pk.h | 116 +++++++++++++++++++++++++++++++++++- library/pk.c | 26 +++++++- tests/suites/test_suite_pk.data | 5 ++ tests/suites/test_suite_pk.function | 62 +++++++++++++++++++ 4 files changed, 207 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 27768bd..a43b949 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -28,7 +28,7 @@ #include "mbedtls/ecdsa.h" #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #include "psa/crypto.h" #endif @@ -484,6 +484,120 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, psa_key_usage_t usage); #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +/** + * \brief Determine valid PSA attributes that can be used to + * import a key into PSA. + * + * The attributes determined by this function are suitable + * for calling mbedtls_pk_import_into_psa() to create + * a PSA key with the same key material. + * + * The typical flow of operations involving this function is + * ``` + * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + * int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); + * if (ret != 0) ...; // error handling omitted + * // Tweak attributes if desired + * psa_key_id_t key_id = 0; + * ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); + * if (ret != 0) ...; // error handling omitted + * ``` + * + * \note This function does not support RSA-alt contexts + * (set up with mbedtls_pk_setup_rsa_alt()). + * + * \param[in] pk The PK context to use. It must have been set up. + * It can either contain a key pair or just a public key. + * \param usage A single `PSA_KEY_USAGE_xxx` flag among the following: + * - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a + * key pair. The output \p attributes will contain a + * key pair type, and the usage policy will allow + * #PSA_KEY_USAGE_ENCRYPT as well as + * #PSA_KEY_USAGE_DECRYPT. + * - #PSA_KEY_USAGE_DERIVE: \p pk must contain a + * key pair. The output \p attributes will contain a + * key pair type. + * - #PSA_KEY_USAGE_ENCRYPT: The output + * \p attributes will contain a public key type. + * - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a + * key pair. The output \p attributes will contain a + * key pair type, and the usage policy will allow + * #PSA_KEY_USAGE_VERIFY_HASH as well as + * #PSA_KEY_USAGE_SIGN_HASH. + * - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a + * key pair. The output \p attributes will contain a + * key pair type, and the usage policy will allow + * #PSA_KEY_USAGE_VERIFY_MESSAGE as well as + * #PSA_KEY_USAGE_SIGN_MESSAGE. + * - #PSA_KEY_USAGE_VERIFY_HASH: The output + * \p attributes will contain a public key type. + * - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output + * \p attributes will contain a public key type. + * \param[out] attributes + * On success, valid attributes to import the key into PSA. + * - The lifetime and key identifier are unchanged. If the + * attribute structure was initialized or reset before + * calling this function, this will result in a volatile + * key. Call psa_set_key_identifier() before or after this + * function if you wish to create a persistent key. Call + * psa_set_key_lifetime() before or after this function if + * you wish to import the key in a secure element. + * - The key type and bit-size are determined by the contents + * of the PK context. If the PK context contains a key + * pair, the key type can be either a key pair type or + * the corresponding public key type, depending on + * \p usage. If the PK context contains a public key, + * the key type is a public key type. + * - The key's policy is determined by the key type and + * the \p usage parameter. The usage always allows + * \p usage, exporting and copying the key, and + * possibly other permissions as documented for the + * \p usage parameter. + * The permitted algorithm is determined as follows + * based on the #mbedtls_pk_type_t type of \p pk, + * the chosen \p usage and other factors: + * - #MBEDTLS_PK_RSA with whose underlying + * #mbedtls_rsa_context has the padding mode + * #MBEDTLS_RSA_PKCS_V15: + * #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH) + * if \p usage is SIGN/VERIFY, and + * #PSA_ALG_RSA_PKCS1V15_CRYPT + * if \p usage is ENCRYPT/DECRYPT. + * - #MBEDTLS_PK_RSA with whose underlying + * #mbedtls_rsa_context has the padding mode + * #MBEDTLS_RSA_PKCS_V21 and the digest type + * corresponding to the PSA algorithm \c hash: + * #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH) + * if \p usage is SIGN/VERIFY, and + * #PSA_ALG_RSA_OAEP(\c hash) + * if \p usage is ENCRYPT/DECRYPT. + * - #MBEDTLS_PK_RSA_ALT: not supported. + * - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY + * if \p usage is SIGN/VERIFY: + * #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH) + * if #MBEDTLS_ECDSA_DETERMINISTIC is enabled, + * otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH). + * - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY + * if \p usage is DERIVE: + * #PSA_ALG_ECDH. + * - #MBEDTLS_PK_OPAQUE: same as the algorithm policy + * set for the underlying PSA key, except that + * sign/decrypt flags are removed if the type is + * set to a public key type. + * Note that the enrollment algorithm set with + * psa_set_key_enrollment_algorithm() is not copied. + * + * \return 0 on success. + * #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + * a key of the type identified in \p attributes. + * Another error code on other failures. + */ +int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, + psa_key_usage_t usage, + psa_key_attributes_t *attributes); +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ + /** * \brief Verify signature (including padding if relevant). * diff --git a/library/pk.c b/library/pk.c index 61ac0df..bde561a 100644 --- a/library/pk.c +++ b/library/pk.c @@ -29,7 +29,7 @@ #include "mbedtls/ecdsa.h" #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #include "psa_util_internal.h" #include "md_psa.h" #endif @@ -378,6 +378,30 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, + psa_key_usage_t usage, + psa_key_attributes_t *attributes) +{ + mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk); + + switch (pk_type) { +#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) + case MBEDTLS_PK_RSA_ALT: + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; +#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ + + default: + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + + usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + psa_set_key_usage_flags(attributes, usage); + + return 0; +} +#endif + /* * Helper for mbedtls_pk_sign and mbedtls_pk_verify */ diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index af1e20c..e8ffff4 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -680,3 +680,8 @@ pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512 PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512 depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512 + +PSA attributes for pk: NONE (bad) +pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA + +# There is a (negative) test for pk_type=MBEDTLS_PK_RSA_ALT in pk_rsa_alt(). diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 226598c..0ac84a2 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -162,6 +162,33 @@ size_t mbedtls_rsa_key_len_func(void *ctx) } #endif /* MBEDTLS_RSA_C */ +#if defined(MBEDTLS_PSA_CRYPTO_C) +static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, + mbedtls_pk_context *pk, psa_key_type_t *psa_type) +{ + int ok = 0; + + if (pk_type == MBEDTLS_PK_NONE) { + return 1; + } + TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0); + + switch (pk_type) { + default: + TEST_FAIL("Unknown PK type in test data"); + break; + } + + if (!want_pair) { + *psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type); + } + ok = 1; + +exit: + return ok; +} +#endif + #if defined(MBEDTLS_USE_PSA_CRYPTO) /* @@ -1263,6 +1290,14 @@ void pk_rsa_alt() TEST_ASSERT(mbedtls_pk_get_type(&alt) == MBEDTLS_PK_RSA_ALT); TEST_ASSERT(strcmp(mbedtls_pk_get_name(&alt), "RSA-alt") == 0); +#if defined(MBEDTLS_PSA_CRYPTO_C) + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&alt, + PSA_KEY_USAGE_ENCRYPT, + &attributes), + MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE); +#endif /* MBEDTLS_PSA_CRYPTO_C */ + /* Test signature */ #if SIZE_MAX > UINT_MAX TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX, @@ -1569,3 +1604,30 @@ exit: PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ +void pk_get_psa_attributes_fail(int pk_type, int from_pair, + int usage_arg, + int expected_ret) +{ + mbedtls_pk_context pk; + mbedtls_pk_init(&pk); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_usage_t usage = usage_arg; + + MD_OR_USE_PSA_INIT(); + + psa_key_type_t expected_psa_type; + if (!pk_setup_for_type(pk_type, from_pair, &pk, &expected_psa_type)) { + goto exit; + } + + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), + expected_ret); + +exit: + mbedtls_pk_free(&pk); + psa_reset_key_attributes(&attributes); + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From 1f97e73114a37bab4655100890680592cdba8204 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Jan 2024 14:14:24 +0100 Subject: mbedtls_pk_get_psa_attributes: force enrollment algorithm off This avoids a possible gotcha when if the application code reuses an existing attribute structure. Signed-off-by: Gilles Peskine --- library/pk.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/pk.c b/library/pk.c index bde561a..706d5d3 100644 --- a/library/pk.c +++ b/library/pk.c @@ -397,6 +397,12 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; psa_set_key_usage_flags(attributes, usage); +#if defined(MBEDTLS_PSA_CRYPTO_C) + /* Assume that we have all Mbed TLS attributes. When + * MBEDTLS_PSA_CRYPTO_CLIENT is enabled but not MBEDTLS_PSA_CRYPTO_C, + * we only assume standard PSA functions. */ + psa_set_key_enrollment_algorithm(attributes, PSA_ALG_NONE); +#endif return 0; } -- cgit v1.1 From 6ea18361dfcedd70e8cf3e2bb9925b0cfd73428e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Jan 2024 14:16:27 +0100 Subject: mbedtls_pk_get_psa_attributes: RSA support Add code and unit tests for MBEDTLS_PK_RSA in mbedtls_pk_get_psa_attributes(). Signed-off-by: Gilles Peskine --- library/pk.c | 64 ++++++++++++++++ tests/suites/test_suite_pk.data | 104 +++++++++++++++++++++++++ tests/suites/test_suite_pk.function | 149 ++++++++++++++++++++++++++++++++++++ 3 files changed, 317 insertions(+) diff --git a/library/pk.c b/library/pk.c index 706d5d3..1485bd7 100644 --- a/library/pk.c +++ b/library/pk.c @@ -379,6 +379,27 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +#if defined(MBEDTLS_RSA_C) +static psa_algorithm_t psa_algorithm_for_rsa(const mbedtls_rsa_context *rsa, + int want_crypt) +{ + if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) { + if (want_crypt) { + mbedtls_md_type_t md_type = mbedtls_rsa_get_md_alg(rsa); + return PSA_ALG_RSA_OAEP(mbedtls_md_psa_alg_from_type(md_type)); + } else { + return PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH); + } + } else { + if (want_crypt) { + return PSA_ALG_RSA_PKCS1V15_CRYPT; + } else { + return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH); + } + } +} +#endif /* MBEDTLS_RSA_C */ + int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, psa_key_usage_t usage, psa_key_attributes_t *attributes) @@ -386,6 +407,49 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk); switch (pk_type) { +#if defined(MBEDTLS_RSA_C) + case MBEDTLS_PK_RSA: + int want_crypt = 0; + int want_private = 0; + switch (usage) { + case PSA_KEY_USAGE_SIGN_MESSAGE: + usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + want_private = 1; + break; + case PSA_KEY_USAGE_SIGN_HASH: + usage |= PSA_KEY_USAGE_VERIFY_HASH; + want_private = 1; + break; + case PSA_KEY_USAGE_DECRYPT: + usage |= PSA_KEY_USAGE_ENCRYPT; + want_private = 1; + want_crypt = 1; + break; + case PSA_KEY_USAGE_VERIFY_MESSAGE: + case PSA_KEY_USAGE_VERIFY_HASH: + break; + case PSA_KEY_USAGE_ENCRYPT: + want_crypt = 1; + break; + default: + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + /* Detect the presence of a private key in a way that works both + * in CRT and non-CRT configurations. */ + mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); + int has_private = (mbedtls_rsa_check_privkey(rsa) == 0); + if (want_private && !has_private) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + psa_set_key_type(attributes, (want_private ? + PSA_KEY_TYPE_RSA_KEY_PAIR : + PSA_KEY_TYPE_RSA_PUBLIC_KEY)); + psa_set_key_bits(attributes, mbedtls_mpi_bitlen(&rsa->N)); + psa_set_key_algorithm(attributes, + psa_algorithm_for_rsa(rsa, want_crypt)); + break; +#endif /* MBEDTLS_RSA_C */ + #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) case MBEDTLS_PK_RSA_ALT: return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index e8ffff4..bc0de71 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -685,3 +685,107 @@ PSA attributes for pk: NONE (bad) pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA # There is a (negative) test for pk_type=MBEDTLS_PK_RSA_ALT in pk_rsa_alt(). + +PSA attributes for pk: RSA v15 pair DECRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT + +PSA attributes for pk: RSA v21 SHA-256 pair DECRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) + +PSA attributes for pk: RSA v21 SHA-512 pair DECRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) + +PSA attributes for pk: RSA v15 pair->public ENCRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT + +PSA attributes for pk: RSA v21 SHA-256 pair->public ENCRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) + +PSA attributes for pk: RSA v21 SHA-512 pair->public ENCRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) + +PSA attributes for pk: RSA v15 public ENCRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT + +PSA attributes for pk: RSA v21 SHA-256 public ENCRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) + +PSA attributes for pk: RSA v21 SHA-512 public ENCRYPT +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) + +PSA attributes for pk: RSA v15 public DECRYPT (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: RSA v15 pair SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v21 SHA-256 pair SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v15 pair SIGN_HASH +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v21 SHA-256 pair SIGN_HASH +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v15 pair->public VERIFY_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v15 pair->public VERIFY_HASH +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_HASH +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v15 public VERIFY_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v21 SHA-256 public VERIFY_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v15 public VERIFY_HASH +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v21 SHA-256 public VERIFY_HASH +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) + +PSA attributes for pk: RSA v15 public SIGN_MESSAGE (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: RSA v15 public SIGN_HASH (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: RSA v15 pair DERIVE (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: RSA v15 public DERIVE (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 0ac84a2..d6902b4 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -174,6 +174,30 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0); switch (pk_type) { +#if defined(MBEDTLS_RSA_C) + case MBEDTLS_PK_RSA: + { + *psa_type = PSA_KEY_TYPE_RSA_KEY_PAIR; + mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); + if (want_pair) { + TEST_EQUAL(mbedtls_rsa_gen_key( + rsa, + mbedtls_test_rnd_std_rand, NULL, + MBEDTLS_RSA_GEN_KEY_MIN_BITS, 65537), 0); + } else { + unsigned char N[PSA_BITS_TO_BYTES(MBEDTLS_RSA_GEN_KEY_MIN_BITS)] = { 0xff }; + N[sizeof(N) - 1] = 0x03; + const unsigned char E[1] = {0x03}; + TEST_EQUAL(mbedtls_rsa_import_raw(rsa, + N, sizeof(N), + NULL, 0, NULL, 0, NULL, 0, + E, sizeof(E)), 0); + TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); + } + break; + } +#endif /* MBEDTLS_RSA_C */ + default: TEST_FAIL("Unknown PK type in test data"); break; @@ -1606,6 +1630,131 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ +void pk_get_psa_attributes(int pk_type, int from_pair, + int usage_arg, + int to_pair, int expected_alg) +{ + mbedtls_pk_context pk; + mbedtls_pk_init(&pk); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_usage_t usage = usage_arg; + + MD_OR_USE_PSA_INIT(); + + psa_key_type_t expected_psa_type = 0; + if (!pk_setup_for_type(pk_type, from_pair, &pk, &expected_psa_type)) { + goto exit; + } + if (!to_pair) { + expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type); + } + + psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE; //TODO: diversity + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; //TODO: diversity + psa_set_key_id(&attributes, key_id); + psa_set_key_lifetime(&attributes, lifetime); + + psa_key_usage_t expected_usage = usage; + /* Usage implied universally */ + if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { + expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; + } + if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { + expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } + /* Usage implied by mbedtls_pk_get_psa_attributes() */ + if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { + expected_usage |= PSA_KEY_USAGE_VERIFY_HASH; + } + if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) { + expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } + if (expected_usage & PSA_KEY_USAGE_DECRYPT) { + expected_usage |= PSA_KEY_USAGE_ENCRYPT; + } + expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0); + + TEST_EQUAL(psa_get_key_lifetime(&attributes), lifetime); + TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes), + key_id)); + TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type); + TEST_EQUAL(psa_get_key_bits(&attributes), + mbedtls_pk_get_bitlen(&pk)); + TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); + TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); + TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); + +exit: + mbedtls_pk_free(&pk); + psa_reset_key_attributes(&attributes); + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 */ +void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, + int usage_arg, + int to_pair, int expected_alg) +{ + mbedtls_pk_context pk; + mbedtls_pk_init(&pk); + psa_key_usage_t usage = usage_arg; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + MD_OR_USE_PSA_INIT(); + + psa_key_type_t expected_psa_type = 0; + if (!pk_setup_for_type(MBEDTLS_PK_RSA, from_pair, &pk, &expected_psa_type)) { + goto exit; + } + mbedtls_rsa_context *rsa = mbedtls_pk_rsa(pk); + TEST_EQUAL(mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_type), 0); + if (!to_pair) { + expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type); + } + + psa_key_usage_t expected_usage = usage; + /* Usage implied universally */ + if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { + expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; + } + if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { + expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } + /* Usage implied by mbedtls_pk_get_psa_attributes() */ + if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { + expected_usage |= PSA_KEY_USAGE_VERIFY_HASH; + } + if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) { + expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } + if (expected_usage & PSA_KEY_USAGE_DECRYPT) { + expected_usage |= PSA_KEY_USAGE_ENCRYPT; + } + expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0); + + TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE); + TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes), + MBEDTLS_SVC_KEY_ID_INIT)); + TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type); + TEST_EQUAL(psa_get_key_bits(&attributes), + mbedtls_pk_get_bitlen(&pk)); + TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); + TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); + TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); + +exit: + mbedtls_pk_free(&pk); + psa_reset_key_attributes(&attributes); + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ void pk_get_psa_attributes_fail(int pk_type, int from_pair, int usage_arg, int expected_ret) -- cgit v1.1 From ace7c7721ef30ae1bf1e218f1ff69720277f2f9d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Jan 2024 17:47:54 +0100 Subject: mbedtls_pk_get_psa_attributes: ECC support Add code and unit tests for MBEDTLS_PK_ECxxx in mbedtls_pk_get_psa_attributes(). This commit only supports built-in ECC (MBEDTLS_ECP_C). A subsequent commit will handle driver-only ECC. Signed-off-by: Gilles Peskine --- library/pk.c | 72 ++++++++++++++-- tests/suites/test_suite_pk.data | 168 ++++++++++++++++++++++++++++++++++++ tests/suites/test_suite_pk.function | 30 ++++++- 3 files changed, 262 insertions(+), 8 deletions(-) diff --git a/library/pk.c b/library/pk.c index 1485bd7..432fbcf 100644 --- a/library/pk.c +++ b/library/pk.c @@ -406,22 +406,28 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, { mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk); + psa_key_usage_t more_usage = usage; + if (usage == PSA_KEY_USAGE_SIGN_MESSAGE) { + more_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } else if (usage == PSA_KEY_USAGE_SIGN_HASH) { + more_usage |= PSA_KEY_USAGE_VERIFY_HASH; + } else if (usage == PSA_KEY_USAGE_DECRYPT) { + more_usage |= PSA_KEY_USAGE_ENCRYPT; + } + more_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + switch (pk_type) { #if defined(MBEDTLS_RSA_C) case MBEDTLS_PK_RSA: + { int want_crypt = 0; int want_private = 0; switch (usage) { case PSA_KEY_USAGE_SIGN_MESSAGE: - usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; - want_private = 1; - break; case PSA_KEY_USAGE_SIGN_HASH: - usage |= PSA_KEY_USAGE_VERIFY_HASH; want_private = 1; break; case PSA_KEY_USAGE_DECRYPT: - usage |= PSA_KEY_USAGE_ENCRYPT; want_private = 1; want_crypt = 1; break; @@ -448,8 +454,61 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, psa_set_key_algorithm(attributes, psa_algorithm_for_rsa(rsa, want_crypt)); break; + } #endif /* MBEDTLS_RSA_C */ +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + { + int sign_ok = (pk_type != MBEDTLS_PK_ECKEY_DH); + int derive_ok = (pk_type != MBEDTLS_PK_ECDSA); + mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); + int has_private = (ec->d.n != 0); + size_t bits = 0; + psa_ecc_family_t family = + mbedtls_ecc_group_to_psa(ec->grp.id, &bits); + int want_private = 0; + psa_algorithm_t alg = 0; + switch (usage) { + case PSA_KEY_USAGE_SIGN_MESSAGE: + case PSA_KEY_USAGE_SIGN_HASH: + want_private = 1; + /* FALLTHROUGH */ + case PSA_KEY_USAGE_VERIFY_MESSAGE: + case PSA_KEY_USAGE_VERIFY_HASH: + if (!sign_ok) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) + alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH); +#else + alg = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH); +#endif + break; + case PSA_KEY_USAGE_DERIVE: + want_private = 1; + alg = PSA_ALG_ECDH; + if (!derive_ok) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + break; + default: + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + if (want_private && !has_private) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + psa_set_key_type(attributes, (want_private ? + PSA_KEY_TYPE_ECC_KEY_PAIR(family) : + PSA_KEY_TYPE_ECC_PUBLIC_KEY(family))); + psa_set_key_bits(attributes, bits); + psa_set_key_algorithm(attributes, alg); + break; + } +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ + #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) case MBEDTLS_PK_RSA_ALT: return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; @@ -459,8 +518,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; - psa_set_key_usage_flags(attributes, usage); + psa_set_key_usage_flags(attributes, more_usage); #if defined(MBEDTLS_PSA_CRYPTO_C) /* Assume that we have all Mbed TLS attributes. When * MBEDTLS_PSA_CRYPTO_CLIENT is enabled but not MBEDTLS_PSA_CRYPTO_C, diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index bc0de71..f0903e3 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -789,3 +789,171 @@ pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_ PSA attributes for pk: RSA v15 public DERIVE (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY pair DECRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH pair DECRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECDSA pair DECRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY public DECRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH public DECRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECDSA public DECRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY pair ENCRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH pair ENCRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECDSA pair ENCRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY public ENCRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH public ENCRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECDSA public ENCRYPT (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY pair DERIVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH + +PSA attributes for pk: ECKEY_DH pair DERIVE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH + +PSA attributes for pk: ECDSA pair DERIVE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY public DERIVE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH public DERIVE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECDSA public DERIVE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY pair SIGN_MESSAGE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECDSA pair SIGN_MESSAGE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECKEY pair SIGN_HASH +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECDSA pair SIGN_HASH +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECKEY pair->public VERIFY_HASH +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECDSA pair->public VERIFY_HASH +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECKEY public VERIFY_MESSAGE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECDSA public VERIFY_MESSAGE +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECKEY public VERIFY_HASH +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECDSA public VERIFY_HASH +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) + +PSA attributes for pk: ECKEY public SIGN_MESSAGE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECDSA public SIGN_MESSAGE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY public SIGN_HASH (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECDSA public SIGN_HASH (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH pair SIGN_MESSAGE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH pair SIGN_HASH (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH pair VERIFY_MESSAGE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH pair VERIFY_HASH (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH public SIGN_MESSAGE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH public SIGN_HASH (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH public VERIFY_MESSAGE (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: ECKEY_DH public VERIFY_HASH (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index d6902b4..90c5044 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -187,7 +187,7 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, } else { unsigned char N[PSA_BITS_TO_BYTES(MBEDTLS_RSA_GEN_KEY_MIN_BITS)] = { 0xff }; N[sizeof(N) - 1] = 0x03; - const unsigned char E[1] = {0x03}; + const unsigned char E[1] = { 0x03 }; TEST_EQUAL(mbedtls_rsa_import_raw(rsa, N, sizeof(N), NULL, 0, NULL, 0, NULL, 0, @@ -198,6 +198,23 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, } #endif /* MBEDTLS_RSA_C */ +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + { + mbedtls_ecp_group_id grp_id = mbedtls_ecp_grp_id_list()[0]; + size_t bits; + *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits)); + TEST_EQUAL(pk_genkey(pk, grp_id), 0); + if (!want_pair) { + mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); + mbedtls_mpi_free(&ec->d); + } + break; + } +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ + default: TEST_FAIL("Unknown PK type in test data"); break; @@ -1674,6 +1691,17 @@ void pk_get_psa_attributes(int pk_type, int from_pair, } expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) + /* When the resulting algorithm is ECDSA, the compile-time configuration + * can cause it to be either deterministic or randomized ECDSA. + * Rather than have two near-identical sets of test data depending on + * the configuration, always use randomized in the test data and + * tweak the expected result here. */ + if (expected_alg == PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)) { + expected_alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH); + } +#endif + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0); TEST_EQUAL(psa_get_key_lifetime(&attributes), lifetime); -- cgit v1.1 From 94e3a873ce061b51f54746629ad9ce529fa5222e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Jan 2024 19:23:39 +0100 Subject: mbedtls_pk_get_psa_attributes: test bad usage value Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index f0903e3..ee348a3 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -686,6 +686,36 @@ pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ # There is a (negative) test for pk_type=MBEDTLS_PK_RSA_ALT in pk_rsa_alt(). +# Bad usage due to not specifying sign/crypt/derive. +PSA attributes for pk: RSA usage=0 (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:0:MBEDTLS_ERR_PK_TYPE_MISMATCH + +# Bad usage due to not specifying sign/crypt/derive. +PSA attributes for pk: RSA usage=EXPORT (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +# This usage could make sense, but is not currently supported. +PSA attributes for pk: RSA usage=DECRYPT|EXPORT (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH + +# Bad usage due to not specifying more than one of sign/crypt/derive. +PSA attributes for pk: RSA usage=DECRYPT|SIGN_MESSAGE (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + +# This usage could make sense, but is not currently supported. +PSA attributes for pk: RSA usage=SIGN_MESSAGE|SIGN_HASH (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +# This usage could make sense, but is not currently supported. +PSA attributes for pk: RSA usage=SIGN_MESSAGE|VERIFY_MESSAGE (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH + PSA attributes for pk: RSA v15 pair DECRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT -- cgit v1.1 From 758d8c7631ce0d9a737a586add0e6c26f0872e5c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Jan 2024 20:53:21 +0100 Subject: mbedtls_pk_get_psa_attributes: support MBEDTLS_PK_OPAQUE Signed-off-by: Gilles Peskine --- library/pk.c | 52 ++++++++++++++++ tests/suites/test_suite_pk.data | 114 ++++++++++++++++++++++++++++++++++++ tests/suites/test_suite_pk.function | 54 +++++++++++++++++ 3 files changed, 220 insertions(+) diff --git a/library/pk.c b/library/pk.c index 432fbcf..783b488 100644 --- a/library/pk.c +++ b/library/pk.c @@ -514,6 +514,58 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + case MBEDTLS_PK_OPAQUE: + { + psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + status = psa_get_key_attributes(pk->priv_id, &old_attributes); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + psa_key_type_t old_type = psa_get_key_type(&old_attributes); + switch (usage) { + case PSA_KEY_USAGE_SIGN_MESSAGE: + case PSA_KEY_USAGE_SIGN_HASH: + case PSA_KEY_USAGE_VERIFY_MESSAGE: + case PSA_KEY_USAGE_VERIFY_HASH: + if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type) || + old_type == PSA_KEY_TYPE_RSA_KEY_PAIR)) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + break; + case PSA_KEY_USAGE_DECRYPT: + case PSA_KEY_USAGE_ENCRYPT: + if (old_type != PSA_KEY_TYPE_RSA_KEY_PAIR) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + break; + case PSA_KEY_USAGE_DERIVE: + if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type))) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + break; + break; + default: + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + psa_key_type_t new_type = old_type; + /* Opaque keys are always key pairs, so we don't need a check + * on the input if the required usage is private. We just need + * to adjust the type correctly if the required usage is public. */ + if (usage == PSA_KEY_USAGE_VERIFY_MESSAGE || + usage == PSA_KEY_USAGE_VERIFY_HASH || + usage == PSA_KEY_USAGE_ENCRYPT) { + new_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(new_type); + } + more_usage = psa_get_key_usage_flags(&old_attributes); + psa_set_key_type(attributes, new_type); + psa_set_key_bits(attributes, psa_get_key_bits(&old_attributes)); + psa_set_key_algorithm(attributes, psa_get_key_algorithm(&old_attributes)); + break; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + default: return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index ee348a3..55350b6 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -987,3 +987,117 @@ pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_MESSAGE:MB PSA attributes for pk: ECKEY_DH public VERIFY_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:0 + +PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE + +PSA attributes for pk: opaque RSA pair, SIGN|VERIFY & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE + +PSA attributes for pk: opaque RSA pair, SIGN|DECRYPT & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT + +PSA attributes for pk: opaque RSA pair, SIGN|... & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT + +# For a PK_OPAQUE key, mbedtls_pk_get_psa_attributes() ignores the input +# key's algorithm policy. Just this time, test with a few different algorithms. +PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [0] +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:0 + +PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [raw] +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:0 + +PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [v15] +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:0 + +PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [PSS] +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:0 + +PSA attributes for pk: opaque RSA pair, DECRYPT & DECRYPT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_DECRYPT + +PSA attributes for pk: opaque RSA pair, DECRYPT|... & DECRYPT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT + +PSA attributes for pk: opaque RSA pair, ... & DERIVE (bad) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 + +PSA attributes for pk: opaque RSA pair, ... & EXPORT (bad) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 + +PSA attributes for pk: opaque RSA pair->public, 0 & VERIFY_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:0 + +PSA attributes for pk: opaque RSA pair->public, 0 & VERIFY_HASH +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:0 + +PSA attributes for pk: opaque RSA pair->public, 0 & ENCRYPT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:0 + +PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:0 + +PSA attributes for pk: opaque ECC pair, SIGN_MESSAGE & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE + +PSA attributes for pk: opaque ECC pair, SIGN|VERIFY & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE + +PSA attributes for pk: opaque ECC pair, SIGN|DECRYPT & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT + +PSA attributes for pk: opaque ECC pair, SIGN|... & SIGN_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT + +PSA attributes for pk: opaque ECC pair, 0 & SIGN_HASH +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:0 + +PSA attributes for pk: opaque ECC pair, ... & DERIVE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE + +PSA attributes for pk: opaque ECC pair, ... & DECRYPT (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 + +PSA attributes for pk: opaque ECC pair, ... & EXPORT (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDH:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 + +PSA attributes for pk: opaque ECC pair->public, 0 & VERIFY_MESSAGE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:0 + +PSA attributes for pk: opaque ECC pair->public, 0 & VERIFY_HASH +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:0 + +PSA attributes for pk: opaque ECC pair->public, 0 & ENCRYPT (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0 diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 90c5044..930d015 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1808,3 +1808,57 @@ exit: MD_OR_USE_PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ +void pk_get_psa_attributes_opaque(int o_type_arg, int o_bits_arg, + int o_usage_arg, int o_alg_arg, + int usage_arg, + int expected_ret, + int to_pair, int expected_usage_arg) +{ + mbedtls_pk_context pk; + mbedtls_pk_init(&pk); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t o_type = o_type_arg; + size_t bits = o_bits_arg; + psa_key_usage_t o_usage = o_usage_arg; + psa_algorithm_t alg = o_alg_arg; + psa_key_usage_t usage = usage_arg; + psa_key_usage_t expected_usage = expected_usage_arg; + + USE_PSA_INIT(); + + psa_set_key_type(&attributes, o_type); + psa_set_key_bits(&attributes, bits); + psa_set_key_usage_flags(&attributes, o_usage); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_enrollment_algorithm(&attributes, 42); + //TODO: test with persistent key + PSA_ASSERT(psa_generate_key(&attributes, &key_id)); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); + + psa_key_type_t expected_psa_type = + to_pair ? o_type : PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(o_type); + + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), + expected_ret); + + if (expected_ret == 0) { + TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE); + TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes), + MBEDTLS_SVC_KEY_ID_INIT)); + TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type); + TEST_EQUAL(psa_get_key_bits(&attributes), bits); + TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); + TEST_EQUAL(psa_get_key_algorithm(&attributes), alg); + TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); + } + +exit: + mbedtls_pk_free(&pk); + psa_destroy_key(key_id); + psa_reset_key_attributes(&attributes); + USE_PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From 7354f1e17870e528361f274aa4634441719e4b70 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2024 11:06:02 +0100 Subject: Allow building with MBEDTLS_PK_USE_PSA_EC_DATA && MBEDTLS_ECP_C This isn't officially supported, but it's convenient to build the library this way for quick testing. Signed-off-by: Gilles Peskine --- library/ssl_tls12_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 0c5af87..b4b5781 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2005,9 +2005,9 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; } -#if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk); -#endif /* MBEDTLS_ECP_C */ +#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */ #if defined(MBEDTLS_USE_PSA_CRYPTO) uint16_t tls_id = 0; -- cgit v1.1 From f3dbc98d967289f9de9b5f89c2e187e6d6468a35 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2024 11:05:34 +0100 Subject: mbedtls_pk_get_psa_attributes: support MBEDTLS_PK_USE_PSA_EC_DATA Signed-off-by: Gilles Peskine --- library/pk.c | 13 +++++++++++++ tests/suites/test_suite_pk.function | 36 +++++++++++++++++++++++++----------- 2 files changed, 38 insertions(+), 11 deletions(-) diff --git a/library/pk.c b/library/pk.c index 783b488..c34da99 100644 --- a/library/pk.c +++ b/library/pk.c @@ -464,11 +464,24 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, { int sign_ok = (pk_type != MBEDTLS_PK_ECKEY_DH); int derive_ok = (pk_type != MBEDTLS_PK_ECDSA); +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + status = psa_get_key_attributes(pk->priv_id, &old_attributes); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + psa_key_type_t old_type = psa_get_key_type(&old_attributes); + int has_private = PSA_KEY_TYPE_IS_KEY_PAIR(old_type); + size_t bits = psa_get_key_bits(&old_attributes); + psa_ecc_family_t family = PSA_KEY_TYPE_ECC_GET_FAMILY(old_type); +#else mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); int has_private = (ec->d.n != 0); size_t bits = 0; psa_ecc_family_t family = mbedtls_ecc_group_to_psa(ec->grp.id, &bits); +#endif int want_private = 0; psa_algorithm_t alg = 0; switch (usage) { diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 930d015..e522ea7 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -111,7 +111,14 @@ static int pk_genkey(mbedtls_pk_context *pk, int curve_or_keybits) mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) { int ret; -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + ret = pk_genkey_ec(pk, curve_or_keybits); + if (ret != 0) { + return ret; + } + + return 0; +#else ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, curve_or_keybits); if (ret != 0) { return ret; @@ -120,16 +127,7 @@ static int pk_genkey(mbedtls_pk_context *pk, int curve_or_keybits) &mbedtls_pk_ec_rw(*pk)->d, &mbedtls_pk_ec_rw(*pk)->Q, mbedtls_test_rnd_std_rand, NULL); -#endif /* MBEDTLS_ECP_C */ - -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - ret = pk_genkey_ec(pk, curve_or_keybits); - if (ret != 0) { - return ret; - } - - return 0; -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ +#endif /* MBEDTLS_ECP_C && !MBEDTLS_PK_USE_PSA_EC_DATA */ } #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ @@ -208,8 +206,24 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits)); TEST_EQUAL(pk_genkey(pk, grp_id), 0); if (!want_pair) { +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + psa_key_attributes_t pub_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_type(&pub_attributes, + PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type)); + psa_set_key_usage_flags(&pub_attributes, + PSA_KEY_USAGE_EXPORT | + PSA_KEY_USAGE_COPY | + PSA_KEY_USAGE_VERIFY_MESSAGE | + PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&pub_attributes, PSA_ALG_ECDSA_ANY); + PSA_ASSERT(psa_destroy_key(pk->priv_id)); + PSA_ASSERT(psa_import_key(&pub_attributes, + pk->pub_raw, pk->pub_raw_len, + &pk->priv_id)); +#else mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); mbedtls_mpi_free(&ec->d); +#endif } break; } -- cgit v1.1 From c09df2f24c85623a426501f0fa6ef659cb57fbd4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2024 17:03:31 +0100 Subject: Unify want_private detection This commit makes the code arguably slightly simpler and fixes the build with clang -Wimplicit-fallthrough. No intended semantic change. Signed-off-by: Gilles Peskine --- library/pk.c | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/library/pk.c b/library/pk.c index c34da99..60891a0 100644 --- a/library/pk.c +++ b/library/pk.c @@ -416,24 +416,23 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, } more_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + int want_private = !(usage == PSA_KEY_USAGE_VERIFY_MESSAGE || + usage == PSA_KEY_USAGE_VERIFY_HASH || + usage == PSA_KEY_USAGE_ENCRYPT); + switch (pk_type) { #if defined(MBEDTLS_RSA_C) case MBEDTLS_PK_RSA: { - int want_crypt = 0; - int want_private = 0; + int want_crypt = 0; /* 0: encrypt/decrypt; 1: sign/verify */ switch (usage) { case PSA_KEY_USAGE_SIGN_MESSAGE: case PSA_KEY_USAGE_SIGN_HASH: - want_private = 1; - break; - case PSA_KEY_USAGE_DECRYPT: - want_private = 1; - want_crypt = 1; - break; case PSA_KEY_USAGE_VERIFY_MESSAGE: case PSA_KEY_USAGE_VERIFY_HASH: + /* Nothing to do. */ break; + case PSA_KEY_USAGE_DECRYPT: case PSA_KEY_USAGE_ENCRYPT: want_crypt = 1; break; @@ -482,13 +481,10 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, psa_ecc_family_t family = mbedtls_ecc_group_to_psa(ec->grp.id, &bits); #endif - int want_private = 0; psa_algorithm_t alg = 0; switch (usage) { case PSA_KEY_USAGE_SIGN_MESSAGE: case PSA_KEY_USAGE_SIGN_HASH: - want_private = 1; - /* FALLTHROUGH */ case PSA_KEY_USAGE_VERIFY_MESSAGE: case PSA_KEY_USAGE_VERIFY_HASH: if (!sign_ok) { @@ -501,7 +497,6 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, #endif break; case PSA_KEY_USAGE_DERIVE: - want_private = 1; alg = PSA_ALG_ECDH; if (!derive_ok) { return MBEDTLS_ERR_PK_TYPE_MISMATCH; @@ -566,9 +561,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, /* Opaque keys are always key pairs, so we don't need a check * on the input if the required usage is private. We just need * to adjust the type correctly if the required usage is public. */ - if (usage == PSA_KEY_USAGE_VERIFY_MESSAGE || - usage == PSA_KEY_USAGE_VERIFY_HASH || - usage == PSA_KEY_USAGE_ENCRYPT) { + if (!want_private) { new_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(new_type); } more_usage = psa_get_key_usage_flags(&old_attributes); -- cgit v1.1 From 51860149f4c3b1bf2d7f9be0b4de9304f41d0a61 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2024 17:45:33 +0100 Subject: Allow context types with an ALT version to be linked in Doxygen In our tests, we run `tests/scripts/doxygen.sh`, which checks that `doxygen` runs without warnings after `scripts/config.py realfull`. In this configuration, alternative implementations such as `MBEDTLS_RSA_ALT` are enabled, which allows the documentation to contain references to the `MBEDTLS_xxx_ALT` symbol itself. However, this disables context types that alternative implementations must define in their header, such as `mbedtls_rsa_context`. See https://github.com/Mbed-TLS/mbedtls/issues/4518 As a partial fix, allow `tests/scripts/doxygen.sh` to see dummy definitions of the context type. This way, we can use both `#MBEDTLS_RSA_ALT` and `#mbedtls_rsa_context` cross-references in our documentation. This is not ideal, because `doxygen.sh` isn't testing for errors in the documentation of the affected context types, but it's cheap progress. Signed-off-by: Gilles Peskine --- doxygen/mbedtls.doxyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 89048f2..b64c892 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -6,7 +6,7 @@ EXTRACT_ALL = YES EXTRACT_PRIVATE = YES EXTRACT_STATIC = YES CASE_SENSE_NAMES = NO -INPUT = ../include input +INPUT = ../include input ../tests/include/alt-dummy FILE_PATTERNS = *.h RECURSIVE = YES EXCLUDE_SYMLINKS = YES -- cgit v1.1 From 55effd9456aef0648ceacc0812164a98d4d5ce29 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2024 18:07:36 +0100 Subject: Fix the build with MBEDTLS_RSA_ALT Signed-off-by: Gilles Peskine --- library/pk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pk.c b/library/pk.c index 60891a0..1911325 100644 --- a/library/pk.c +++ b/library/pk.c @@ -449,7 +449,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, psa_set_key_type(attributes, (want_private ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY)); - psa_set_key_bits(attributes, mbedtls_mpi_bitlen(&rsa->N)); + psa_set_key_bits(attributes, mbedtls_pk_get_bitlen(pk)); psa_set_key_algorithm(attributes, psa_algorithm_for_rsa(rsa, want_crypt)); break; -- cgit v1.1 From cb05ce30e990f7e60c47b18af95cf21c8213a614 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 23 Jan 2024 19:25:10 +0000 Subject: Minor fixes to locking macros Signed-off-by: Ryan Everett --- library/psa_crypto_core.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 8b5ac26..0e9f83f 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -144,7 +144,7 @@ typedef enum { return status; \ } \ } \ - if (op == PSA_MUTEX_UNLOCK) { \ + else if (op == PSA_MUTEX_UNLOCK) { \ if (mbedtls_mutex_unlock( \ &mbedtls_threading_key_slot_mutex) != 0) { \ if (status == PSA_SUCCESS) { \ @@ -163,7 +163,7 @@ typedef enum { * Call with parameter PSA_MUTEX_LOCK to perform a lock operation. * Call with parameter PSA_MUTEX_UNLOCK to perform an unlock operation. * This will goto the exit label if the operation fails, - * setting status to PSA_SERVICE_FAILURE if status was PSA_SUCCESS. + * setting status to PSA_ERROR_SERVICE_FAILURE if status was PSA_SUCCESS. * If threading is not enabled, do nothing. * * Assumptions: @@ -184,7 +184,7 @@ typedef enum { goto exit; \ } \ } \ - if (op == PSA_MUTEX_UNLOCK) { \ + else if (op == PSA_MUTEX_UNLOCK) { \ if (mbedtls_mutex_unlock( \ &mbedtls_threading_key_slot_mutex) != 0) { \ if (status == PSA_SUCCESS) { \ -- cgit v1.1 From 00f3085163a22318b3122c640cbf2b9bc2a2f5a1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2024 20:25:34 +0100 Subject: Missing dependency for MBEDTLS_PK_ECDSA Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 55350b6..8951e72 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -829,7 +829,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DECRYPT (bad) @@ -841,7 +841,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair ENCRYPT (bad) @@ -853,7 +853,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public ENCRYPT (bad) @@ -865,7 +865,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DERIVE @@ -877,7 +877,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECDSA pair DERIVE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DERIVE (bad) @@ -889,7 +889,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public DERIVE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair SIGN_MESSAGE @@ -897,7 +897,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair SIGN_HASH @@ -905,7 +905,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE @@ -913,7 +913,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_HASH @@ -921,7 +921,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public VERIFY_MESSAGE @@ -929,7 +929,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public VERIFY_HASH @@ -937,7 +937,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public SIGN_MESSAGE (bad) @@ -945,7 +945,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public SIGN_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public SIGN_HASH (bad) @@ -953,7 +953,7 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public SIGN_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair SIGN_MESSAGE (bad) -- cgit v1.1 From 64996c3be901c62636cfa2d88e92f2c31118bef5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2024 20:25:47 +0100 Subject: Disable MBEDTLS_PSA_CRYPTO_CLIENT in no-PSA builds When building without PSA crypto functions, disable MBEDTLS_PSA_CRYPTO_CLIENT as well as MBEDTLS_PSA_CRYPTO_C. With just MBEDTLS_PSA_CRYPTO_CLIENT, PSA crypto API functions are supposed to exist at link time but be provided by a third party. Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d2..13338d4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1552,6 +1552,7 @@ component_test_full_no_cipher_no_psa_crypto () { scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C # Disable features that depend on PSA_CRYPTO_C @@ -2430,11 +2431,12 @@ component_build_dhm_alt () { make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib } -component_test_no_use_psa_crypto_full_cmake_asan() { - # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh - msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan" +component_test_no_psa_crypto_full_cmake_asan() { + # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh + msg "build: cmake, full config minus PSA crypto, ASan" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C @@ -2445,7 +2447,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() { CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)" + msg "test: main suites (full minus PSA crypto)" make test # Note: ssl-opt.sh has some test cases that depend on -- cgit v1.1 From dccfd3612dece912f4e0d7c59add685642154fae Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 17:07:59 +0100 Subject: rsa: update return values of priv/pub parse/write functions The goal is to remove usage of PK return values in order to completely eliminate that dependency. This commit also updates pkparse and test_suite_x509parse to align with this change in return values. Signed-off-by: Valerio Setti --- library/pkparse.c | 3 +-- library/rsa.c | 36 +++++++++++------------------- tests/suites/test_suite_x509parse.data | 10 ++++----- tests/suites/test_suite_x509parse.function | 1 + 4 files changed, 20 insertions(+), 30 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 2708c8c..17df101 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -1556,8 +1556,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, return ret; } mbedtls_pk_free(ctx); - if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, - MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))) { + if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { return ret; } #endif /* MBEDTLS_RSA_C */ diff --git a/library/rsa.c b/library/rsa.c index a18c4b1..4ff7afa 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -682,7 +682,7 @@ static int asn1_get_nonzero_mpi(unsigned char **p, } if (mbedtls_mpi_cmp_int(X, 0) == 0) { - return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } return 0; @@ -721,17 +721,17 @@ int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, si */ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + return ret; } end = p + len; if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + return ret; } if (version != 0) { - return MBEDTLS_ERR_PK_KEY_INVALID_VERSION; + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } /* Import N */ @@ -823,8 +823,7 @@ int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, si } if (p != end) { - ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } cleanup: @@ -832,13 +831,6 @@ cleanup: mbedtls_mpi_free(&T); if (ret != 0) { - /* Wrap error code if it's coming from a lower level */ - if ((ret & 0xff80) == 0) { - ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); - } else { - ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; - } - mbedtls_rsa_free(rsa); } @@ -859,46 +851,44 @@ int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); + return ret; } if (*p + len != end) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } /* Import N */ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); + return ret; } if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, NULL, 0, NULL, 0)) != 0) { - return MBEDTLS_ERR_PK_INVALID_PUBKEY; + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } *p += len; /* Import E */ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); + return ret; } if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, NULL, 0, *p, len)) != 0) { - return MBEDTLS_ERR_PK_INVALID_PUBKEY; + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } *p += len; if (mbedtls_rsa_complete(rsa) != 0 || mbedtls_rsa_check_pubkey(rsa) != 0) { - return MBEDTLS_ERR_PK_INVALID_PUBKEY; + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } if (*p != end) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } return 0; diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 261c220..6e20125 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1774,15 +1774,15 @@ x509parse_crt:"307d3068a0030201008204deadbeef300d06092a864886f70d01010b0500300c3 X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring length) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring tag) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400310000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400310000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv RSA modulus) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0302ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0302ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT ASN1 (TBS, inv SubPubKeyInfo, total length mismatch) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 @@ -1790,11 +1790,11 @@ x509parse_crt:"3081893074a0030201008204deadbeef300d06092a864886f70d01010b0500300 X509 CRT ASN1 (TBS, inv SubPubKeyInfo, check failed) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY +x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA X509 CRT ASN1 (TBS, inv SubPubKeyInfo, check failed, expanded length notation) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308196308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210fffffffffffffffffffffffffffffffe0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY +x509parse_crt:"308196308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210fffffffffffffffffffffffffffffffe0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA # We expect an extension parsing error here because the IssuerID is optional. # Hence, if we find an ASN.1 tag doesn't match the IssuerID, we assume the diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index c2a2f55..a54c165 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -9,6 +9,7 @@ #include "mbedtls/base64.h" #include "mbedtls/error.h" #include "mbedtls/pk.h" +#include "mbedtls/rsa.h" #include "string.h" #if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 -- cgit v1.1 From 2ddabb34d60a4e5b674db573fb68228bd81ec913 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 17:11:44 +0100 Subject: config_adjust_legacy: do not auto-enable PK when RSA is enabled in PSA Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_crypto.h | 9 --------- include/mbedtls/config_adjust_legacy_from_psa.h | 3 --- 2 files changed, 12 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 696266c..818a8c6 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -324,15 +324,6 @@ #define MBEDTLS_PSA_CRYPTO_CLIENT #endif /* MBEDTLS_PSA_CRYPTO_C */ -/* The PK wrappers need pk_write/pk_parse functions to format RSA key objects - * when they are dispatching to the PSA API. This happens under MBEDTLS_USE_PSA_CRYPTO, - * and even under just MBEDTLS_PSA_CRYPTO_C in psa_crypto_rsa.c. */ -#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C) -#define MBEDTLS_PK_C -#define MBEDTLS_PK_WRITE_C -#define MBEDTLS_PK_PARSE_C -#endif - /* Helpers to state that each key is supported either on the builtin or PSA side. */ #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521) #define MBEDTLS_ECP_HAVE_SECP521R1 diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 691fed6..e3980e9 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -671,9 +671,6 @@ #define MBEDTLS_RSA_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PK_WRITE_C -#define MBEDTLS_PK_C #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */ -- cgit v1.1 From c6d7f53adca48df0ca4e3894d09c89874cf30dc9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 17:12:35 +0100 Subject: all.sh: update common_test_psa_crypto_config_accel_ecc_some_curves() Do not disable RSA_C and related modules because now it does not automatically re-enable PK module. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d2..f0a0058 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2752,12 +2752,6 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { scripts/config.py unset MBEDTLS_PK_C scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - # We need to disable RSA too or PK will be re-enabled. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 # Disable modules that are accelerated - some will be re-enabled scripts/config.py unset MBEDTLS_ECDSA_C -- cgit v1.1 From 18dd00052e37f315f865e04861521c89e2b502bb Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Jan 2024 17:59:10 +0100 Subject: pk_wrap: use RSA module functions to write priv/pub key in RSA wrappers Signed-off-by: Valerio Setti --- library/pk_wrap.c | 36 +++++++++++------------------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index c232650..ff8eeb1 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -32,6 +32,7 @@ #if defined(MBEDTLS_RSA_C) #include "pkwrite.h" +#include "rsa_internal.h" #endif #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) @@ -69,9 +70,9 @@ static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; - mbedtls_pk_context key; int key_len; unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES]; + unsigned char *p = buf + sizeof(buf); psa_algorithm_t psa_alg_md = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg)); size_t rsa_len = mbedtls_rsa_get_len(rsa); @@ -86,11 +87,7 @@ static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, return MBEDTLS_ERR_RSA_VERIFY_FAILED; } - /* mbedtls_pk_write_pubkey_der() expects a full PK context; - * re-construct one to make it happy */ - key.pk_info = &mbedtls_rsa_info; - key.pk_ctx = rsa; - key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf)); + key_len = mbedtls_rsa_pubkey_write(rsa, buf, &p); if (key_len <= 0) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } @@ -172,14 +169,15 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; - mbedtls_pk_context key; int key_len; unsigned char *buf = NULL; + unsigned char *p; + buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES); if (buf == NULL) { return MBEDTLS_ERR_PK_ALLOC_FAILED; } - mbedtls_pk_info_t pk_info = mbedtls_rsa_info; + p = buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES; *sig_len = mbedtls_rsa_get_len(rsa_ctx); if (sig_size < *sig_len) { @@ -187,11 +185,7 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg, return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; } - /* mbedtls_pk_write_key_der() expects a full PK context; - * re-construct one to make it happy */ - key.pk_info = &pk_info; - key.pk_ctx = rsa_ctx; - key_len = mbedtls_pk_write_key_der(&key, buf, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES); + key_len = mbedtls_rsa_key_write(rsa_ctx, buf, &p); if (key_len <= 0) { mbedtls_free(buf); return MBEDTLS_ERR_PK_BAD_INPUT_DATA; @@ -282,9 +276,9 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; - mbedtls_pk_context key; int key_len; unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; + unsigned char *p = buf + sizeof(buf); ((void) f_rng); ((void) p_rng); @@ -299,11 +293,7 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - /* mbedtls_pk_write_key_der() expects a full PK context; - * re-construct one to make it happy */ - key.pk_info = &mbedtls_rsa_info; - key.pk_ctx = rsa; - key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf)); + key_len = mbedtls_rsa_key_write(rsa, buf, &p); if (key_len <= 0) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } @@ -368,9 +358,9 @@ static int rsa_encrypt_wrap(mbedtls_pk_context *pk, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; - mbedtls_pk_context key; int key_len; unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES]; + unsigned char *p = buf + sizeof(buf); ((void) f_rng); ((void) p_rng); @@ -385,11 +375,7 @@ static int rsa_encrypt_wrap(mbedtls_pk_context *pk, return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; } - /* mbedtls_pk_write_pubkey_der() expects a full PK context; - * re-construct one to make it happy */ - key.pk_info = &mbedtls_rsa_info; - key.pk_ctx = rsa; - key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf)); + key_len = mbedtls_rsa_pubkey_write(rsa, buf, &p); if (key_len <= 0) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } -- cgit v1.1 From a5f36fcaae40c0b2b3723781cbde77095b485284 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 10:49:02 +0100 Subject: rsa: write documentation of new functions for parse/writing RSA priv/pub keys Signed-off-by: Valerio Setti --- library/rsa.c | 16 +++++------ library/rsa_internal.h | 73 ++++++++++++++++++++++++++++++++++++-------------- 2 files changed, 60 insertions(+), 29 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 4ff7afa..e0c38c3 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -688,9 +688,6 @@ static int asn1_get_nonzero_mpi(unsigned char **p, return 0; } -/* - * Parse a PKCS#1 encoded private RSA key - */ int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) { int ret, version; @@ -837,18 +834,19 @@ cleanup: return ret; } -/* - * RSAPublicKey ::= SEQUENCE { - * modulus INTEGER, -- n - * publicExponent INTEGER -- e - * } - */ int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, const unsigned char *end) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len; + /* + * RSAPublicKey ::= SEQUENCE { + * modulus INTEGER, -- n + * publicExponent INTEGER -- e + * } + */ + if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { return ret; diff --git a/library/rsa_internal.h b/library/rsa_internal.h index dee787f..62972c6 100644 --- a/library/rsa_internal.h +++ b/library/rsa_internal.h @@ -17,44 +17,77 @@ #include "mbedtls/rsa.h" /** - * \brief + * \brief Parse a PKCS#1 (ASN.1) encoded private RSA key. * - * \param rsa - * \param key - * \param keylen - * \return int + * \param rsa The RSA context where parsed data will be stored. + * \param key The buffer that contains the key. + * \param keylen The length of the key buffer in bytes. + * + * \return 0 in success + * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors. + * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA in case of invalid version. */ int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen); /** - * \brief + * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key. + * + * \param rsa The RSA context where parsed data will be stored. + * \param p Beginning of the buffer containing the key to be parsed. + * On successful return, the referenced pointer will be + * updated in order to point to the end of the parsed data. + * \param end End of the buffer containing the key to be parsed. * - * \param rsa - * \param p - * \param end - * \return int + * \return 0 on success. + * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors. + * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA in case of importing or + * priv/pub validation errors. */ int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, const unsigned char *end); /** - * \brief + * \brief Write a PKCS#1 (ASN.1) encoded private RSA key. + * + * \param rsa The RSA context which contains the data to be written. + * \param start Beginning of the buffer that will be filled with the + * private key. + * \param p End of the buffer that will be filled with the private key. + * On successful return, the referenced pointer will be + * updated in order to point to the beginning of written data. * - * \param p - * \param start - * \param rsa - * \return int + * \return On success, the number of bytes written to the output buffer + * (i.e. a value > 0). + * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA is the RSA context does not + * cointain valid. + * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the + * output buffer. + * + * \note The output buffer is filled backward, i.e. starting from its + * end and moving toward its start. */ int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, unsigned char **p); /** - * \brief + * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key. + * + * \param rsa The RSA context which contains the data to be written. + * \param start Beginning of the buffer that will be filled with the + * private key. + * \param p End of the buffer that will be filled with the private key. + * On successful return, the referenced pointer will be + * updated in order to point to the beginning of written data. + * + * \return On success, the number of bytes written to the output buffer + * (i.e. a value > 0). + * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA is the RSA context does not + * cointain valid. + * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the + * output buffer. * - * \param p - * \param start - * \param rsa - * \return int + * \note The output buffer is filled backward, i.e. starting from its + * end and moving toward its start. */ int mbedtls_rsa_pubkey_write(const mbedtls_rsa_context *rsa, unsigned char *start, unsigned char **p); -- cgit v1.1 From 99ff1f505b706006c75c3d2047e7b19ed5f6ac81 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Wed, 24 Jan 2024 20:44:01 +0800 Subject: Add test cases on GCM AD, input, IV length Signed-off-by: Chien Wong --- tests/suites/test_suite_gcm.function | 107 ++++++++++++++++++++++++++++++++++ tests/suites/test_suite_gcm.misc.data | 12 ++++ 2 files changed, 119 insertions(+) diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 599c926..07a6e45 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -153,6 +153,20 @@ exit: mbedtls_free(output); } +static void gcm_reset_ctx(mbedtls_gcm_context *ctx, const uint8_t *key, + size_t key_bits, const uint8_t *iv, size_t iv_len, + int starts_ret) +{ + int mode = MBEDTLS_GCM_ENCRYPT; + mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES; + + mbedtls_gcm_init(ctx); + TEST_EQUAL(mbedtls_gcm_setkey(ctx, valid_cipher, key, key_bits), 0); + TEST_EQUAL(starts_ret, mbedtls_gcm_starts(ctx, mode, iv, iv_len)); +exit: + /* empty */ +} + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -478,6 +492,99 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void gcm_invalid_iv_len(void) +{ + mbedtls_gcm_context ctx; + uint8_t b16[16] = { 0 }; + + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT); + mbedtls_gcm_free(&ctx); + +#if SIZE_MAX >= UINT64_MAX + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 1ULL << 61, MBEDTLS_ERR_GCM_BAD_INPUT); + mbedtls_gcm_free(&ctx); +#endif + + goto exit; /* To suppress error that exit is defined but not used */ +exit: + /* empty */ +} +/* END_CASE */ + +/* BEGIN_CASE */ +/* + * Test if GCM rejects total ad_len >= 2^61 bytes. + * Also test if GCM handles potential total ad_len overflow properly. + + * Only testable on platforms where sizeof(size_t) >= 8. + */ +void gcm_add_len_too_long(void) +{ +#if SIZE_MAX >= UINT64_MAX + mbedtls_gcm_context ctx; + uint8_t b16[16] = { 0 }; + + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1ULL << 61), + MBEDTLS_ERR_GCM_BAD_INPUT); + mbedtls_gcm_free(&ctx); + + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0); + TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, (1ULL << 61) - 1), + MBEDTLS_ERR_GCM_BAD_INPUT); + mbedtls_gcm_free(&ctx); + + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0); + TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, UINT64_MAX), MBEDTLS_ERR_GCM_BAD_INPUT); + +exit: + mbedtls_gcm_free(&ctx); +#endif +} +/* END_CASE */ + +/* BEGIN_CASE */ +/* + * Test if GCM rejects total input length > 2^36 - 32 bytes. + * Also test if GCM handles potential total input length overflow properly. + + * Only testable on platforms where sizeof(size_t) >= 8. + */ +void gcm_input_len_too_long(void) +{ +#if SIZE_MAX >= UINT64_MAX + mbedtls_gcm_context ctx; + uint8_t b16[16] = { 0 }; + size_t out_len; + uint64_t len_max = (1ULL << 36) - 32; + + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, b16, len_max + 1, + &out_len), + MBEDTLS_ERR_GCM_BAD_INPUT); + mbedtls_gcm_free(&ctx); + + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, b16, 1, &out_len), 0); + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, b16, len_max, &out_len), + MBEDTLS_ERR_GCM_BAD_INPUT); + mbedtls_gcm_free(&ctx); + + gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, b16, 1, &out_len), 0); + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, b16, UINT64_MAX, + &out_len), + MBEDTLS_ERR_GCM_BAD_INPUT); + +exit: + mbedtls_gcm_free(&ctx); +#endif +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */ void gcm_selftest() { diff --git a/tests/suites/test_suite_gcm.misc.data b/tests/suites/test_suite_gcm.misc.data index f22b7a3..57f05ca 100644 --- a/tests/suites/test_suite_gcm.misc.data +++ b/tests/suites/test_suite_gcm.misc.data @@ -1,2 +1,14 @@ GCM - Invalid parameters gcm_invalid_param: + +GCM - Invalid IV length +depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +gcm_invalid_iv_len: + +GCM - Additional data length too long +depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +gcm_add_len_too_long: + +GCM - Input length too long +depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +gcm_input_len_too_long: -- cgit v1.1 From cd89b0b536741f6ad91e2884988abba47be88554 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 14:24:55 +0100 Subject: all.sh: disable legacy hash support in test_psa_crypto_config_accel_hmac() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 15 +++++++++++---- tests/scripts/analyze_outcomes.py | 3 +++ 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 63f6129..e2b44d8 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3661,6 +3661,17 @@ config_psa_crypto_hmac_use_psa () { # start with config full for maximum coverage (also enables USE_PSA) helper_libtestdriver1_adjust_config "full" + if [ "$driver_only" -eq 1 ]; then + # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT + # is still enabled though (for ENTROPY_C among others). + scripts/config.py unset MBEDTLS_MD_C + # Disable also the builtin hashes since they are supported by the driver + # and MD module is able to perform PSA dispathing. + scripts/config.py unset-all MBEDTLS_SHA + scripts/config.py unset MBEDTLS_MD5_C + scripts/config.py unset MBEDTLS_RIPEMD160_C + fi + # Direct dependencies of MD_C. We disable them also in the reference # component to work with the same set of features. scripts/config.py unset MBEDTLS_PKCS7_C @@ -3685,10 +3696,6 @@ component_test_psa_crypto_config_accel_hmac() { config_psa_crypto_hmac_use_psa 1 - # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT - # is still enabled though. - scripts/config.py unset MBEDTLS_MD_C - # Build # ----- diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 9d441c7..b6e26d4 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -246,6 +246,9 @@ KNOWN_TASKS = { 'component_ref': 'test_psa_crypto_config_reference_hmac', 'component_driver': 'test_psa_crypto_config_accel_hmac', 'ignored_suites': [ + # These suites require legacy hash support, which is disabled + # in the accelerate component. + 'shax', 'mdx', # This suite tests builtins directly, but these are missing # in the accelerated case. 'psa_crypto_low_hash.generated', -- cgit v1.1 From 3877d4858b666b6596743a8fcfdb7b1c6ea54ec5 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 24 Jan 2024 13:26:26 +0000 Subject: Refactor macros Signed-off-by: Ryan Everett --- library/psa_crypto_core.h | 99 ++++++++++++++--------------------------------- 1 file changed, 29 insertions(+), 70 deletions(-) diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 0e9f83f..dc376d7 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -114,88 +114,47 @@ typedef struct { } key; } psa_key_slot_t; -typedef enum { - PSA_MUTEX_LOCK = 0, - PSA_MUTEX_UNLOCK, -} psa_mutex_operation_t; - -/** If threading is enabled: perform a lock or unlock operation on the - * key slot mutex. - * Call with parameter PSA_MUTEX_LOCK to perform a lock operation. - * Call with parameter PSA_MUTEX_UNLOCK to perform an unlock operation. +#if defined(MBEDTLS_THREADING_C) + +/** Perform a mutex operation and return immediately upon failure. + * * Returns PSA_ERROR_SERVICE_FAILURE if the operation fails * and status was PSA_SUCCESS. - * If threading is not enabled, do nothing. * * Assumptions: * psa_status_t status exists. - * op is PSA_MUTEX_LOCK or PSA_MUTEX_UNLOCK. - */ -#if defined(MBEDTLS_THREADING_C) -#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_RETURN(op) \ - do \ - { \ - if (op == PSA_MUTEX_LOCK) { \ - if (mbedtls_mutex_lock( \ - &mbedtls_threading_key_slot_mutex) != 0) { \ - if (status == PSA_SUCCESS) { \ - return PSA_ERROR_SERVICE_FAILURE; \ - } \ - return status; \ - } \ - } \ - else if (op == PSA_MUTEX_UNLOCK) { \ - if (mbedtls_mutex_unlock( \ - &mbedtls_threading_key_slot_mutex) != 0) { \ - if (status == PSA_SUCCESS) { \ - return PSA_ERROR_SERVICE_FAILURE; \ - } \ - return status; \ - } \ - } \ + * f is a mutex operation which returns 0 upon success. + */ +#define PSA_THREADING_CHK_RET(f) \ + do \ + { \ + if ((f) != 0) { \ + if (status == PSA_SUCCESS) { \ + return PSA_ERROR_SERVICE_FAILURE; \ + } \ + return status; \ + } \ } while (0); -#else -#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_RETURN(op) do { } while (0) -#endif -/** If threading is enabled: perform a lock or unlock operation on the - * key slot mutex. - * Call with parameter PSA_MUTEX_LOCK to perform a lock operation. - * Call with parameter PSA_MUTEX_UNLOCK to perform an unlock operation. - * This will goto the exit label if the operation fails, - * setting status to PSA_ERROR_SERVICE_FAILURE if status was PSA_SUCCESS. - * If threading is not enabled, do nothing. +/** Perform a mutex operation and goto exit on failure. + * + * Sets status to PSA_ERROR_SERVICE_FAILURE if status was PSA_SUCCESS. * * Assumptions: * psa_status_t status exists. * Label exit: exists. - * op is PSA_MUTEX_LOCK or PSA_MUTEX_UNLOCK. - */ -#if defined(MBEDTLS_THREADING_C) -#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_GOTO_EXIT(op) \ - do \ - { \ - if (op == PSA_MUTEX_LOCK) { \ - if (mbedtls_mutex_lock( \ - &mbedtls_threading_key_slot_mutex) != 0) { \ - if (status == PSA_SUCCESS) { \ - status = PSA_ERROR_SERVICE_FAILURE; \ - } \ - goto exit; \ - } \ - } \ - else if (op == PSA_MUTEX_UNLOCK) { \ - if (mbedtls_mutex_unlock( \ - &mbedtls_threading_key_slot_mutex) != 0) { \ - if (status == PSA_SUCCESS) { \ - status = PSA_ERROR_SERVICE_FAILURE; \ - } \ - goto exit; \ - } \ - } \ + * f is a mutex operation which returns 0 upon success. + */ +#define PSA_THREADING_CHK_GOTO_EXIT(f) \ + do \ + { \ + if ((f) != 0) { \ + if (status == PSA_SUCCESS) { \ + status = PSA_ERROR_SERVICE_FAILURE; \ + } \ + goto exit; \ + } \ } while (0); -#else -#define PSA_KEY_SLOT_MUTEX_LOCKFUNC_GOTO_EXIT(op) do { } while (0) #endif /* A mask of key attribute flags used only internally. -- cgit v1.1 From 667cad5b81a448c08daaebee6a96ce1bad833ee5 Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Wed, 24 Jan 2024 13:34:46 +0000 Subject: Put the id field at the end of the psa_key_attributes_s structure Putting the id at the of the psa_key_attributes_s structure allows for a more efficient marshalling of the parameters around a transport channel which provides separation between a client view and a service view of the key parameters. Signed-off-by: Antonio de Angelis --- include/psa/crypto_struct.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 3a19618..606d282 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -239,18 +239,17 @@ typedef struct { psa_key_type_t MBEDTLS_PRIVATE(type); psa_key_bits_t MBEDTLS_PRIVATE(bits); psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime); - mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); psa_key_policy_t MBEDTLS_PRIVATE(policy); psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags); + mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); } psa_core_key_attributes_t; #define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0, \ PSA_KEY_LIFETIME_VOLATILE, \ - MBEDTLS_SVC_KEY_ID_INIT, \ - PSA_KEY_POLICY_INIT, 0 } + PSA_KEY_POLICY_INIT, 0, \ + MBEDTLS_SVC_KEY_ID_INIT } struct psa_key_attributes_s { - psa_core_key_attributes_t MBEDTLS_PRIVATE(core); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ @@ -268,12 +267,13 @@ struct psa_key_attributes_s { */ void *MBEDTLS_PRIVATE(domain_parameters); size_t MBEDTLS_PRIVATE(domain_parameters_size); + psa_core_key_attributes_t MBEDTLS_PRIVATE(core); }; #if defined(MBEDTLS_PSA_CRYPTO_SE_C) -#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0 } +#define PSA_KEY_ATTRIBUTES_INIT { 0, NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT } #else -#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0 } +#define PSA_KEY_ATTRIBUTES_INIT { NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT } #endif static inline struct psa_key_attributes_s psa_key_attributes_init(void) -- cgit v1.1 From 9f521056bc39533621f3f6b1a1986675035942b7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 15:44:24 +0100 Subject: driver-only-builds: add documentation for HMAC acceleration Signed-off-by: Valerio Setti --- docs/driver-only-builds.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index f59420e..e4c30bd 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -105,7 +105,26 @@ provided by a driver or built-in, you should use the following macros: - for code that uses only the PSA Crypto API: `PSA_WANT_ALG_xxx` from `psa/crypto.h`; - for code that uses non-PSA crypto APIs: `MBEDTLS_MD_CAN_xxx` from - `mbedtls/md.h`. + `mbedtls/config_adjust_legacy_crypto.h`. + +### HMAC + +In addition to accelerated hash operations, it is also possible to accelerate +HMAC by enabling and accelerating: +- HMAC algorithm and key type, i.e. `[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_HMAC` and + `[PSA_WANT|MBEDTLS_PSA_ACCEL]KEY_TYPE_HMAC`. +- Required hash algorithm(s) as explained in [Hashes](#hashes) section. + +In such a build it is possible to disable legacy HMAC support by disabling +`MBEDTLS_MD_C` and still getting crypto operations, X.509 and TLS to work as +usual. Exceptions are: +- [Hashes](#hashes) are obviously valid here for the accelerated algorithms. +- Legacy HMAC support (`mbedtls_md_hmac_xxx()`) won't be possible. +- `MBEDTLS_PKCS[5|7]_C`, `MBEDTLS_HMAC_DRBG_C` and `MBEDTLS_HKDF_C` since they + depend on the legacy implementation of HMAC. + - disabling HMAC_DRBG_C cause deterministic ECDSA (i.e. + `MBEDTLS_DETERMINISTIC_ECDSA` on the legacy side and + `PSA_WANT_ALG_DETERMINISTIC_ECDSA` on the PSA one) to be not available. Elliptic-curve cryptography (ECC) --------------------------------- -- cgit v1.1 From b0498ef9955d378392701c5b14c83e47c644b9bc Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 15:55:33 +0100 Subject: adjust_legacy_from_psa: use intermediate symbol to enable builtin support Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_from_psa.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 3d2293d..9e6163f 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -443,40 +443,40 @@ #if defined(PSA_WANT_DH_RFC7919_2048) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1 -#define MBEDTLS_DHM_C +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */ #endif /* PSA_WANT_DH_RFC7919_2048 */ #if defined(PSA_WANT_DH_RFC7919_3072) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1 -#define MBEDTLS_DHM_C +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */ #endif /* PSA_WANT_DH_RFC7919_3072 */ #if defined(PSA_WANT_DH_RFC7919_4096) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1 -#define MBEDTLS_DHM_C +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */ #endif /* PSA_WANT_DH_RFC7919_4096 */ #if defined(PSA_WANT_DH_RFC7919_6144) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1 -#define MBEDTLS_DHM_C +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */ #endif /* PSA_WANT_DH_RFC7919_6144 */ #if defined(PSA_WANT_DH_RFC7919_8192) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1 -#define MBEDTLS_DHM_C +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */ #endif /* PSA_WANT_DH_RFC7919_8192 */ #if defined(PSA_WANT_ALG_FFDH) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS) #define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1 #define MBEDTLS_BIGNUM_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */ -- cgit v1.1 From 724a2abf0105a2d623a15bf9e59400517dd35e99 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 15:57:12 +0100 Subject: test_suite_psa_crypto: fix typo in description Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index b1bc678..a8c38db 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -546,7 +546,7 @@ PSA import/export FFDH RFC7919 8192 public key: good depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192 import_export:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:8192:0:PSA_SUCCESS:1 -PSA import/export FFDH RFC7919 2048 key pair: export not permitterd +PSA import/export FFDH RFC7919 2048 key pair: export not permitted depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048 import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_NOT_PERMITTED:1 -- cgit v1.1 From 75501f5ede68cbcc9651ed17c5eaee2bf31d6a00 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 8 Jan 2024 16:49:17 +0100 Subject: psa_util: add raw<->DER ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 36 ++++++++ library/psa_util.c | 205 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 241 insertions(+) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 47724c6..912179b 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -176,6 +176,42 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK); } +#if defined(MBEDTLS_ASN1_WRITE_C) +/** Convert an ECDSA signature from raw format to DER ASN.1 one. + * + * \param raw Buffer that contains the signature in raw format. + * \param raw_len Length of raw buffer in bytes + * \param[out] der Buffer that will be filled with the converted DER + * output. It can overlap with raw buffer. + * \param der_size Size of the output der buffer in bytes. + * \param[out] der_len On success it contains the amount of valid data + * (in bytes) written to der buffer. It's undefined + * in case of failure. + * \param bits Size of each raw coordinate in bits. + */ +int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len, + size_t bits); +#endif /* MBEDTLS_ASN1_WRITE_C */ + +#if defined(MBEDTLS_ASN1_PARSE_C) +/** Convert an ECDSA signature from DER ASN.1 format to raw. + * + * \param der Buffer that contains the signature in DER format. + * \param der_len Size of the der buffer in bytes. + * \param[out] raw Buffer that will be filled with the converted raw + * signature. It can overlap with der buffer. + * \param raw_size Size of the raw buffer in bytes. + * \param[out] raw_len On success it is updated with the amount of valid + * data (in bytes) written to raw buffer. It's undefined + * in case of failure. + * \param bits Size of each raw coordinate in bits. + */ +int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len, + size_t bits); +#endif /* MBEDTLS_ASN1_PARSE_C */ + /**@}*/ #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_util.c b/library/psa_util.c index 41586e2..2c35db0 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -40,6 +40,10 @@ #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA) #include #endif +#if defined(MBEDTLS_ASN1_WRITE_C) +#include +#include +#endif /* PSA_SUCCESS is kept at the top of each error table since * it's the most common status when everything functions properly. */ @@ -330,4 +334,205 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, } #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ +#if defined(MBEDTLS_ASN1_WRITE_C) +/* + * Convert a single raw coordinate to DER ASN.1 format. + * Note: this function is similar to mbedtls_asn1_write_mpi(), but it doesn't + * depend on BIGNUM_C. + * Note: this function fills der_buf backward. + */ +static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t raw_len, + unsigned char *der_buf_start, + unsigned char *der_buf_end) +{ + unsigned char *p = der_buf_end; + int len = raw_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + /* Copy the raw coordinate to the end of der_buf. */ + if ((p - der_buf_start) < len) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + p -= len; + memcpy(p, raw_buf, len); + + /* ASN.1 DER encoding requires minimal length, so skip leading 0s. + * Provided input MPIs should not be 0, but as a failsafe measure, still + * detect that and return error in case. */ + while (*p == 0x00) { + ++p; + --len; + if (len == 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + } + + /* If MSb is 1, ASN.1 requires that we prepend a 0. */ + if (*p & 0x80) { + if ((p - der_buf_start) < 1) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + --p; + *p = 0x00; + ++len; + } + + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der_buf_start, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der_buf_start, MBEDTLS_ASN1_INTEGER)); + + return len; +} + +int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len, + size_t bits) +{ + unsigned char r[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; + unsigned char s[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; + const size_t coordinate_len = PSA_BITS_TO_BYTES(bits); + size_t len = 0; + unsigned char *p = der + der_size; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if (raw_len < 2 * coordinate_len) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + + /* Since raw and der buffers might overlap, dump r and s before starting + * the conversion. */ + memset(r, 0, sizeof(r)); + memcpy(r, raw, coordinate_len); + memset(s, 0, sizeof(s)); + memcpy(s, raw + coordinate_len, coordinate_len); + + /* der buffer will initially be written starting from its end so we pick s + * first and then r. */ + ret = convert_raw_to_der_single_int(s, coordinate_len, der, p); + if (ret < 0) { + return ret; + } + p -= ret; + len += ret; + + ret = convert_raw_to_der_single_int(r, coordinate_len, der, p); + if (ret < 0) { + return ret; + } + p -= ret; + len += ret; + + /* Add ASN.1 header (len + tag). */ + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + + /* memmove the content of der buffer to its beginnig. */ + memmove(der, p, len); + *der_len = len; + + return 0; +} +#endif /* MBEDTLS_ASN1_WRITE_C */ + +#if defined(MBEDTLS_ASN1_PARSE_C) +/* + * Convert a single integer from ASN.1 DER format to raw. + * Note: der and raw buffers are not overlapping here. + */ +static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_len, + size_t coordinate_size) +{ + unsigned char *p = der; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t unpadded_len, padding_len = 0; + + /* Get the length of ASN.1 element (i.e. the integer we need to parse). */ + ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len, + MBEDTLS_ASN1_INTEGER); + if (ret != 0) { + return ret; + } + + /* Skip leading zeros */ + while (*p == 0x00) { + p++; + unpadded_len--; + /* It should never happen that the input number is all zeros. */ + if (unpadded_len == 0) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + } + + if (raw_len < coordinate_size) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + if (unpadded_len < coordinate_size) { + padding_len = coordinate_size - unpadded_len; + memset(raw, 0x00, padding_len); + } + memcpy(raw + padding_len, p, unpadded_len); + p += unpadded_len; + + return (int) (p - der); +} + +int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len, + size_t bits) +{ + unsigned char raw_tmp[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE]; + unsigned char *p = (unsigned char *) der; + size_t data_len; + size_t coordinate_size = PSA_BITS_TO_BYTES(bits); + int ret; + + /* The output raw buffer should be at least twice the size of a raw + * coordinate in order to store r and s. */ + if (raw_size < coordinate_size * 2) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + + /* Check that the provided input DER buffer has the right header. */ + ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + if (ret != 0) { + return ret; + } + + memset(raw_tmp, 0, sizeof(raw_tmp)); + + /* Extract r */ + ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, sizeof(raw_tmp), + coordinate_size); + if (ret < 0) { + return ret; + } + p += ret; + data_len -= ret; + + /* Extract s */ + ret = convert_der_to_raw_single_int(p, data_len, raw_tmp + coordinate_size, + sizeof(raw_tmp) - coordinate_size, + coordinate_size); + if (ret < 0) { + return ret; + } + p += ret; + data_len -= ret; + + /* Check that we consumed all the input der data. */ + if ((p - der) != (int) der_len) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + memcpy(raw, raw_tmp, 2 * coordinate_size); + *raw_len = 2 * coordinate_size; + + return 0; +} +#endif /* MBEDTLS_ASN1_PARSE_C */ + #endif /* MBEDTLS_PSA_CRYPTO_C */ -- cgit v1.1 From bd5b9c61fec431c305416cf851d2ac31ac69df6d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 8 Jan 2024 16:49:48 +0100 Subject: pk_wrap: use PSA util functions for ECDSA conversion instead of PK ones Signed-off-by: Valerio Setti --- library/pk_wrap.c | 175 +++++++----------------------------------------------- 1 file changed, 21 insertions(+), 154 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index c232650..9a29d92 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -29,6 +29,7 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa_util_internal.h" #include "psa/crypto.h" +#include "mbedtls/psa_util.h" #if defined(MBEDTLS_RSA_C) #include "pkwrite.h" @@ -536,66 +537,6 @@ static size_t eckey_get_bitlen(mbedtls_pk_context *pk) #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) #if defined(MBEDTLS_USE_PSA_CRYPTO) -/* - * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of - * those integers and convert it to the fixed-length encoding expected by PSA. - */ -static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end, - unsigned char *to, size_t to_len) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t unpadded_len, padding_len; - - if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len, - MBEDTLS_ASN1_INTEGER)) != 0) { - return ret; - } - - while (unpadded_len > 0 && **from == 0x00) { - (*from)++; - unpadded_len--; - } - - if (unpadded_len > to_len || unpadded_len == 0) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - } - - padding_len = to_len - unpadded_len; - memset(to, 0x00, padding_len); - memcpy(to + padding_len, *from, unpadded_len); - (*from) += unpadded_len; - - return 0; -} - -/* - * Convert a signature from an ASN.1 sequence of two integers - * to a raw {r,s} buffer. Note: the provided sig buffer must be at least - * twice as big as int_size. - */ -static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end, - unsigned char *sig, size_t int_size) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t tmp_size; - - if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return ret; - } - - /* Extract r */ - if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0) { - return ret; - } - /* Extract s */ - if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0) { - return ret; - } - - return 0; -} - /* Common helper for ECDSA verify using PSA functions. */ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, psa_ecc_family_t curve, size_t curve_bits, @@ -607,6 +548,7 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY; size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits); + size_t converted_sig_len; unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE]; unsigned char *p; psa_status_t status; @@ -631,11 +573,15 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, } p = (unsigned char *) sig; - /* extract_ecdsa_sig's last parameter is the size - * of each integer to be parsed, so it's actually half - * the size of the signature. */ - if ((ret = extract_ecdsa_sig(&p, sig + sig_len, extracted_sig, - signature_len/2)) != 0) { + ret = mbedtls_ecdsa_der_to_raw(p, sig_len, extracted_sig, + sizeof(extracted_sig), &converted_sig_len, + curve_bits); + if (ret != 0) { + goto cleanup; + } + + if (converted_sig_len != signature_len) { + ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; goto cleanup; } @@ -646,10 +592,6 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, goto cleanup; } - if (p != sig + sig_len) { - ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; - goto cleanup; - } ret = 0; cleanup: @@ -751,90 +693,6 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) #if defined(MBEDTLS_USE_PSA_CRYPTO) -/* - * Simultaneously convert and move raw MPI from the beginning of a buffer - * to an ASN.1 MPI at the end of the buffer. - * See also mbedtls_asn1_write_mpi(). - * - * p: pointer to the end of the output buffer - * start: start of the output buffer, and also of the mpi to write at the end - * n_len: length of the mpi to read from start - */ -static int asn1_write_mpibuf(unsigned char **p, unsigned char *start, - size_t n_len) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - - if ((size_t) (*p - start) < n_len) { - return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; - } - - len = n_len; - *p -= len; - memmove(*p, start, len); - - /* ASN.1 DER encoding requires minimal length, so skip leading 0s. - * Neither r nor s should be 0, but as a failsafe measure, still detect - * that rather than overflowing the buffer in case of a PSA error. */ - while (len > 0 && **p == 0x00) { - ++(*p); - --len; - } - - /* this is only reached if the signature was invalid */ - if (len == 0) { - return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; - } - - /* if the msb is 1, ASN.1 requires that we prepend a 0. - * Neither r nor s can be 0, so we can assume len > 0 at all times. */ - if (**p & 0x80) { - if (*p - start < 1) { - return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; - } - - *--(*p) = 0x00; - len += 1; - } - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, - MBEDTLS_ASN1_INTEGER)); - - return (int) len; -} - -/* Transcode signature from PSA format to ASN.1 sequence. - * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of - * MPIs, and in-place. - * - * [in/out] sig: the signature pre- and post-transcoding - * [in/out] sig_len: signature length pre- and post-transcoding - * [int] buf_len: the available size the in/out buffer - */ -static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len, - size_t buf_len) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - const size_t rs_len = *sig_len / 2; - unsigned char *p = sig + buf_len; - - MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len)); - MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len)); - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); - - memmove(sig, p, len); - *sig_len = len; - - return 0; -} - /* Common helper for ECDSA sign using PSA functions. * Instead of extracting key's properties in order to check which kind of ECDSA * signature it supports, we try both deterministic and non-deterministic. @@ -845,6 +703,15 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + size_t key_bits = 0; + + status = psa_get_key_attributes(key_id, &key_attr); + if (status != PSA_SUCCESS) { + return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); + } + key_bits = psa_get_key_bits(&key_attr); + psa_reset_key_attributes(&key_attr); status = psa_sign_hash(key_id, PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)), @@ -863,7 +730,7 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, } done: - ret = pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size); + ret = mbedtls_ecdsa_raw_to_der(sig, sig_size, sig, sig_size, sig_len, key_bits); return ret; } -- cgit v1.1 From aed21640bdc3a6a4c3ddbbfe7bbb24e60544ee8d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 8 Jan 2024 16:50:30 +0100 Subject: test_suite_psa_crypto_util: add test function and data for ECDSA conversion functions Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 71 ++++++++++++++++++++++++ tests/suites/test_suite_psa_crypto_util.function | 44 +++++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 tests/suites/test_suite_psa_crypto_util.data create mode 100644 tests/suites/test_suite_psa_crypto_util.function diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data new file mode 100644 index 0000000..ce942c8 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -0,0 +1,71 @@ +ECDSA Raw -> DER, 192bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 + +ECDSA Raw -> DER, 192bit, Raw data too short +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 192bit, DER buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30340218010101010101010101010101010101010101010101010101":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA Raw -> DER, 192bit, Null r +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"000000000000000000000000000000000000000000000000020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 192bit, Null s +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101000000000000000000000000000000000000000000000000":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 192bit, r with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"810101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30350219008101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 + +ECDSA Raw -> DER, 192bit, s with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101820202020202020202020202020202020202020202020202":"30350218010101010101010101010101010101010101010101010101021900820202020202020202020202020202020202020202020202":0 + +ECDSA DER -> Raw, 192bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":0 + +ECDSA DER -> Raw, 192bit, Raw buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA DER -> Raw, 192bit, Wrong sequence tag +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"403402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Invalid sequence length +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"30FF02180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_LENGTH + +ECDSA DER -> Raw, 192bit, Wrong integer tag +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303401180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Wrong r integer length (too small) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402170101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Wrong r integer length (too large) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402190101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Wrong s integer length (too small) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010217020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +ECDSA DER -> Raw, 192bit, Wrong s integer length (too large) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010219020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_OUT_OF_DATA + +ECDSA Raw -> DER, 256bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":0 + +ECDSA DER -> Raw, 256bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":0 diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function new file mode 100644 index 0000000..2a99073 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -0,0 +1,44 @@ +/* BEGIN_HEADER */ +#include +#include +#include +#include + +enum { + ECDSA_RAW_TO_DER = 0, + ECDSA_DER_TO_RAW, +}; +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_result, int exp_ret) +{ + unsigned char *tmp_buf = NULL; + size_t tmp_buf_len = exp_result->len; + size_t ret_len; + + TEST_CALLOC(tmp_buf, tmp_buf_len); + + if (direction == ECDSA_RAW_TO_DER) { + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); + } else { + TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); + } + + if (exp_ret == 0) { + ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); + } + +exit: + mbedtls_free(tmp_buf); +} +/* END_CASE */ -- cgit v1.1 From 84890c9be29e58bc3b7b9d3ed187bc64fa56e450 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 9 Jan 2024 14:20:23 +0100 Subject: psa_util: improve description for ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 6 ++++-- library/psa_util.c | 51 ++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 46 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 912179b..ea0d5bb 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -177,7 +177,8 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa } #if defined(MBEDTLS_ASN1_WRITE_C) -/** Convert an ECDSA signature from raw format to DER ASN.1 one. +/** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 + * format (used by legacy crypto APIs). * * \param raw Buffer that contains the signature in raw format. * \param raw_len Length of raw buffer in bytes @@ -195,7 +196,8 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, #endif /* MBEDTLS_ASN1_WRITE_C */ #if defined(MBEDTLS_ASN1_PARSE_C) -/** Convert an ECDSA signature from DER ASN.1 format to raw. +/** Convert an ECDSA signature from DER ASN.1 format (used by legacy crypto + * APIs) to raw format (used by PSA APIs). * * \param der Buffer that contains the signature in DER format. * \param der_len Size of the der buffer in bytes. diff --git a/library/psa_util.c b/library/psa_util.c index 2c35db0..e16971b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -335,11 +335,25 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ #if defined(MBEDTLS_ASN1_WRITE_C) -/* - * Convert a single raw coordinate to DER ASN.1 format. - * Note: this function is similar to mbedtls_asn1_write_mpi(), but it doesn't - * depend on BIGNUM_C. - * Note: this function fills der_buf backward. +/** + * \brief Convert a single raw coordinate to DER ASN.1 format. The output der + * buffer is filled backward (i.e. starting from its end). + * + * \param raw_buf Buffer containing the raw coordinate to be + * converted. + * \param raw_len Length of raw_buf in bytes. + * \param der_buf_start Pointer to the beginning of the buffer which + * will be filled with the DER converted data. + * \param der_buf_end End of the buffer used to store the DER output. + * + * \return On success, the amount of data (in bytes) written to + * the DER buffer. + * \return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if the provided der + * buffer is too small to contain all the converted data. + * \return MBEDTLS_ERR_ASN1_INVALID_DATA if the input raw + * coordinate is null (i.e. all zeros). + * + * \warning Raw and der buffer must not be overlapping. */ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t raw_len, unsigned char *der_buf_start, @@ -436,9 +450,28 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, #endif /* MBEDTLS_ASN1_WRITE_C */ #if defined(MBEDTLS_ASN1_PARSE_C) -/* - * Convert a single integer from ASN.1 DER format to raw. - * Note: der and raw buffers are not overlapping here. +/** + * \brief Convert a single integer from ASN.1 DER format to raw. + * + * \param der Buffer containing the DER integer value to be + * converted. + * \param der_len Length of the der buffer in bytes. + * \param raw Output buffer that will be filled with the + * converted data. This should be at least + * coordinate_size bytes. + * \param raw_len Size (in bytes) of the output raw buffer. + * \param coordinate_size Size (in bytes) of a single coordinate in raw + * format. + * + * \return On success, the amount of DER data parsed from the + * provided der buffer. + * \return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the integer tag + * is missing in the der buffer. + * \return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the integer + * is null (i.e. all zeros) or if the output raw buffer + * is too small to contain the converted raw value. + * + * \warning Der and raw buffers must not be overlapping. */ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_len, @@ -466,7 +499,7 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } if (raw_len < coordinate_size) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return ERR_ASN1_BUF_TOO_SMALL; } if (unpadded_len < coordinate_size) { -- cgit v1.1 From 5713c8a5ac38990dc3747dc10b50a3b54a35a0c6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 9 Jan 2024 15:48:37 +0100 Subject: psa_util: minor code improvements Signed-off-by: Valerio Setti --- library/psa_util.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index e16971b..c257d75 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -414,9 +414,7 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, /* Since raw and der buffers might overlap, dump r and s before starting * the conversion. */ - memset(r, 0, sizeof(r)); memcpy(r, raw, coordinate_len); - memset(s, 0, sizeof(s)); memcpy(s, raw + coordinate_len, coordinate_len); /* der buffer will initially be written starting from its end so we pick s @@ -481,6 +479,10 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t unpadded_len, padding_len = 0; + if (raw_len < coordinate_size) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + /* Get the length of ASN.1 element (i.e. the integer we need to parse). */ ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len, MBEDTLS_ASN1_INTEGER); @@ -498,10 +500,6 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } } - if (raw_len < coordinate_size) { - return ERR_ASN1_BUF_TOO_SMALL; - } - if (unpadded_len < coordinate_size) { padding_len = coordinate_size - unpadded_len; memset(raw, 0x00, padding_len); @@ -557,7 +555,7 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, data_len -= ret; /* Check that we consumed all the input der data. */ - if ((p - der) != (int) der_len) { + if ((size_t) (p - der) != der_len) { return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } -- cgit v1.1 From bda440f82da4fe20b7e3bfc0f0d9ae66fe8a9442 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 08:16:50 +0100 Subject: test_suite_psa_crypto_util: increase the size of tested integers - Replace 192 case with 256 - Replace 256 case with 512 - Add 521 case Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 118 +++++++++++++++------------ 1 file changed, 64 insertions(+), 54 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index ce942c8..8598a4e 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,71 +1,81 @@ -ECDSA Raw -> DER, 192bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 - -ECDSA Raw -> DER, 192bit, Raw data too short -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA - -ECDSA Raw -> DER, 192bit, DER buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30340218010101010101010101010101010101010101010101010101":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +ECDSA Raw -> DER, 256bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA Raw -> DER, 192bit, Null r -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"000000000000000000000000000000000000000000000000020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA +ECDSA Raw -> DER, 256bit, Raw data too short +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA Raw -> DER, 192bit, Null s -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101000000000000000000000000000000000000000000000000":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA +ECDSA Raw -> DER, 256bit, DER buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL -ECDSA Raw -> DER, 192bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"810101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30350219008101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 +ECDSA Raw -> DER, 256bit, Null r +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA Raw -> DER, 192bit, s with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101820202020202020202020202020202020202020202020202":"30350218010101010101010101010101010101010101010101010101021900820202020202020202020202020202020202020202020202":0 +ECDSA Raw -> DER, 256bit, Null s +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 192bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":0 +ECDSA Raw -> DER, 256bit, r with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 192bit, Raw buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +ECDSA Raw -> DER, 256bit, s with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 192bit, Wrong sequence tag -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"403402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ECDSA DER -> Raw, 256bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 192bit, Invalid sequence length -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"30FF02180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_LENGTH +ECDSA DER -> Raw, 256bit, Raw buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL -ECDSA DER -> Raw, 192bit, Wrong integer tag -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303401180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ECDSA DER -> Raw, 256bit, Wrong sequence tag +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA DER -> Raw, 192bit, Wrong r integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402170101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ECDSA DER -> Raw, 256bit, Invalid sequence length +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH -ECDSA DER -> Raw, 192bit, Wrong r integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402190101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ECDSA DER -> Raw, 256bit, Wrong integer tag +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA DER -> Raw, 192bit, Wrong s integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010217020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA DER -> Raw, 192bit, Wrong s integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010219020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA Raw -> DER, 256bit, Success +ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":0 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH -ECDSA DER -> Raw, 256bit, Success +ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":0 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA + +ECDSA Raw -> DER, 512bit, Success +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA DER -> Raw, 512bit, Success +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +# Bit length is rounded up to 528 to be multiple of 8 +ECDSA Raw -> DER, 521bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_521 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +# Bit length is rounded up to 528 to be multiple of 8 +ECDSA DER -> Raw, 521bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_521 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 -- cgit v1.1 From 99c0369d314ca613d4b721f96c8987560a60c220 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 08:21:10 +0100 Subject: psa_util: add include asn1write.h in public header This is mandatory to have support for the error codes defined in the asn1write.h header file. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 5 +++++ tests/suites/test_suite_psa_crypto_util.function | 2 -- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index ea0d5bb..87787f1 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -16,6 +16,11 @@ #include "psa/crypto.h" +/* ASN1 defines used in the ECDSA conversion functions. */ +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_ASN1_PARSE_C) +#include +#endif + #if defined(MBEDTLS_PSA_CRYPTO_C) /* Expose whatever RNG the PSA subsystem uses to applications using the diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 2a99073..bf1f88d 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -1,8 +1,6 @@ /* BEGIN_HEADER */ -#include #include #include -#include enum { ECDSA_RAW_TO_DER = 0, -- cgit v1.1 From c22e3ce8efd8a6f6c804ac1b28c17b0ea3bb4080 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 08:46:59 +0100 Subject: psa_util: remove CRYPTO_C guard from ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 8 ++++---- library/psa_util.c | 22 ++++++++++++---------- tests/suites/test_suite_psa_crypto_util.function | 7 +------ 3 files changed, 17 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 87787f1..93fb38d 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -16,10 +16,10 @@ #include "psa/crypto.h" -/* ASN1 defines used in the ECDSA conversion functions. */ -#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_ASN1_PARSE_C) +/* ASN1 defines used in the ECDSA conversion functions. + * Note: intentionally not adding MBEDTLS_ASN1_[PARSE|WRITE]_C guards here + * otherwise error codes would be unknown in test_suite_psa_crypto_util.data.*/ #include -#endif #if defined(MBEDTLS_PSA_CRYPTO_C) @@ -180,6 +180,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa { return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK); } +#endif /* MBEDTLS_PSA_CRYPTO_C */ #if defined(MBEDTLS_ASN1_WRITE_C) /** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 @@ -221,5 +222,4 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, /**@}*/ -#endif /* MBEDTLS_PSA_CRYPTO_C */ #endif /* MBEDTLS_PSA_UTIL_H */ diff --git a/library/psa_util.c b/library/psa_util.c index c257d75..ad5c9fb 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -8,14 +8,20 @@ #include "common.h" -#if defined(MBEDTLS_PSA_CRYPTO_C) +/* This is needed for MBEDTLS_ERR_XXX macros */ +#include -#include +#if defined(MBEDTLS_ASN1_WRITE_C) +#include +#include +#endif #include "psa_util_internal.h" -/* The following includes are needed for MBEDTLS_ERR_XXX macros */ -#include +#if defined(MBEDTLS_PSA_CRYPTO_C) + +#include + #if defined(MBEDTLS_MD_LIGHT) #include #endif @@ -40,10 +46,6 @@ #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA) #include #endif -#if defined(MBEDTLS_ASN1_WRITE_C) -#include -#include -#endif /* PSA_SUCCESS is kept at the top of each error table since * it's the most common status when everything functions properly. */ @@ -334,6 +336,8 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, } #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ +#endif /* MBEDTLS_PSA_CRYPTO_C */ + #if defined(MBEDTLS_ASN1_WRITE_C) /** * \brief Convert a single raw coordinate to DER ASN.1 format. The output der @@ -565,5 +569,3 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, return 0; } #endif /* MBEDTLS_ASN1_PARSE_C */ - -#endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index bf1f88d..57cda09 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -8,12 +8,7 @@ enum { }; /* END_HEADER */ -/* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C - * END_DEPENDENCIES - */ - -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C */ void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; -- cgit v1.1 From 3f0809a99d3464ca105c75d75093a8e6cd9fffd8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 09:00:55 +0100 Subject: test_suite_psa_crypto_util: split ECDSA test function in two Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 40 +++++++++++------------ tests/suites/test_suite_psa_crypto_util.function | 41 +++++++++++++++--------- 2 files changed, 46 insertions(+), 35 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 8598a4e..a8d3458 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,81 +1,81 @@ ECDSA Raw -> DER, 256bit, Success depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Raw data too short depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, DER buffer too small depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA Raw -> DER, 256bit, Null r depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Null s depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, r with MSb set depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, s with MSb set depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Success depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Raw buffer too small depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA DER -> Raw, 256bit, Wrong sequence tag depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Invalid sequence length depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH +ecdsa_der_to_raw:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH ECDSA DER -> Raw, 256bit, Wrong integer tag depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # Bit length is rounded up to 528 to be multiple of 8 ECDSA Raw -> DER, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # Bit length is rounded up to 528 to be multiple of 8 ECDSA DER -> Raw, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 57cda09..3c49766 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -1,15 +1,10 @@ /* BEGIN_HEADER */ #include #include - -enum { - ECDSA_RAW_TO_DER = 0, - ECDSA_DER_TO_RAW, -}; /* END_HEADER */ -/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C */ -void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_result, int exp_ret) +/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */ +void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; size_t tmp_buf_len = exp_result->len; @@ -17,16 +12,32 @@ void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_re TEST_CALLOC(tmp_buf, tmp_buf_len); - if (direction == ECDSA_RAW_TO_DER) { - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); - } else { - TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); + + if (exp_ret == 0) { + ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); } +exit: + mbedtls_free(tmp_buf); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */ +void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) +{ + unsigned char *tmp_buf = NULL; + size_t tmp_buf_len = exp_result->len; + size_t ret_len; + + TEST_CALLOC(tmp_buf, tmp_buf_len); + + TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); + if (exp_ret == 0) { ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); } -- cgit v1.1 From 3ccb2b54236a096c6757521ecce458b5e84f4abe Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 10:51:24 +0100 Subject: all.sh: add exception for ASN1_PARSE_C in check_test_dependencies There is no PSA equivalent to ASN1 legacy symbols. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d2..41faaee 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1059,11 +1059,16 @@ component_check_test_dependencies () { echo "!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" >> $expected # No PSA equivalent - used to skip decryption tests in PSA-ECB, CBC/XTS/NIST_KW/DES echo "!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT" >> $expected - # This is used by import_rsa_made_up() in test_suite_psa_crypto in order - # to build a fake RSA key of the wanted size based on + # MBEDTLS_ASN1_WRITE_C is used by import_rsa_made_up() in test_suite_psa_crypto + # in order to build a fake RSA key of the wanted size based on # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by # the test code and that's probably the most convenient way of achieving # the test's goal. + # + # Both MBEDTLS_ASN1_[PARSE|WRITE]_C are used in ECDSA conversion functions + # (in psa_util module) and, therefore, also in test_suite_psa_crypto_util. + # There is no PSA equivalent for these ASN1 symbols in PSA. + echo "MBEDTLS_ASN1_PARSE_C" >> $expected echo "MBEDTLS_ASN1_WRITE_C" >> $expected # No PSA equivalent - we should probably have one in the future. echo "MBEDTLS_ECP_RESTARTABLE" >> $expected -- cgit v1.1 From 86bae52c5500509d9837fff6f0d40e2cff980e2a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 11:12:31 +0100 Subject: psa_util: skip leading zeros in der format with "if" instead of "while" This is possible because we know that DER format can have at most 1 leading zero. Signed-off-by: Valerio Setti --- library/psa_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index ad5c9fb..e69ff6b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -494,8 +494,8 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return ret; } - /* Skip leading zeros */ - while (*p == 0x00) { + /* Skip possible leading zero */ + if (*p == 0x00) { p++; unpadded_len--; /* It should never happen that the input number is all zeros. */ -- cgit v1.1 From a7b83a04ee9142f876c4703fbbdb5ee56c6566a9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 16:07:29 +0100 Subject: psa_util: add variable casting in convert_raw_to_der_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index e69ff6b..ef9aff1 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -364,7 +364,7 @@ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t ra unsigned char *der_buf_end) { unsigned char *p = der_buf_end; - int len = raw_len; + int len = (int) raw_len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* Copy the raw coordinate to the end of der_buf. */ -- cgit v1.1 From 31657ed70c80303d980c0d88ba5d0f1cca15fd4e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 11 Jan 2024 07:01:30 +0100 Subject: test_suite_psa_crypto_util: change curve type for 256bits tests Tests with 256 bits curve simply depends on any curve of that size, but they don't really care about which family is enabled. Here I replaced PSA_WANT_ECC_SECP_R1_256 with PSA_WANT_ECC_SECP_K1_256 because otherwise there were test disparities in the "analyze_driver_vs_reference_tfm_config" component of "analyze_outcomes.py". It looked simpler to change the curve type in the test suite's data rather than adding proper exceptions in "analyze_outcomes.py" Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 32 ++++++++++++++-------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index a8d3458..4984861 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,65 +1,65 @@ ECDSA Raw -> DER, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Raw data too short -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, DER buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA Raw -> DER, 256bit, Null r -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Null s -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, s with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Raw buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA DER -> Raw, 256bit, Wrong sequence tag -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Invalid sequence length -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH ECDSA DER -> Raw, 256bit, Wrong integer tag -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA ECDSA Raw -> DER, 512bit, Success -- cgit v1.1 From 17105df3e776a79b2668c2fb960ef1f4dcb8171a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 11 Jan 2024 10:41:59 +0100 Subject: test_suite_psa_crypto_util: add comments to 512/521 bit size test cases Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 4984861..45a3cb5 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -62,20 +62,24 @@ ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 ecdsa_raw_to_der:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA DER -> Raw, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 -# Bit length is rounded up to 528 to be multiple of 8 +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. +# Bit length is rounded up to 528 to be multiple of 8. ECDSA Raw -> DER, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 -# Bit length is rounded up to 528 to be multiple of 8 +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. +# Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 -- cgit v1.1 From f4d2dc2d772cef1baa7367996c45e9a0ae7e1be1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Jan 2024 10:57:48 +0100 Subject: psa_util: guard ECDSA conversion functions with proper (internal) symbol Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_crypto.h | 7 +++++++ include/mbedtls/psa_util.h | 4 ++++ library/psa_util.c | 4 ++++ tests/suites/test_suite_psa_crypto_util.function | 4 ++-- 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 696266c..833f152 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -400,6 +400,13 @@ #define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY #endif +/* psa_util file features some ECDSA conversion functions, to convert between + * legacy's ASN.1 DER format and PSA's raw one. */ +#if defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_PSA_CRYPTO_C) && \ + (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)) +#define MBEDTLS_PSA_UTIL_HAVE_ECDSA +#endif + /* Some internal helpers to determine which keys are availble. */ #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES)) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 93fb38d..3bf05d1 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -182,6 +182,8 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa } #endif /* MBEDTLS_PSA_CRYPTO_C */ +#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) + #if defined(MBEDTLS_ASN1_WRITE_C) /** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 * format (used by legacy crypto APIs). @@ -220,6 +222,8 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, size_t bits); #endif /* MBEDTLS_ASN1_PARSE_C */ +#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ + /**@}*/ #endif /* MBEDTLS_PSA_UTIL_H */ diff --git a/library/psa_util.c b/library/psa_util.c index ef9aff1..c78b603 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -338,6 +338,8 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, #endif /* MBEDTLS_PSA_CRYPTO_C */ +#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) + #if defined(MBEDTLS_ASN1_WRITE_C) /** * \brief Convert a single raw coordinate to DER ASN.1 format. The output der @@ -569,3 +571,5 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, return 0; } #endif /* MBEDTLS_ASN1_PARSE_C */ + +#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 3c49766..bfdafa7 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -3,7 +3,7 @@ #include /* END_HEADER */ -/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_WRITE_C */ void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; @@ -25,7 +25,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_PARSE_C */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; -- cgit v1.1 From 688f795cb38b86995051c3033b7aeb73f573ddf8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Jan 2024 09:18:40 +0100 Subject: asn1: use the new symbol to guard dependencies of ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/asn1.h | 5 +++-- include/mbedtls/asn1write.h | 5 +++-- include/mbedtls/psa_util.h | 4 ---- library/asn1parse.c | 5 +++-- library/asn1write.c | 5 +++-- library/psa_util.c | 4 ---- tests/suites/test_suite_psa_crypto_util.function | 4 ++-- 7 files changed, 14 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 3c3bfad..ff019f4 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -197,7 +197,8 @@ typedef struct mbedtls_asn1_named_data { } mbedtls_asn1_named_data; -#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) +#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) /** * \brief Get the length of an ASN.1 element. * Updates the pointer to immediately behind the length. @@ -244,7 +245,7 @@ int mbedtls_asn1_get_len(unsigned char **p, int mbedtls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len, int tag); -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_PARSE_C) /** diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 7af4aba..0c5a85a 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -36,7 +36,8 @@ extern "C" { #endif -#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) /** * \brief Write a length field in ASN.1 format. * @@ -65,7 +66,7 @@ int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start, */ int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsigned char tag); -#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */ +#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA*/ #if defined(MBEDTLS_ASN1_WRITE_C) /** diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 3bf05d1..15e92e3 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -184,7 +184,6 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) -#if defined(MBEDTLS_ASN1_WRITE_C) /** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 * format (used by legacy crypto APIs). * @@ -201,9 +200,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, unsigned char *der, size_t der_size, size_t *der_len, size_t bits); -#endif /* MBEDTLS_ASN1_WRITE_C */ -#if defined(MBEDTLS_ASN1_PARSE_C) /** Convert an ECDSA signature from DER ASN.1 format (used by legacy crypto * APIs) to raw format (used by PSA APIs). * @@ -220,7 +217,6 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_size, size_t *raw_len, size_t bits); -#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/library/asn1parse.c b/library/asn1parse.c index c02b233..e33fdf7 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -7,7 +7,8 @@ #include "common.h" -#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) +#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) #include "mbedtls/asn1.h" #include "mbedtls/platform_util.h" @@ -73,7 +74,7 @@ int mbedtls_asn1_get_tag(unsigned char **p, return mbedtls_asn1_get_len(p, end, len); } -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_PARSE_C) int mbedtls_asn1_get_bool(unsigned char **p, diff --git a/library/asn1write.c b/library/asn1write.c index 114091d..775a9ef 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -7,7 +7,8 @@ #include "common.h" -#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) #include "mbedtls/asn1write.h" #include "mbedtls/error.h" @@ -62,7 +63,7 @@ int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsign return 1; } -#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */ +#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_WRITE_C) static int mbedtls_asn1_write_len_and_tag(unsigned char **p, diff --git a/library/psa_util.c b/library/psa_util.c index c78b603..9e21602 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -340,7 +340,6 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) -#if defined(MBEDTLS_ASN1_WRITE_C) /** * \brief Convert a single raw coordinate to DER ASN.1 format. The output der * buffer is filled backward (i.e. starting from its end). @@ -451,9 +450,7 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, return 0; } -#endif /* MBEDTLS_ASN1_WRITE_C */ -#if defined(MBEDTLS_ASN1_PARSE_C) /** * \brief Convert a single integer from ASN.1 DER format to raw. * @@ -570,6 +567,5 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, return 0; } -#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index bfdafa7..8f0dd6c 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -3,7 +3,7 @@ #include /* END_HEADER */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_WRITE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; @@ -25,7 +25,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; -- cgit v1.1 From 448377bec7c7d1a063c7bc6a0adeb8053659e97b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Jan 2024 16:24:07 +0100 Subject: all.sh: remove MBEDTLS_ASN1_PARSE_C exception from check_test_dependencies() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 41faaee..fddcc01 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1065,10 +1065,9 @@ component_check_test_dependencies () { # the test code and that's probably the most convenient way of achieving # the test's goal. # - # Both MBEDTLS_ASN1_[PARSE|WRITE]_C are used in ECDSA conversion functions + # MBEDTLS_ASN1_WRITE_C is also used in ECDSA conversion functions # (in psa_util module) and, therefore, also in test_suite_psa_crypto_util. - # There is no PSA equivalent for these ASN1 symbols in PSA. - echo "MBEDTLS_ASN1_PARSE_C" >> $expected + # There is no PSA equivalent for this ASN1 symbols in PSA. echo "MBEDTLS_ASN1_WRITE_C" >> $expected # No PSA equivalent - we should probably have one in the future. echo "MBEDTLS_ECP_RESTARTABLE" >> $expected -- cgit v1.1 From 1533c3f660e009b333c9f1f47b4866769f3edde6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 11:24:20 +0100 Subject: test_suite_rsa: improve rsa_parse_write_pkcs1_key() adding more checks Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.data | 8 ++++---- tests/suites/test_suite_rsa.function | 10 +++++++++- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index de5e569..92209c4 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -617,13 +617,13 @@ depends_on:MBEDTLS_SELF_TEST rsa_selftest: RSA parse/write PKCS#1 private key - 1024 bits -rsa_import_pkcs1_key:0:"3082025d020100028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb702030100010281801e97247066217ff6303881341a259c4bcd3e147f87f1a714045e80a06b541847e2ce54a78801d21b302fd33f616d6ed7cfa8a262ef5e23257a1642b5fc5a61577f7dba2324e687a10b25751c78996e72d5a8c3bc4e33e4a2a96b2b44b6685e85c37200a34381269250b59f65468ea4288713c4ae3e0e064e524a53a5d7e1ec91024100cbd11d9aad72bfb8db4e6bc7c6910661b3f38fbfa368d6dba0cd6c9aa3a716c03fa374bf8b2e7ba73a216d6ded9468fbaa3d130ee376190cc41ef30419a7da1d024100c7c0e189209483f36ee00a67474960c6ddf0d3a63ca0c76955fe9f358435a5e5318c35397c4245042e0dfabf8decedfd36e4d211349b8ecc4c1baac83f30d4e3024008e692f2644cb48eb01516a3dcca0c8b4bbe81328f424ecfbc8ffc042ccd6932f014854eb017519315f8cbbc973979f4339503360d3ce50f27a96a576d7f65090241009c9b4ef74870c7a6b215ba7250446a385fc6b0d8d30da669a23f172948f71a923f2f528738316894a75ad46d1be3568ec05bd38a23b995d1fc1570e6c00c13cb0241008716c9fa7d2295f34f5849b7c593d1adcec72556ed1044cd79c868c890620b143874a8208a65b7c5e235ccaae4c2492107af513fb2cbb682a3e8119af028f7a8" +rsa_parse_write_pkcs1_key:0:"3082025d020100028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb702030100010281801e97247066217ff6303881341a259c4bcd3e147f87f1a714045e80a06b541847e2ce54a78801d21b302fd33f616d6ed7cfa8a262ef5e23257a1642b5fc5a61577f7dba2324e687a10b25751c78996e72d5a8c3bc4e33e4a2a96b2b44b6685e85c37200a34381269250b59f65468ea4288713c4ae3e0e064e524a53a5d7e1ec91024100cbd11d9aad72bfb8db4e6bc7c6910661b3f38fbfa368d6dba0cd6c9aa3a716c03fa374bf8b2e7ba73a216d6ded9468fbaa3d130ee376190cc41ef30419a7da1d024100c7c0e189209483f36ee00a67474960c6ddf0d3a63ca0c76955fe9f358435a5e5318c35397c4245042e0dfabf8decedfd36e4d211349b8ecc4c1baac83f30d4e3024008e692f2644cb48eb01516a3dcca0c8b4bbe81328f424ecfbc8ffc042ccd6932f014854eb017519315f8cbbc973979f4339503360d3ce50f27a96a576d7f65090241009c9b4ef74870c7a6b215ba7250446a385fc6b0d8d30da669a23f172948f71a923f2f528738316894a75ad46d1be3568ec05bd38a23b995d1fc1570e6c00c13cb0241008716c9fa7d2295f34f5849b7c593d1adcec72556ed1044cd79c868c890620b143874a8208a65b7c5e235ccaae4c2492107af513fb2cbb682a3e8119af028f7a8" RSA parse/write PKCS#1 public key - 1024 bits -rsa_import_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001" +rsa_parse_write_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001" RSA parse/write PKCS#1 private key - 2048 bits -rsa_import_pkcs1_key:0:"308204a40201000282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d102030100010282010100d25c964f769d3aad0210ac04da5c90a9136b27e41a47108a86d0beff6341330640bf4dddb39e82134b97a12da58ae3165988f94ad4687148cfc6f5c4e6a7804316d3eddf496f807f4c7b17ffe9e3a1e3a2408c857bf32ff2137584284242a7a96c1780229f7bd7aca82d10f2afc48d4620e1e35e35fa52be3e97b16dad6e84dbdfab4e7e21c7c2e5e5cd1c936f6c221e806bd14afa77b3eefc62e984aa2d391da408aaec0dbd2eade3023ebac77e3416cd67491d60053d317c6c8665be5c33961c379309d37d0a653d1859a6abfe195644d474739dbc44f62e623505f9460d9d8defafb12f4149d5baaf798f1345f565430cd7c096c24ca8d02d13fe90c20c5102818100f116cfdbfc0d5b3528cbfada1b21d4292ff188d41a4b22e658a9e29f610adf5fcb3329b0f567ba5029195fd648d06cc2174638f2f18ff0e0251e283e0a0b1f792751925efb617af3405083245c673dae77edc811fd668769d28ac1bee36261658a32f56a5e1b9b9e4f4fa7da55adeeb08c92f1de89f6186bd9c6d1e721638d2d02818100ea51e8798225e4ee77aa08e2f5ee0f8b847edd4c34d9bf7b8cf339b61d5bd22d504c5ab5f17572850f39018736474a449186e783dfda35da95902c8eaaec4bebb8ab6c057c678f37cd53fc1a12e5ace83d2a44d72195d565b3e8c12f89f2523fe37e52adbafde783be361fcd1f021aaaabf860febd8c5726c7089622ccca73b50281807d8248b7d76204a78a13970650b5adc3bb67dcb9beee7abebc4dc4e3001c2ee9a9d97accdb1523137431f78890e3a09af28ee63ae3b2f1cd5ec57261c9ccbc97cff651630d2f5458aa94bf910061e6e49b1eb8d754ba39a8c7a8e0f04564041c5e73e4fb78fe9a673216dfe57451563fa70f20c79fbef43bc166160463877609028180693b0fa44206b2a145ac5f014e60f32a3cfe9c73b4e8754e0f26cc2c35531f38aa6f1fedc5da70ebc0c261255003041f771b96ad6ac29c9ce5be31c4808e4e2a366d05be10f89121065d49428c6a0914e32330774ce5f5480f5be02671551a0b07279c09d9885d8894cbc9cc5cb89d3138b9fb156c1ab2a8ff89a3a34d453e6102818100aff57dd813fd064d8d1a5e8c7ea7e534dff6963a9b5b1c4da12219268c0500288901bbd36edb8071679bcd9d0d8deacfaa52e4b3659f4a69a5c5322f104524f83eb4b94bf6f02b5ad7c2ccd9bc5688f4e18ff2a70ae7638a83f2f87d8ecc9e0eebf2283f809670c8a0b79e1a576a6c9c04d4d71b75647c818a23873cdc0d77bf" +rsa_parse_write_pkcs1_key:0:"308204a40201000282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d102030100010282010100d25c964f769d3aad0210ac04da5c90a9136b27e41a47108a86d0beff6341330640bf4dddb39e82134b97a12da58ae3165988f94ad4687148cfc6f5c4e6a7804316d3eddf496f807f4c7b17ffe9e3a1e3a2408c857bf32ff2137584284242a7a96c1780229f7bd7aca82d10f2afc48d4620e1e35e35fa52be3e97b16dad6e84dbdfab4e7e21c7c2e5e5cd1c936f6c221e806bd14afa77b3eefc62e984aa2d391da408aaec0dbd2eade3023ebac77e3416cd67491d60053d317c6c8665be5c33961c379309d37d0a653d1859a6abfe195644d474739dbc44f62e623505f9460d9d8defafb12f4149d5baaf798f1345f565430cd7c096c24ca8d02d13fe90c20c5102818100f116cfdbfc0d5b3528cbfada1b21d4292ff188d41a4b22e658a9e29f610adf5fcb3329b0f567ba5029195fd648d06cc2174638f2f18ff0e0251e283e0a0b1f792751925efb617af3405083245c673dae77edc811fd668769d28ac1bee36261658a32f56a5e1b9b9e4f4fa7da55adeeb08c92f1de89f6186bd9c6d1e721638d2d02818100ea51e8798225e4ee77aa08e2f5ee0f8b847edd4c34d9bf7b8cf339b61d5bd22d504c5ab5f17572850f39018736474a449186e783dfda35da95902c8eaaec4bebb8ab6c057c678f37cd53fc1a12e5ace83d2a44d72195d565b3e8c12f89f2523fe37e52adbafde783be361fcd1f021aaaabf860febd8c5726c7089622ccca73b50281807d8248b7d76204a78a13970650b5adc3bb67dcb9beee7abebc4dc4e3001c2ee9a9d97accdb1523137431f78890e3a09af28ee63ae3b2f1cd5ec57261c9ccbc97cff651630d2f5458aa94bf910061e6e49b1eb8d754ba39a8c7a8e0f04564041c5e73e4fb78fe9a673216dfe57451563fa70f20c79fbef43bc166160463877609028180693b0fa44206b2a145ac5f014e60f32a3cfe9c73b4e8754e0f26cc2c35531f38aa6f1fedc5da70ebc0c261255003041f771b96ad6ac29c9ce5be31c4808e4e2a366d05be10f89121065d49428c6a0914e32330774ce5f5480f5be02671551a0b07279c09d9885d8894cbc9cc5cb89d3138b9fb156c1ab2a8ff89a3a34d453e6102818100aff57dd813fd064d8d1a5e8c7ea7e534dff6963a9b5b1c4da12219268c0500288901bbd36edb8071679bcd9d0d8deacfaa52e4b3659f4a69a5c5322f104524f83eb4b94bf6f02b5ad7c2ccd9bc5688f4e18ff2a70ae7638a83f2f87d8ecc9e0eebf2283f809670c8a0b79e1a576a6c9c04d4d71b75647c818a23873cdc0d77bf" RSA parse/write PKCS#1 public key - 2048 bits -rsa_import_pkcs1_key:1:"3082010a0282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d10203010001" +rsa_parse_write_pkcs1_key:1:"3082010a0282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d10203010001" diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 315d4f6..62f593e 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1373,7 +1373,7 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void rsa_import_pkcs1_key(int is_public, data_t *input) +void rsa_parse_write_pkcs1_key(int is_public, data_t *input) { mbedtls_rsa_context rsa_ctx; unsigned char *input_start = input->x; @@ -1388,13 +1388,21 @@ void rsa_import_pkcs1_key(int is_public, data_t *input) mbedtls_rsa_init(&rsa_ctx); + /* Parse the key and write it back to output_buf. */ if (is_public) { TEST_EQUAL(mbedtls_rsa_pubkey_parse(&rsa_ctx, &input_start, input_end), 0); + TEST_ASSERT(input_start == input_end); TEST_EQUAL(mbedtls_rsa_pubkey_write(&rsa_ctx, output_start, &output_end), input->len); } else { TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), 0); TEST_EQUAL(mbedtls_rsa_key_write(&rsa_ctx, output_start, &output_end), input->len); } + /* This check holds because we alloacated an output buffer which is exactly + * large enough to contain the written data. */ + TEST_ASSERT(output_end == output_start); + + /* Check that the written key matches with the one provided in input. */ + TEST_MEMORY_COMPARE(output_buf, input->len, input->x, input->len); exit: mbedtls_free(output_buf); -- cgit v1.1 From 6def24ce73fb90d5706b290cce675f7bd0a0f4ba Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 12:33:04 +0100 Subject: test_suite_[pkparse/rsa]: move RSA private key parsing tests Signed-off-by: Valerio Setti --- library/rsa_internal.h | 1 + tests/suites/test_suite_pkparse.data | 72 ------------------------------------ tests/suites/test_suite_rsa.data | 54 +++++++++++++++++++++++++++ tests/suites/test_suite_rsa.function | 13 +++++++ 4 files changed, 68 insertions(+), 72 deletions(-) diff --git a/library/rsa_internal.h b/library/rsa_internal.h index 62972c6..6046850 100644 --- a/library/rsa_internal.h +++ b/library/rsa_internal.h @@ -15,6 +15,7 @@ #define MBEDTLS_RSA_INTERNAL_H #include "mbedtls/rsa.h" +#include "mbedtls/asn1.h" /** * \brief Parse a PKCS#1 (ASN.1) encoded private RSA key. diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 6387735..762fd52 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -1120,78 +1120,6 @@ pk_parse_key:"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Key ASN1 (First tag not Sequence) pk_parse_key:"020100":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT -Key ASN1 (RSAPrivateKey, incorrect version tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"300100":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, version tag missing) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3000":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, invalid version) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3003020101":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct version, incorrect tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"300402010000":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct format+values, minimal modulus size (128 bit)) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":0 - -Key ASN1 (RSAPrivateKey, correct format, modulus too small (127 bit)) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"30630201000211007c8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct format, modulus even) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857002030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct format, d == 0) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"30630201000211007c8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct format, d == p == q == 0) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900000000000000000002090000000000000000000209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, trailing garbage) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3064020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c00":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, n wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, e wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c8571FF030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, d wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c85710203010001FF11009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, p wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201FF0900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, q wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61FF0900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, dp wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a211FF09009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, dq wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401FF0813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - -Key ASN1 (RSAPrivateKey, correct values, qp wrong tag) -depends_on:MBEDTLS_RSA_C -pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b7221FF08052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT - Key ASN1 (ECPrivateKey, empty parameters) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_parse_key:"30070201010400a000":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 92209c4..5d81610 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -627,3 +627,57 @@ rsa_parse_write_pkcs1_key:0:"308204a40201000282010100dcabfd25f3b7d67155e5c252051 RSA parse/write PKCS#1 public key - 2048 bits rsa_parse_write_pkcs1_key:1:"3082010a0282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d10203010001" + +RSA parse private key - incorrect version tag +rsa_parse_pkcs1_key:"300100":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - version tag missing +rsa_parse_pkcs1_key:"3000":MBEDTLS_ERR_ASN1_OUT_OF_DATA + +RSA parse private key - invalid version +rsa_parse_pkcs1_key:"3003020101":MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSA parse private key - correct version, incorrect tag +rsa_parse_pkcs1_key:"300402010000":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct format+values, minimal modulus size (128 bit) +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":0 + +RSA parse private key - correct format, modulus too small (127 bit) +rsa_parse_pkcs1_key:"30630201000211007c8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + +RSA parse private key - correct format, modulus even +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857002030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSA parse private key - correct format, d == 0 +rsa_parse_pkcs1_key:"30630201000211007c8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSA parse private key - correct format, d == p == q == 0 +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900000000000000000002090000000000000000000209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSA parse private key - correct values, trailing garbage +rsa_parse_pkcs1_key:"3064020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c00":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +RSA parse private key - correct values, n wrong tag +rsa_parse_pkcs1_key:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct values, e wrong tag +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c8571FF030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct values, d wrong tag +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c85710203010001FF11009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct values, p wrong tag +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201FF0900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct values, q wrong tag +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61FF0900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct values, dp wrong tag +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a211FF09009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct values, dq wrong tag +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401FF0813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse private key - correct values, qp wrong tag +rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b7221FF08052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 62f593e..4fe15dd 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1373,6 +1373,19 @@ exit: /* END_CASE */ /* BEGIN_CASE */ +void rsa_parse_pkcs1_key(data_t *input, int exp_ret_val) +{ + mbedtls_rsa_context rsa_ctx; + mbedtls_rsa_init(&rsa_ctx); + + TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), exp_ret_val); + +exit: + mbedtls_rsa_free(&rsa_ctx); +} +/* END_CASE */ + +/* BEGIN_CASE */ void rsa_parse_write_pkcs1_key(int is_public, data_t *input) { mbedtls_rsa_context rsa_ctx; -- cgit v1.1 From 6d597f1967cb140686724f6cd1d69a988d801bc7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 13:44:41 +0100 Subject: test_suite_rsa: extend rsa_parse_pkcs1_key adding tests for public key Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.data | 66 ++++++++++++++++++++++++++---------- tests/suites/test_suite_rsa.function | 11 ++++-- 2 files changed, 57 insertions(+), 20 deletions(-) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 5d81610..bd28681 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -629,55 +629,85 @@ RSA parse/write PKCS#1 public key - 2048 bits rsa_parse_write_pkcs1_key:1:"3082010a0282010100dcabfd25f3b7d67155e5c2520518570e95754ef883a973f94b2b0fb2d7ad733a3b0976c6314770eaf728304ee61e0dfe91811fc4a8219fbc3687cb3cfca54b58804d1ed4de985dc827374cb31b7b23225e130858d6b812dee6a356a8f8d211ba0930d0ec38193cee0a186f4a760cc3aa40e1d04fe4a14506ed279a9080aedd2676a4026bcb1ee24b2c00853bffcc04b5fb3e542626c2b2c54a62f3d6e01df95544fdf85c22cc0846275cb9cdfe73876e94e532ced0bca9876de74ff1edc9c8ac89aa8586aa34ca6f44c972d1e73aaddae168a5e67ec69cd14f206155e6e1161e7aa6754e947d5d26ee5f8789598a79ea4ff0263e2b8bf90641320771955007d10203010001" RSA parse private key - incorrect version tag -rsa_parse_pkcs1_key:"300100":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"300100":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - version tag missing -rsa_parse_pkcs1_key:"3000":MBEDTLS_ERR_ASN1_OUT_OF_DATA +rsa_parse_pkcs1_key:0:"3000":MBEDTLS_ERR_ASN1_OUT_OF_DATA RSA parse private key - invalid version -rsa_parse_pkcs1_key:"3003020101":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +rsa_parse_pkcs1_key:0:"3003020101":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse private key - correct version, incorrect tag -rsa_parse_pkcs1_key:"300402010000":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"300402010000":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct format+values, minimal modulus size (128 bit) -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":0 +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":0 RSA parse private key - correct format, modulus too small (127 bit) -rsa_parse_pkcs1_key:"30630201000211007c8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED +rsa_parse_pkcs1_key:0:"30630201000211007c8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED RSA parse private key - correct format, modulus even -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857002030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857002030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse private key - correct format, d == 0 -rsa_parse_pkcs1_key:"30630201000211007c8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +rsa_parse_pkcs1_key:0:"30630201000211007c8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse private key - correct format, d == p == q == 0 -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900000000000000000002090000000000000000000209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900000000000000000002090000000000000000000209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse private key - correct values, trailing garbage -rsa_parse_pkcs1_key:"3064020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c00":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +rsa_parse_pkcs1_key:0:"3064020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c00":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH RSA parse private key - correct values, n wrong tag -rsa_parse_pkcs1_key:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct values, e wrong tag -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c8571FF030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c8571FF030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct values, d wrong tag -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c85710203010001FF11009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c85710203010001FF11009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct values, p wrong tag -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201FF0900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201FF0900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct values, q wrong tag -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61FF0900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61FF0900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct values, dp wrong tag -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a211FF09009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a211FF09009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct values, dq wrong tag -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401FF0813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401FF0813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct values, qp wrong tag -rsa_parse_pkcs1_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b7221FF08052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b7221FF08052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse public key - wrong initial tag +rsa_parse_pkcs1_key:1:"318189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse public key - wrong modulus tag +rsa_parse_pkcs1_key:1:"308189038181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse public key - wrong public exponent tag +rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70303010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse public key - modulus 0 +rsa_parse_pkcs1_key:1:"3081890281810000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000203010001":MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSA parse public key - public exponent 0 +rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203000000":MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSA parse public key - wrong sequence length +rsa_parse_pkcs1_key:1:"308188028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +RSA parse public key - wrong modulus length +rsa_parse_pkcs1_key:1:"308189028180009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +RSA parse public key - wrong public exponent length +rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70202010001":MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSA parse public key - missing modulus +rsa_parse_pkcs1_key:1:"30050203010001":MBEDTLS_ERR_ASN1_OUT_OF_DATA + +RSA parse public key - missing public exponent +rsa_parse_pkcs1_key:1:"308184028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb7":MBEDTLS_ERR_ASN1_OUT_OF_DATA diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 4fe15dd..71ca2b9 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1373,12 +1373,19 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void rsa_parse_pkcs1_key(data_t *input, int exp_ret_val) +void rsa_parse_pkcs1_key(int is_public, data_t *input, int exp_ret_val) { mbedtls_rsa_context rsa_ctx; + unsigned char *start = input->x; + unsigned char *end = input->x + input->len; + mbedtls_rsa_init(&rsa_ctx); - TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), exp_ret_val); + if (is_public) { + TEST_EQUAL(mbedtls_rsa_pubkey_parse(&rsa_ctx, &start, end), exp_ret_val); + } else { + TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), exp_ret_val); + } exit: mbedtls_rsa_free(&rsa_ctx); -- cgit v1.1 From ea986472828ad935dddaa9fe481bcc7d9b482df6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 24 Jan 2024 13:55:56 +0100 Subject: changelog: document RSA parse/write improvements Signed-off-by: Valerio Setti --- ChangeLog.d/8647.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ChangeLog.d/8647.txt diff --git a/ChangeLog.d/8647.txt b/ChangeLog.d/8647.txt new file mode 100644 index 0000000..cfd3a4b --- /dev/null +++ b/ChangeLog.d/8647.txt @@ -0,0 +1,7 @@ +Default behavior changes + * Importing of RSA keys in PEM format in PSA is officially unsupported + (this was previously undocumented). + +Features + * It is possible to enable RSA support in PSA (MBEDTLS_PSA_CRYPTO_C + + RSA_C) without enabling PK module (MBEDTLS_[PK|PK_WRITE|PK_PARSE]_C). -- cgit v1.1 From 7fd162ec262408e4700f95bfe90638dca5247967 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 24 Jan 2024 18:05:53 +0000 Subject: Refactor common PThreads CMake code Move the flags and find of Threads to root CMakeLists.txt, rather than duplicate these everywhere. Make explicit linking of library with PThreads use the same mechanism. Signed-off-by: Paul Elliott --- CMakeLists.txt | 5 +++++ library/CMakeLists.txt | 2 +- programs/aes/CMakeLists.txt | 4 ---- programs/cipher/CMakeLists.txt | 4 ---- programs/fuzz/CMakeLists.txt | 4 ---- programs/hash/CMakeLists.txt | 4 ---- programs/pkey/CMakeLists.txt | 4 ---- programs/psa/CMakeLists.txt | 4 ---- programs/random/CMakeLists.txt | 4 ---- programs/ssl/CMakeLists.txt | 3 --- programs/test/CMakeLists.txt | 4 ---- programs/test/cmake_subproject/CMakeLists.txt | 4 ---- programs/util/CMakeLists.txt | 4 ---- programs/x509/CMakeLists.txt | 4 ---- tests/CMakeLists.txt | 4 ---- 15 files changed, 6 insertions(+), 52 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ad05646..68dfcb0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -114,6 +114,11 @@ if(MBEDTLS_PYTHON_EXECUTABLE) endif() +# We now potentially need to link all executables against PThreads, if available +set(CMAKE_THREAD_PREFER_PTHREAD TRUE) +set(THREADS_PREFER_PTHREAD_FLAG TRUE) +find_package(Threads) + # If this is the root project add longer list of available CMAKE_BUILD_TYPE values if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR) set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE} diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 5c297e0..4980341 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -231,7 +231,7 @@ if(HAIKU) endif(HAIKU) if(LINK_WITH_PTHREAD) - set(libs ${libs} pthread) + set(libs ${libs} ${CMAKE_THREAD_LIBS_INIT}) endif() if(LINK_WITH_TRUSTED_STORAGE) diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt index 8174102..ccb8db5 100644 --- a/programs/aes/CMakeLists.txt +++ b/programs/aes/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(executables crypt_and_hash ) diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt index b497e8a..e925524 100644 --- a/programs/cipher/CMakeLists.txt +++ b/programs/cipher/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(executables cipher_aead_demo ) diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index 97b8fd2..c389029 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(libs ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT} diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt index 504a405..fcacf3b 100644 --- a/programs/hash/CMakeLists.txt +++ b/programs/hash/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(executables generic_sum hello diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index 2f55c61..cd0387a 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(executables_mbedtls dh_client dh_server diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt index dd1b1a2..a8e4b0e 100644 --- a/programs/psa/CMakeLists.txt +++ b/programs/psa/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(executables aead_demo crypto_examples diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt index c1184d1..5940395 100644 --- a/programs/random/CMakeLists.txt +++ b/programs/random/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(executables gen_entropy gen_random_ctr_drbg diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index 8047b9f..ec2c86f 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -1,6 +1,3 @@ -set(THREADS_USE_PTHREADS_WIN32 true) -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) set(libs diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 3709276..f91f786 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(libs ${mbedtls_target} ) diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt index 2f8ab2a..78bd5e7 100644 --- a/programs/test/cmake_subproject/CMakeLists.txt +++ b/programs/test/cmake_subproject/CMakeLists.txt @@ -1,9 +1,5 @@ cmake_minimum_required(VERSION 3.5.1) -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - # Test the target renaming support by adding a prefix to the targets built set(MBEDTLS_TARGET_PREFIX subproject_test_) diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt index 6a8659e..cb6bc3d 100644 --- a/programs/util/CMakeLists.txt +++ b/programs/util/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(libs ${mbedcrypto_target} ) diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt index e41b406..43437f0 100644 --- a/programs/x509/CMakeLists.txt +++ b/programs/x509/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(libs ${mbedx509_target} ) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index cb54ea4..70f5bc9 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -1,7 +1,3 @@ -set(CMAKE_THREAD_PREFER_PTHREAD TRUE) -set(THREADS_PREFER_PTHREAD_FLAG TRUE) -find_package(Threads) - set(libs ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT} -- cgit v1.1 From 0c847bcbe79c11a74b5b1d1fec687d75888dfab5 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 24 Jan 2024 19:08:31 +0000 Subject: Fix Make issues with Everest enabled Apply Gilles suggestion to fix the problem with make on the CI when everest is enabled, i.e. use $(THIRDPARTY_DIR) instead of a fuzz specific hack involving $(THIRDPARTY_INCLUDES) Signed-off-by: Paul Elliott --- 3rdparty/everest/Makefile.inc | 8 ++++---- 3rdparty/p256-m/Makefile.inc | 6 +++--- programs/Makefile | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/3rdparty/everest/Makefile.inc b/3rdparty/everest/Makefile.inc index 77a6b49..8055ce9 100644 --- a/3rdparty/everest/Makefile.inc +++ b/3rdparty/everest/Makefile.inc @@ -1,6 +1,6 @@ -THIRDPARTY_INCLUDES+=-I../3rdparty/everest/include -I../3rdparty/everest/include/everest -I../3rdparty/everest/include/everest/kremlib +THIRDPARTY_INCLUDES+=-I$(THIRDPARTY_DIR)/everest/include -I$(THIRDPARTY_DIR)/everest/include/everest -I$(THIRDPARTY_DIR)/everest/include/everest/kremlib THIRDPARTY_CRYPTO_OBJECTS+= \ - ../3rdparty/everest/library/everest.o \ - ../3rdparty/everest/library/x25519.o \ - ../3rdparty/everest/library/Hacl_Curve25519_joined.o + $(THIRDPARTY_DIR)/everest/library/everest.o \ + $(THIRDPARTY_DIR)/everest/library/x25519.o \ + $(THIRDPARTY_DIR)/everest/library/Hacl_Curve25519_joined.o diff --git a/3rdparty/p256-m/Makefile.inc b/3rdparty/p256-m/Makefile.inc index fc8f73b..53bb55b 100644 --- a/3rdparty/p256-m/Makefile.inc +++ b/3rdparty/p256-m/Makefile.inc @@ -1,5 +1,5 @@ -THIRDPARTY_INCLUDES+=-I../3rdparty/p256-m/p256-m/include -I../3rdparty/p256-m/p256-m/include/p256-m -I../3rdparty/p256-m/p256-m_driver_interface +THIRDPARTY_INCLUDES+=-I$(THIRDPARTY_DIR)/p256-m/p256-m/include -I$(THIRDPARTY_DIR)/p256-m/p256-m/include/p256-m -I$(THIRDPARTY_DIR)/p256-m/p256-m_driver_interface THIRDPARTY_CRYPTO_OBJECTS+= \ - ../3rdparty/p256-m//p256-m_driver_entrypoints.o \ - ../3rdparty/p256-m//p256-m/p256-m.o + $(THIRDPARTY_DIR)/p256-m//p256-m_driver_entrypoints.o \ + $(THIRDPARTY_DIR)/p256-m//p256-m/p256-m.o diff --git a/programs/Makefile b/programs/Makefile index 82c8569..6baf465 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -114,7 +114,7 @@ all: fuzz endif fuzz: ${MBEDTLS_TEST_OBJS} - $(MAKE) -C fuzz THIRDPARTY_INCLUDES=$(THIRDPARTY_INCLUDES) + $(MAKE) -C fuzz ${MBEDTLS_TEST_OBJS}: $(MAKE) -C ../tests mbedtls_test -- cgit v1.1 From 9cd2e9ad1b0c198708694661fc0567cddf2c754a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 24 Jan 2024 13:40:09 +0100 Subject: mbedtls_pk_get_psa_attributes: require MBEDTLS_PSA_CRYPTO_C Ideally this and other pk functions would work with MBEDTLS_PSA_CRYPTO_CLIENT (i.e. whether PSA API functions are implemented locally or via client-server communication). However, at the moment, some helper functions are missing when MBEDTLS_PSA_CRYPTO_C is disabled, at least mbedtls_ecc_group_to_psa(). For the time being, don't provide mbedtls_pk_get_psa_attributes() when MBEDTLS_PSA_CRYPTO_C is disabled. We can improve later, looking generally at a group of functions to generalize, not mixed with delivering new APIs. Signed-off-by: Gilles Peskine --- include/mbedtls/pk.h | 4 ++-- library/pk.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index a43b949..54ca9ad 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -484,7 +484,7 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, psa_key_usage_t usage); #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +#if defined(MBEDTLS_PSA_CRYPTO_C) /** * \brief Determine valid PSA attributes that can be used to * import a key into PSA. @@ -596,7 +596,7 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, psa_key_usage_t usage, psa_key_attributes_t *attributes); -#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ +#endif /* MBEDTLS_PSA_CRYPTO_C */ /** * \brief Verify signature (including padding if relevant). diff --git a/library/pk.c b/library/pk.c index 1911325..b629ce2 100644 --- a/library/pk.c +++ b/library/pk.c @@ -378,7 +378,7 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +#if defined(MBEDTLS_PSA_CRYPTO_C) #if defined(MBEDTLS_RSA_C) static psa_algorithm_t psa_algorithm_for_rsa(const mbedtls_rsa_context *rsa, int want_crypt) @@ -586,7 +586,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, return 0; } -#endif +#endif /* MBEDTLS_PSA_CRYPTO_C */ /* * Helper for mbedtls_pk_sign and mbedtls_pk_verify -- cgit v1.1 From 2bd4ddc8e0c0a908aea046ff8f79547805e840cd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 24 Jan 2024 14:15:02 +0100 Subject: Implement pick-a-curve when ECP_LIGHT is disabled Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 39 ++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index e522ea7..2a8a5f7 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -160,6 +160,43 @@ size_t mbedtls_rsa_key_len_func(void *ctx) } #endif /* MBEDTLS_RSA_C */ +#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) +static mbedtls_ecp_group_id ecc_pick_grp_id(void) +{ +#if defined(MBEDTLS_ECP_LIGHT) + return mbedtls_ecp_grp_id_list()[0]; +#elif defined(PSA_WANT_ECC_SECP_R1_192) + return MBEDTLS_ECP_DP_SECP192R1; +#elif defined(PSA_WANT_ECC_SECP_R1_224) + return MBEDTLS_ECP_DP_SECP224R1; +#elif defined(PSA_WANT_ECC_SECP_R1_256) + return MBEDTLS_ECP_DP_SECP256R1; +#elif defined(PSA_WANT_ECC_SECP_R1_384) + return MBEDTLS_ECP_DP_SECP384R1; +#elif defined(PSA_WANT_ECC_SECP_R1_521) + return MBEDTLS_ECP_DP_SECP521R1; +#elif defined(PSA_WANT_ECC_SECP_K1_192) + return MBEDTLS_ECP_DP_SECP192K1; +#elif defined(PSA_WANT_ECC_SECP_K1_224) + return MBEDTLS_ECP_DP_SECP224K1; +#elif defined(PSA_WANT_ECC_SECP_K1_256) + return MBEDTLS_ECP_DP_SECP256K1; +#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) + return MBEDTLS_ECP_DP_BP256R1; +#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) + return MBEDTLS_ECP_DP_BP384R1; +#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) + return MBEDTLS_ECP_DP_BP512R1; +#elif defined(PSA_WANT_ECC_MONTGOMERY_255) + return MBEDTLS_ECP_DP_CURVE25519; +#elif defined(PSA_WANT_ECC_MONTGOMERY_448) + return MBEDTLS_ECP_DP_CURVE448; +#else + return 0; +#endif +} +#endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) */ + #if defined(MBEDTLS_PSA_CRYPTO_C) static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, mbedtls_pk_context *pk, psa_key_type_t *psa_type) @@ -201,7 +238,7 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, case MBEDTLS_PK_ECKEY_DH: case MBEDTLS_PK_ECDSA: { - mbedtls_ecp_group_id grp_id = mbedtls_ecp_grp_id_list()[0]; + mbedtls_ecp_group_id grp_id = ecc_pick_grp_id(); size_t bits; *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits)); TEST_EQUAL(pk_genkey(pk, grp_id), 0); -- cgit v1.1 From 77faddf93b3fbe9601dcdb69fdc0e338d5f5133d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 24 Jan 2024 10:50:17 +0100 Subject: Depend on legacy RSA key generation for test code In principle the RSA tests shouldn't depend on RSA key generation: they just need to operate on RSA keys. However they do need some method of creating an RSA key, and we're currently doing random generation. So depend on what the test code needs. Depend on the legacy RSA interface, since driver-only RSA isn't currently supported in the PK module. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 96 ++++++++++++++++++------------------- tests/suites/test_suite_pk.function | 6 ++- 2 files changed, 53 insertions(+), 49 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 8951e72..e64f9b7 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -688,136 +688,136 @@ pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ # Bad usage due to not specifying sign/crypt/derive. PSA attributes for pk: RSA usage=0 (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:0:MBEDTLS_ERR_PK_TYPE_MISMATCH # Bad usage due to not specifying sign/crypt/derive. PSA attributes for pk: RSA usage=EXPORT (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=DECRYPT|EXPORT (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH # Bad usage due to not specifying more than one of sign/crypt/derive. PSA attributes for pk: RSA usage=DECRYPT|SIGN_MESSAGE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=SIGN_MESSAGE|SIGN_HASH (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=SIGN_MESSAGE|VERIFY_MESSAGE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 pair DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 pair DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 pair->public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 pair->public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 pair->public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 public DECRYPT (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair SIGN_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair SIGN_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair->public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public SIGN_MESSAGE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 public SIGN_HASH (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair DERIVE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 public DERIVE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DECRYPT (bad) @@ -989,69 +989,69 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:0 PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque RSA pair, SIGN|VERIFY & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque RSA pair, SIGN|DECRYPT & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT PSA attributes for pk: opaque RSA pair, SIGN|... & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT # For a PK_OPAQUE key, mbedtls_pk_get_psa_attributes() ignores the input # key's algorithm policy. Just this time, test with a few different algorithms. PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [0] -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:0 PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [raw] -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:0 PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [v15] -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:0 PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [PSS] -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:0 PSA attributes for pk: opaque RSA pair, DECRYPT & DECRYPT -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_DECRYPT PSA attributes for pk: opaque RSA pair, DECRYPT|... & DECRYPT -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque RSA pair, ... & DERIVE (bad) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair, ... & EXPORT (bad) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair->public, 0 & VERIFY_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:0 PSA attributes for pk: opaque RSA pair->public, 0 & VERIFY_HASH -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:0 PSA attributes for pk: opaque RSA pair->public, 0 & ENCRYPT -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:0 PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 2a8a5f7..cf0581c 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -215,10 +215,14 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, *psa_type = PSA_KEY_TYPE_RSA_KEY_PAIR; mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); if (want_pair) { +#if defined(MBEDTLS_GENPRIME) TEST_EQUAL(mbedtls_rsa_gen_key( rsa, mbedtls_test_rnd_std_rand, NULL, MBEDTLS_RSA_GEN_KEY_MIN_BITS, 65537), 0); +#else + TEST_FAIL("I don't know how to create an RSA key pair in this configuration."); +#endif } else { unsigned char N[PSA_BITS_TO_BYTES(MBEDTLS_RSA_GEN_KEY_MIN_BITS)] = { 0xff }; N[sizeof(N) - 1] = 0x03; @@ -1772,7 +1776,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME */ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, int usage_arg, int to_pair, int expected_alg) -- cgit v1.1 From 80edec5f847a2baaaa3173bd849cc8dac1a0b8d4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 25 Jan 2024 09:33:48 +0100 Subject: all.sh: remove MBEDTLS_PEM_PARSE_C exception from check_test_dependencies() Since we officially disabled support for importing of PEM formatted keys into PSA we removed dedicated tests from test_suite_psa_crypto. As a consequence MBEDTLS_PEM_PARSE_C is no more an exception for component_check_test_dependencies(). Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index f0a0058..318df37 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1069,9 +1069,6 @@ component_check_test_dependencies () { echo "MBEDTLS_ECP_RESTARTABLE" >> $expected # No PSA equivalent - needed by some init tests echo "MBEDTLS_ENTROPY_NV_SEED" >> $expected - # Used by two tests that are about an extension to the PSA standard; - # as such, no PSA equivalent. - echo "MBEDTLS_PEM_PARSE_C" >> $expected # Compare reality with expectation. # We want an exact match, to ensure the above list remains up-to-date. -- cgit v1.1 From 92c17c456c6cef1058598062b207c032d8b9fad3 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Thu, 25 Jan 2024 19:11:03 +0800 Subject: Use separate input/output buffer. Explain why error is expected Signed-off-by: Chien Wong --- tests/suites/test_suite_gcm.function | 43 +++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 07a6e45..e23d8d0 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -493,15 +493,20 @@ exit: /* END_CASE */ /* BEGIN_CASE */ +/* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of IV should + * satisfy 1 <= bit_len(IV) <= 2^64 - 1. */ void gcm_invalid_iv_len(void) { mbedtls_gcm_context ctx; uint8_t b16[16] = { 0 }; + // Invalid IV length 0 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); + // Only testable on platforms where sizeof(size_t) >= 8. #if SIZE_MAX >= UINT64_MAX + // Invalid IV length 2^61 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 1ULL << 61, MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); #endif @@ -513,30 +518,31 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -/* - * Test if GCM rejects total ad_len >= 2^61 bytes. - * Also test if GCM handles potential total ad_len overflow properly. - - * Only testable on platforms where sizeof(size_t) >= 8. - */ void gcm_add_len_too_long(void) { + // Only testable on platforms where sizeof(size_t) >= 8. #if SIZE_MAX >= UINT64_MAX mbedtls_gcm_context ctx; uint8_t b16[16] = { 0 }; + /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of AD should + * be <= 2^64 - 1, ie < 2^64. This is the minimum invalid length in bytes. */ + uint64_t len_max = 1ULL << 61; gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); - TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1ULL << 61), + // Feed AD that just exceeds the length limit + TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max), MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + // Feed AD that just exceeds the length limit in two calls TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0); - TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, (1ULL << 61) - 1), + TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max - 1), MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); + // Test if potential total AD length overflow is handled properly TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0); TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, UINT64_MAX), MBEDTLS_ERR_GCM_BAD_INPUT); @@ -547,35 +553,36 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -/* - * Test if GCM rejects total input length > 2^36 - 32 bytes. - * Also test if GCM handles potential total input length overflow properly. - - * Only testable on platforms where sizeof(size_t) >= 8. - */ void gcm_input_len_too_long(void) { + // Only testable on platforms where sizeof(size_t) >= 8 #if SIZE_MAX >= UINT64_MAX mbedtls_gcm_context ctx; uint8_t b16[16] = { 0 }; + uint8_t out[1]; size_t out_len; + /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of input should + * be <= 2^39 - 256. This is the maximum valid length in bytes. */ uint64_t len_max = (1ULL << 36) - 32; gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); - TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, b16, len_max + 1, + // Feed input that just exceeds the length limit + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, out, len_max + 1, &out_len), MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); - TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, b16, 1, &out_len), 0); + // Feed input that just exceeds the length limit in two calls + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0); TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, b16, len_max, &out_len), MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); - TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, b16, 1, &out_len), 0); - TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, b16, UINT64_MAX, + // Test if potential total input length overflow is handled properly + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0); + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, out, UINT64_MAX, &out_len), MBEDTLS_ERR_GCM_BAD_INPUT); -- cgit v1.1 From ef56795fd273b36a712dde7987a10fd54065ec79 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Thu, 25 Jan 2024 19:22:50 +0800 Subject: Fix 1 forgotten separate input/output buffer Signed-off-by: Chien Wong --- tests/suites/test_suite_gcm.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index e23d8d0..dac2a5d 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -575,7 +575,7 @@ void gcm_input_len_too_long(void) gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0); // Feed input that just exceeds the length limit in two calls TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0); - TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, b16, len_max, &out_len), + TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, out, len_max, &out_len), MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); -- cgit v1.1 From 43643c471492a6524600ecbbd3b90db94b3db538 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 25 Jan 2024 13:21:59 +0100 Subject: Remove now-redundant guard fixup "mbedtls_pk_get_psa_attributes: require MBEDTLS_PSA_CRYPTO_C" Signed-off-by: Gilles Peskine --- library/pk.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/library/pk.c b/library/pk.c index b629ce2..3f28787 100644 --- a/library/pk.c +++ b/library/pk.c @@ -577,12 +577,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, } psa_set_key_usage_flags(attributes, more_usage); -#if defined(MBEDTLS_PSA_CRYPTO_C) - /* Assume that we have all Mbed TLS attributes. When - * MBEDTLS_PSA_CRYPTO_CLIENT is enabled but not MBEDTLS_PSA_CRYPTO_C, - * we only assume standard PSA functions. */ psa_set_key_enrollment_algorithm(attributes, PSA_ALG_NONE); -#endif return 0; } -- cgit v1.1 From da2a33de0f2d0f7f179220d1a92f788d1459c3e3 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Thu, 25 Jan 2024 20:48:56 +0000 Subject: tests: fix `calloc()` argument list (`gcc-14` fix) `gcc-14` added a new `-Wcalloc-transposed-args` warning recently. It detected minor infelicity in `calloc()` API usage in `mbedtls`: In file included from /build/mbedtls/tests/include/test/ssl_helpers.h:19, from /build/mbedtls/tests/src/test_helpers/ssl_helpers.c:11: /build/mbedtls/tests/src/test_helpers/ssl_helpers.c: In function 'mbedtls_test_init_handshake_options': /build/mbedtls/tests/include/test/macros.h:128:46: error: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Werror=calloc-transposed-args] 128 | (pointer) = mbedtls_calloc(sizeof(*(pointer)), \ | ^ Signed-off-by: Sergei Trofimovich --- tests/include/test/macros.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h index 8de9c4d..a73e06f 100644 --- a/tests/include/test/macros.h +++ b/tests/include/test/macros.h @@ -125,8 +125,8 @@ do { \ TEST_ASSERT((pointer) == NULL); \ if ((item_count) != 0) { \ - (pointer) = mbedtls_calloc(sizeof(*(pointer)), \ - (item_count)); \ + (pointer) = mbedtls_calloc((item_count), \ + sizeof(*(pointer))); \ TEST_ASSERT((pointer) != NULL); \ } \ } while (0) @@ -155,8 +155,8 @@ #define TEST_CALLOC_NONNULL(pointer, item_count) \ do { \ TEST_ASSERT((pointer) == NULL); \ - (pointer) = mbedtls_calloc(sizeof(*(pointer)), \ - (item_count)); \ + (pointer) = mbedtls_calloc((item_count), \ + sizeof(*(pointer))); \ if (((pointer) == NULL) && ((item_count) == 0)) { \ (pointer) = mbedtls_calloc(1, 1); \ } \ @@ -175,8 +175,8 @@ do { \ TEST_ASSERT((pointer) == NULL); \ if ((item_count) != 0) { \ - (pointer) = mbedtls_calloc(sizeof(*(pointer)), \ - (item_count)); \ + (pointer) = mbedtls_calloc((item_count), \ + sizeof(*(pointer))); \ TEST_ASSUME((pointer) != NULL); \ } \ } while (0) -- cgit v1.1 From 1a54352f5a2abccf86f52108398fbc3f9126760b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 09:35:18 +0100 Subject: psa_crypto_ffdh: move dhm.h inclusion to c file Signed-off-by: Valerio Setti --- library/psa_crypto_ffdh.c | 6 ++++++ library/psa_crypto_ffdh.h | 1 - 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto_ffdh.c b/library/psa_crypto_ffdh.c index 6cc086e..95b2a1e 100644 --- a/library/psa_crypto_ffdh.c +++ b/library/psa_crypto_ffdh.c @@ -10,6 +10,12 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) +/* This header is only needed because it defines + * MBEDTLS_DHM_RFC7919_FFDHExxxx_[P|G]_BIN symbols that are used in + * mbedtls_psa_ffdh_set_prime_generator(). A part from that, this module + * only uses bignum functions for arithmetic. */ +#include + #include #include "psa_crypto_core.h" #include "psa_crypto_ffdh.h" diff --git a/library/psa_crypto_ffdh.h b/library/psa_crypto_ffdh.h index baeb928..79accd1 100644 --- a/library/psa_crypto_ffdh.h +++ b/library/psa_crypto_ffdh.h @@ -10,7 +10,6 @@ #define PSA_CRYPTO_FFDH_H #include -#include /** Perform a key agreement and return the FFDH shared secret. * -- cgit v1.1 From 48e4167cedda343e05645999564780164cf9eebe Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 10:34:32 +0100 Subject: adjust_legacy_from_psa: improve pattern for enabling internal symbols Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_from_psa.h | 156 +++++++----------------- 1 file changed, 44 insertions(+), 112 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 9e6163f..8888b2c 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -47,128 +47,56 @@ */ /* ECC: curves: is acceleration complete? */ -#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) +#if (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) && \ + !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256)) || \ + (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) && \ + !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384)) || \ + (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) && \ + !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512)) || \ + (defined(PSA_WANT_ECC_SECP_R1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192)) || \ + (defined(PSA_WANT_ECC_SECP_R1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224)) || \ + (defined(PSA_WANT_ECC_SECP_R1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256)) || \ + (defined(PSA_WANT_ECC_SECP_R1_384) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)) || \ + (defined(PSA_WANT_ECC_SECP_R1_521) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)) || \ + (defined(PSA_WANT_ECC_SECP_K1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)) || \ + (defined(PSA_WANT_ECC_SECP_K1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)) || \ + (defined(PSA_WANT_ECC_SECP_K1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256)) #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES #endif -#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) +#if (defined(PSA_WANT_ECC_MONTGOMERY_255) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255)) || \ + (defined(PSA_WANT_ECC_MONTGOMERY_448) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448)) #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_MONTGOMERY_255) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#endif - -#if defined(PSA_WANT_ECC_MONTGOMERY_448) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_R1_192) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_R1_224) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_R1_256) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_R1_384) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_R1_521) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_K1_192) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_K1_224) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES -#endif - -#if defined(PSA_WANT_ECC_SECP_K1_256) && \ - !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES #endif /* ECC: algs: is acceleration complete? */ -#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \ - !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS -#endif - -#if defined(PSA_WANT_ALG_ECDH) && \ - !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS -#endif - -#if defined(PSA_WANT_ALG_ECDSA) && \ - !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS -#endif - -#if defined(PSA_WANT_ALG_JPAKE) && \ - !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) +#if (defined(PSA_WANT_ALG_ECDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)) || \ + (defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)) || \ + (defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)) || \ + (defined(PSA_WANT_ALG_JPAKE) && !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE)) #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS #endif /* ECC: key types: is acceleration complete? */ -#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \ - !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES +#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \ + (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)) #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC #endif -#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \ - !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC -#endif - -#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \ - !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES -#endif - -#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \ - !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES -#endif - -#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \ - !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE) +#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \ + (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)) || \ + (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)) || \ + (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)) || \ + (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)) #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES #endif @@ -443,38 +371,42 @@ #if defined(PSA_WANT_DH_RFC7919_2048) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1 -#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */ #endif /* PSA_WANT_DH_RFC7919_2048 */ #if defined(PSA_WANT_DH_RFC7919_3072) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1 -#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */ #endif /* PSA_WANT_DH_RFC7919_3072 */ #if defined(PSA_WANT_DH_RFC7919_4096) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1 -#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */ #endif /* PSA_WANT_DH_RFC7919_4096 */ #if defined(PSA_WANT_DH_RFC7919_6144) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1 -#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */ #endif /* PSA_WANT_DH_RFC7919_6144 */ #if defined(PSA_WANT_DH_RFC7919_8192) #if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1 -#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */ #endif /* PSA_WANT_DH_RFC7919_8192 */ +/* Internal macro to state that there is at least 1 domain parameter which is builtin. */ +#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048) || \ + defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072) || \ + defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096) || \ + defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144) || \ + defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192) +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS +#endif + #if defined(PSA_WANT_ALG_FFDH) #if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS) #define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1 -- cgit v1.1 From bcf0fc5119115a2d6502d3acd3121c7813a51b02 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 14:53:28 +0100 Subject: adjust_legacy_crypto: add parenthesis to improve clarity Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_crypto.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 833f152..eb52d3f 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -402,8 +402,8 @@ /* psa_util file features some ECDSA conversion functions, to convert between * legacy's ASN.1 DER format and PSA's raw one. */ -#if defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_PSA_CRYPTO_C) && \ - (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)) +#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_C) && \ + (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA))) #define MBEDTLS_PSA_UTIL_HAVE_ECDSA #endif -- cgit v1.1 From f8ce457fb606309c87ba5c2595eeb9d5a9ce6cf2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 14:55:14 +0100 Subject: all.sh: fix comment in check_test_dependencies() MBEDTLS_ASN1_WRITE_C is no more required for ECDSA conversion functions. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index fddcc01..c4982b6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1064,10 +1064,6 @@ component_check_test_dependencies () { # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by # the test code and that's probably the most convenient way of achieving # the test's goal. - # - # MBEDTLS_ASN1_WRITE_C is also used in ECDSA conversion functions - # (in psa_util module) and, therefore, also in test_suite_psa_crypto_util. - # There is no PSA equivalent for this ASN1 symbols in PSA. echo "MBEDTLS_ASN1_WRITE_C" >> $expected # No PSA equivalent - we should probably have one in the future. echo "MBEDTLS_ECP_RESTARTABLE" >> $expected -- cgit v1.1 From 89d8a12e9ce40b2b0eee6e7d3a9fabfbc48910a7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 15:04:05 +0100 Subject: analyze_outcomes: fix typo Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index b6e26d4..c300f91 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -247,7 +247,7 @@ KNOWN_TASKS = { 'component_driver': 'test_psa_crypto_config_accel_hmac', 'ignored_suites': [ # These suites require legacy hash support, which is disabled - # in the accelerate component. + # in the accelerated component. 'shax', 'mdx', # This suite tests builtins directly, but these are missing # in the accelerated case. -- cgit v1.1 From 18be2fb9df3097bbe54c90a420b976dccace4279 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 15:07:02 +0100 Subject: driver-only-builds: improve a sentence in the HMAC section Signed-off-by: Valerio Setti --- docs/driver-only-builds.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index e4c30bd..4095d8e 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -118,7 +118,9 @@ HMAC by enabling and accelerating: In such a build it is possible to disable legacy HMAC support by disabling `MBEDTLS_MD_C` and still getting crypto operations, X.509 and TLS to work as usual. Exceptions are: -- [Hashes](#hashes) are obviously valid here for the accelerated algorithms. +- As mentioned in [Hashes](#hashes) direct calls to legacy lo-level hash APIs + (`mbedtls_sha256()` etc.) will not be possible for the legacy modules that + are disabled. - Legacy HMAC support (`mbedtls_md_hmac_xxx()`) won't be possible. - `MBEDTLS_PKCS[5|7]_C`, `MBEDTLS_HMAC_DRBG_C` and `MBEDTLS_HKDF_C` since they depend on the legacy implementation of HMAC. -- cgit v1.1 From e29c868ca498a45976e60b0b6be416f71badb2fc Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 12 Jan 2024 16:24:44 +0000 Subject: programs_dh_server: Updated to use `mbedtls_dhm_set_group()` & `mbedtls_dhm_get_len()`. Signed-off-by: Minos Galanakis --- programs/pkey/dh_server.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 91bac0e..1ae5651 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -66,7 +66,7 @@ int main(void) mbedtls_dhm_context dhm; mbedtls_aes_context aes; - mbedtls_mpi N, P, Q, D, E; + mbedtls_mpi N, P, Q, D, E, dhm_P, dhm_G; mbedtls_net_init(&listen_fd); mbedtls_net_init(&client_fd); @@ -75,8 +75,8 @@ int main(void) mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q); - mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); - + mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&dhm_P); + mbedtls_mpi_init(&dhm_G); /* * 1. Setup the RNG */ @@ -141,8 +141,9 @@ int main(void) goto exit; } - if (mbedtls_mpi_read_file(&dhm.MBEDTLS_PRIVATE(P), 16, f) != 0 || - mbedtls_mpi_read_file(&dhm.MBEDTLS_PRIVATE(G), 16, f) != 0) { + if ((ret = mbedtls_mpi_read_file(&dhm_P, 16, f)) != 0 || + (ret = mbedtls_mpi_read_file(&dhm_G, 16, f)) != 0 || + (ret = mbedtls_dhm_set_group(&dhm, &dhm_P, &dhm_G) != 0)) { mbedtls_printf(" failed\n ! Invalid DH parameter file\n\n"); fclose(f); goto exit; @@ -176,7 +177,7 @@ int main(void) memset(buf, 0, sizeof(buf)); if ((ret = - mbedtls_dhm_make_params(&dhm, (int) mbedtls_mpi_size(&dhm.MBEDTLS_PRIVATE(P)), buf, &n, + mbedtls_dhm_make_params(&dhm, (int) mbedtls_dhm_get_len(&dhm), buf, &n, mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { mbedtls_printf(" failed\n ! mbedtls_dhm_make_params returned %d\n\n", ret); goto exit; @@ -286,7 +287,8 @@ int main(void) exit: mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q); - mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); + mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&dhm_P); + mbedtls_mpi_free(&dhm_G); mbedtls_net_free(&client_fd); mbedtls_net_free(&listen_fd); -- cgit v1.1 From 97489dc7e5f9c161395144b0397fb65a5fbfc29b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 12 Jan 2024 16:47:52 +0000 Subject: programs_benchmark: Updated to use `mbedtls_dhm_set_group()` & `mbedtls_dhm_get_len()` Signed-off-by: Minos Galanakis --- programs/test/benchmark.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 6f7f69b..895b148 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -1089,18 +1089,21 @@ int main(int argc, char *argv[]) mbedtls_dhm_context dhm; size_t olen; size_t n; + mbedtls_mpi P, G; + mbedtls_mpi_init(&P); mbedtls_mpi_init(&G); for (i = 0; (size_t) i < sizeof(dhm_sizes) / sizeof(dhm_sizes[0]); i++) { mbedtls_dhm_init(&dhm); - if (mbedtls_mpi_read_binary(&dhm.MBEDTLS_PRIVATE(P), dhm_P[i], + if (mbedtls_mpi_read_binary(&P, dhm_P[i], dhm_P_size[i]) != 0 || - mbedtls_mpi_read_binary(&dhm.MBEDTLS_PRIVATE(G), dhm_G[i], - dhm_G_size[i]) != 0) { + mbedtls_mpi_read_binary(&G, dhm_G[i], + dhm_G_size[i]) != 0 || + mbedtls_dhm_set_group(&dhm, &P, &G) != 0) { mbedtls_exit(1); } - n = mbedtls_mpi_size(&dhm.MBEDTLS_PRIVATE(P)); + n = mbedtls_dhm_get_len(&dhm); mbedtls_dhm_make_public(&dhm, (int) n, buf, n, myrand, NULL); if (mbedtls_mpi_copy(&dhm.MBEDTLS_PRIVATE(GY), &dhm.MBEDTLS_PRIVATE(GX)) != 0) { mbedtls_exit(1); @@ -1119,6 +1122,7 @@ int main(int argc, char *argv[]) mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &olen, myrand, NULL)); mbedtls_dhm_free(&dhm); + mbedtls_mpi_free(&P), mbedtls_mpi_free(&G); } } #endif -- cgit v1.1 From 8ee1b5f46ec60b3bd67706d083116c6d2373918b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 15 Jan 2024 15:54:19 +0000 Subject: programs_benchmark: Updated to use `mbedtls_dhm_read_public()`. Signed-off-by: Minos Galanakis --- programs/test/benchmark.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 895b148..8fa5d62 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -1105,7 +1105,8 @@ int main(int argc, char *argv[]) n = mbedtls_dhm_get_len(&dhm); mbedtls_dhm_make_public(&dhm, (int) n, buf, n, myrand, NULL); - if (mbedtls_mpi_copy(&dhm.MBEDTLS_PRIVATE(GY), &dhm.MBEDTLS_PRIVATE(GX)) != 0) { + + if (mbedtls_dhm_read_public(&dhm, buf, n) != 0) { mbedtls_exit(1); } -- cgit v1.1 From c22bb7a0a461d2671e22df1665914414801087e8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 12:15:23 +0100 Subject: adjust_legacy_from_psa: optimize legacy enablement also for EC key types Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_from_psa.h | 48 ++++++++++++------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 8888b2c..22dde3a 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -87,6 +87,13 @@ #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC #endif +/* Special case: we don't support cooked key derivation in drivers yet */ +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) +#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE +#endif + +/* Note: the condition about key derivation is always true as DERIVE can't be + * accelerated yet */ #if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \ @@ -96,18 +103,9 @@ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)) || \ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \ - !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)) -#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES -#endif - -/* Special case: we don't support cooked key derivation in drivers yet */ -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) -#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE -#endif - -/* Note: the condition is always true as DERIVE can't be accelerated yet */ -#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \ - !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)) || \ + (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)) #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES #endif @@ -314,8 +312,6 @@ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 -#define MBEDTLS_ECP_LIGHT -#define MBEDTLS_BIGNUM_C #endif /* missing accel */ #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ @@ -324,8 +320,6 @@ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 -#define MBEDTLS_ECP_LIGHT -#define MBEDTLS_BIGNUM_C #endif /* missing accel */ #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */ @@ -333,8 +327,6 @@ #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 -#define MBEDTLS_ECP_LIGHT -#define MBEDTLS_BIGNUM_C #endif /* missing accel */ #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ @@ -342,8 +334,6 @@ #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 -#define MBEDTLS_ECP_C -#define MBEDTLS_BIGNUM_C #endif /* missing accel */ #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT */ @@ -351,8 +341,6 @@ #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 -#define MBEDTLS_ECP_C -#define MBEDTLS_BIGNUM_C #endif /* missing accel */ #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */ @@ -361,11 +349,23 @@ #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 -#define MBEDTLS_ECP_LIGHT -#define MBEDTLS_BIGNUM_C #endif /* missing accel */ #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE */ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) +#define MBEDTLS_ECP_LIGHT +#define MBEDTLS_BIGNUM_C +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) +#define MBEDTLS_ECP_C +#define MBEDTLS_BIGNUM_C +#endif + /* End of ECC section */ #if defined(PSA_WANT_DH_RFC7919_2048) -- cgit v1.1 From 0a6acf8db4b5c78272acf03dff08738d938331f1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 14:37:58 +0100 Subject: adjust_legacy_from_psa: use EC pattern for enabling builtin elements of DH Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_from_psa.h | 139 ++++++++++++++++-------- 1 file changed, 93 insertions(+), 46 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 22dde3a..b27f6b9 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -368,52 +368,130 @@ /* End of ECC section */ +/* + * DH key types follow the same pattern used above for EC keys. They are defined + * by a triplet (curve, key_type, alg). A triplet is accelerated if all its + * component are accelerated, otherwise each component needs to be builtin. + */ + +/* DH: curves: is acceleration complete? */ +#if (defined(PSA_WANT_DH_RFC7919_2048) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048)) || \ + (defined(PSA_WANT_DH_RFC7919_3072) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072)) || \ + (defined(PSA_WANT_DH_RFC7919_4096) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096)) || \ + (defined(PSA_WANT_DH_RFC7919_6144) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144)) || \ + (defined(PSA_WANT_DH_RFC7919_8192) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192)) +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES +#endif + +/* DH: algs: is acceleration complete? */ +#if defined(PSA_WANT_ALG_FFDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS +#endif + +/* DH: key types: is acceleration complete? */ +#if (defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)) || \ + (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC)) || \ + (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT)) || \ + (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT)) || \ + (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE)) +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES +#endif + #if defined(PSA_WANT_DH_RFC7919_2048) -#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1 #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */ #endif /* PSA_WANT_DH_RFC7919_2048 */ #if defined(PSA_WANT_DH_RFC7919_3072) -#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1 #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */ #endif /* PSA_WANT_DH_RFC7919_3072 */ #if defined(PSA_WANT_DH_RFC7919_4096) -#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1 #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */ #endif /* PSA_WANT_DH_RFC7919_4096 */ #if defined(PSA_WANT_DH_RFC7919_6144) -#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1 #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */ #endif /* PSA_WANT_DH_RFC7919_6144 */ #if defined(PSA_WANT_DH_RFC7919_8192) -#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) +#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES) #define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1 #endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */ #endif /* PSA_WANT_DH_RFC7919_8192 */ -/* Internal macro to state that there is at least 1 domain parameter which is builtin. */ -#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048) || \ - defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072) || \ - defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096) || \ - defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144) || \ - defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192) -#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS -#endif - #if defined(PSA_WANT_ALG_FFDH) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_PARAMS) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES) #define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1 #define MBEDTLS_BIGNUM_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */ #endif /* PSA_WANT_ALG_FFDH */ +#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */ +#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT */ + +#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */ +#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT */ + +#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE */ +#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */ + +#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */ +#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC */ + +#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1 +#define MBEDTLS_BIGNUM_C +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */ +#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */ + +/* End of DH section */ + #if defined(PSA_WANT_ALG_HKDF) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) /* @@ -601,37 +679,6 @@ #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC */ #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */ -#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */ -#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT */ - -#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */ -#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT */ - -#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE */ -#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */ - -#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1 -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */ -#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC */ - -#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1 -#define MBEDTLS_BIGNUM_C -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */ -#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */ - #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1 -- cgit v1.1 From 2bec5df945585982d29aa44c6a04574468979ac2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 14:39:28 +0100 Subject: psa_crypto_ffdh: fix typos Signed-off-by: Valerio Setti --- library/psa_crypto_ffdh.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto_ffdh.c b/library/psa_crypto_ffdh.c index 95b2a1e..0099d5f 100644 --- a/library/psa_crypto_ffdh.c +++ b/library/psa_crypto_ffdh.c @@ -11,8 +11,8 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) /* This header is only needed because it defines - * MBEDTLS_DHM_RFC7919_FFDHExxxx_[P|G]_BIN symbols that are used in - * mbedtls_psa_ffdh_set_prime_generator(). A part from that, this module + * MBEDTLS_DHM_RFC7919_FFDHEXXXX_[P|G]_BIN symbols that are used in + * mbedtls_psa_ffdh_set_prime_generator(). Apart from that, this module * only uses bignum functions for arithmetic. */ #include -- cgit v1.1 From cc0fd47531ffeffb3185db77a17ee113ce874ea6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 10:19:52 +0100 Subject: platform_util: remove declarations of MBEDTLS_INTERNAL_VALIDATE[_RET]() These macros end up as being always "empty", so they can be removed. Signed-off-by: Valerio Setti --- include/mbedtls/platform_util.h | 4 ---- 1 file changed, 4 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index cba02ab..1b371ef 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -23,10 +23,6 @@ extern "C" { #endif -/* Internal macros meant to be called only from within the library. */ -#define MBEDTLS_INTERNAL_VALIDATE_RET(cond, ret) do { } while (0) -#define MBEDTLS_INTERNAL_VALIDATE(cond) do { } while (0) - /* Internal helper macros for deprecating API constants. */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) -- cgit v1.1 From 41f8f733a13fee5797d305a8196eedd404abd000 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 11:44:40 +0100 Subject: test_psa_compliance: add exception for tests using wrong RSA pub key format Signed-off-by: Valerio Setti --- tests/scripts/test_psa_compliance.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py index 0d56ddf..ed36bef 100755 --- a/tests/scripts/test_psa_compliance.py +++ b/tests/scripts/test_psa_compliance.py @@ -30,7 +30,12 @@ from mbedtls_dev import build_tree EXPECTED_FAILURES = { # psa_hash_suspend() and psa_hash_resume() are not supported. # - Tracked in issue #3274 - 262, 263 + 262, 263, + # PSA standard format for RSA public keys is a sequence of just n (modulus) + # and e (public exponent). However following tests rely on a format which + # also includes some metadata to identify the key as an RSA key, but this + # is not compliant with PSA standard. + 239, 240, 241, 242, 250, 251, } # We currently use a fork of ARM-software/psa-arch-tests, with a couple of downstream patches -- cgit v1.1 From a45a399a6b7418118fd441b4240b583ae3b60a32 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 10:28:09 +0100 Subject: lib: remove NULL pointer checks performed with MBEDTLS_INTERNAL_VALIDATE[_RET] Symbols defined starting from MBEDTLS_INTERNAL_VALIDATE[_RET] are removed as well. Signed-off-by: Valerio Setti --- include/mbedtls/cipher.h | 10 ------ library/aria.c | 29 --------------- library/bignum.c | 93 ------------------------------------------------ library/ecp_curves.c | 7 ---- library/ecp_curves_new.c | 7 ---- library/platform_util.c | 2 -- 6 files changed, 148 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 815b5bb..1dc31c9 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -678,7 +678,6 @@ int MBEDTLS_DEPRECATED mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx) { - MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0); if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) { return 0; } @@ -698,7 +697,6 @@ static inline unsigned int mbedtls_cipher_get_block_size( static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx) { - MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, MBEDTLS_MODE_NONE); if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) { return MBEDTLS_MODE_NONE; } @@ -719,7 +717,6 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx) { - MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0); if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) { return 0; } @@ -743,8 +740,6 @@ static inline int mbedtls_cipher_get_iv_size( static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_cipher_context_t *ctx) { - MBEDTLS_INTERNAL_VALIDATE_RET( - ctx != NULL, MBEDTLS_CIPHER_NONE); if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) { return MBEDTLS_CIPHER_NONE; } @@ -764,7 +759,6 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx) { - MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0); if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) { return 0; } @@ -784,8 +778,6 @@ static inline const char *mbedtls_cipher_get_name( static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t *ctx) { - MBEDTLS_INTERNAL_VALIDATE_RET( - ctx != NULL, MBEDTLS_KEY_LENGTH_NONE); if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) { return MBEDTLS_KEY_LENGTH_NONE; } @@ -805,8 +797,6 @@ static inline int mbedtls_cipher_get_key_bitlen( static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_cipher_context_t *ctx) { - MBEDTLS_INTERNAL_VALIDATE_RET( - ctx != NULL, MBEDTLS_OPERATION_NONE); if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) { return MBEDTLS_OPERATION_NONE; } diff --git a/library/aria.c b/library/aria.c index ba12578..2c36598 100644 --- a/library/aria.c +++ b/library/aria.c @@ -25,12 +25,6 @@ #include "mbedtls/platform_util.h" -/* Parameter validation macros */ -#define ARIA_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA) -#define ARIA_VALIDATE(cond) \ - MBEDTLS_INTERNAL_VALIDATE(cond) - /* * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes * @@ -363,8 +357,6 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, int i; uint32_t w[4][4], *w2; - ARIA_VALIDATE_RET(ctx != NULL); - ARIA_VALIDATE_RET(key != NULL); if (keybits != 128 && keybits != 192 && keybits != 256) { return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; @@ -418,8 +410,6 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits) { int i, j, k, ret; - ARIA_VALIDATE_RET(ctx != NULL); - ARIA_VALIDATE_RET(key != NULL); ret = mbedtls_aria_setkey_enc(ctx, key, keybits); if (ret != 0) { @@ -455,9 +445,6 @@ int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, int i; uint32_t a, b, c, d; - ARIA_VALIDATE_RET(ctx != NULL); - ARIA_VALIDATE_RET(input != NULL); - ARIA_VALIDATE_RET(output != NULL); a = MBEDTLS_GET_UINT32_LE(input, 0); b = MBEDTLS_GET_UINT32_LE(input, 4); @@ -505,7 +492,6 @@ int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, /* Initialize context */ void mbedtls_aria_init(mbedtls_aria_context *ctx) { - ARIA_VALIDATE(ctx != NULL); memset(ctx, 0, sizeof(mbedtls_aria_context)); } @@ -531,13 +517,8 @@ int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, unsigned char *output) { unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; - - ARIA_VALIDATE_RET(ctx != NULL); ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || mode == MBEDTLS_ARIA_DECRYPT); - ARIA_VALIDATE_RET(length == 0 || input != NULL); - ARIA_VALIDATE_RET(length == 0 || output != NULL); - ARIA_VALIDATE_RET(iv != NULL); if (length % MBEDTLS_ARIA_BLOCKSIZE) { return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH; @@ -587,14 +568,8 @@ int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, { unsigned char c; size_t n; - - ARIA_VALIDATE_RET(ctx != NULL); ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || mode == MBEDTLS_ARIA_DECRYPT); - ARIA_VALIDATE_RET(length == 0 || input != NULL); - ARIA_VALIDATE_RET(length == 0 || output != NULL); - ARIA_VALIDATE_RET(iv != NULL); - ARIA_VALIDATE_RET(iv_off != NULL); n = *iv_off; @@ -650,12 +625,8 @@ int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, int c, i; size_t n; - ARIA_VALIDATE_RET(ctx != NULL); ARIA_VALIDATE_RET(length == 0 || input != NULL); ARIA_VALIDATE_RET(length == 0 || output != NULL); - ARIA_VALIDATE_RET(nonce_counter != NULL); - ARIA_VALIDATE_RET(stream_block != NULL); - ARIA_VALIDATE_RET(nc_off != NULL); n = *nc_off; /* An overly large value of n can lead to an unlimited diff --git a/library/bignum.c b/library/bignum.c index 1869137..6a80720 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -37,11 +37,6 @@ #include "mbedtls/platform.h" -#define MPI_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA) -#define MPI_VALIDATE(cond) \ - MBEDTLS_INTERNAL_VALIDATE(cond) - /* * Compare signed values in constant time */ @@ -51,10 +46,6 @@ int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X, { mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(Y != NULL); - MPI_VALIDATE_RET(ret != NULL); - if (X->n != Y->n) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } @@ -115,8 +106,6 @@ int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, unsigned char assign) { int ret = 0; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(Y != NULL); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n)); @@ -149,8 +138,6 @@ int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, { int ret = 0; int s; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(Y != NULL); if (X == Y) { return 0; @@ -179,8 +166,6 @@ cleanup: */ void mbedtls_mpi_init(mbedtls_mpi *X) { - MPI_VALIDATE(X != NULL); - X->s = 1; X->n = 0; X->p = NULL; @@ -210,7 +195,6 @@ void mbedtls_mpi_free(mbedtls_mpi *X) int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs) { mbedtls_mpi_uint *p; - MPI_VALIDATE_RET(X != NULL); if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) { return MBEDTLS_ERR_MPI_ALLOC_FAILED; @@ -243,7 +227,6 @@ int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs) { mbedtls_mpi_uint *p; size_t i; - MPI_VALIDATE_RET(X != NULL); if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) { return MBEDTLS_ERR_MPI_ALLOC_FAILED; @@ -312,8 +295,6 @@ int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y) { int ret = 0; size_t i; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(Y != NULL); if (X == Y) { return 0; @@ -355,8 +336,6 @@ cleanup: void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y) { mbedtls_mpi T; - MPI_VALIDATE(X != NULL); - MPI_VALIDATE(Y != NULL); memcpy(&T, X, sizeof(mbedtls_mpi)); memcpy(X, Y, sizeof(mbedtls_mpi)); @@ -385,7 +364,6 @@ static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z) int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MPI_VALIDATE_RET(X != NULL); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1)); memset(X->p, 0, X->n * ciL); @@ -403,8 +381,6 @@ cleanup: */ int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos) { - MPI_VALIDATE_RET(X != NULL); - if (X->n * biL <= pos) { return 0; } @@ -420,7 +396,6 @@ int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val) int ret = 0; size_t off = pos / biL; size_t idx = pos % biL; - MPI_VALIDATE_RET(X != NULL); if (val != 0 && val != 1) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -448,7 +423,6 @@ cleanup: size_t mbedtls_mpi_lsb(const mbedtls_mpi *X) { size_t i; - MBEDTLS_INTERNAL_VALIDATE_RET(X != NULL, 0); #if defined(__has_builtin) #if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz) @@ -530,8 +504,6 @@ int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s) int sign = 1; mbedtls_mpi_uint d; mbedtls_mpi T; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(s != NULL); if (radix < 2 || radix > 16) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -634,8 +606,6 @@ int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix, size_t n; char *p; mbedtls_mpi T; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(olen != NULL); MPI_VALIDATE_RET(buflen == 0 || buf != NULL); if (radix < 2 || radix > 16) { @@ -726,9 +696,6 @@ int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin) */ char s[MBEDTLS_MPI_RW_BUFFER_SIZE]; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(fin != NULL); - if (radix < 2 || radix > 16) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } @@ -772,7 +739,6 @@ int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE * newline characters and '\0' */ char s[MBEDTLS_MPI_RW_BUFFER_SIZE]; - MPI_VALIDATE_RET(X != NULL); if (radix < 2 || radix > 16) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -843,8 +809,6 @@ int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buf { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const size_t limbs = CHARS_TO_LIMBS(buflen); - - MPI_VALIDATE_RET(X != NULL); MPI_VALIDATE_RET(buflen == 0 || buf != NULL); /* Ensure that target MPI has exactly the necessary number of limbs */ @@ -887,7 +851,6 @@ int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t i; - MPI_VALIDATE_RET(X != NULL); i = mbedtls_mpi_bitlen(X) + count; @@ -908,7 +871,6 @@ cleanup: */ int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count) { - MPI_VALIDATE_RET(X != NULL); if (X->n != 0) { mbedtls_mpi_core_shift_r(X->p, X->n, count); } @@ -921,8 +883,6 @@ int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count) int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y) { size_t i, j; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(Y != NULL); for (i = X->n; i > 0; i--) { if (X->p[i - 1] != 0) { @@ -964,8 +924,6 @@ int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y) int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y) { size_t i, j; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(Y != NULL); for (i = X->n; i > 0; i--) { if (X->p[i - 1] != 0) { @@ -1016,7 +974,6 @@ int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z) { mbedtls_mpi Y; mbedtls_mpi_uint p[1]; - MPI_VALIDATE_RET(X != NULL); *p = mpi_sint_abs(z); Y.s = TO_SIGN(z); @@ -1035,9 +992,6 @@ int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi size_t j; mbedtls_mpi_uint *p; mbedtls_mpi_uint c; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(B != NULL); if (X == B) { const mbedtls_mpi *T = A; A = X; B = T; @@ -1098,9 +1052,6 @@ int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n; mbedtls_mpi_uint carry; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(B != NULL); for (n = B->n; n > 0; n--) { if (B->p[n - 1] != 0) { @@ -1152,9 +1103,6 @@ static int add_sub_mpi(mbedtls_mpi *X, int flip_B) { int ret, s; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(B != NULL); s = A->s; if (A->s * B->s * flip_B < 0) { @@ -1203,8 +1151,6 @@ int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b { mbedtls_mpi B; mbedtls_mpi_uint p[1]; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); p[0] = mpi_sint_abs(b); B.s = TO_SIGN(b); @@ -1221,8 +1167,6 @@ int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b { mbedtls_mpi B; mbedtls_mpi_uint p[1]; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); p[0] = mpi_sint_abs(b); B.s = TO_SIGN(b); @@ -1241,9 +1185,6 @@ int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi size_t i, j; mbedtls_mpi TA, TB; int result_is_zero = 0; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(B != NULL); mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB); @@ -1300,9 +1241,6 @@ cleanup: */ int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b) { - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); - size_t n = A->n; while (n > 0 && A->p[n - 1] == 0) { --n; @@ -1448,8 +1386,6 @@ int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, size_t i, n, t, k; mbedtls_mpi X, Y, Z, T1, T2; mbedtls_mpi_uint TP2[3]; - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(B != NULL); if (mbedtls_mpi_cmp_int(B, 0) == 0) { return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO; @@ -1572,7 +1508,6 @@ int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, { mbedtls_mpi B; mbedtls_mpi_uint p[1]; - MPI_VALIDATE_RET(A != NULL); p[0] = mpi_sint_abs(b); B.s = TO_SIGN(b); @@ -1588,9 +1523,6 @@ int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MPI_VALIDATE_RET(R != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(B != NULL); if (mbedtls_mpi_cmp_int(B, 0) < 0) { return MBEDTLS_ERR_MPI_NEGATIVE_VALUE; @@ -1618,8 +1550,6 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_s { size_t i; mbedtls_mpi_uint x, y, z; - MPI_VALIDATE_RET(r != NULL); - MPI_VALIDATE_RET(A != NULL); if (b == 0) { return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO; @@ -1763,11 +1693,6 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos; int neg; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(E != NULL); - MPI_VALIDATE_RET(N != NULL); - if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } @@ -2054,10 +1979,6 @@ int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B) size_t lz, lzt; mbedtls_mpi TA, TB; - MPI_VALIDATE_RET(G != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(B != NULL); - mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB); MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); @@ -2168,9 +2089,6 @@ int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const size_t limbs = CHARS_TO_LIMBS(size); - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(f_rng != NULL); - /* Ensure that target MPI has exactly the necessary number of limbs */ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs)); if (size == 0) { @@ -2214,9 +2132,6 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(A != NULL); - MPI_VALIDATE_RET(N != NULL); if (mbedtls_mpi_cmp_int(N, 1) <= 0) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -2372,9 +2287,6 @@ static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds, size_t i, j, k, s; mbedtls_mpi W, R, T, A, RR; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(f_rng != NULL); - mbedtls_mpi_init(&W); mbedtls_mpi_init(&R); mbedtls_mpi_init(&T); mbedtls_mpi_init(&A); mbedtls_mpi_init(&RR); @@ -2462,8 +2374,6 @@ int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi XX; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(f_rng != NULL); XX.s = 1; XX.n = X->n; @@ -2513,9 +2423,6 @@ int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags, mbedtls_mpi_uint r; mbedtls_mpi Y; - MPI_VALIDATE_RET(X != NULL); - MPI_VALIDATE_RET(f_rng != NULL); - if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 577e23b..d295709 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -23,12 +23,6 @@ #if !defined(MBEDTLS_ECP_ALT) -/* Parameter validation macros based on platform_util.h */ -#define ECP_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA) -#define ECP_VALIDATE(cond) \ - MBEDTLS_INTERNAL_VALIDATE(cond) - #define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) } #define ECP_MPI_INIT_ARRAY(x) \ @@ -4722,7 +4716,6 @@ cleanup: */ int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id) { - ECP_VALIDATE_RET(grp != NULL); mbedtls_ecp_group_free(grp); mbedtls_ecp_group_init(grp); diff --git a/library/ecp_curves_new.c b/library/ecp_curves_new.c index 4ee0f58..035b23a 100644 --- a/library/ecp_curves_new.c +++ b/library/ecp_curves_new.c @@ -28,12 +28,6 @@ #if !defined(MBEDTLS_ECP_ALT) -/* Parameter validation macros based on platform_util.h */ -#define ECP_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA) -#define ECP_VALIDATE(cond) \ - MBEDTLS_INTERNAL_VALIDATE(cond) - #define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) } #define ECP_MPI_INIT_ARRAY(x) \ @@ -4764,7 +4758,6 @@ cleanup: */ int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id) { - ECP_VALIDATE_RET(grp != NULL); mbedtls_ecp_group_free(grp); mbedtls_ecp_group_init(grp); diff --git a/library/platform_util.c b/library/platform_util.c index 9f5dcb8..f840004 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -93,8 +93,6 @@ static void *(*const volatile memset_func)(void *, int, size_t) = memset; void mbedtls_platform_zeroize(void *buf, size_t len) { - MBEDTLS_INTERNAL_VALIDATE(len == 0 || buf != NULL); - if (len > 0) { #if defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO) explicit_bzero(buf, len); -- cgit v1.1 From ea3a6114e6fd8feada89ba550d563546aa521cc9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 10:37:14 +0100 Subject: aria: replace ARIA_VALIDATE_RET() with a simple "if" block Signed-off-by: Valerio Setti --- library/aria.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/library/aria.c b/library/aria.c index 2c36598..a4d6c50 100644 --- a/library/aria.c +++ b/library/aria.c @@ -517,8 +517,10 @@ int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, unsigned char *output) { unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; - ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || - mode == MBEDTLS_ARIA_DECRYPT); + + if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) { + return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; + } if (length % MBEDTLS_ARIA_BLOCKSIZE) { return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH; @@ -568,8 +570,10 @@ int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, { unsigned char c; size_t n; - ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || - mode == MBEDTLS_ARIA_DECRYPT); + + if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) { + return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; + } n = *iv_off; @@ -625,9 +629,6 @@ int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, int c, i; size_t n; - ARIA_VALIDATE_RET(length == 0 || input != NULL); - ARIA_VALIDATE_RET(length == 0 || output != NULL); - n = *nc_off; /* An overly large value of n can lead to an unlimited * buffer overflow. Therefore, guard against this -- cgit v1.1 From 4e048f1749757d4ea83f8bab414fc47015119f8a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 10:46:19 +0100 Subject: bignum: removing usage of MPI_VALIDATE_RET() Signed-off-by: Valerio Setti --- library/bignum.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 6a80720..d3d72ab 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -606,7 +606,6 @@ int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix, size_t n; char *p; mbedtls_mpi T; - MPI_VALIDATE_RET(buflen == 0 || buf != NULL); if (radix < 2 || radix > 16) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -809,7 +808,6 @@ int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buf { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const size_t limbs = CHARS_TO_LIMBS(buflen); - MPI_VALIDATE_RET(buflen == 0 || buf != NULL); /* Ensure that target MPI has exactly the necessary number of limbs */ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs)); -- cgit v1.1 From f23336e0406e719fe5d736e2b464e22468ca0f3b Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 24 Jan 2024 11:39:21 +0000 Subject: Make psa_close_key thread safe There are two mutex locks here, the one performed in get_and_lock.. and the one performed outside. Linearizes at the final unlock. (This function is deprecated) Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 47ace35..3bb2691 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -536,11 +536,22 @@ psa_status_t psa_close_key(psa_key_handle_t handle) return status; } + +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif if (slot->registered_readers == 1) { - return psa_wipe_key_slot(slot); + status = psa_wipe_key_slot(slot); } else { - return psa_unregister_read(slot); + status = psa_unregister_read(slot); } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif + + return status; } psa_status_t psa_purge_key(mbedtls_svc_key_id_t key) -- cgit v1.1 From b0821959ae4a742de79d834bd71bc3cd1952fb86 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 24 Jan 2024 11:42:32 +0000 Subject: Make psa_purge_key thread safe Relies on get_and_lock_X being thread safe. There are two mutex locks here, one in psa_get_and_lock... Linearization point is the final unlock (or first lock on failure). Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 3bb2691..e8813b9 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -564,12 +564,22 @@ psa_status_t psa_purge_key(mbedtls_svc_key_id_t key) return status; } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) && (slot->registered_readers == 1)) { - return psa_wipe_key_slot(slot); + status = psa_wipe_key_slot(slot); } else { - return psa_unregister_read(slot); + status = psa_unregister_read(slot); } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif + + return status; } void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats) -- cgit v1.1 From 16abd59a62522852423a35c2b96a087676e6a7ad Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 24 Jan 2024 17:37:46 +0000 Subject: Update psa_wipe_all_key_slots and document non-thread safety This function, and mbedtls_psa_crypto_free, are not thread safe as they wipe slots regardless of state. They are not part of the PSA Crypto API, untrusted applications cannot call these functions in a crypto service. In a service intergration, mbedtls_psa_crypto_free on the client cuts the communication with the crypto service. Signed-off-by: Ryan Everett --- include/psa/crypto_extra.h | 2 ++ library/psa_crypto_slot_management.c | 6 ++++++ library/psa_crypto_slot_management.h | 2 ++ 3 files changed, 10 insertions(+) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index fc9bf4f..18dccae 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -198,6 +198,8 @@ psa_status_t mbedtls_psa_register_se_key( * * This function clears all data associated with the PSA layer, * including the whole key store. + * This function is not thread safe, it wipes every key slot regardless of + * state and reader count. It should only be called when no slot is in use. * * This is an Mbed TLS extension. */ diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index e8813b9..599cc36 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -144,6 +144,9 @@ void psa_wipe_all_key_slots(void) { size_t slot_idx; +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex); +#endif for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) { psa_key_slot_t *slot = &global_data.key_slots[slot_idx]; slot->registered_readers = 1; @@ -151,6 +154,9 @@ void psa_wipe_all_key_slots(void) (void) psa_wipe_key_slot(slot); } global_data.key_slots_initialized = 0; +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex); +#endif } psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h index 002429b..18a9144 100644 --- a/library/psa_crypto_slot_management.h +++ b/library/psa_crypto_slot_management.h @@ -92,6 +92,8 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, psa_status_t psa_initialize_key_slots(void); /** Delete all data from key slots in memory. + * This function is not thread safe, it wipes every key slot regardless of + * state and reader count. It should only be called when no slot is in use. * * This does not affect persistent storage. */ void psa_wipe_all_key_slots(void); -- cgit v1.1 From 9b9b5a52d95c476a66e441706a38e98631c6990e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 16:53:03 +0100 Subject: psa_util: some code improvement to convert_der_to_raw_single_int() This commit also fixes test_suite_psa_crypto_util.data due to the change in one of the return values. Signed-off-by: Valerio Setti --- library/psa_util.c | 10 +++++++--- tests/suites/test_suite_psa_crypto_util.data | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 9e21602..0349873 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -494,7 +494,7 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } /* Skip possible leading zero */ - if (*p == 0x00) { + if ((*p == 0x00) && (unpadded_len > 0)) { p++; unpadded_len--; /* It should never happen that the input number is all zeros. */ @@ -503,9 +503,13 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } } - if (unpadded_len < coordinate_size) { + if (unpadded_len > coordinate_size) { + /* Parsed number is longer than the maximum expected value. */ + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } else { padding_len = coordinate_size - unpadded_len; - memset(raw, 0x00, padding_len); + /* raw buffer was already zeroed in mbedtls_ecdsa_der_to_raw() so + * zero-padding operation is skipped here. */ } memcpy(raw + padding_len, p, unpadded_len); p += unpadded_len; diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 45a3cb5..40f6391 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -52,7 +52,7 @@ ecdsa_der_to_raw:256:"3044021911111111111111111111111111111111111111111111111111 ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) depends_on:PSA_WANT_ECC_SECP_K1_256 -- cgit v1.1 From ee5238fcf4c25f046cd54a00680118e3da65f2b5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 17:34:07 +0100 Subject: suite_psa_crypto_util: add more testing for mbedtls_ecdsa_raw_to_der() A new test function is added, ecdsa_raw_to_der_incremental, that tests incremental output DER buffer sizes checking that only the correct one (tested at last) works correctly. Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 12 ++++++++++++ tests/suites/test_suite_psa_crypto_util.function | 24 ++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 40f6391..4bb2044 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -83,3 +83,15 @@ ecdsa_raw_to_der:528:"1111111111111111111111111111111111111111111111111111111111 ECDSA DER -> Raw, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA Raw -> DER, 256bit, Incremental DER buffer sizes +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der_incremental:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222" + +ECDSA Raw -> DER, 512bit, Incremental DER buffer sizes +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818502410091111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" + +ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes +depends_on:PSA_WANT_ECC_SECP_R1_521 +ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 8f0dd6c..d1647d4 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -26,6 +26,30 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ +void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_result) +{ + unsigned char *tmp_buf = NULL; + size_t tmp_buf_len = exp_result->len; + size_t ret_len; + size_t i; + + TEST_CALLOC(tmp_buf, tmp_buf_len); + + for (i = 0; i < tmp_buf_len; i++) { + TEST_ASSERT(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, i, &ret_len, + key_bits) != 0); + } + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, i, &ret_len, + key_bits), 0); + +exit: + mbedtls_free(tmp_buf); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; -- cgit v1.1 From 122c94fd269a0c0f3c047a1a9f7ca03489ab292b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 18:02:03 +0100 Subject: psa_util: remove raw_len param from convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 0349873..0c603b7 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -460,7 +460,6 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \param raw Output buffer that will be filled with the * converted data. This should be at least * coordinate_size bytes. - * \param raw_len Size (in bytes) of the output raw buffer. * \param coordinate_size Size (in bytes) of a single coordinate in raw * format. * @@ -475,17 +474,12 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \warning Der and raw buffers must not be overlapping. */ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, - unsigned char *raw, size_t raw_len, - size_t coordinate_size) + unsigned char *raw, size_t coordinate_size) { unsigned char *p = der; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t unpadded_len, padding_len = 0; - if (raw_len < coordinate_size) { - return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; - } - /* Get the length of ASN.1 element (i.e. the integer we need to parse). */ ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len, MBEDTLS_ASN1_INTEGER); @@ -543,8 +537,7 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, memset(raw_tmp, 0, sizeof(raw_tmp)); /* Extract r */ - ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, sizeof(raw_tmp), - coordinate_size); + ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, coordinate_size); if (ret < 0) { return ret; } @@ -553,7 +546,6 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, /* Extract s */ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp + coordinate_size, - sizeof(raw_tmp) - coordinate_size, coordinate_size); if (ret < 0) { return ret; -- cgit v1.1 From c053d968f2b90926a6c69b079fc35d25713005fb Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 25 Jan 2024 17:56:32 +0000 Subject: Make psa_destroy_key threadsafe We do not require linearizability in the case of destroying a key in use. Using a key and destroying it simultaneously will not cause any issues as the user will only use the copy of the key in the slot. Two simulatenous deletion calls to one key cannot interfere, the first caller sets the slot's state to PENDING_DELETION, the second caller will back off. Remove outdated comment about one key being in multiple slots, psa_open_key does not put the key into a new slot. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e6d3851..c816668 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1071,6 +1071,10 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) return status; } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif /* Set the key slot containing the key description's state to * PENDING_DELETION. This stops new operations from registering * to read the slot. Current readers can safely continue to access @@ -1079,7 +1083,12 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) * If the key is persistent, we can now delete the copy of the key * from memory. If the key is opaque, we require the driver to * deal with the deletion. */ - slot->state = PSA_SLOT_PENDING_DELETION; + status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL, + PSA_SLOT_PENDING_DELETION); + + if (status != PSA_SUCCESS) { + goto exit; + } if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) { /* Refuse the destruction of a read-only key (which may or may not work @@ -1134,11 +1143,6 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) if (overall_status == PSA_SUCCESS) { overall_status = status; } - - /* TODO: other slots may have a copy of the same key. We should - * invalidate them. - * https://github.com/ARMmbed/mbed-crypto/issues/214 - */ } #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ @@ -1159,8 +1163,14 @@ exit: /* Unregister from reading the slot. If we are the last active reader * then this will wipe the slot. */ status = psa_unregister_read(slot); - /* Prioritize CORRUPTION_DETECTED from unregistering over - * a storage error. */ + +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif + + /* Prioritize CORRUPTION_DETECTED from unregistering or + * SERVICE_FAILURE from unlocking over a storage error. */ if (status != PSA_SUCCESS) { overall_status = status; } -- cgit v1.1 From 7a795fd9515a27dd1d7e5cc4fe319526c46842b9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 18:08:42 +0100 Subject: suite_psa_crypto_util: add more test cases for DER->RAW - r with MSb set - Invalid r (only 1 zero byte) Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 4bb2044..49b4919 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -62,6 +62,14 @@ ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ECDSA DER -> Raw, 256bit, r with MSb set +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -- cgit v1.1 From 763971f32ec317c5c8c6248f39d2f30cee3a93b5 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Mon, 29 Jan 2024 17:13:36 +0000 Subject: Comment on locking strategy in psa_destroy_key Signed-off-by: Ryan Everett --- library/psa_crypto.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c816668..9d7b72f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1072,6 +1072,10 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) } #if defined(MBEDTLS_THREADING_C) + /* We cannot unlock between setting the state to PENDING_DELETION + * and destroying the key in storage, as otherwise another thread + * could load the key into a new slot and the key will not be + * fully destroyed. */ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock( &mbedtls_threading_key_slot_mutex)); #endif -- cgit v1.1 From 307ce2cff5fa44decd481cd334c9206ad8e3725a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 08:05:20 +0100 Subject: test_psa_compliance: use the last upstream release of psa-arch-tests Release: v23.06_API1.5_ADAC_EAC This fixes all the issues that were previously added as exceptions. Signed-off-by: Valerio Setti --- tests/scripts/test_psa_compliance.py | 25 ++++--------------------- 1 file changed, 4 insertions(+), 21 deletions(-) diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py index ed36bef..8d70cbc 100755 --- a/tests/scripts/test_psa_compliance.py +++ b/tests/scripts/test_psa_compliance.py @@ -27,27 +27,10 @@ from mbedtls_dev import build_tree # The test numbers correspond to the numbers used by the console output of the test suite. # Test number 2xx corresponds to the files in the folder # psa-arch-tests/api-tests/dev_apis/crypto/test_c0xx -EXPECTED_FAILURES = { - # psa_hash_suspend() and psa_hash_resume() are not supported. - # - Tracked in issue #3274 - 262, 263, - # PSA standard format for RSA public keys is a sequence of just n (modulus) - # and e (public exponent). However following tests rely on a format which - # also includes some metadata to identify the key as an RSA key, but this - # is not compliant with PSA standard. - 239, 240, 241, 242, 250, 251, -} - -# We currently use a fork of ARM-software/psa-arch-tests, with a couple of downstream patches -# that allow it to build with Mbed TLS 3, and fixes a couple of issues in the compliance test suite. -# These fixes allow the tests numbered 216, 248 and 249 to complete successfully. -# -# Once all the fixes are upstreamed, this fork should be replaced with an upstream commit/tag. -# - Tracked in issue #5145 -# -# Web URL: https://github.com/bensze01/psa-arch-tests/tree/fixes-for-mbedtls-3 -PSA_ARCH_TESTS_REPO = 'https://github.com/bensze01/psa-arch-tests.git' -PSA_ARCH_TESTS_REF = 'fix-pr-5736' +EXPECTED_FAILURES = {} # type: dict + +PSA_ARCH_TESTS_REPO = 'https://github.com/ARM-software/psa-arch-tests.git' +PSA_ARCH_TESTS_REF = 'v23.06_API1.5_ADAC_EAC' #pylint: disable=too-many-branches,too-many-statements,too-many-locals def main(library_build_dir: str): -- cgit v1.1 From e0c13cffb30453877d7e1f280465d50da1671021 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 30 Jan 2024 10:17:49 +0100 Subject: Update some msg descriptions Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 13338d4..aeeddd6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2453,16 +2453,16 @@ component_test_no_psa_crypto_full_cmake_asan() { # Note: ssl-opt.sh has some test cases that depend on # MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO # This is the only component where those tests are not skipped. - msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)" + msg "test: ssl-opt.sh (full minus PSA crypto)" tests/ssl-opt.sh - msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)" + msg "test: compat.sh default (full minus PSA crypto)" tests/compat.sh - msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" + msg "test: compat.sh NULL (full minus PSA crypto)" tests/compat.sh -f 'NULL' - msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" + msg "test: compat.sh ARIA + ChachaPoly (full minus PSA crypto)" env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } -- cgit v1.1 From f8c2cd14896d0047926a3e242896ece3b580c0b1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 30 Jan 2024 10:18:36 +0100 Subject: Update preprocessor guard comment Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index cf0581c..23a7b25 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -127,7 +127,7 @@ static int pk_genkey(mbedtls_pk_context *pk, int curve_or_keybits) &mbedtls_pk_ec_rw(*pk)->d, &mbedtls_pk_ec_rw(*pk)->Q, mbedtls_test_rnd_std_rand, NULL); -#endif /* MBEDTLS_ECP_C && !MBEDTLS_PK_USE_PSA_EC_DATA */ +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ } #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ -- cgit v1.1 From 3da3c0a0009dca7abd26c387d1754f8c56a431e6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 30 Jan 2024 10:22:29 +0100 Subject: Always call psa_crypto_init when testing mbedtls_pk_get_psa_attributes mbedtls_pk_get_psa_attributes() actually works without having initialized the PSA subsystem, because it doesn't call any non-client PSA API functions. But the function is only useful in conjunction with the PSA API: it's meant to be followed by importing a key with the resulting attributes. We don't advertize it to work without an up-and-running PSA subsystem, and there's no need to test it without an up-and-running PSA subsystem as we were (accidentally) doing. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 23a7b25..225ead4 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1711,7 +1711,7 @@ void pk_get_psa_attributes(int pk_type, int from_pair, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_usage_t usage = usage_arg; - MD_OR_USE_PSA_INIT(); + PSA_INIT(); psa_key_type_t expected_psa_type = 0; if (!pk_setup_for_type(pk_type, from_pair, &pk, &expected_psa_type)) { @@ -1772,7 +1772,7 @@ void pk_get_psa_attributes(int pk_type, int from_pair, exit: mbedtls_pk_free(&pk); psa_reset_key_attributes(&attributes); - MD_OR_USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ @@ -1786,7 +1786,7 @@ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, psa_key_usage_t usage = usage_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - MD_OR_USE_PSA_INIT(); + PSA_INIT(); psa_key_type_t expected_psa_type = 0; if (!pk_setup_for_type(MBEDTLS_PK_RSA, from_pair, &pk, &expected_psa_type)) { @@ -1833,7 +1833,7 @@ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, exit: mbedtls_pk_free(&pk); psa_reset_key_attributes(&attributes); - MD_OR_USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ @@ -1847,7 +1847,7 @@ void pk_get_psa_attributes_fail(int pk_type, int from_pair, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_usage_t usage = usage_arg; - MD_OR_USE_PSA_INIT(); + PSA_INIT(); psa_key_type_t expected_psa_type; if (!pk_setup_for_type(pk_type, from_pair, &pk, &expected_psa_type)) { @@ -1860,7 +1860,7 @@ void pk_get_psa_attributes_fail(int pk_type, int from_pair, exit: mbedtls_pk_free(&pk); psa_reset_key_attributes(&attributes); - MD_OR_USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ -- cgit v1.1 From 03aa9bc2268d2e5c00fccb3cfd18c498e23f79a6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 30 Jan 2024 11:08:44 +0100 Subject: Switch pk_setup_for_type() to return MBEDTLS_ERR_xxx Use mbedtls return codes rather than a boolean "has test not failed?". Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 225ead4..3fa7c7a 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -6,6 +6,7 @@ #include "mbedtls/asn1.h" #include "mbedtls/base64.h" #include "mbedtls/ecp.h" +#include "mbedtls/error.h" #include "mbedtls/rsa.h" #include "pk_internal.h" @@ -201,10 +202,8 @@ static mbedtls_ecp_group_id ecc_pick_grp_id(void) static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, mbedtls_pk_context *pk, psa_key_type_t *psa_type) { - int ok = 0; - if (pk_type == MBEDTLS_PK_NONE) { - return 1; + return 0; } TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0); @@ -278,10 +277,10 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, if (!want_pair) { *psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type); } - ok = 1; + return 0; exit: - return ok; + return MBEDTLS_ERR_ERROR_GENERIC_ERROR; } #endif @@ -1714,9 +1713,8 @@ void pk_get_psa_attributes(int pk_type, int from_pair, PSA_INIT(); psa_key_type_t expected_psa_type = 0; - if (!pk_setup_for_type(pk_type, from_pair, &pk, &expected_psa_type)) { - goto exit; - } + TEST_EQUAL(pk_setup_for_type(pk_type, from_pair, + &pk, &expected_psa_type), 0); if (!to_pair) { expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type); } @@ -1789,9 +1787,8 @@ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, PSA_INIT(); psa_key_type_t expected_psa_type = 0; - if (!pk_setup_for_type(MBEDTLS_PK_RSA, from_pair, &pk, &expected_psa_type)) { - goto exit; - } + TEST_EQUAL(pk_setup_for_type(MBEDTLS_PK_RSA, from_pair, + &pk, &expected_psa_type), 0); mbedtls_rsa_context *rsa = mbedtls_pk_rsa(pk); TEST_EQUAL(mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_type), 0); if (!to_pair) { @@ -1850,9 +1847,8 @@ void pk_get_psa_attributes_fail(int pk_type, int from_pair, PSA_INIT(); psa_key_type_t expected_psa_type; - if (!pk_setup_for_type(pk_type, from_pair, &pk, &expected_psa_type)) { - goto exit; - } + TEST_EQUAL(pk_setup_for_type(pk_type, from_pair, + &pk, &expected_psa_type), 0); TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), expected_ret); -- cgit v1.1 From 2a6cb5c88104d92496365d77bbb0a91f803d2241 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=98rjan=20Malde?= Date: Fri, 26 Jan 2024 12:51:35 +0000 Subject: fix build for midipix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ørjan Malde --- library/entropy_poll.c | 2 +- library/platform_util.c | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/library/entropy_poll.c b/library/entropy_poll.c index bd21e2d..794ee03 100644 --- a/library/entropy_poll.c +++ b/library/entropy_poll.c @@ -5,7 +5,7 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#if defined(__linux__) && !defined(_GNU_SOURCE) +#if defined(__linux__) || defined(__midipix__) && !defined(_GNU_SOURCE) /* Ensure that syscall() is available even when compiling with -std=c99 */ #define _GNU_SOURCE #endif diff --git a/library/platform_util.c b/library/platform_util.c index 9f5dcb8..eafb0aa 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -151,10 +151,10 @@ void mbedtls_zeroize_and_free(void *buf, size_t len) #include #if !defined(_WIN32) && (defined(unix) || \ defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \ - defined(__MACH__))) + defined(__MACH__)) || defined__midipix__) #include #endif /* !_WIN32 && (unix || __unix || __unix__ || - * (__APPLE__ && __MACH__)) */ + * (__APPLE__ && __MACH__) || __midipix__) */ #if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \ (defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \ @@ -222,9 +222,10 @@ void (*mbedtls_test_hook_test_fail)(const char *, int, const char *); #include #if !defined(_WIN32) && \ (defined(unix) || defined(__unix) || defined(__unix__) || \ - (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__)) + (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__) || defined(__midipix__)) #include -#endif /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__) */ +#endif \ + /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__ || __midipix__) */ #if (defined(_POSIX_VERSION) && _POSIX_VERSION >= 199309L) || defined(__HAIKU__) mbedtls_ms_time_t mbedtls_ms_time(void) { @@ -232,7 +233,7 @@ mbedtls_ms_time_t mbedtls_ms_time(void) struct timespec tv; mbedtls_ms_time_t current_ms; -#if defined(__linux__) && defined(CLOCK_BOOTTIME) +#if defined(__linux__) && defined(CLOCK_BOOTTIME) || defined(__midipix__) ret = clock_gettime(CLOCK_BOOTTIME, &tv); #else ret = clock_gettime(CLOCK_MONOTONIC, &tv); -- cgit v1.1 From 9e4eeff6e0b3e1ab4d60517998d6137e153c4a27 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Tue, 30 Jan 2024 13:51:18 +0000 Subject: Fix comment about verison of clang required for 'build_aes_armce' Signed-off-by: Tom Cosgrove --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d2..9e45e0f 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4750,7 +4750,7 @@ component_build_aes_aesce_armcc () { } support_build_aes_armce() { - # clang >= 4 is required to build with AES extensions + # clang >= 11 is required to build with AES extensions ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" [ "${ver}" -ge 11 ] } -- cgit v1.1 From d4c373a597ea27edcbcd2104e907315493605f68 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Tue, 30 Jan 2024 13:56:38 +0000 Subject: Refactor all.sh clang version detection code Prevents a script failure when attempting to run build_aes_armce on a system without clang Signed-off-by: Tom Cosgrove --- tests/scripts/all.sh | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9e45e0f..315a66b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -821,6 +821,14 @@ pre_generate_files() { fi } +clang_version() { + if command -v clang > /dev/null ; then + clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#' + else + echo 0 # report version 0 for "no clang" + fi +} + ################################################################ #### Helpers for components using libtestdriver1 ################################################################ @@ -4692,14 +4700,8 @@ component_test_aesni_m32 () { # ~ 60s } support_test_aesni_m32_clang() { - support_test_aesni_m32 && if command -v clang > /dev/null ; then - # clang >= 4 is required to build with target attributes - clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" - [[ "${clang_ver}" -ge 4 ]] - else - # clang not available - false - fi + # clang >= 4 is required to build with target attributes + support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]] } component_test_aesni_m32_clang() { @@ -4751,8 +4753,7 @@ component_build_aes_aesce_armcc () { support_build_aes_armce() { # clang >= 11 is required to build with AES extensions - ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" - [ "${ver}" -ge 11 ] + [[ $(clang_version) -ge 11 ]] } component_build_aes_armce () { @@ -4807,15 +4808,8 @@ component_build_aes_armce () { } support_build_sha_armce() { - if command -v clang > /dev/null ; then - # clang >= 4 is required to build with SHA extensions - clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" - - [[ "${clang_ver}" -ge 4 ]] - else - # clang not available - false - fi + # clang >= 4 is required to build with SHA extensions + [[ $(clang_version) -ge 4 ]] } component_build_sha_armce () { -- cgit v1.1 From 78da7468ca64838cfd3405a819f59b970b2da3b2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 15:08:40 +0100 Subject: psa_util: minor improvements to convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 0c603b7..dfea36b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -459,7 +459,8 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \param der_len Length of the der buffer in bytes. * \param raw Output buffer that will be filled with the * converted data. This should be at least - * coordinate_size bytes. + * coordinate_size bytes and it must be zeroed before + * calling this function. * \param coordinate_size Size (in bytes) of a single coordinate in raw * format. * @@ -500,11 +501,10 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, if (unpadded_len > coordinate_size) { /* Parsed number is longer than the maximum expected value. */ return MBEDTLS_ERR_ASN1_INVALID_DATA; - } else { - padding_len = coordinate_size - unpadded_len; - /* raw buffer was already zeroed in mbedtls_ecdsa_der_to_raw() so - * zero-padding operation is skipped here. */ } + padding_len = coordinate_size - unpadded_len; + /* raw buffer was already zeroed by the calling function so zero-padding + * operation is skipped here. */ memcpy(raw + padding_len, p, unpadded_len); p += unpadded_len; -- cgit v1.1 From 98e1931a0a7486a147ae64877ea1542690d99582 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 15:46:02 +0100 Subject: test_suite_psa_crypto_util: alloc/free buffer inside loop in ecdsa_raw_to_der_incremental() Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.function | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index d1647d4..9dc95b6 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -33,17 +33,19 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul size_t ret_len; size_t i; - TEST_CALLOC(tmp_buf, tmp_buf_len); - - for (i = 0; i < tmp_buf_len; i++) { + for (i = 1; i < tmp_buf_len; i++) { + TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(input->x, input->len, tmp_buf, i, &ret_len, key_bits) != 0); + mbedtls_free(tmp_buf); + tmp_buf = NULL; } + + TEST_CALLOC(tmp_buf, i); TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, tmp_buf, i, &ret_len, key_bits), 0); - exit: mbedtls_free(tmp_buf); } -- cgit v1.1 From 252311d41e1e13de76c1a71875b3553f54210fbd Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 15:50:28 +0100 Subject: test_suite_psa_crypto_util: add test with 0-length for r Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 49b4919..78f048a 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -70,6 +70,10 @@ ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +ECDSA DER -> Raw, 256bit, Invalid r (0-length) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3025020002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -- cgit v1.1 From 36dee75368a0db0aa262f0dda0c53400b2ccd0f8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 30 Jan 2024 16:15:17 +0100 Subject: Update ECDSA signature conversion based on experimentation Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index fb00705..e09d23c 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -282,7 +282,7 @@ int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, * It is an error if `usage` has more than one flag set, or has a usage that is incompatible with the key type. * `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key object and on `usage`. * For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_PKCS1V15_CRYPT` for an encrypt/decrypt usage. - * For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.) + * For an RSA key with the `MBEDTLS_RSA_PKCS_V21` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.) * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDSA` with a sign/verify usage, the algorithm policy is `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. In either case, the hash policy is `PSA_ALG_ANY_HASH`. * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDKEY_DH` with the usage `PSA_KEY_USAGE_DERIVE`, the algorithm is `PSA_ALG_ECDH`. * For a `MBEDTLS_PK_OPAQUE`, this function reads the attributes of the existing PK key and copies them (without overriding the lifetime and key identifier in `attributes`), then applies a public-key restriction if needed. @@ -331,7 +331,8 @@ Based on the [gap analysis](#signature-formats): ``` int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, - unsigned char *der, size_t der_size, size_t *der_len); + unsigned char *der, size_t der_size, size_t *der_len, + size_t bits); int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_size, size_t *raw_len, size_t bits); @@ -339,5 +340,5 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, * These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`. * The input and output buffers can overlap. - -[OPEN] Should these functions rely on the ASN.1 module? To be decided when implementing. +* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is not needed in the raw-to-DER direction, but [it can help catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971) and the information is readily available in practice. +* Should these functions rely on the ASN.1 module? We experimented [calling ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8681), [reimplementing simpler ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8696), and [providing the functions from the ASN.1 module](https://github.com/Mbed-TLS/mbedtls/pull/8703). Providing the functions from the ASN.1 module [won on a compromise of code size and simplicity](https://github.com/Mbed-TLS/mbedtls/issues/7765#issuecomment-1893670015). -- cgit v1.1 From cbb9caead4c4ba5d80d6cb01386518ef6d05eaaa Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 16 Feb 2023 23:40:40 +0100 Subject: Changelog for building SHA-256 and 512 with old libc Linux/Aarch64: support SHA acceleration detection with older libc On Linux on aarch64 (64-bit ARMv8) processors, we use getauxval() to detect whether the runtime environment supports SHA-256 or SHA-512 acceleration. Some libc do not define the necessary HWCAP_xxx constants to analyze the result of getauxval(), either because they don't bother or because they're too old to recognize the values we need (for example, HWCAP_SHA2 appeared in Glibc 2.24 and HWCAP_SHA512 appeared in Glibc 2.27). In such cases, assume that the values are the same as in the kernel ABI and define the constants manually. Signed-off-by: Gilles Peskine Signed-off-by: Dave Rodgman --- ChangeLog.d/linux-aarch64-hwcap.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/linux-aarch64-hwcap.txt diff --git a/ChangeLog.d/linux-aarch64-hwcap.txt b/ChangeLog.d/linux-aarch64-hwcap.txt new file mode 100644 index 0000000..23af878 --- /dev/null +++ b/ChangeLog.d/linux-aarch64-hwcap.txt @@ -0,0 +1,4 @@ +Bugfix + * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512 + acceleration detection when the libc headers do not define the + corresponding constant. Reported by valord577. -- cgit v1.1 From 76e4c6352daf57645e19493c4566a949c0502198 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 11:33:32 +0100 Subject: test_suite_aria: remove NOT_DEFINED dependency from aria_invalid_param() Signed-off-by: Valerio Setti --- tests/suites/test_suite_aria.function | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index f1748d1..a454eba 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -16,7 +16,7 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:NOT_DEFINED */ +/* BEGIN_CASE */ void aria_invalid_param() { mbedtls_aria_context ctx; @@ -52,8 +52,10 @@ void aria_invalid_param() output)); #endif /* MBEDTLS_CIPHER_MODE_CFB */ +#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) exit: return; +#endif } /* END_CASE */ -- cgit v1.1 From 779a1a5b204141b9bf7174fb981d49a8d35096b0 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 11:40:24 +0100 Subject: aria: remove leftover in comments Signed-off-by: Valerio Setti --- library/aria.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/aria.c b/library/aria.c index a4d6c50..d9f84cc 100644 --- a/library/aria.c +++ b/library/aria.c @@ -578,8 +578,7 @@ int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, n = *iv_off; /* An overly large value of n can lead to an unlimited - * buffer overflow. Therefore, guard against this - * outside of parameter validation. */ + * buffer overflow. */ if (n >= MBEDTLS_ARIA_BLOCKSIZE) { return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; } @@ -631,8 +630,7 @@ int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, n = *nc_off; /* An overly large value of n can lead to an unlimited - * buffer overflow. Therefore, guard against this - * outside of parameter validation. */ + * buffer overflow. */ if (n >= MBEDTLS_ARIA_BLOCKSIZE) { return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; } -- cgit v1.1 From f988f95b9a5b430cb81e9bb233161afd9a961ad6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 14:40:31 +0100 Subject: test_suite_bignum: add test function: mpi_zero_length_buffer_is_null() The goal is to test all the bignum's functions that accept a buffer and its length and verify that they do not crash if a NULL pointer is passed in as buffer and 0 length is specified. Signed-off-by: Valerio Setti --- tests/suites/test_suite_bignum.function | 20 ++++++++++++++++++++ tests/suites/test_suite_bignum.misc.data | 3 +++ 2 files changed, 23 insertions(+) diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index c90f1bb..2305f48 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -144,6 +144,26 @@ exit: /* END_CASE */ /* BEGIN_CASE */ +void mpi_zero_length_buffer_is_null() +{ + mbedtls_mpi X; + size_t olen; + + mbedtls_mpi_init(&X); + + /* Simply test that the following functions do not crash when a NULL buffer + * pointer and 0 length is passed. We don't care much about the return value. */ + TEST_EQUAL(mbedtls_mpi_read_binary(&X, NULL, 0), 0); + TEST_EQUAL(mbedtls_mpi_read_binary_le(&X, NULL, 0), 0); + TEST_EQUAL(mbedtls_mpi_write_string(&X, 16, NULL, 0, &olen), MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL); + TEST_EQUAL(mbedtls_mpi_write_binary(&X, NULL, 0), 0); + +exit: + mbedtls_mpi_free(&X); +} +/* END_CASE */ + +/* BEGIN_CASE */ void mpi_read_binary(data_t *buf, char *input_A) { mbedtls_mpi X; diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 9d068f1..c53e42a 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data @@ -82,6 +82,9 @@ mpi_read_write_string:16:"":2:"0":4:0:0 Test mpi_write_string #10 (Negative hex with odd number of digits) mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL +Provide NULL buffer with 0 length +mpi_zero_length_buffer_is_null + Base test mbedtls_mpi_read_binary #1 mpi_read_binary:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"0941379D00FED1491FE15DF284DFDE4A142F68AA8D412023195CEE66883E6290FFE703F4EA5963BF212713CEE46B107C09182B5EDCD955ADAC418BF4918E2889AF48E1099D513830CEC85C26AC1E158B52620E33BA8692F893EFBB2F958B4424" -- cgit v1.1 From dae21d3808be93c30fda318b19657b4db6ad2b5d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 30 Jan 2024 15:31:42 +0000 Subject: Support SHA-512 hwcap detection on old libc Signed-off-by: Dave Rodgman --- library/sha512.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/sha512.c b/library/sha512.c index 6011254..6dcea8d 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -102,6 +102,14 @@ # if defined(__linux__) /* Our preferred method of detection is getauxval() */ # include +# if !defined(HWCAP_SHA512) +/* The same header that declares getauxval() should provide the HWCAP_xxx + * constants to analyze its return value. However, the libc may be too + * old to have the constant that we need. So if it's missing, assume that + * the value is the same one used by the Linux kernel ABI. + */ +# define HWCAP_SHA512 (1 << 21) +# endif # endif /* Use SIGILL on Unix, and fall back to it on Linux */ # include -- cgit v1.1 From 91372f5549ac16438993913d5a2a52373b33f3e8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 17:01:15 +0100 Subject: test_suite_rsa: add more test cases for RSA key parsing Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.data | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index bd28681..545e7ff 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -643,6 +643,9 @@ rsa_parse_pkcs1_key:0:"300402010000":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG RSA parse private key - correct format+values, minimal modulus size (128 bit) rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":0 +RSA parse private key - missing SEQUENCE +rsa_parse_pkcs1_key:0:"020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + RSA parse private key - correct format, modulus too small (127 bit) rsa_parse_pkcs1_key:0:"30630201000211007c8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED @@ -682,6 +685,9 @@ rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000 RSA parse private key - correct values, qp wrong tag rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b7221FF08052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +RSA parse public key - missing SEQUENCE +rsa_parse_pkcs1_key:1:"028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + RSA parse public key - wrong initial tag rsa_parse_pkcs1_key:1:"318189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG @@ -711,3 +717,6 @@ rsa_parse_pkcs1_key:1:"30050203010001":MBEDTLS_ERR_ASN1_OUT_OF_DATA RSA parse public key - missing public exponent rsa_parse_pkcs1_key:1:"308184028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb7":MBEDTLS_ERR_ASN1_OUT_OF_DATA + +RSA parse public key - correct values, trailing garbage +rsa_parse_pkcs1_key:1:"30818a028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb7020301000100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH -- cgit v1.1 From 3af9bc18f3be7a3e3cc52aa5f08dd4c7b92ddcb6 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Jan 2024 17:21:57 +0000 Subject: Wrap get_and_lock_key_slot_in_memory calls in mutex It is useful to do this for the call in get_and_lock_key_slot. Documenting that get_and_lock_key_slot_in_memory requires the mutex is not part of this PR Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 599cc36..f4c6ee0 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -527,26 +527,29 @@ psa_status_t psa_open_key(mbedtls_svc_key_id_t key, psa_key_handle_t *handle) psa_status_t psa_close_key(psa_key_handle_t handle) { - psa_status_t status; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; if (psa_key_handle_is_null(handle)) { return PSA_SUCCESS; } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif status = psa_get_and_lock_key_slot_in_memory(handle, &slot); if (status != PSA_SUCCESS) { if (status == PSA_ERROR_DOES_NOT_EXIST) { status = PSA_ERROR_INVALID_HANDLE; } - +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif return status; } -#if defined(MBEDTLS_THREADING_C) - PSA_THREADING_CHK_RET(mbedtls_mutex_lock( - &mbedtls_threading_key_slot_mutex)); -#endif if (slot->registered_readers == 1) { status = psa_wipe_key_slot(slot); } else { @@ -562,18 +565,22 @@ psa_status_t psa_close_key(psa_key_handle_t handle) psa_status_t psa_purge_key(mbedtls_svc_key_id_t key) { - psa_status_t status; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif status = psa_get_and_lock_key_slot_in_memory(key, &slot); if (status != PSA_SUCCESS) { +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif return status; } -#if defined(MBEDTLS_THREADING_C) - PSA_THREADING_CHK_RET(mbedtls_mutex_lock( - &mbedtls_threading_key_slot_mutex)); -#endif if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) && (slot->registered_readers == 1)) { status = psa_wipe_key_slot(slot); -- cgit v1.1 From fad978b2321551d91c51ce4a3ff76fea1a9ef34e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 30 Jan 2024 18:00:26 +0000 Subject: Fix race condition with test comparison functions Make sure we hold the mutex whilst making several changes at the same time, to prevent race condition on writing connected bits of data. Signed-off-by: Paul Elliott --- tests/src/helpers.c | 185 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 107 insertions(+), 78 deletions(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index d0c75b0..85345d8 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -53,18 +53,13 @@ mbedtls_test_result_t mbedtls_test_get_result(void) void mbedtls_test_set_result(mbedtls_test_result_t result, const char *test, int line_no, const char *filename) { -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_lock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ + /* Internal function only - mbedtls_test_info_mutex should be held prior + * to calling this function. */ mbedtls_test_info.result = result; mbedtls_test_info.test = test; mbedtls_test_info.line_no = line_no; mbedtls_test_info.filename = filename; - -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_unlock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ } const char *mbedtls_test_get_test(void) @@ -151,15 +146,10 @@ unsigned long mbedtls_test_get_step(void) void mbedtls_test_set_step(unsigned long step) { -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_lock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ + /* Internal function only - mbedtls_test_info_mutex should be held prior + * to calling this function. */ mbedtls_test_info.step = step; - -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_unlock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_get_line1(char *line) @@ -177,19 +167,14 @@ void mbedtls_test_get_line1(char *line) void mbedtls_test_set_line1(const char *line) { -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_lock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ + /* Internal function only - mbedtls_test_info_mutex should be held prior + * to calling this function. */ if (line == NULL) { memset(mbedtls_test_info.line1, 0, MBEDTLS_TEST_LINE_LENGTH); } else { memcpy(mbedtls_test_info.line1, line, MBEDTLS_TEST_LINE_LENGTH); } - -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_unlock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_get_line2(char *line) @@ -207,19 +192,14 @@ void mbedtls_test_get_line2(char *line) void mbedtls_test_set_line2(const char *line) { -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_lock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ + /* Internal function only - mbedtls_test_info_mutex should be held prior + * to calling this function. */ if (line == NULL) { memset(mbedtls_test_info.line2, 0, MBEDTLS_TEST_LINE_LENGTH); } else { memcpy(mbedtls_test_info.line2, line, MBEDTLS_TEST_LINE_LENGTH); } - -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_unlock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ } @@ -264,15 +244,10 @@ unsigned mbedtls_test_get_case_uses_negative_0(void) void mbedtls_test_set_case_uses_negative_0(unsigned uses) { -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_lock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ + /* Internal function only - mbedtls_test_info_mutex should be held prior + * to calling this function. */ mbedtls_test_info.case_uses_negative_0 = uses; - -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_unlock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_increment_case_uses_negative_0(void) @@ -355,21 +330,41 @@ int mbedtls_test_ascii2uc(const char c, unsigned char *uc) void mbedtls_test_fail(const char *test, int line_no, const char *filename) { - if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { - /* We've already recorded the test as having failed. Don't +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + /* Don't use accessor, we already hold mutex. */ + if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) { + /* If we have already recorded the test as having failed then don't * overwrite any previous information about the failure. */ - return; + mbedtls_test_set_result(MBEDTLS_TEST_RESULT_FAILED, test, line_no, filename); } - mbedtls_test_set_result(MBEDTLS_TEST_RESULT_FAILED, test, line_no, filename); + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_skip(const char *test, int line_no, const char *filename) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SKIPPED, test, line_no, filename); + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_info_reset(void) { +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SUCCESS, 0, 0, 0); mbedtls_test_set_step((unsigned long) (-1)); mbedtls_test_set_line1(NULL); @@ -378,6 +373,10 @@ void mbedtls_test_info_reset(void) #if defined(MBEDTLS_BIGNUM_C) mbedtls_test_set_case_uses_negative_0(0); #endif + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } int mbedtls_test_equal(const char *test, int line_no, const char *filename, @@ -390,21 +389,31 @@ int mbedtls_test_equal(const char *test, int line_no, const char *filename, return 1; } - if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { - /* We've already recorded the test as having failed. Don't +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + /* Don't use accessor, as we already hold mutex. */ + if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) { + /* If we've already recorded the test as having failed then don't * overwrite any previous information about the failure. */ - return 0; + + char buf[MBEDTLS_TEST_LINE_LENGTH]; + mbedtls_test_fail(test, line_no, filename); + (void) mbedtls_snprintf(buf, sizeof(buf), + "lhs = 0x%016llx = %lld", + value1, (long long) value1); + mbedtls_test_set_line1(buf); + (void) mbedtls_snprintf(buf, sizeof(buf), + "rhs = 0x%016llx = %lld", + value2, (long long) value2); + mbedtls_test_set_line2(buf); } - char buf[MBEDTLS_TEST_LINE_LENGTH]; - mbedtls_test_fail(test, line_no, filename); - (void) mbedtls_snprintf(buf, sizeof(buf), - "lhs = 0x%016llx = %lld", - value1, (long long) value1); - mbedtls_test_set_line1(buf); - (void) mbedtls_snprintf(buf, sizeof(buf), - "rhs = 0x%016llx = %lld", - value2, (long long) value2); - mbedtls_test_set_line2(buf); + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + return 0; } @@ -418,21 +427,31 @@ int mbedtls_test_le_u(const char *test, int line_no, const char *filename, return 1; } - if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { - /* We've already recorded the test as having failed. Don't +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + /* Don't use accessor, we already hold mutex. */ + if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) { + /* If we've already recorded the test as having failed then don't * overwrite any previous information about the failure. */ - return 0; + + char buf[MBEDTLS_TEST_LINE_LENGTH]; + mbedtls_test_fail(test, line_no, filename); + (void) mbedtls_snprintf(buf, sizeof(buf), + "lhs = 0x%016llx = %llu", + value1, value1); + mbedtls_test_set_line1(buf); + (void) mbedtls_snprintf(buf, sizeof(buf), + "rhs = 0x%016llx = %llu", + value2, value2); + mbedtls_test_set_line2(buf); } - char buf[MBEDTLS_TEST_LINE_LENGTH]; - mbedtls_test_fail(test, line_no, filename); - (void) mbedtls_snprintf(buf, sizeof(buf), - "lhs = 0x%016llx = %llu", - value1, value1); - mbedtls_test_set_line1(buf); - (void) mbedtls_snprintf(buf, sizeof(buf), - "rhs = 0x%016llx = %llu", - value2, value2); - mbedtls_test_set_line2(buf); + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + return 0; } @@ -446,21 +465,31 @@ int mbedtls_test_le_s(const char *test, int line_no, const char *filename, return 1; } - if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED) { - /* We've already recorded the test as having failed. Don't +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + /* Don't use accessor, we already hold mutex. */ + if (mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_FAILED) { + /* If we've already recorded the test as having failed then don't * overwrite any previous information about the failure. */ - return 0; + + char buf[MBEDTLS_TEST_LINE_LENGTH]; + mbedtls_test_fail(test, line_no, filename); + (void) mbedtls_snprintf(buf, sizeof(buf), + "lhs = 0x%016llx = %lld", + (unsigned long long) value1, value1); + mbedtls_test_set_line1(buf); + (void) mbedtls_snprintf(buf, sizeof(buf), + "rhs = 0x%016llx = %lld", + (unsigned long long) value2, value2); + mbedtls_test_set_line2(buf); } - char buf[MBEDTLS_TEST_LINE_LENGTH]; - mbedtls_test_fail(test, line_no, filename); - (void) mbedtls_snprintf(buf, sizeof(buf), - "lhs = 0x%016llx = %lld", - (unsigned long long) value1, value1); - mbedtls_test_set_line1(buf); - (void) mbedtls_snprintf(buf, sizeof(buf), - "rhs = 0x%016llx = %lld", - (unsigned long long) value2, value2); - mbedtls_test_set_line2(buf); + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + return 0; } -- cgit v1.1 From 5c5210f7e1be8b26cf85eb5fc624692e1d24e647 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Jan 2024 18:27:16 +0000 Subject: Remove state transitions in psa_load_X_key_into_slot These calls otherwise don't abide by our assertions about changing the slot. psa_get_and_lock_key_slot, the only caller to these, handles the state transitions already. It also changes the contents of the slot after these calls. Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 47ace35..9358619 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -248,11 +248,6 @@ static psa_status_t psa_load_persistent_key_into_slot(psa_key_slot_t *slot) data = (psa_se_key_data_storage_t *) key_data; status = psa_copy_key_material_into_slot( slot, data->slot_number, sizeof(data->slot_number)); - - if (status == PSA_SUCCESS) { - status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING, - PSA_SLOT_FULL); - } goto exit; } #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ @@ -262,9 +257,6 @@ static psa_status_t psa_load_persistent_key_into_slot(psa_key_slot_t *slot) goto exit; } - status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING, - PSA_SLOT_FULL); - exit: psa_free_persistent_key_data(key_data, key_data_length); return status; @@ -337,9 +329,6 @@ static psa_status_t psa_load_builtin_key_into_slot(psa_key_slot_t *slot) /* Copy actual key length and core attributes into the slot on success */ slot->key.bytes = key_buffer_length; slot->attr = attributes.core; - - status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING, - PSA_SLOT_FULL); exit: if (status != PSA_SUCCESS) { psa_remove_key_data_from_memory(slot); -- cgit v1.1 From a888645bb8f5ec8e43179d355243483205e501f7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 17:35:49 +0100 Subject: test_suite_rsa: add test for key write with incremental output size Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.data | 6 +++++ tests/suites/test_suite_rsa.function | 50 ++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 545e7ff..8a224d5 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -720,3 +720,9 @@ rsa_parse_pkcs1_key:1:"308184028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6 RSA parse public key - correct values, trailing garbage rsa_parse_pkcs1_key:1:"30818a028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb7020301000100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +RSA priv key write - incremental output buffer size +rsa_key_write_incremental:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c" + +RSA priv public key write - incremental output buffer size +rsa_key_write_incremental:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001" diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 71ca2b9..44caacd 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1430,6 +1430,56 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void rsa_key_write_incremental(int is_public, data_t *input) +{ + mbedtls_rsa_context rsa_ctx; + unsigned char *buf = NULL, *start, *end; + size_t i; + + mbedtls_rsa_init(&rsa_ctx); + + /* This is supposed to succeed as the real target of this test are the + * write attempt below. */ + if (is_public) { + start = input->x; + end = input->x + input->len; + TEST_EQUAL(mbedtls_rsa_pubkey_parse(&rsa_ctx, &start, end), 0); + } else { + TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), 0); + } + + for (i = 1; i < input->len; i++) { + TEST_CALLOC(buf, i); + end = buf + i; + /* We don't care much about the return value as long as it fails. */ + if (is_public) { + TEST_ASSERT(mbedtls_rsa_pubkey_write(&rsa_ctx, buf, &end) != 0); + } else { + TEST_ASSERT(mbedtls_rsa_key_write(&rsa_ctx, buf, &end) != 0); + } + mbedtls_free(buf); + buf = NULL; + } + + /* Ensure with the correct output buffer size everything works as expected. */ + TEST_CALLOC(buf, i); + end = buf + i; + + if (is_public) { + TEST_ASSERT(mbedtls_rsa_pubkey_write(&rsa_ctx, buf, &end) != 0); + } else { + TEST_ASSERT(mbedtls_rsa_key_write(&rsa_ctx, buf, &end) > 0); + } + +exit: + if (buf != NULL) { + mbedtls_free(buf); + } + mbedtls_rsa_free(&rsa_ctx); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ void rsa_selftest() { -- cgit v1.1 From efcc55500265c7a1a39a507cfbb0220aebefd689 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 31 Jan 2024 11:15:37 +0100 Subject: test_suite_psa_crypto_util: add test with 0-length s Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 78f048a..46af1f1 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -74,6 +74,10 @@ ECDSA DER -> Raw, 256bit, Invalid r (0-length) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3025020002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ECDSA DER -> Raw, 256bit, Invalid s (0-length) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3044022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -- cgit v1.1 From 3122f4da50b401cc56374ad8891bfd782a506483 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 31 Jan 2024 11:16:46 +0100 Subject: psa_util: invert check order for leading zeros in convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index dfea36b..be257e7 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -489,7 +489,7 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } /* Skip possible leading zero */ - if ((*p == 0x00) && (unpadded_len > 0)) { + if ((unpadded_len > 0) && (*p == 0x00)) { p++; unpadded_len--; /* It should never happen that the input number is all zeros. */ -- cgit v1.1 From 6ad1fd133f257429d0b6a2876c29ea0daf9b2893 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 31 Jan 2024 13:21:33 +0000 Subject: Update psa_get_and_lock_key_slot_in_memory Document that callers must hold the key slot mutex. Change the volatile key checking behaviour so that it doesn't read the contents of non-FULL slots. Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 9358619..2a73c0a 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -70,6 +70,9 @@ int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok) * On success, the function locks the key slot. It is the responsibility of * the caller to unlock the key slot when it does not access it anymore. * + * If multi-threading is enabled, the caller must hold the + * global key slot mutex. + * * \param key Key identifier to query. * \param[out] p_slot On success, `*p_slot` contains a pointer to the * key slot containing the description of the key @@ -94,16 +97,14 @@ static psa_status_t psa_get_and_lock_key_slot_in_memory( if (psa_key_id_is_volatile(key_id)) { slot = &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN]; - /* - * Check if both the PSA key identifier key_id and the owner - * identifier of key match those of the key slot. - * - * Note that, if the key slot is not occupied, its PSA key identifier - * is equal to zero. This is an invalid value for a PSA key identifier - * and thus cannot be equal to the valid PSA key identifier key_id. - */ - status = mbedtls_svc_key_id_equal(key, slot->attr.id) ? - PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST; + /* Check if both the PSA key identifier key_id and the owner + * identifier of key match those of the key slot. */ + if ((slot->state == PSA_SLOT_FULL) && + (mbedtls_svc_key_id_equal(key, slot->attr.id))) { + status = PSA_SUCCESS; + } else { + status = PSA_ERROR_DOES_NOT_EXIST; + } } else { if (!psa_is_valid_key_id(key, 1)) { return PSA_ERROR_INVALID_HANDLE; -- cgit v1.1 From 2f1f17201dbf9242c07cfb4ac781e637a0e314af Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 31 Jan 2024 13:31:00 +0000 Subject: Make psa_get_and_lock_key_slot threadsafe Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 2a73c0a..fd33ad9 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -348,12 +348,24 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, return PSA_ERROR_BAD_STATE; } +#if defined(MBEDTLS_THREADING_C) + /* If the key is persistent and not loaded, we cannot unlock the mutex + * between checking if the key is loaded and setting the slot as FULL, + * as otherwise another thread may load and then destroy the key + * in the meantime. */ + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif /* * On success, the pointer to the slot is passed directly to the caller * thus no need to unlock the key slot here. */ status = psa_get_and_lock_key_slot_in_memory(key, p_slot); if (status != PSA_ERROR_DOES_NOT_EXIST) { +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif return status; } @@ -364,6 +376,10 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, status = psa_reserve_free_key_slot(&volatile_key_id, p_slot); if (status != PSA_SUCCESS) { +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif return status; } @@ -397,10 +413,15 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, status = psa_register_read(*p_slot); } - return status; #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ - return PSA_ERROR_INVALID_HANDLE; + status = PSA_ERROR_INVALID_HANDLE; #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ + +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif + return status; } psa_status_t psa_unregister_read(psa_key_slot_t *slot) -- cgit v1.1 From faf026c67cf8054b8be8a42091f700a1b1417744 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 31 Jan 2024 14:32:06 +0100 Subject: Explain purpose of test specific write/parse ticket functions Signed-off-by: Ronald Cron --- tests/src/test_helpers/ssl_helpers.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 5195746..980c192 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -2427,7 +2427,13 @@ int mbedtls_test_tweak_tls13_certificate_msg_vector_len( } #endif /* MBEDTLS_TEST_HOOKS */ -/* Functions for session ticket tests */ +/* + * Functions for tests based on tickets. Implementations of the + * write/parse ticket interfaces as defined by mbedtls_ssl_ticket_write/parse_t. + * Basically same implementations as in ticket.c without the encryption. That + * way we can tweak easily tickets characteristics to simulate misbehaving + * peers. + */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) int mbedtls_test_ticket_write( void *p_ticket, const mbedtls_ssl_session *session, -- cgit v1.1 From eb1722a2b9ab4660992ef306566be1bc7fc5af2a Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 31 Jan 2024 13:36:39 +0000 Subject: Add a wrapper function for psa_unregister_read There are at least 20 occurences in the current code where we will need this pattern of code, so I thought it best to put this in a function Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 15 +++++++++++++++ library/psa_crypto_slot_management.h | 21 +++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index fd33ad9..53ebf31 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -458,6 +458,21 @@ psa_status_t psa_unregister_read(psa_key_slot_t *slot) return PSA_ERROR_CORRUPTION_DETECTED; } +psa_status_t psa_unregister_read_under_mutex(psa_key_slot_t *slot) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif + status = psa_unregister_read(slot); +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif + return status; +} + psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime, psa_se_drv_table_entry_t **p_drv) { diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h index 002429b..c6ba68b 100644 --- a/library/psa_crypto_slot_management.h +++ b/library/psa_crypto_slot_management.h @@ -200,6 +200,27 @@ static inline psa_status_t psa_register_read(psa_key_slot_t *slot) */ psa_status_t psa_unregister_read(psa_key_slot_t *slot); +/** Wrap a call to psa_unregister_read in the global key slot mutex. + * + * If threading is disabled, this simply calls psa_unregister_read. + * + * \note To ease the handling of errors in retrieving a key slot + * a NULL input pointer is valid, and the function returns + * successfully without doing anything in that case. + * + * \param[in] slot The key slot. + * \retval #PSA_SUCCESS + * \p slot is NULL or the key slot reader counter has been + * decremented (and potentially wiped) successfully. + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * The slot's state was neither PSA_SLOT_FULL nor + * PSA_SLOT_PENDING_DELETION. + * Or a wipe was attempted and the slot's state was not + * PSA_SLOT_PENDING_DELETION. + * Or registered_readers was equal to 0. + */ +psa_status_t psa_unregister_read_under_mutex(psa_key_slot_t *slot); + /** Test whether a lifetime designates a key in an external cryptoprocessor. * * \param lifetime The lifetime to test. -- cgit v1.1 From fb792cad31f843c5924869cb99bc3cef05edd6ca Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 31 Jan 2024 13:40:05 +0000 Subject: Make psa_get_and_lock_X_with_policy threadsafe Between the call to psa_get_and_lock_key_slot and psa_unregister_read we only read the contents of a slot which we are registered to read, so no extra mutex taking is needed. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e6d3851..e3b2be6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -936,7 +936,7 @@ static psa_status_t psa_get_and_lock_key_slot_with_policy( error: *p_slot = NULL; - psa_unregister_read(slot); + psa_unregister_read_under_mutex(slot); return status; } @@ -968,7 +968,7 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( } if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) { - psa_unregister_read(*p_slot); + psa_unregister_read_under_mutex(*p_slot); *p_slot = NULL; return PSA_ERROR_NOT_SUPPORTED; } -- cgit v1.1 From 095a3a5a299d5e7a2adab71bc2aa25d5f44606a0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 31 Jan 2024 14:34:22 +0100 Subject: Fix PSA init and done macros in TLS unit tests Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 234181d..65fed18 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3582,7 +3582,7 @@ void tls13_resume_session_with_ticket() mbedtls_test_init_handshake_options(&server_options); mbedtls_ssl_session_init(&saved_session); - MD_OR_USE_PSA_INIT(); + PSA_INIT(); client_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, @@ -3652,7 +3652,7 @@ exit: mbedtls_test_free_handshake_options(&client_options); mbedtls_test_free_handshake_options(&server_options); mbedtls_ssl_session_free(&saved_session); - MD_OR_USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ @@ -3678,7 +3678,7 @@ void tls13_early_data() mbedtls_test_init_handshake_options(&server_options); mbedtls_ssl_session_init(&saved_session); - MD_OR_USE_PSA_INIT(); + PSA_INIT(); client_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, @@ -3767,6 +3767,6 @@ exit: mbedtls_test_free_handshake_options(&server_options); mbedtls_ssl_session_free(&saved_session); mbedtls_debug_set_threshold(0); - MD_OR_USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ -- cgit v1.1 From a103ec9ad45465579ebf082c9b460920ed3cf78d Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 31 Jan 2024 13:59:57 +0000 Subject: Make one shot operations thread safe These all follow a pattern of locking some key slot, reading its contents, and then unregistering from reading the slot. psa_copy_key also writes to another slot, but calls the functions needed to be threadsafe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e3b2be6..5e35fac 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1285,7 +1285,7 @@ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, psa_reset_key_attributes(attributes); } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -1381,7 +1381,7 @@ psa_status_t psa_export_key(mbedtls_svc_key_id_t key, slot->key.data, slot->key.bytes, data, data_size, data_length); - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -1495,7 +1495,7 @@ psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key, data, data_size, data_length); exit: - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -2167,7 +2167,7 @@ exit: psa_fail_key_creation(target_slot, driver); } - unlock_status = psa_unregister_read(source_slot); + unlock_status = psa_unregister_read_under_mutex(source_slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -2674,7 +2674,7 @@ exit: psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length); - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -2818,7 +2818,7 @@ exit: psa_wipe_tag_output_buffer(signature, status, signature_size, *signature_length); - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -2866,7 +2866,7 @@ static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key, signature, signature_length); } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; @@ -3133,7 +3133,7 @@ psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, alg, input, input_length, salt, salt_length, output, output_size, output_length); exit: - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -3185,7 +3185,7 @@ psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, output, output_size, output_length); exit: - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -4256,7 +4256,7 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, output_size - default_iv_length, output_length); exit: - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); if (status == PSA_SUCCESS) { status = unlock_status; } @@ -4317,7 +4317,7 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, output, output_size, output_length); exit: - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); if (status == PSA_SUCCESS) { status = unlock_status; } @@ -4443,7 +4443,7 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, } exit: - psa_unregister_read(slot); + psa_unregister_read_under_mutex(slot); return status; } @@ -4498,7 +4498,7 @@ psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, } exit: - psa_unregister_read(slot); + psa_unregister_read_under_mutex(slot); return status; } @@ -7151,7 +7151,7 @@ exit: *output_length = output_size; } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } -- cgit v1.1 From 5de9c6f295fcc4328c6c94af0aa217a1a43ae2d7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 31 Jan 2024 14:45:16 +0100 Subject: Fix and add comments in ticket and early data test function Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 65fed18..9b282dc 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3606,8 +3606,9 @@ void tls13_resume_session_with_ticket() /* * Run initial handshake: ephemeral key exchange mode, certificate with - * RSA key, signed with PKCS15, verified with PKCS21. Then, get the ticket - * sent by the server at the end of its handshake sequence. + * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature + * algorithm. Then, get the ticket sent by the server at the end of its + * handshake sequence. */ TEST_ASSERT(mbedtls_test_move_handshake_to_state( &(server_ep.ssl), &(client_ep.ssl), @@ -3637,6 +3638,11 @@ void tls13_resume_session_with_ticket() ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); TEST_EQUAL(ret, 0); + /* + * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not + * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks + * below. + */ TEST_ASSERT(mbedtls_test_move_handshake_to_state( &(server_ep.ssl), &(client_ep.ssl), MBEDTLS_SSL_HANDSHAKE_WRAPUP) == 0); @@ -3656,6 +3662,11 @@ exit: } /* END_CASE */ +/* + * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is + * a temporary workaround to not run the test in Windows-2013 where there is + * an issue with mbedtls_vsnprintf(). + */ /* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ void tls13_early_data() { @@ -3707,8 +3718,9 @@ void tls13_early_data() /* * Run initial handshake: ephemeral key exchange mode, certificate with - * RSA key, signed with PKCS15, verified with PKCS21. Then, get the ticket - * sent by the server at the end of its handshake sequence. + * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature + * algorithm. Then, get the ticket sent by the server at the end of its + * handshake sequence. */ TEST_ASSERT(mbedtls_test_move_handshake_to_state( &(server_ep.ssl), &(client_ep.ssl), -- cgit v1.1 From eb84534ee3e77dede536f13744d19a4b392831db Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 31 Jan 2024 14:48:23 +0100 Subject: Use TEST_EQUAL instead of TEST_ASSERT where possible Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 9b282dc..d26407e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3610,9 +3610,9 @@ void tls13_resume_session_with_ticket() * algorithm. Then, get the ticket sent by the server at the end of its * handshake sequence. */ - TEST_ASSERT(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_HANDSHAKE_OVER) == 0); + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER), 0); do { ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf)); @@ -3643,9 +3643,9 @@ void tls13_resume_session_with_ticket() * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks * below. */ - TEST_ASSERT(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_HANDSHAKE_WRAPUP) == 0); + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0); TEST_EQUAL(server_ep.ssl.handshake->resume, 1); TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1); @@ -3722,9 +3722,9 @@ void tls13_early_data() * algorithm. Then, get the ticket sent by the server at the end of its * handshake sequence. */ - TEST_ASSERT(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_HANDSHAKE_OVER) == 0); + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER), 0); do { ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf)); @@ -3752,9 +3752,9 @@ void tls13_early_data() mbedtls_debug_set_threshold(3); - TEST_ASSERT(mbedtls_test_move_handshake_to_state( - &(client_ep.ssl), &(server_ep.ssl), - MBEDTLS_SSL_SERVER_HELLO) == 0); + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_SERVER_HELLO), 0); TEST_ASSERT(client_ep.ssl.early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); @@ -3764,9 +3764,9 @@ void tls13_early_data() early_data_len); TEST_EQUAL(ret, early_data_len); - TEST_ASSERT(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_CLIENT_FINISHED) == 0); + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_CLIENT_FINISHED), 0); TEST_EQUAL(server_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); -- cgit v1.1 From 9efc60298ffbc09c43c837cbf7565023a312666e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 31 Jan 2024 15:33:23 +0000 Subject: Fix code style issues Signed-off-by: Paul Elliott --- tests/src/helpers.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 85345d8..49a7df2 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -147,7 +147,7 @@ unsigned long mbedtls_test_get_step(void) void mbedtls_test_set_step(unsigned long step) { /* Internal function only - mbedtls_test_info_mutex should be held prior - * to calling this function. */ + * to calling this function. */ mbedtls_test_info.step = step; } @@ -168,7 +168,7 @@ void mbedtls_test_get_line1(char *line) void mbedtls_test_set_line1(const char *line) { /* Internal function only - mbedtls_test_info_mutex should be held prior - * to calling this function. */ + * to calling this function. */ if (line == NULL) { memset(mbedtls_test_info.line1, 0, MBEDTLS_TEST_LINE_LENGTH); @@ -193,7 +193,7 @@ void mbedtls_test_get_line2(char *line) void mbedtls_test_set_line2(const char *line) { /* Internal function only - mbedtls_test_info_mutex should be held prior - * to calling this function. */ + * to calling this function. */ if (line == NULL) { memset(mbedtls_test_info.line2, 0, MBEDTLS_TEST_LINE_LENGTH); @@ -245,7 +245,7 @@ unsigned mbedtls_test_get_case_uses_negative_0(void) void mbedtls_test_set_case_uses_negative_0(unsigned uses) { /* Internal function only - mbedtls_test_info_mutex should be held prior - * to calling this function. */ + * to calling this function. */ mbedtls_test_info.case_uses_negative_0 = uses; } -- cgit v1.1 From 6823247376c67aaf52badb20c5bcad69bf3a53b4 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 31 Jan 2024 15:59:06 +0000 Subject: Fix compile warning in tests Signed-off-by: Dave Rodgman --- tests/suites/test_suite_gcm.function | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index dac2a5d..0af4209 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -165,6 +165,7 @@ static void gcm_reset_ctx(mbedtls_gcm_context *ctx, const uint8_t *key, TEST_EQUAL(starts_ret, mbedtls_gcm_starts(ctx, mode, iv, iv_len)); exit: /* empty */ + return; } /* END_HEADER */ @@ -514,6 +515,7 @@ void gcm_invalid_iv_len(void) goto exit; /* To suppress error that exit is defined but not used */ exit: /* empty */ + return; } /* END_CASE */ -- cgit v1.1 From 24e9a32c83ac07c08260060e62eba432ae1fb4c1 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 1 Feb 2024 12:26:23 +0000 Subject: Refactor to help future other implementations Improve the definition of mbedtls_test_thread_t to assist adding future threading implementations, when they happen. Signed-off-by: Paul Elliott --- tests/include/test/threading_helpers.h | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/tests/include/test/threading_helpers.h b/tests/include/test/threading_helpers.h index ba965c8..0054358 100644 --- a/tests/include/test/threading_helpers.h +++ b/tests/include/test/threading_helpers.h @@ -27,11 +27,6 @@ #if defined(MBEDTLS_THREADING_PTHREAD) #include - -typedef struct mbedtls_test_thread_t { - pthread_t MBEDTLS_PRIVATE(thread); -} mbedtls_test_thread_t; - #endif /* MBEDTLS_THREADING_PTHREAD */ #if defined(MBEDTLS_THREADING_ALT) @@ -58,17 +53,30 @@ void mbedtls_test_thread_set_alt(int (*thread_create)(mbedtls_test_thread_t *thr void *thread_data), int (*thread_join)(mbedtls_test_thread_t *thread)); +#else /* MBEDTLS_THREADING_ALT*/ + +typedef struct mbedtls_test_thread_t { + +#if defined(MBEDTLS_THREADING_PTHREAD) + pthread_t MBEDTLS_PRIVATE(thread); +#else /* MBEDTLS_THREADING_PTHREAD */ + /* Make sure this struct is always non-empty */ + unsigned dummy; +#endif + +} mbedtls_test_thread_t; + #endif /* MBEDTLS_THREADING_ALT*/ /** - * \brief The function pointers for thread create and thread + * \brief The function pointers for thread create and thread * join. * - * \note These functions are part of the testing API only and + * \note These functions are part of the testing API only and * thus not considered part of the public API of * MbedTLS and thus may change without notice. * - * \note All these functions are expected to work or + * \note All these functions are expected to work or * the result will be undefined. */ extern int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread, -- cgit v1.1 From ae942ece478f7909f679699f08109556ac40c44c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 1 Feb 2024 12:44:01 +0000 Subject: Fix style issues Signed-off-by: Paul Elliott --- tests/include/test/threading_helpers.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/include/test/threading_helpers.h b/tests/include/test/threading_helpers.h index 0054358..79bc6c0 100644 --- a/tests/include/test/threading_helpers.h +++ b/tests/include/test/threading_helpers.h @@ -69,14 +69,14 @@ typedef struct mbedtls_test_thread_t { #endif /* MBEDTLS_THREADING_ALT*/ /** - * \brief The function pointers for thread create and thread + * \brief The function pointers for thread create and thread * join. * - * \note These functions are part of the testing API only and - * thus not considered part of the public API of + * \note These functions are part of the testing API only + * and thus not considered part of the public API of * MbedTLS and thus may change without notice. * - * \note All these functions are expected to work or + * \note All these functions are expected to work or * the result will be undefined. */ extern int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread, -- cgit v1.1 From 0b2835d1fde5739bd728e8b805ca76c22f90e9e2 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 1 Feb 2024 13:27:04 +0000 Subject: Fix accidental copy paste mistake Signed-off-by: Paul Elliott --- tests/src/helpers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 49a7df2..936da06 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -375,7 +375,7 @@ void mbedtls_test_info_reset(void) #endif #ifdef MBEDTLS_THREADING_C - mbedtls_mutex_lock(&mbedtls_test_info_mutex); + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); #endif /* MBEDTLS_THREADING_C */ } -- cgit v1.1 From ba8e9addd9c968ae25fa251dc0c40459f9c555f9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 1 Feb 2024 13:54:46 +0000 Subject: Fix test dependencies Signed-off-by: Dave Rodgman --- tests/suites/test_suite_gcm.misc.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_gcm.misc.data b/tests/suites/test_suite_gcm.misc.data index 57f05ca..108630e 100644 --- a/tests/suites/test_suite_gcm.misc.data +++ b/tests/suites/test_suite_gcm.misc.data @@ -2,13 +2,13 @@ GCM - Invalid parameters gcm_invalid_param: GCM - Invalid IV length -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES gcm_invalid_iv_len: GCM - Additional data length too long -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES gcm_add_len_too_long: GCM - Input length too long -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES gcm_input_len_too_long: -- cgit v1.1 From 2d73baf171560d27afef869cc960172b717ea7db Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 15:25:17 +0100 Subject: psa_util: convert_der_to_raw_single_int: ensure the input DER integers have valid length Signed-off-by: Valerio Setti --- library/psa_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index be257e7..b13d83d 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -492,10 +492,10 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, if ((unpadded_len > 0) && (*p == 0x00)) { p++; unpadded_len--; - /* It should never happen that the input number is all zeros. */ - if (unpadded_len == 0) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - } + } + /* It should never happen that the input number has 0 length. */ + if (unpadded_len == 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; } if (unpadded_len > coordinate_size) { -- cgit v1.1 From 3ecb395fb93626e6250ee693b6eb0ce3eba0fe44 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 15:26:24 +0100 Subject: test_suite_psa_crypto_util: fix tests for 0-length and one 0x00 byte for r and s Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 46af1f1..9368d79 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -68,15 +68,19 @@ ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111 ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA DER -> Raw, 256bit, Invalid s (only 1 zero byte) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Invalid r (0-length) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3025020002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Invalid s (0-length) +ECDSA DER -> Raw, 256bit,Invalid s (0-length) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3044022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success @@ -110,4 +114,4 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" +ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" \ No newline at end of file -- cgit v1.1 From 9e520f7ea952b7c815c66f93e8743b45772abd12 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 15:50:44 +0100 Subject: changelog: improve descriptions Signed-off-by: Valerio Setti --- ChangeLog.d/8647.txt | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/8647.txt b/ChangeLog.d/8647.txt index cfd3a4b..44007e2 100644 --- a/ChangeLog.d/8647.txt +++ b/ChangeLog.d/8647.txt @@ -1,7 +1,10 @@ Default behavior changes - * Importing of RSA keys in PEM format in PSA is officially unsupported - (this was previously undocumented). + * psa_import_key() now only accepts RSA keys in the PSA standard formats. + The undocumented ability to import other formats (PKCS#8, SubjectPublicKey, + PEM) accepted by the pkparse module has been removed. Applications that + need these format can call mbedtls_pk_parse_{public,}key() followed by + mbedtls_pk_import_into_psa(). -Features - * It is possible to enable RSA support in PSA (MBEDTLS_PSA_CRYPTO_C + - RSA_C) without enabling PK module (MBEDTLS_[PK|PK_WRITE|PK_PARSE]_C). +Changes + * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules, + saving code size when those are not otherwise enabled. -- cgit v1.1 From 52ed54b9490745b3daae5bc9acb99b5455654c34 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 16:29:01 +0100 Subject: psa_crypto_rsa: remove unnecessary casting Signed-off-by: Valerio Setti --- library/psa_crypto_rsa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 7da6012..cfa2da6 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -73,8 +73,8 @@ psa_status_t mbedtls_psa_rsa_load_representation( if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { status = mbedtls_to_psa_error(mbedtls_rsa_key_parse(*p_rsa, data, data_length)); } else { - unsigned char *p = (unsigned char *) data; - unsigned char *end = (unsigned char *) (data + data_length); + unsigned char *p = data; + unsigned char *end = (data + data_length); status = mbedtls_to_psa_error(mbedtls_rsa_pubkey_parse(*p_rsa, &p, end)); } if (status != PSA_SUCCESS) { -- cgit v1.1 From 149b0e7ca2e19bbc2d0aff72615e7727fdbd844c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 5 Jan 2024 14:25:03 +0100 Subject: ssl.h: Fix comment Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3629526..3e6b1e6 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1843,7 +1843,7 @@ struct mbedtls_ssl_context { #if defined(MBEDTLS_SSL_EARLY_DATA) int MBEDTLS_PRIVATE(early_data_status); -#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ +#endif /** Callback to export key block and master secret */ mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys); -- cgit v1.1 From 5d0ae9021f28e317cfe7a2a10852dacb163c5872 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 5 Jan 2024 14:20:35 +0100 Subject: tls13: srv: Refine early data status The main purpose is to know from the status if early data can be received of not and why. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 24 ++++++++++++++++++++---- library/ssl_misc.h | 20 +++++++++++++++++++- library/ssl_tls.c | 10 ++++++++++ library/ssl_tls13_server.c | 3 +++ 4 files changed, 52 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3e6b1e6..f478a18 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1644,6 +1644,26 @@ struct mbedtls_ssl_context { */ mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version); +#if defined(MBEDTLS_SSL_EARLY_DATA) + /** + * On client side, status of the negotiation of the use of early data. + * See the documentation of mbedtls_ssl_get_early_data_status() for more + * information. + * + * On server side, internal only, status of early data in the course of an + * handshake. One of MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, + * #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED, + * #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED, + * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED and + * MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED. + * + * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT or + * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, at the beginning of a new + * handshake. + */ + int MBEDTLS_PRIVATE(early_data_status); +#endif + unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -1841,10 +1861,6 @@ struct mbedtls_ssl_context { * and #MBEDTLS_SSL_CID_DISABLED. */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_EARLY_DATA) - int MBEDTLS_PRIVATE(early_data_status); -#endif - /** Callback to export key block and master secret */ mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys); void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 96afe76..9439408 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2132,8 +2132,26 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, size_t *out_len); #if defined(MBEDTLS_SSL_SRV_C) -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED \ +/* Additional internal early data status, server side only. */ +/* + * The server has not received the ClientHello yet, the status of early data + * is thus unknown. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN \ MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT + +/* + * The server has received the ClientHello, it contained no early data + * extension. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED 3 + +/* + * The server has received the early data extension, it has accepted early + * data and received the end of early data message from the client marking the + * end of early data reception. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED 4 #endif /* MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_EARLY_DATA */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0bc18f1..72db821 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1098,6 +1098,16 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_ALLOC_FAILED; } +#if defined(MBEDTLS_SSL_EARLY_DATA) +#if defined(MBEDTLS_SSL_SRV_C) + MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN == 0, + "MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN not equal to 0"); +#endif + MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT == 0, + "MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT not equal to 0"); + ssl->early_data_status = 0; +#endif + /* Initialize structures */ mbedtls_ssl_session_init(ssl->session_negotiate); ssl_handshake_params_init(ssl->handshake); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 904bb5b..ff501c8 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3024,6 +3024,9 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data( ssl, buf, buf + buf_len)); + ssl->early_data_status = + MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED; + MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to handshake keys for inbound traffic" "( K_recv = handshake )")); -- cgit v1.1 From 739a1d42469e9f65aa39ca1b5615a33eb58c961e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 8 Dec 2022 21:10:25 +0800 Subject: tls: Add internal function ssl_read_application_data() The function will be used by mbedtls_ssl_read_early_data() as well. Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- library/ssl_msg.c | 66 ++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 44 insertions(+), 22 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 6579c96..e769767 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5648,12 +5648,53 @@ static int ssl_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl) } /* + * brief Read at most 'len' application data bytes from the input + * buffer. + * + * param ssl SSL context: + * - First byte of application data not read yet in the input + * buffer located at address `in_offt`. + * - The number of bytes of data not read yet is `in_msglen`. + * param buf buffer that will hold the data + * param len maximum number of bytes to read + * + * note The function updates the fields `in_offt` and `in_msglen` + * according to the number of bytes read. + * + * return The number of bytes read. + */ +static int ssl_read_application_data( + mbedtls_ssl_context *ssl, unsigned char *buf, size_t len) +{ + size_t n = (len < ssl->in_msglen) ? len : ssl->in_msglen; + + if (len != 0) { + memcpy(buf, ssl->in_offt, n); + ssl->in_msglen -= n; + } + + /* Zeroising the plaintext buffer to erase unused application data + from the memory. */ + mbedtls_platform_zeroize(ssl->in_offt, n); + + if (ssl->in_msglen == 0) { + /* all bytes consumed */ + ssl->in_offt = NULL; + ssl->keep_current_message = 0; + } else { + /* more data available */ + ssl->in_offt += n; + } + + return (int) n; +} + +/* * Receive application data decrypted from the SSL layer */ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t n; if (ssl == NULL || ssl->conf == NULL) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; @@ -5817,30 +5858,11 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len) #endif /* MBEDTLS_SSL_PROTO_DTLS */ } - n = (len < ssl->in_msglen) - ? len : ssl->in_msglen; - - if (len != 0) { - memcpy(buf, ssl->in_offt, n); - ssl->in_msglen -= n; - } - - /* Zeroising the plaintext buffer to erase unused application data - from the memory. */ - mbedtls_platform_zeroize(ssl->in_offt, n); - - if (ssl->in_msglen == 0) { - /* all bytes consumed */ - ssl->in_offt = NULL; - ssl->keep_current_message = 0; - } else { - /* more data available */ - ssl->in_offt += n; - } + ret = ssl_read_application_data(ssl, buf, len); MBEDTLS_SSL_DEBUG_MSG(2, ("<= read")); - return (int) n; + return ret; } /* -- cgit v1.1 From 6a5904db458b4eb0a673b33e6050524e172c1d9a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 6 Dec 2023 17:11:12 +0800 Subject: tls13: srv: Move early data size check placeholder Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index ff501c8..3b560e7 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2911,6 +2911,13 @@ static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) { MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data")); + /* RFC 8446 section 4.6.1 + * + * A server receiving more than max_early_data_size bytes of 0-RTT data + * SHOULD terminate the connection with an "unexpected_message" alert. + * + * TODO: Add received data size check here. + */ return SSL_GOT_EARLY_DATA; } @@ -2956,14 +2963,6 @@ static int ssl_tls13_process_early_application_data(mbedtls_ssl_context *ssl) ssl->in_msg[ssl->in_msglen] = 0; MBEDTLS_SSL_DEBUG_MSG(3, ("\n%s", ssl->in_msg)); - /* RFC 8446 section 4.6.1 - * - * A server receiving more than max_early_data_size bytes of 0-RTT data - * SHOULD terminate the connection with an "unexpected_message" alert. - * - * TODO: Add received data size check here. - */ - return 0; } -- cgit v1.1 From 032985c351020a1e82e485d8146d1bdb01404d58 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 6 Dec 2023 17:59:33 +0800 Subject: Add MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA error code Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 46 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index f478a18..22ceb39 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -90,8 +90,17 @@ #define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00 /** Not possible to read early data */ #define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80 +/** + * Early data has been received as part of an on-going handshake. + * This error code can be returned only on server side. This error code can be + * returned by mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), + * mbedtls_ssl_read() and mbedtls_ssl_write() if early data has been received + * as part of the handshake sequence they triggered. To read the early + * data, call mbedtls_ssl_read_early_data(). + */ +#define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C00 /** Not possible to write early data */ -#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C00 +#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C80 /* Error space gap */ /* Error space gap */ /* Error space gap */ @@ -4749,6 +4758,11 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use * and the client did not demonstrate reachability yet - in * this case you must stop using the context (see below). + * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + * defined in RFC 8446 (TLS 1.3 specification), has been + * received as part of the handshake. This is server specific. + * You must call mbedtls_ssl_read_early_data() to read the + * early data before to resume the handshake. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -4757,7 +4771,8 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * #MBEDTLS_ERR_SSL_WANT_READ, * #MBEDTLS_ERR_SSL_WANT_WRITE, * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, * you must stop using the SSL context for reading or writing, * and either free it or call \c mbedtls_ssl_session_reset() * on it before re-using it for a new connection; the current @@ -4826,8 +4841,9 @@ static inline int mbedtls_ssl_is_handshake_over(mbedtls_ssl_context *ssl) * * \warning If this function returns something other than \c 0, * #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, - * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using + * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using * the SSL context for reading or writing, and either free it * or call \c mbedtls_ssl_session_reset() on it before * re-using it for a new connection; the current connection @@ -4895,6 +4911,12 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); * \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server * side of a DTLS connection and the client is initiating a * new connection using the same source port. See below. + * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + * defined in RFC 8446 (TLS 1.3 specification), has been + * received as part of an handshake triggered by the function. + * This is server specific. You must call + * mbedtls_ssl_read_early_data() to read the early data before + * to resume the reading of post handshake application data. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -4903,8 +4925,9 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); * #MBEDTLS_ERR_SSL_WANT_READ, * #MBEDTLS_ERR_SSL_WANT_WRITE, * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, - * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or - * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT, + * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or + * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, * you must stop using the SSL context for reading or writing, * and either free it or call \c mbedtls_ssl_session_reset() * on it before re-using it for a new connection; the current @@ -4969,6 +4992,12 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * operation is in progress (see mbedtls_ecp_set_max_ops()) - * in this case you must call this function again to complete * the handshake when you're done attending other tasks. + * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as + * defined in RFC 8446 (TLS 1.3 specification), has been + * received as part of an handshake triggered by the function. + * This is server specific. You must call + * mbedtls_ssl_read_early_data() to read the early data before + * to resume the writing of application data. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -4976,8 +5005,9 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * a non-negative value, * #MBEDTLS_ERR_SSL_WANT_READ, * #MBEDTLS_ERR_SSL_WANT_WRITE, - * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or - * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, + * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, + * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, * you must stop using the SSL context for reading or writing, * and either free it or call \c mbedtls_ssl_session_reset() * on it before re-using it for a new connection; the current -- cgit v1.1 From 3a04562ace1ba39667c80173fb4cfb74008bb922 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 8 Jan 2024 18:44:59 +0100 Subject: Update mbedtls_ssl_read_early_data() definition Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 22ceb39..7f1bd8f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5075,8 +5075,11 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); #if defined(MBEDTLS_SSL_SRV_C) /** - * \brief Read at most 'len' application data bytes while performing - * the handshake (early data). + * \brief Read at most 'len' bytes of early data + * + * \note This API is server specific. + * + * \note Early data is defined in the TLS 1.3 specification, RFC 8446. * * \note This function behaves mainly as mbedtls_ssl_read(). The * specification of mbedtls_ssl_read() relevant to TLS 1.3 @@ -5084,10 +5087,19 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); * function and the present documentation is restricted to the * differences with mbedtls_ssl_read(). * + * \note This function can be used in conjunction with + * mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), + * mbedtls_ssl_read() and mbedtls_ssl_write() to read early + * data when these functions return + * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA. + * * \param ssl SSL context * \param buf buffer that will hold the data * \param len maximum number of bytes to read * + * \note Unlike mbedtls_ssl_read(), this function does not return + * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA. + * * \return One additional specific return value: * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA. * @@ -5112,11 +5124,6 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); * \p ssl but this does not preclude for using it with * mbedtls_ssl_write(), mbedtls_ssl_read() or * mbedtls_ssl_handshake(). - * - * \note When a server wants to retrieve early data, it is expected - * that this function starts the handshake for the SSL context - * \p ssl. But this is not mandatory. - * */ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); -- cgit v1.1 From d9ca354dbd760f68c716b773dd2e844b8a22010f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 6 Dec 2023 17:23:52 +0800 Subject: tls13: srv: Add mbedtls_ssl_read_early_data() API Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- library/ssl_msg.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_server.c | 26 ++---------------------- 2 files changed, 51 insertions(+), 24 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index e769767..825ca8f 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5865,6 +5865,55 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len) return ret; } + +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) +int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, + unsigned char *buf, size_t len) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const struct mbedtls_ssl_config *conf; + unsigned char *p = buf; + + if (ssl == NULL || ((conf = ssl->conf) == NULL)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + if ((!mbedtls_ssl_conf_is_tls13_enabled(conf)) || + (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) || + (conf->early_data_enabled != MBEDTLS_SSL_EARLY_DATA_ENABLED)) { + return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; + } + + if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) { + return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; + } + + if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN) && + (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) { + return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; + } + + ret = mbedtls_ssl_handshake(ssl); + if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) { + if (ssl->in_offt == NULL) { + /* Set the reading pointer */ + ssl->in_offt = ssl->in_msg; + } + ret = ssl_read_application_data(ssl, p, len); + } else if (ret == 0) { + /* + * If the handshake is completed, return immediately that early data + * cannot be read anymore. This potentially saves another call to this + * API and when the function returns 0, it only means that zero byte + * of early data has been received. + */ + return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; + } + + return ret; +} +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA */ + /* * Send application data to be encrypted by the SSL layer, taking care of max * fragment length and buffer size. diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3b560e7..97ce5c2 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2943,29 +2943,6 @@ static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl, return 0; } -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_process_early_application_data(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - return ret; - } - - /* - * Output early data - * - * For the time being, we print received data via debug message. - * - * TODO: Remove it when `mbedtls_ssl_read_early_data` is ready. - */ - ssl->in_msg[ssl->in_msglen] = 0; - MBEDTLS_SSL_DEBUG_MSG(3, ("\n%s", ssl->in_msg)); - - return 0; -} - /* * RFC 8446 section A.2 * @@ -3039,7 +3016,8 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) ssl_tls13_prepare_for_handshake_second_flight(ssl); } else if (ret == SSL_GOT_EARLY_DATA) { - MBEDTLS_SSL_PROC_CHK(ssl_tls13_process_early_application_data(ssl)); + ret = MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA; + goto cleanup; } else { MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; -- cgit v1.1 From 192e0f9b1d8f81044bb70b2c9b60f117b9e0cde2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 16 Dec 2022 18:55:06 +0800 Subject: ssl_server2: Add read early data support Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- programs/ssl/ssl_server2.c | 14 ++++++++++++++ tests/data_files/tls13_early_data.txt | 1 + 2 files changed, 15 insertions(+) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 598d38c..48b2282 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1612,6 +1612,7 @@ int main(int argc, char *argv[]) #if defined(MBEDTLS_SSL_EARLY_DATA) int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED; #endif + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf)); #if defined(MBEDTLS_MEMORY_DEBUG) @@ -3450,6 +3451,19 @@ handshake: fflush(stdout); while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) { +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) { + memset(buf, 0, opt.buffer_size); + ret = mbedtls_ssl_read_early_data(&ssl, buf, opt.buffer_size); + if (ret > 0) { + buf[ret] = '\0'; + mbedtls_printf(" %d early data bytes read\n\n%s\n", + ret, (char *) buf); + } + continue; + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS && ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL) { diff --git a/tests/data_files/tls13_early_data.txt b/tests/data_files/tls13_early_data.txt index 0c84b07..95811fd 100644 --- a/tests/data_files/tls13_early_data.txt +++ b/tests/data_files/tls13_early_data.txt @@ -1,3 +1,4 @@ EarlyData context: line 0 lf EarlyData context: line 1 lf +EarlyData context: line 2 lf EarlyData context: If it appears, that means early_data received. -- cgit v1.1 From 579bd4d46b3b253deea9fcfc8bd5826aad088b00 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Nov 2023 15:37:10 +0800 Subject: Update early data test Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- tests/opt-testcases/tls13-misc.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index c1682e3..b6894de 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -506,4 +506,7 @@ run_test "TLS 1.3 G->m: EarlyData: feature is enabled, good." \ -s "Sent max_early_data_size=$EARLY_DATA_INPUT_LEN" \ -s "ClientHello: early_data(42) extension exists." \ -s "EncryptedExtensions: early_data(42) extension exists." \ - -s "$( tail -1 $EARLY_DATA_INPUT )" + -s "$( head -1 $EARLY_DATA_INPUT )" \ + -s "$( tail -1 $EARLY_DATA_INPUT )" \ + -s "200 early data bytes read" \ + -s "106 early data bytes read" -- cgit v1.1 From 7b6ee9482e71a47488278a7e1d68d8681f03e174 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 12 Jan 2024 10:29:55 +0100 Subject: tls13: srv: Reject early data in case of HRR Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 97ce5c2..6933d1a 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1780,7 +1780,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_EARLY_DATA) -static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl) +static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, + int hrr_required) { mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -1801,6 +1802,11 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl) return; } + if (hrr_required) { + MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, HRR required.")); + return; + } + if (!handshake->resume) { /* We currently support early data only in the case of PSKs established via a NewSessionTicket message thus in the case of a session @@ -1858,7 +1864,8 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl) /* Update the handshake state machine */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) +static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl, + int hrr_required) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -1882,8 +1889,8 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) - /* There is enough information, update early data state. */ - ssl_tls13_update_early_data_status(ssl); + /* There is enough information, update early data status. */ + ssl_tls13_update_early_data_status(ssl, hrr_required); if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { ret = mbedtls_ssl_tls13_compute_early_transform(ssl); @@ -1893,6 +1900,8 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) return ret; } } +#else + ((void) hrr_required); #endif /* MBEDTLS_SSL_EARLY_DATA */ return 0; @@ -1947,7 +1956,9 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) return 0; } - MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl)); + MBEDTLS_SSL_PROC_CHK( + ssl_tls13_postprocess_client_hello(ssl, parse_client_hello_ret == + SSL_CLIENT_HELLO_HRR_REQUIRED)); if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); -- cgit v1.1 From 7d21cded3f0bf8fe7096f253585cf19547a5deb4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 30 Jan 2024 14:37:55 +0100 Subject: ssl.h: Simplify guard MBEDTLS_SSL_EARLY_DATA implies MBEDTLS_SSL_PROTO_TLS1_3 thus MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA is equivalent to MBEDTLS_SSL_EARLY_DATA. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7f1bd8f..610ed27 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2018,7 +2018,7 @@ void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport); */ void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA) +#if defined(MBEDTLS_SSL_EARLY_DATA) /** * \brief Set the early data mode * Default: disabled on server and client @@ -2073,7 +2073,7 @@ void mbedtls_ssl_conf_max_early_data_size( mbedtls_ssl_config *conf, uint32_t max_early_data_size); #endif /* MBEDTLS_SSL_SRV_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */ +#endif /* MBEDTLS_SSL_EARLY_DATA */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** -- cgit v1.1 From 0883b8b625a5531f2fc8a61b6b0417f00f76f91e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 30 Jan 2024 16:13:34 +0100 Subject: tls13: Introduce early_data_state SSL context field Introduce early_data_state SSL context field to distinguish better this internal state from the status values defined for the mbedtls_ssl_get_early_data_status() API. Distinguish also between the client and server states. Note that the client state are going to be documented and reworked as part of the implementation of mbedtls_ssl_write_early_data(). Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 61 ++++++++++++++++++++++++++++++++++----------- library/ssl_debug_helpers.h | 5 ++++ library/ssl_misc.h | 24 ------------------ library/ssl_msg.c | 6 +++-- library/ssl_tls.c | 8 +----- library/ssl_tls13_client.c | 14 +++++------ library/ssl_tls13_server.c | 22 ++++++++-------- 7 files changed, 74 insertions(+), 66 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 610ed27..bf30852 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1621,6 +1621,49 @@ struct mbedtls_ssl_config { #endif }; +#if defined(MBEDTLS_SSL_EARLY_DATA) +enum mbedtls_ssl_cli_early_data_state { + MBEDTLS_SSL_CLI_EARLY_DATA_STATE_NOT_SENT, + MBEDTLS_SSL_CLI_EARLY_DATA_STATE_ACCEPTED, + MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED +}; + +/* + * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_WAITING_CH: + * The server is waiting for the ClientHello. + * + * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING: + * The server has received a ClientHello indicating early data and has + * accepted them. It is now expecting early data and the end of early + * data message. + * + * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_REJECTED: + * The server has received a ClientHello indicating early data and has + * rejected them. + * + * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_NOT_RECEIVED: + * The server has received a ClientHello, no indication of early data. + * + * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_EOED_RECEIVED + * The server has received the early data extension, it has accepted early + * data and received the end of early data message from the client marking + * the end of early data reception. + */ + +enum mbedtls_ssl_srv_early_data_state { + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_WAITING_CH, + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING, + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_REJECTED, + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_NOT_RECEIVED, + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_EOED_RECEIVED +}; + +union mbedtls_ssl_early_data_state { + enum mbedtls_ssl_cli_early_data_state cli; + enum mbedtls_ssl_srv_early_data_state srv; +}; +#endif /* MBEDTLS_SSL_EARLY_DATA */ + struct mbedtls_ssl_context { const mbedtls_ssl_config *MBEDTLS_PRIVATE(conf); /*!< configuration information */ @@ -1655,22 +1698,10 @@ struct mbedtls_ssl_context { #if defined(MBEDTLS_SSL_EARLY_DATA) /** - * On client side, status of the negotiation of the use of early data. - * See the documentation of mbedtls_ssl_get_early_data_status() for more - * information. - * - * On server side, internal only, status of early data in the course of an - * handshake. One of MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, - * #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED, - * #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED, - * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED and - * MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED. - * - * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT or - * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, at the beginning of a new - * handshake. + * State of the sending (client side) or reception (server side) of early + * data. Reset to the initial state at the beginning of a new handshake. */ - int MBEDTLS_PRIVATE(early_data_status); + union mbedtls_ssl_early_data_state MBEDTLS_PRIVATE(early_data_state); #endif unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */ diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 2b0e737..3410c90 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -49,6 +49,11 @@ void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, unsigned int flags); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_EARLY_DATA) +const char *mbedtls_ssl_cli_early_data_state_str(enum mbedtls_ssl_cli_early_data_state in); +const char *mbedtls_ssl_srv_early_data_state_str(enum mbedtls_ssl_srv_early_data_state in); +#endif + #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \ mbedtls_ssl_print_extensions(ssl, level, __FILE__, __LINE__, \ hs_msg_type, extensions_mask, NULL) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9439408..2a488bb 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2130,30 +2130,6 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, size_t *out_len); - -#if defined(MBEDTLS_SSL_SRV_C) -/* Additional internal early data status, server side only. */ -/* - * The server has not received the ClientHello yet, the status of early data - * is thus unknown. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN \ - MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT - -/* - * The server has received the ClientHello, it contained no early data - * extension. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED 3 - -/* - * The server has received the early data extension, it has accepted early - * data and received the end of early data message from the client marking the - * end of early data reception. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED 4 -#endif /* MBEDTLS_SSL_SRV_C */ - #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 825ca8f..c6ba115 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5888,8 +5888,10 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; } - if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN) && - (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) { + if ((ssl->early_data_state.srv != + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_WAITING_CH) && + (ssl->early_data_state.srv != + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING)) { return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 72db821..50a8cd2 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1099,13 +1099,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) -#if defined(MBEDTLS_SSL_SRV_C) - MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN == 0, - "MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN not equal to 0"); -#endif - MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT == 0, - "MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT not equal to 0"); - ssl->early_data_status = 0; + ssl->early_data_state.cli = 0; #endif /* Initialize structures */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 76f0f18..94bbfe8 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1195,10 +1195,10 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, * `accepted` if the EncryptedExtension message contain an early data * indication extension. */ - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + ssl->early_data_state.cli = MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED; } else { MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension")); - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; + ssl->early_data_state.cli = MBEDTLS_SSL_CLI_EARLY_DATA_STATE_NOT_SENT; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1235,7 +1235,7 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) size_t psk_len; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { + if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED) { MBEDTLS_SSL_DEBUG_MSG( 1, ("Set hs psk for early data when writing the first psk")); @@ -1916,7 +1916,7 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) * cases we compute it here. */ #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT || + if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_NOT_SENT || handshake->key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) #endif @@ -2228,7 +2228,7 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + ssl->early_data_state.cli = MBEDTLS_SSL_CLI_EARLY_DATA_STATE_ACCEPTED; } #endif @@ -2565,9 +2565,9 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_ACCEPTED) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); - } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { + } else if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else #endif /* MBEDTLS_SSL_EARLY_DATA */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6933d1a..9fcea58 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1780,8 +1780,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_EARLY_DATA) -static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, - int hrr_required) +static void ssl_tls13_update_early_data_state(mbedtls_ssl_context *ssl, + int hrr_required) { mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -1789,11 +1789,11 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) { MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: no early data extension received.")); - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED; + ssl->early_data_state.srv = MBEDTLS_SSL_SRV_EARLY_DATA_STATE_NOT_RECEIVED; return; } - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + ssl->early_data_state.srv = MBEDTLS_SSL_SRV_EARLY_DATA_STATE_REJECTED; if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) { MBEDTLS_SSL_DEBUG_MSG( @@ -1856,7 +1856,7 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, return; } - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + ssl->early_data_state.srv = MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1890,9 +1890,9 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_EARLY_DATA) /* There is enough information, update early data status. */ - ssl_tls13_update_early_data_status(ssl, hrr_required); + ssl_tls13_update_early_data_state(ssl, hrr_required); - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + if (ssl->early_data_state.srv == MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING) { ret = mbedtls_ssl_tls13_compute_early_transform(ssl); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET( @@ -2541,7 +2541,7 @@ static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + if (ssl->early_data_state.srv == MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING) { ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, 0, p, end, &output_len); if (ret != 0) { @@ -2868,7 +2868,7 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + if (ssl->early_data_state.srv == MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING) { /* See RFC 8446 section A.2 for more information */ MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to early keys for inbound traffic. " @@ -3011,8 +3011,8 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data( ssl, buf, buf + buf_len)); - ssl->early_data_status = - MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED; + ssl->early_data_state.srv = + MBEDTLS_SSL_SRV_EARLY_DATA_STATE_EOED_RECEIVED; MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to handshake keys for inbound traffic" -- cgit v1.1 From 2c4308958d613f47b33003beba0c087419c24895 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 30 Jan 2024 18:11:11 +0100 Subject: ssl.h: Fix comments Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index bf30852..485ff57 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4793,7 +4793,7 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * defined in RFC 8446 (TLS 1.3 specification), has been * received as part of the handshake. This is server specific. * You must call mbedtls_ssl_read_early_data() to read the - * early data before to resume the handshake. + * early data before resuming the handshake. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -4947,7 +4947,7 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); * received as part of an handshake triggered by the function. * This is server specific. You must call * mbedtls_ssl_read_early_data() to read the early data before - * to resume the reading of post handshake application data. + * resuming the reading of post handshake application data. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -5028,7 +5028,7 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * received as part of an handshake triggered by the function. * This is server specific. You must call * mbedtls_ssl_read_early_data() to read the early data before - * to resume the writing of application data. + * resuming the writing of application data. * \return Another SSL error code - in this case you must stop using * the context (see below). * -- cgit v1.1 From 44d70a5f2341b3664b8be81a37b94ee97773c4bc Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 30 Jan 2024 18:16:47 +0100 Subject: tls13: early data: Improve documentation Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 77 +++++++++++++++++++++++++++++++++++---------------- 1 file changed, 53 insertions(+), 24 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 485ff57..ccabbc2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -92,11 +92,12 @@ #define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80 /** * Early data has been received as part of an on-going handshake. - * This error code can be returned only on server side. This error code can be - * returned by mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), - * mbedtls_ssl_read() and mbedtls_ssl_write() if early data has been received - * as part of the handshake sequence they triggered. To read the early - * data, call mbedtls_ssl_read_early_data(). + * This error code can be returned only on server side if and only if early + * data has been enabled by means of the mbedtls_ssl_conf_early_data() API. + * This error code can then be returned by mbedtls_ssl_handshake(), + * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write() if + * early data has been received as part of the handshake sequence they + * triggered. To read the early data, call mbedtls_ssl_read_early_data(). */ #define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C00 /** Not possible to write early data */ @@ -2057,14 +2058,23 @@ void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode); * \param conf The SSL configuration to use. * \param early_data_enabled can be: * - * MBEDTLS_SSL_EARLY_DATA_DISABLED: early data functionality is disabled - * This is the default on client and server. - * - * MBEDTLS_SSL_EARLY_DATA_ENABLED: early data functionality is enabled and - * may be negotiated in the handshake. Application using - * early data functionality needs to be aware of the - * lack of replay protection of the early data application - * payloads. + * MBEDTLS_SSL_EARLY_DATA_DISABLED: + * Early data functionality is disabled. This is the default on client and + * server. + * + * MBEDTLS_SSL_EARLY_DATA_ENABLED: + * Early data functionality is enabled and may be negotiated in the handshake. + * Application using early data functionality needs to be aware that the + * security properties for early data (also refered to as 0-RTT data) are + * weaker than those for other kinds of TLS data. See the documentation of + * mbedtls_ssl_write_early_data() and mbedtls_ssl_read_early_data() for more + * information. + * When early data functionality is enabled on server and only in that case, + * the call to one of the APIs that trigger or resume an handshake sequence, + * namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), + * mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code + * MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have + * been received. To read the early data, call mbedtls_ssl_read_early_data(). * * \warning This interface is experimental and may change without notice. * @@ -4791,9 +4801,11 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * this case you must stop using the context (see below). * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as * defined in RFC 8446 (TLS 1.3 specification), has been - * received as part of the handshake. This is server specific. - * You must call mbedtls_ssl_read_early_data() to read the - * early data before resuming the handshake. + * received as part of the handshake. This is server specific + * and may occur only if the early data feature has been + * enabled on server (see mbedtls_ssl_conf_early_data() + * documentation). You must call mbedtls_ssl_read_early_data() + * to read the early data before resuming the handshake. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -4944,10 +4956,11 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); * new connection using the same source port. See below. * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as * defined in RFC 8446 (TLS 1.3 specification), has been - * received as part of an handshake triggered by the function. - * This is server specific. You must call - * mbedtls_ssl_read_early_data() to read the early data before - * resuming the reading of post handshake application data. + * received as part of the handshake. This is server specific + * and may occur only if the early data feature has been + * enabled on server (see mbedtls_ssl_conf_early_data() + * documentation). You must call mbedtls_ssl_read_early_data() + * to read the early data before resuming the handshake. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -5025,10 +5038,11 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * the handshake when you're done attending other tasks. * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as * defined in RFC 8446 (TLS 1.3 specification), has been - * received as part of an handshake triggered by the function. - * This is server specific. You must call - * mbedtls_ssl_read_early_data() to read the early data before - * resuming the writing of application data. + * received as part of the handshake. This is server specific + * and may occur only if the early data feature has been + * enabled on server (see mbedtls_ssl_conf_early_data() + * documentation). You must call mbedtls_ssl_read_early_data() + * to read the early data before resuming the handshake. * \return Another SSL error code - in this case you must stop using * the context (see below). * @@ -5111,6 +5125,21 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); * \note This API is server specific. * * \note Early data is defined in the TLS 1.3 specification, RFC 8446. + * IMPORTANT NOTE from section 2.3 of the specification: + * + * The security properties for 0-RTT data are weaker than + * those for other kinds of TLS data. Specifically: + * - This data is not forward secret, as it is encrypted + * solely under keys derived using the offered PSK. + * - There are no guarantees of non-replay between connections. + * Protection against replay for ordinary TLS 1.3 1-RTT data + * is provided via the server's Random value, but 0-RTT data + * does not depend on the ServerHello and therefore has + * weaker guarantees. This is especially relevant if the + * data is authenticated either with TLS client + * authentication or inside the application protocol. The + * same warnings apply to any use of the + * early_exporter_master_secret. * * \note This function behaves mainly as mbedtls_ssl_read(). The * specification of mbedtls_ssl_read() relevant to TLS 1.3 -- cgit v1.1 From ed7d4bfda589684c59aaadc14e4bfdba07f7cd3d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 31 Jan 2024 07:55:19 +0100 Subject: tls13: srv: Simplify mbedtls_ssl_read_early_data() API Do not progress the handshake in the API, just read early data if some has been detected by a previous call to mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write(). Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 44 ++++++++++---------------------------------- library/ssl_msg.c | 42 ++++-------------------------------------- library/ssl_tls13_server.c | 4 ++++ 3 files changed, 18 insertions(+), 72 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index ccabbc2..5644f08 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5141,49 +5141,25 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); * same warnings apply to any use of the * early_exporter_master_secret. * - * \note This function behaves mainly as mbedtls_ssl_read(). The - * specification of mbedtls_ssl_read() relevant to TLS 1.3 - * (thus not the parts specific to (D)TLS 1.2) applies to this - * function and the present documentation is restricted to the - * differences with mbedtls_ssl_read(). - * - * \note This function can be used in conjunction with + * \note This function is used in conjunction with * mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), * mbedtls_ssl_read() and mbedtls_ssl_write() to read early * data when these functions return * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA. * - * \param ssl SSL context + * \param ssl SSL context, it must have been initialized and set up. * \param buf buffer that will hold the data * \param len maximum number of bytes to read * - * \note Unlike mbedtls_ssl_read(), this function does not return + * \return The (positive) number of bytes read if successful. + * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not + * possible to read early data for the SSL context \p ssl. Note + * that this function is intended to be called for an SSL + * context \p ssl only after a call to mbedtls_ssl_handshake(), + * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or + * mbedtls_ssl_write() for \p ssl that has returned * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA. - * - * \return One additional specific return value: - * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA. - * - * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA is returned when it - * is not possible to read early data for the SSL context - * \p ssl. - * - * It may have been possible and it is not possible - * anymore because the server received the End of Early Data - * message or the maximum number of allowed early data for the - * PSK in use has been reached. - * - * It may never have been possible and will never be possible - * for the SSL context \p ssl because the use of early data - * is disabled for that context or more generally the context - * is not suitably configured to enable early data or the - * client does not use early data or the first call to the - * function was done while the handshake was already too - * advanced to gather and accept early data. - * - * It is not possible to read early data for the SSL context - * \p ssl but this does not preclude for using it with - * mbedtls_ssl_write(), mbedtls_ssl_read() or - * mbedtls_ssl_handshake(). */ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c6ba115..3547f67 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5865,54 +5865,20 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len) return ret; } - #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const struct mbedtls_ssl_config *conf; - unsigned char *p = buf; - - if (ssl == NULL || ((conf = ssl->conf) == NULL)) { + if (ssl == NULL || (ssl->conf == NULL)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - if ((!mbedtls_ssl_conf_is_tls13_enabled(conf)) || - (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) || - (conf->early_data_enabled != MBEDTLS_SSL_EARLY_DATA_ENABLED)) { - return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; - } - - if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) { - return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; - } - - if ((ssl->early_data_state.srv != - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_WAITING_CH) && - (ssl->early_data_state.srv != - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING)) { - return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; - } - - ret = mbedtls_ssl_handshake(ssl); - if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) { - if (ssl->in_offt == NULL) { - /* Set the reading pointer */ - ssl->in_offt = ssl->in_msg; - } - ret = ssl_read_application_data(ssl, p, len); - } else if (ret == 0) { - /* - * If the handshake is completed, return immediately that early data - * cannot be read anymore. This potentially saves another call to this - * API and when the function returns 0, it only means that zero byte - * of early data has been received. - */ + if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) || + (ssl->in_offt == NULL)) { return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; } - return ret; + return ssl_read_application_data(ssl, buf, len); } #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 9fcea58..5b90dd5 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2929,6 +2929,10 @@ static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) * * TODO: Add received data size check here. */ + if (ssl->in_offt == NULL) { + /* Set the reading pointer */ + ssl->in_offt = ssl->in_msg; + } return SSL_GOT_EARLY_DATA; } -- cgit v1.1 From 44ff9506ddb315d06f2c33ccf5fe3f0a2ee60014 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 16:51:05 +0100 Subject: rsa: set parse/write functions out of !RSA_ALT guard Signed-off-by: Valerio Setti --- library/rsa.c | 1327 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 663 insertions(+), 664 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index e0c38c3..b81039c 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -46,6 +46,338 @@ #include "mbedtls/platform.h" +int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) +{ + int ret, version; + size_t len; + unsigned char *p, *end; + + mbedtls_mpi T; + mbedtls_mpi_init(&T); + + p = (unsigned char *) key; + end = p + keylen; + + /* + * This function parses the RSAPrivateKey (PKCS#1) + * + * RSAPrivateKey ::= SEQUENCE { + * version Version, + * modulus INTEGER, -- n + * publicExponent INTEGER, -- e + * privateExponent INTEGER, -- d + * prime1 INTEGER, -- p + * prime2 INTEGER, -- q + * exponent1 INTEGER, -- d mod (p-1) + * exponent2 INTEGER, -- d mod (q-1) + * coefficient INTEGER, -- (inverse of q) mod p + * otherPrimeInfos OtherPrimeInfos OPTIONAL + * } + */ + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return ret; + } + + end = p + len; + + if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { + return ret; + } + + if (version != 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } + + /* Import N */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL, + NULL, NULL)) != 0) { + goto cleanup; + } + + /* Import E */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, + NULL, &T)) != 0) { + goto cleanup; + } + + /* Import D */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, + &T, NULL)) != 0) { + goto cleanup; + } + + /* Import P */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL, + NULL, NULL)) != 0) { + goto cleanup; + } + + /* Import Q */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T, + NULL, NULL)) != 0) { + goto cleanup; + } + +#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) + /* + * The RSA CRT parameters DP, DQ and QP are nominally redundant, in + * that they can be easily recomputed from D, P and Q. However by + * parsing them from the PKCS1 structure it is possible to avoid + * recalculating them which both reduces the overhead of loading + * RSA private keys into memory and also avoids side channels which + * can arise when computing those values, since all of D, P, and Q + * are secret. See https://eprint.iacr.org/2020/055 for a + * description of one such attack. + */ + + /* Import DP */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { + goto cleanup; + } + + /* Import DQ */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { + goto cleanup; + } + + /* Import QP */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { + goto cleanup; + } + +#else + /* Verify existence of the CRT params */ + if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || + (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) { + goto cleanup; + } +#endif + + /* rsa_complete() doesn't complete anything with the default + * implementation but is still called: + * - for the benefit of alternative implementation that may want to + * pre-compute stuff beyond what's provided (eg Montgomery factors) + * - as is also sanity-checks the key + * + * Furthermore, we also check the public part for consistency with + * mbedtls_pk_parse_pubkey(), as it includes size minima for example. + */ + if ((ret = mbedtls_rsa_complete(rsa)) != 0 || + (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) { + goto cleanup; + } + + if (p != end) { + ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + +cleanup: + + mbedtls_mpi_free(&T); + + if (ret != 0) { + mbedtls_rsa_free(rsa); + } + + return ret; +} + +int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, + const unsigned char *end) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len; + + /* + * RSAPublicKey ::= SEQUENCE { + * modulus INTEGER, -- n + * publicExponent INTEGER -- e + * } + */ + + if ((ret = mbedtls_asn1_get_tag(p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { + return ret; + } + + if (*p + len != end) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + /* Import N */ + if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { + return ret; + } + + if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, + NULL, 0, NULL, 0)) != 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } + + *p += len; + + /* Import E */ + if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { + return ret; + } + + if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, + NULL, 0, *p, len)) != 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } + + *p += len; + + if (mbedtls_rsa_complete(rsa) != 0 || + mbedtls_rsa_check_pubkey(rsa) != 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } + + if (*p != end) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + return 0; +} + +int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, + unsigned char **p) +{ + size_t len = 0; + int ret; + + mbedtls_mpi T; /* Temporary holding the exported parameters */ + + /* + * Export the parameters one after another to avoid simultaneous copies. + */ + + mbedtls_mpi_init(&T); + + /* Export QP */ + if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export DQ */ + if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export DP */ + if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export Q */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export P */ + if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export D */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export E */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export N */ + if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + +end_of_export: + + mbedtls_mpi_free(&T); + if (ret < 0) { + return ret; + } + + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + + return (int) len; +} + +/* + * RSAPublicKey ::= SEQUENCE { + * modulus INTEGER, -- n + * publicExponent INTEGER -- e + * } + */ +int mbedtls_rsa_pubkey_write(const mbedtls_rsa_context *rsa, unsigned char *start, + unsigned char **p) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + mbedtls_mpi T; + + mbedtls_mpi_init(&T); + + /* Export E */ + if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + + /* Export N */ + if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || + (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { + goto end_of_export; + } + len += ret; + +end_of_export: + + mbedtls_mpi_free(&T); + if (ret < 0) { + return ret; + } + + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + + return (int) len; +} #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) @@ -221,804 +553,471 @@ int mbedtls_rsa_import(mbedtls_rsa_context *ctx, if (N != NULL) { ctx->len = mbedtls_mpi_size(&ctx->N); - } - - return 0; -} - -int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx, - unsigned char const *N, size_t N_len, - unsigned char const *P, size_t P_len, - unsigned char const *Q, size_t Q_len, - unsigned char const *D, size_t D_len, - unsigned char const *E, size_t E_len) -{ - int ret = 0; - - if (N != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len)); - ctx->len = mbedtls_mpi_size(&ctx->N); - } - - if (P != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len)); - } - - if (Q != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len)); - } - - if (D != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len)); - } - - if (E != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len)); - } - -cleanup: - - if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); - } - - return 0; -} - -/* - * Checks whether the context fields are set in such a way - * that the RSA primitives will be able to execute without error. - * It does *not* make guarantees for consistency of the parameters. - */ -static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv, - int blinding_needed) -{ -#if !defined(MBEDTLS_RSA_NO_CRT) - /* blinding_needed is only used for NO_CRT to decide whether - * P,Q need to be present or not. */ - ((void) blinding_needed); -#endif - - if (ctx->len != mbedtls_mpi_size(&ctx->N) || - ctx->len > MBEDTLS_MPI_MAX_SIZE) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } - - /* - * 1. Modular exponentiation needs positive, odd moduli. - */ - - /* Modular exponentiation wrt. N is always used for - * RSA public key operations. */ - if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 || - mbedtls_mpi_get_bit(&ctx->N, 0) == 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } - -#if !defined(MBEDTLS_RSA_NO_CRT) - /* Modular exponentiation for P and Q is only - * used for private key operations and if CRT - * is used. */ - if (is_priv && - (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || - mbedtls_mpi_get_bit(&ctx->P, 0) == 0 || - mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 || - mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } -#endif /* !MBEDTLS_RSA_NO_CRT */ - - /* - * 2. Exponents must be positive - */ - - /* Always need E for public key operations */ - if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } - -#if defined(MBEDTLS_RSA_NO_CRT) - /* For private key operations, use D or DP & DQ - * as (unblinded) exponents. */ - if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } -#else - if (is_priv && - (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 || - mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } -#endif /* MBEDTLS_RSA_NO_CRT */ - - /* Blinding shouldn't make exponents negative either, - * so check that P, Q >= 1 if that hasn't yet been - * done as part of 1. */ -#if defined(MBEDTLS_RSA_NO_CRT) - if (is_priv && blinding_needed && - (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || - mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } -#endif - - /* It wouldn't lead to an error if it wasn't satisfied, - * but check for QP >= 1 nonetheless. */ -#if !defined(MBEDTLS_RSA_NO_CRT) - if (is_priv && - mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } -#endif - - return 0; -} - -int mbedtls_rsa_complete(mbedtls_rsa_context *ctx) -{ - int ret = 0; - int have_N, have_P, have_Q, have_D, have_E; -#if !defined(MBEDTLS_RSA_NO_CRT) - int have_DP, have_DQ, have_QP; -#endif - int n_missing, pq_missing, d_missing, is_pub, is_priv; - - have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0); - have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0); - have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0); - have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0); - have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0); - -#if !defined(MBEDTLS_RSA_NO_CRT) - have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0); - have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0); - have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0); -#endif - - /* - * Check whether provided parameters are enough - * to deduce all others. The following incomplete - * parameter sets for private keys are supported: - * - * (1) P, Q missing. - * (2) D and potentially N missing. - * - */ - - n_missing = have_P && have_Q && have_D && have_E; - pq_missing = have_N && !have_P && !have_Q && have_D && have_E; - d_missing = have_P && have_Q && !have_D && have_E; - is_pub = have_N && !have_P && !have_Q && !have_D && have_E; - - /* These three alternatives are mutually exclusive */ - is_priv = n_missing || pq_missing || d_missing; - - if (!is_priv && !is_pub) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } - - /* - * Step 1: Deduce N if P, Q are provided. - */ - - if (!have_N && have_P && have_Q) { - if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, - &ctx->Q)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); - } - - ctx->len = mbedtls_mpi_size(&ctx->N); - } - - /* - * Step 2: Deduce and verify all remaining core parameters. - */ - - if (pq_missing) { - ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D, - &ctx->P, &ctx->Q); - if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); - } - - } else if (d_missing) { - if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P, - &ctx->Q, - &ctx->E, - &ctx->D)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); - } - } - - /* - * Step 3: Deduce all additional parameters specific - * to our current RSA implementation. - */ - -#if !defined(MBEDTLS_RSA_NO_CRT) - if (is_priv && !(have_DP && have_DQ && have_QP)) { - ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, - &ctx->DP, &ctx->DQ, &ctx->QP); - if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); - } - } -#endif /* MBEDTLS_RSA_NO_CRT */ - - /* - * Step 3: Basic sanity checks - */ + } - return rsa_check_context(ctx, is_priv, 1); + return 0; } -int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx, - unsigned char *N, size_t N_len, - unsigned char *P, size_t P_len, - unsigned char *Q, size_t Q_len, - unsigned char *D, size_t D_len, - unsigned char *E, size_t E_len) +int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx, + unsigned char const *N, size_t N_len, + unsigned char const *P, size_t P_len, + unsigned char const *Q, size_t Q_len, + unsigned char const *D, size_t D_len, + unsigned char const *E, size_t E_len) { int ret = 0; - int is_priv; - - /* Check if key is private or public */ - is_priv = - mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; - - if (!is_priv) { - /* If we're trying to export private parameters for a public key, - * something must be wrong. */ - if (P != NULL || Q != NULL || D != NULL) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } - - } if (N != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len)); + MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len)); + ctx->len = mbedtls_mpi_size(&ctx->N); } if (P != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len)); + MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len)); } if (Q != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len)); + MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len)); } if (D != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len)); + MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len)); } if (E != NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len)); + MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len)); } cleanup: - return ret; -} - -int mbedtls_rsa_export(const mbedtls_rsa_context *ctx, - mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, - mbedtls_mpi *D, mbedtls_mpi *E) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - int is_priv; - - /* Check if key is private or public */ - is_priv = - mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; - - if (!is_priv) { - /* If we're trying to export private parameters for a public key, - * something must be wrong. */ - if (P != NULL || Q != NULL || D != NULL) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } - - } - - /* Export all requested core parameters. */ - - if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) || - (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) || - (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) || - (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) || - (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) { - return ret; + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); } return 0; } /* - * Export CRT parameters - * This must also be implemented if CRT is not used, for being able to - * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt - * can be used in this case. + * Checks whether the context fields are set in such a way + * that the RSA primitives will be able to execute without error. + * It does *not* make guarantees for consistency of the parameters. */ -int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx, - mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP) +static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv, + int blinding_needed) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - int is_priv; +#if !defined(MBEDTLS_RSA_NO_CRT) + /* blinding_needed is only used for NO_CRT to decide whether + * P,Q need to be present or not. */ + ((void) blinding_needed); +#endif - /* Check if key is private or public */ - is_priv = - mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && - mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; + if (ctx->len != mbedtls_mpi_size(&ctx->N) || + ctx->len > MBEDTLS_MPI_MAX_SIZE) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } - if (!is_priv) { + /* + * 1. Modular exponentiation needs positive, odd moduli. + */ + + /* Modular exponentiation wrt. N is always used for + * RSA public key operations. */ + if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 || + mbedtls_mpi_get_bit(&ctx->N, 0) == 0) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } #if !defined(MBEDTLS_RSA_NO_CRT) - /* Export all requested blinding parameters. */ - if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) || - (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) || - (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); - } -#else - if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, - DP, DQ, QP)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); + /* Modular exponentiation for P and Q is only + * used for private key operations and if CRT + * is used. */ + if (is_priv && + (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || + mbedtls_mpi_get_bit(&ctx->P, 0) == 0 || + mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 || + mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } -#endif - - return 0; -} - -/* - * Initialize an RSA context - */ -void mbedtls_rsa_init(mbedtls_rsa_context *ctx) -{ - memset(ctx, 0, sizeof(mbedtls_rsa_context)); - - ctx->padding = MBEDTLS_RSA_PKCS_V15; - ctx->hash_id = MBEDTLS_MD_NONE; - -#if defined(MBEDTLS_THREADING_C) - /* Set ctx->ver to nonzero to indicate that the mutex has been - * initialized and will need to be freed. */ - ctx->ver = 1; - mbedtls_mutex_init(&ctx->mutex); -#endif -} +#endif /* !MBEDTLS_RSA_NO_CRT */ -/* - * Set padding for an existing RSA context - */ -int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding, - mbedtls_md_type_t hash_id) -{ - switch (padding) { -#if defined(MBEDTLS_PKCS1_V15) - case MBEDTLS_RSA_PKCS_V15: - break; -#endif + /* + * 2. Exponents must be positive + */ -#if defined(MBEDTLS_PKCS1_V21) - case MBEDTLS_RSA_PKCS_V21: - break; -#endif - default: - return MBEDTLS_ERR_RSA_INVALID_PADDING; + /* Always need E for public key operations */ + if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } -#if defined(MBEDTLS_PKCS1_V21) - if ((padding == MBEDTLS_RSA_PKCS_V21) && - (hash_id != MBEDTLS_MD_NONE)) { - /* Just make sure this hash is supported in this build. */ - if (mbedtls_md_info_from_type(hash_id) == NULL) { - return MBEDTLS_ERR_RSA_INVALID_PADDING; - } +#if defined(MBEDTLS_RSA_NO_CRT) + /* For private key operations, use D or DP & DQ + * as (unblinded) exponents. */ + if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } -#endif /* MBEDTLS_PKCS1_V21 */ - - ctx->padding = padding; - ctx->hash_id = hash_id; - - return 0; -} - -/* - * Get padding mode of initialized RSA context - */ -int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx) -{ - return ctx->padding; -} - -/* - * Get hash identifier of mbedtls_md_type_t type - */ -int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx) -{ - return ctx->hash_id; -} - -/* - * Get length in bytes of RSA modulus - */ -size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx) -{ - return ctx->len; -} - -/* - * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. - * - * The value zero is: - * - never a valid value for an RSA parameter - * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). - * - * Since values can't be omitted in PKCS#1, passing a zero value to - * rsa_complete() would be incorrect, so reject zero values early. - */ -static int asn1_get_nonzero_mpi(unsigned char **p, - const unsigned char *end, - mbedtls_mpi *X) -{ - int ret; +#else + if (is_priv && + (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 || + mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } +#endif /* MBEDTLS_RSA_NO_CRT */ - ret = mbedtls_asn1_get_mpi(p, end, X); - if (ret != 0) { - return ret; + /* Blinding shouldn't make exponents negative either, + * so check that P, Q >= 1 if that hasn't yet been + * done as part of 1. */ +#if defined(MBEDTLS_RSA_NO_CRT) + if (is_priv && blinding_needed && + (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || + mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } +#endif - if (mbedtls_mpi_cmp_int(X, 0) == 0) { + /* It wouldn't lead to an error if it wasn't satisfied, + * but check for QP >= 1 nonetheless. */ +#if !defined(MBEDTLS_RSA_NO_CRT) + if (is_priv && + mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } +#endif return 0; } -int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) +int mbedtls_rsa_complete(mbedtls_rsa_context *ctx) { - int ret, version; - size_t len; - unsigned char *p, *end; + int ret = 0; + int have_N, have_P, have_Q, have_D, have_E; +#if !defined(MBEDTLS_RSA_NO_CRT) + int have_DP, have_DQ, have_QP; +#endif + int n_missing, pq_missing, d_missing, is_pub, is_priv; - mbedtls_mpi T; - mbedtls_mpi_init(&T); + have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0); + have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0); + have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0); + have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0); + have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0); - p = (unsigned char *) key; - end = p + keylen; +#if !defined(MBEDTLS_RSA_NO_CRT) + have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0); + have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0); + have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0); +#endif /* - * This function parses the RSAPrivateKey (PKCS#1) + * Check whether provided parameters are enough + * to deduce all others. The following incomplete + * parameter sets for private keys are supported: + * + * (1) P, Q missing. + * (2) D and potentially N missing. * - * RSAPrivateKey ::= SEQUENCE { - * version Version, - * modulus INTEGER, -- n - * publicExponent INTEGER, -- e - * privateExponent INTEGER, -- d - * prime1 INTEGER, -- p - * prime2 INTEGER, -- q - * exponent1 INTEGER, -- d mod (p-1) - * exponent2 INTEGER, -- d mod (q-1) - * coefficient INTEGER, -- (inverse of q) mod p - * otherPrimeInfos OtherPrimeInfos OPTIONAL - * } */ - if ((ret = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return ret; - } - end = p + len; + n_missing = have_P && have_Q && have_D && have_E; + pq_missing = have_N && !have_P && !have_Q && have_D && have_E; + d_missing = have_P && have_Q && !have_D && have_E; + is_pub = have_N && !have_P && !have_Q && !have_D && have_E; - if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { - return ret; - } + /* These three alternatives are mutually exclusive */ + is_priv = n_missing || pq_missing || d_missing; - if (version != 0) { + if (!is_priv && !is_pub) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - /* Import N */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL, - NULL, NULL)) != 0) { - goto cleanup; - } - - /* Import E */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, - NULL, &T)) != 0) { - goto cleanup; - } - - /* Import D */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, - &T, NULL)) != 0) { - goto cleanup; - } + /* + * Step 1: Deduce N if P, Q are provided. + */ - /* Import P */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL, - NULL, NULL)) != 0) { - goto cleanup; - } + if (!have_N && have_P && have_Q) { + if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, + &ctx->Q)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); + } - /* Import Q */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T, - NULL, NULL)) != 0) { - goto cleanup; + ctx->len = mbedtls_mpi_size(&ctx->N); } -#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) /* - * The RSA CRT parameters DP, DQ and QP are nominally redundant, in - * that they can be easily recomputed from D, P and Q. However by - * parsing them from the PKCS1 structure it is possible to avoid - * recalculating them which both reduces the overhead of loading - * RSA private keys into memory and also avoids side channels which - * can arise when computing those values, since all of D, P, and Q - * are secret. See https://eprint.iacr.org/2020/055 for a - * description of one such attack. + * Step 2: Deduce and verify all remaining core parameters. */ - /* Import DP */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { - goto cleanup; - } - - /* Import DQ */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { - goto cleanup; - } - - /* Import QP */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { - goto cleanup; - } + if (pq_missing) { + ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D, + &ctx->P, &ctx->Q); + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); + } -#else - /* Verify existence of the CRT params */ - if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || - (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) { - goto cleanup; + } else if (d_missing) { + if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P, + &ctx->Q, + &ctx->E, + &ctx->D)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); + } } -#endif - /* rsa_complete() doesn't complete anything with the default - * implementation but is still called: - * - for the benefit of alternative implementation that may want to - * pre-compute stuff beyond what's provided (eg Montgomery factors) - * - as is also sanity-checks the key - * - * Furthermore, we also check the public part for consistency with - * mbedtls_pk_parse_pubkey(), as it includes size minima for example. + /* + * Step 3: Deduce all additional parameters specific + * to our current RSA implementation. */ - if ((ret = mbedtls_rsa_complete(rsa)) != 0 || - (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) { - goto cleanup; - } - if (p != end) { - ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; +#if !defined(MBEDTLS_RSA_NO_CRT) + if (is_priv && !(have_DP && have_DQ && have_QP)) { + ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, + &ctx->DP, &ctx->DQ, &ctx->QP); + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); + } } +#endif /* MBEDTLS_RSA_NO_CRT */ -cleanup: - - mbedtls_mpi_free(&T); - - if (ret != 0) { - mbedtls_rsa_free(rsa); - } + /* + * Step 3: Basic sanity checks + */ - return ret; + return rsa_check_context(ctx, is_priv, 1); } -int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, - const unsigned char *end) +int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx, + unsigned char *N, size_t N_len, + unsigned char *P, size_t P_len, + unsigned char *Q, size_t Q_len, + unsigned char *D, size_t D_len, + unsigned char *E, size_t E_len) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len; - - /* - * RSAPublicKey ::= SEQUENCE { - * modulus INTEGER, -- n - * publicExponent INTEGER -- e - * } - */ + int ret = 0; + int is_priv; - if ((ret = mbedtls_asn1_get_tag(p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return ret; - } + /* Check if key is private or public */ + is_priv = + mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; - if (*p + len != end) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - } + if (!is_priv) { + /* If we're trying to export private parameters for a public key, + * something must be wrong. */ + if (P != NULL || Q != NULL || D != NULL) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } - /* Import N */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { - return ret; } - if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, - NULL, 0, NULL, 0)) != 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + if (N != NULL) { + MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len)); } - *p += len; - - /* Import E */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { - return ret; + if (P != NULL) { + MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len)); } - if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, - NULL, 0, *p, len)) != 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + if (Q != NULL) { + MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len)); } - *p += len; - - if (mbedtls_rsa_complete(rsa) != 0 || - mbedtls_rsa_check_pubkey(rsa) != 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + if (D != NULL) { + MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len)); } - if (*p != end) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + if (E != NULL) { + MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len)); } - return 0; +cleanup: + + return ret; } -int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, - unsigned char **p) +int mbedtls_rsa_export(const mbedtls_rsa_context *ctx, + mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, + mbedtls_mpi *D, mbedtls_mpi *E) { - size_t len = 0; - int ret; - - mbedtls_mpi T; /* Temporary holding the exported parameters */ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int is_priv; - /* - * Export the parameters one after another to avoid simultaneous copies. - */ + /* Check if key is private or public */ + is_priv = + mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; - mbedtls_mpi_init(&T); + if (!is_priv) { + /* If we're trying to export private parameters for a public key, + * something must be wrong. */ + if (P != NULL || Q != NULL || D != NULL) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } - /* Export QP */ - if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; } - len += ret; - /* Export DQ */ - if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Export all requested core parameters. */ - /* Export DP */ - if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; + if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) || + (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) || + (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) || + (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) || + (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) { + return ret; } - len += ret; - /* Export Q */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; + return 0; +} - /* Export P */ - if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; +/* + * Export CRT parameters + * This must also be implemented if CRT is not used, for being able to + * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt + * can be used in this case. + */ +int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx, + mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int is_priv; - /* Export D */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; - } - len += ret; + /* Check if key is private or public */ + is_priv = + mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && + mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; - /* Export E */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; + if (!is_priv) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - len += ret; - /* Export N */ - if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; +#if !defined(MBEDTLS_RSA_NO_CRT) + /* Export all requested blinding parameters. */ + if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) || + (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) || + (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); } - len += ret; +#else + if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, + DP, DQ, QP)) != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); + } +#endif -end_of_export: + return 0; +} - mbedtls_mpi_free(&T); - if (ret < 0) { - return ret; - } +/* + * Initialize an RSA context + */ +void mbedtls_rsa_init(mbedtls_rsa_context *ctx) +{ + memset(ctx, 0, sizeof(mbedtls_rsa_context)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); + ctx->padding = MBEDTLS_RSA_PKCS_V15; + ctx->hash_id = MBEDTLS_MD_NONE; - return (int) len; +#if defined(MBEDTLS_THREADING_C) + /* Set ctx->ver to nonzero to indicate that the mutex has been + * initialized and will need to be freed. */ + ctx->ver = 1; + mbedtls_mutex_init(&ctx->mutex); +#endif } /* - * RSAPublicKey ::= SEQUENCE { - * modulus INTEGER, -- n - * publicExponent INTEGER -- e - * } + * Set padding for an existing RSA context */ -int mbedtls_rsa_pubkey_write(const mbedtls_rsa_context *rsa, unsigned char *start, - unsigned char **p) +int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding, + mbedtls_md_type_t hash_id) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - mbedtls_mpi T; - - mbedtls_mpi_init(&T); + switch (padding) { +#if defined(MBEDTLS_PKCS1_V15) + case MBEDTLS_RSA_PKCS_V15: + break; +#endif - /* Export E */ - if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; +#if defined(MBEDTLS_PKCS1_V21) + case MBEDTLS_RSA_PKCS_V21: + break; +#endif + default: + return MBEDTLS_ERR_RSA_INVALID_PADDING; } - len += ret; - /* Export N */ - if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || - (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { - goto end_of_export; +#if defined(MBEDTLS_PKCS1_V21) + if ((padding == MBEDTLS_RSA_PKCS_V21) && + (hash_id != MBEDTLS_MD_NONE)) { + /* Just make sure this hash is supported in this build. */ + if (mbedtls_md_info_from_type(hash_id) == NULL) { + return MBEDTLS_ERR_RSA_INVALID_PADDING; + } } - len += ret; +#endif /* MBEDTLS_PKCS1_V21 */ -end_of_export: + ctx->padding = padding; + ctx->hash_id = hash_id; - mbedtls_mpi_free(&T); - if (ret < 0) { + return 0; +} + +/* + * Get padding mode of initialized RSA context + */ +int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx) +{ + return ctx->padding; +} + +/* + * Get hash identifier of mbedtls_md_type_t type + */ +int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx) +{ + return ctx->hash_id; +} + +/* + * Get length in bytes of RSA modulus + */ +size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx) +{ + return ctx->len; +} + +/* + * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. + * + * The value zero is: + * - never a valid value for an RSA parameter + * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). + * + * Since values can't be omitted in PKCS#1, passing a zero value to + * rsa_complete() would be incorrect, so reject zero values early. + */ +static int asn1_get_nonzero_mpi(unsigned char **p, + const unsigned char *end, + mbedtls_mpi *X) +{ + int ret; + + ret = mbedtls_asn1_get_mpi(p, end, X); + if (ret != 0) { return ret; } - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); + if (mbedtls_mpi_cmp_int(X, 0) == 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } - return (int) len; + return 0; } #if defined(MBEDTLS_GENPRIME) -- cgit v1.1 From 135ebde273d57f23932650efc60a17af00a1b328 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 17:00:29 +0100 Subject: rsa: rename parse/write functions in order to follow the standard format Signed-off-by: Valerio Setti --- library/pk_wrap.c | 8 ++++---- library/pkparse.c | 12 ++++++------ library/pkwrite.c | 4 ++-- library/psa_crypto_rsa.c | 8 ++++---- library/rsa.c | 8 ++++---- library/rsa_internal.h | 8 ++++---- tests/suites/test_suite_rsa.function | 24 ++++++++++++------------ 7 files changed, 36 insertions(+), 36 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index ff8eeb1..f8ce099 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -87,7 +87,7 @@ static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, return MBEDTLS_ERR_RSA_VERIFY_FAILED; } - key_len = mbedtls_rsa_pubkey_write(rsa, buf, &p); + key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p); if (key_len <= 0) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } @@ -185,7 +185,7 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg, return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; } - key_len = mbedtls_rsa_key_write(rsa_ctx, buf, &p); + key_len = mbedtls_rsa_write_key(rsa_ctx, buf, &p); if (key_len <= 0) { mbedtls_free(buf); return MBEDTLS_ERR_PK_BAD_INPUT_DATA; @@ -293,7 +293,7 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - key_len = mbedtls_rsa_key_write(rsa, buf, &p); + key_len = mbedtls_rsa_write_key(rsa, buf, &p); if (key_len <= 0) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } @@ -375,7 +375,7 @@ static int rsa_encrypt_wrap(mbedtls_pk_context *pk, return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; } - key_len = mbedtls_rsa_pubkey_write(rsa, buf, &p); + key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p); if (key_len <= 0) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } diff --git a/library/pkparse.c b/library/pkparse.c index 17df101..b2127b2 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -850,7 +850,7 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, #if defined(MBEDTLS_RSA_C) if (pk_alg == MBEDTLS_PK_RSA) { - ret = mbedtls_rsa_pubkey_parse(mbedtls_pk_rsa(*pk), p, end); + ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), p, end); } else #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) @@ -1098,7 +1098,7 @@ static int pk_parse_key_pkcs8_unencrypted_der( #if defined(MBEDTLS_RSA_C) if (pk_alg == MBEDTLS_PK_RSA) { - if ((ret = mbedtls_rsa_key_parse(mbedtls_pk_rsa(*pk), p, len)) != 0) { + if ((ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), p, len)) != 0) { mbedtls_pk_free(pk); return ret; } @@ -1288,7 +1288,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk, if (ret == 0) { pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 || - (ret = mbedtls_rsa_key_parse(mbedtls_pk_rsa(*pk), + (ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), pem.buf, pem.buflen)) != 0) { mbedtls_pk_free(pk); } @@ -1429,7 +1429,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk, pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); if (mbedtls_pk_setup(pk, pk_info) == 0 && - mbedtls_rsa_key_parse(mbedtls_pk_rsa(*pk), key, keylen) == 0) { + mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), key, keylen) == 0) { return 0; } @@ -1504,7 +1504,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, return ret; } - if ((ret = mbedtls_rsa_pubkey_parse(mbedtls_pk_rsa(*ctx), &p, p + pem.buflen)) != 0) { + if ((ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), &p, p + pem.buflen)) != 0) { mbedtls_pk_free(ctx); } @@ -1551,7 +1551,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, } p = (unsigned char *) key; - ret = mbedtls_rsa_pubkey_parse(mbedtls_pk_rsa(*ctx), &p, p + keylen); + ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), &p, p + keylen); if (ret == 0) { return ret; } diff --git a/library/pkwrite.c b/library/pkwrite.c index 91529eb..b9ddcf1 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -78,7 +78,7 @@ static int pk_write_rsa_der(unsigned char **p, unsigned char *buf, return (int) len; } #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return mbedtls_rsa_key_write(mbedtls_pk_rsa(*pk), buf, p); + return mbedtls_rsa_write_key(mbedtls_pk_rsa(*pk), buf, p); } #endif /* MBEDTLS_RSA_C */ @@ -416,7 +416,7 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, #if defined(MBEDTLS_RSA_C) if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) { - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_rsa_pubkey_write(mbedtls_pk_rsa(*key), start, p)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*key), start, p)); } else #endif #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index cfa2da6..0047a26 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -71,11 +71,11 @@ psa_status_t mbedtls_psa_rsa_load_representation( /* Parse the data. */ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { - status = mbedtls_to_psa_error(mbedtls_rsa_key_parse(*p_rsa, data, data_length)); + status = mbedtls_to_psa_error(mbedtls_rsa_parse_key(*p_rsa, data, data_length)); } else { unsigned char *p = data; unsigned char *end = (data + data_length); - status = mbedtls_to_psa_error(mbedtls_rsa_pubkey_parse(*p_rsa, &p, end)); + status = mbedtls_to_psa_error(mbedtls_rsa_parse_pubkey(*p_rsa, &p, end)); } if (status != PSA_SUCCESS) { goto exit; @@ -163,9 +163,9 @@ psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type, * representation of the non-encrypted PKCS#1 RSAPrivateKey for a * private key and of the RFC3279 RSAPublicKey for a public key. */ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { - ret = mbedtls_rsa_key_write(rsa, data, &end); + ret = mbedtls_rsa_write_key(rsa, data, &end); } else { - ret = mbedtls_rsa_pubkey_write(rsa, data, &end); + ret = mbedtls_rsa_write_pubkey(rsa, data, &end); } if (ret < 0) { diff --git a/library/rsa.c b/library/rsa.c index b81039c..62b56cd 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -46,7 +46,7 @@ #include "mbedtls/platform.h" -int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) +int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) { int ret, version; size_t len; @@ -192,7 +192,7 @@ cleanup: return ret; } -int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, +int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, unsigned char **p, const unsigned char *end) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -250,7 +250,7 @@ int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, return 0; } -int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, +int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start, unsigned char **p) { size_t len = 0; @@ -342,7 +342,7 @@ end_of_export: * publicExponent INTEGER -- e * } */ -int mbedtls_rsa_pubkey_write(const mbedtls_rsa_context *rsa, unsigned char *start, +int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start, unsigned char **p) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; diff --git a/library/rsa_internal.h b/library/rsa_internal.h index 6046850..7bbdc8c 100644 --- a/library/rsa_internal.h +++ b/library/rsa_internal.h @@ -28,7 +28,7 @@ * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors. * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA in case of invalid version. */ -int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen); +int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen); /** * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key. @@ -44,7 +44,7 @@ int mbedtls_rsa_key_parse(mbedtls_rsa_context *rsa, const unsigned char *key, si * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA in case of importing or * priv/pub validation errors. */ -int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, +int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, unsigned char **p, const unsigned char *end); /** @@ -67,7 +67,7 @@ int mbedtls_rsa_pubkey_parse(mbedtls_rsa_context *rsa, unsigned char **p, * \note The output buffer is filled backward, i.e. starting from its * end and moving toward its start. */ -int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, +int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start, unsigned char **p); /** @@ -90,7 +90,7 @@ int mbedtls_rsa_key_write(const mbedtls_rsa_context *rsa, unsigned char *start, * \note The output buffer is filled backward, i.e. starting from its * end and moving toward its start. */ -int mbedtls_rsa_pubkey_write(const mbedtls_rsa_context *rsa, unsigned char *start, +int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start, unsigned char **p); #if defined(MBEDTLS_PKCS1_V21) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 44caacd..2cc9fc1 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1382,9 +1382,9 @@ void rsa_parse_pkcs1_key(int is_public, data_t *input, int exp_ret_val) mbedtls_rsa_init(&rsa_ctx); if (is_public) { - TEST_EQUAL(mbedtls_rsa_pubkey_parse(&rsa_ctx, &start, end), exp_ret_val); + TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, &start, end), exp_ret_val); } else { - TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), exp_ret_val); + TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), exp_ret_val); } exit: @@ -1410,12 +1410,12 @@ void rsa_parse_write_pkcs1_key(int is_public, data_t *input) /* Parse the key and write it back to output_buf. */ if (is_public) { - TEST_EQUAL(mbedtls_rsa_pubkey_parse(&rsa_ctx, &input_start, input_end), 0); + TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, &input_start, input_end), 0); TEST_ASSERT(input_start == input_end); - TEST_EQUAL(mbedtls_rsa_pubkey_write(&rsa_ctx, output_start, &output_end), input->len); + TEST_EQUAL(mbedtls_rsa_write_pubkey(&rsa_ctx, output_start, &output_end), input->len); } else { - TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), 0); - TEST_EQUAL(mbedtls_rsa_key_write(&rsa_ctx, output_start, &output_end), input->len); + TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0); + TEST_EQUAL(mbedtls_rsa_write_key(&rsa_ctx, output_start, &output_end), input->len); } /* This check holds because we alloacated an output buffer which is exactly * large enough to contain the written data. */ @@ -1444,9 +1444,9 @@ void rsa_key_write_incremental(int is_public, data_t *input) if (is_public) { start = input->x; end = input->x + input->len; - TEST_EQUAL(mbedtls_rsa_pubkey_parse(&rsa_ctx, &start, end), 0); + TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, &start, end), 0); } else { - TEST_EQUAL(mbedtls_rsa_key_parse(&rsa_ctx, input->x, input->len), 0); + TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0); } for (i = 1; i < input->len; i++) { @@ -1454,9 +1454,9 @@ void rsa_key_write_incremental(int is_public, data_t *input) end = buf + i; /* We don't care much about the return value as long as it fails. */ if (is_public) { - TEST_ASSERT(mbedtls_rsa_pubkey_write(&rsa_ctx, buf, &end) != 0); + TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &end) != 0); } else { - TEST_ASSERT(mbedtls_rsa_key_write(&rsa_ctx, buf, &end) != 0); + TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &end) != 0); } mbedtls_free(buf); buf = NULL; @@ -1467,9 +1467,9 @@ void rsa_key_write_incremental(int is_public, data_t *input) end = buf + i; if (is_public) { - TEST_ASSERT(mbedtls_rsa_pubkey_write(&rsa_ctx, buf, &end) != 0); + TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &end) != 0); } else { - TEST_ASSERT(mbedtls_rsa_key_write(&rsa_ctx, buf, &end) > 0); + TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &end) > 0); } exit: -- cgit v1.1 From 201e643509f7ddb4a30805f48446c4712bb49dbd Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 17:19:37 +0100 Subject: rsa: simplify mbedtls_rsa_parse_pubkey() input parameters In this way mbedtls_rsa_parse_pubkey() and mbedtls_rsa_parse_key() input parameter list is the same. Signed-off-by: Valerio Setti --- library/pkparse.c | 6 +-- library/psa_crypto_rsa.c | 4 +- library/rsa.c | 79 ++++++++++++++++++------------------ library/rsa_internal.h | 9 ++-- tests/suites/test_suite_rsa.function | 15 ++----- 5 files changed, 51 insertions(+), 62 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index b2127b2..a47815b 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -850,7 +850,7 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, #if defined(MBEDTLS_RSA_C) if (pk_alg == MBEDTLS_PK_RSA) { - ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), p, end); + ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), *p, (size_t) (end - *p)); } else #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) @@ -1504,7 +1504,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, return ret; } - if ((ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), &p, p + pem.buflen)) != 0) { + if ((ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), p, pem.buflen)) != 0) { mbedtls_pk_free(ctx); } @@ -1551,7 +1551,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, } p = (unsigned char *) key; - ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), &p, p + keylen); + ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), p, keylen); if (ret == 0) { return ret; } diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 0047a26..4a574d1 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -73,9 +73,7 @@ psa_status_t mbedtls_psa_rsa_load_representation( if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { status = mbedtls_to_psa_error(mbedtls_rsa_parse_key(*p_rsa, data, data_length)); } else { - unsigned char *p = data; - unsigned char *end = (data + data_length); - status = mbedtls_to_psa_error(mbedtls_rsa_parse_pubkey(*p_rsa, &p, end)); + status = mbedtls_to_psa_error(mbedtls_rsa_parse_pubkey(*p_rsa, data, data_length)); } if (status != PSA_SUCCESS) { goto exit; diff --git a/library/rsa.c b/library/rsa.c index 62b56cd..f4add91 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -46,6 +46,34 @@ #include "mbedtls/platform.h" +/* + * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. + * + * The value zero is: + * - never a valid value for an RSA parameter + * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). + * + * Since values can't be omitted in PKCS#1, passing a zero value to + * rsa_complete() would be incorrect, so reject zero values early. + */ +static int asn1_get_nonzero_mpi(unsigned char **p, + const unsigned char *end, + mbedtls_mpi *X) +{ + int ret; + + ret = mbedtls_asn1_get_mpi(p, end, X); + if (ret != 0) { + return ret; + } + + if (mbedtls_mpi_cmp_int(X, 0) == 0) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } + + return 0; +} + int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) { int ret, version; @@ -192,9 +220,10 @@ cleanup: return ret; } -int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, unsigned char **p, - const unsigned char *end) +int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) { + unsigned char *p = (unsigned char *) key; + unsigned char *end = (unsigned char *) (key + keylen); int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len; @@ -205,45 +234,45 @@ int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, unsigned char **p, * } */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { return ret; } - if (*p + len != end) { + if (p + len != end) { return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } /* Import N */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { return ret; } - if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0, + if ((ret = mbedtls_rsa_import_raw(rsa, p, len, NULL, 0, NULL, 0, NULL, 0, NULL, 0)) != 0) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - *p += len; + p += len; /* Import E */ - if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { return ret; } if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, - NULL, 0, *p, len)) != 0) { + NULL, 0, p, len)) != 0) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - *p += len; + p += len; if (mbedtls_rsa_complete(rsa) != 0 || mbedtls_rsa_check_pubkey(rsa) != 0) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - if (*p != end) { + if (p != end) { return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } @@ -992,34 +1021,6 @@ size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx) return ctx->len; } -/* - * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. - * - * The value zero is: - * - never a valid value for an RSA parameter - * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). - * - * Since values can't be omitted in PKCS#1, passing a zero value to - * rsa_complete() would be incorrect, so reject zero values early. - */ -static int asn1_get_nonzero_mpi(unsigned char **p, - const unsigned char *end, - mbedtls_mpi *X) -{ - int ret; - - ret = mbedtls_asn1_get_mpi(p, end, X); - if (ret != 0) { - return ret; - } - - if (mbedtls_mpi_cmp_int(X, 0) == 0) { - return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } - - return 0; -} - #if defined(MBEDTLS_GENPRIME) /* diff --git a/library/rsa_internal.h b/library/rsa_internal.h index 7bbdc8c..acf14a2 100644 --- a/library/rsa_internal.h +++ b/library/rsa_internal.h @@ -34,18 +34,15 @@ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, si * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key. * * \param rsa The RSA context where parsed data will be stored. - * \param p Beginning of the buffer containing the key to be parsed. - * On successful return, the referenced pointer will be - * updated in order to point to the end of the parsed data. - * \param end End of the buffer containing the key to be parsed. + * \param key The buffer that contains the key. + * \param keylen The length of the key buffer in bytes. * * \return 0 on success. * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors. * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA in case of importing or * priv/pub validation errors. */ -int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, unsigned char **p, - const unsigned char *end); +int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen); /** * \brief Write a PKCS#1 (ASN.1) encoded private RSA key. diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 2cc9fc1..357c6ed 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1376,13 +1376,11 @@ exit: void rsa_parse_pkcs1_key(int is_public, data_t *input, int exp_ret_val) { mbedtls_rsa_context rsa_ctx; - unsigned char *start = input->x; - unsigned char *end = input->x + input->len; mbedtls_rsa_init(&rsa_ctx); if (is_public) { - TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, &start, end), exp_ret_val); + TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, input->x, input->len), exp_ret_val); } else { TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), exp_ret_val); } @@ -1396,8 +1394,6 @@ exit: void rsa_parse_write_pkcs1_key(int is_public, data_t *input) { mbedtls_rsa_context rsa_ctx; - unsigned char *input_start = input->x; - unsigned char *input_end = input->x + input->len; unsigned char *output_buf = NULL; unsigned char *output_start; unsigned char *output_end; @@ -1410,8 +1406,7 @@ void rsa_parse_write_pkcs1_key(int is_public, data_t *input) /* Parse the key and write it back to output_buf. */ if (is_public) { - TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, &input_start, input_end), 0); - TEST_ASSERT(input_start == input_end); + TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, input->x, input->len), 0); TEST_EQUAL(mbedtls_rsa_write_pubkey(&rsa_ctx, output_start, &output_end), input->len); } else { TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0); @@ -1434,7 +1429,7 @@ exit: void rsa_key_write_incremental(int is_public, data_t *input) { mbedtls_rsa_context rsa_ctx; - unsigned char *buf = NULL, *start, *end; + unsigned char *buf = NULL, *end; size_t i; mbedtls_rsa_init(&rsa_ctx); @@ -1442,9 +1437,7 @@ void rsa_key_write_incremental(int is_public, data_t *input) /* This is supposed to succeed as the real target of this test are the * write attempt below. */ if (is_public) { - start = input->x; - end = input->x + input->len; - TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, &start, end), 0); + TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, input->x, input->len), 0); } else { TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0); } -- cgit v1.1 From 5fe9f6699bef38d3af95ecb4cd222de318993078 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 17:35:56 +0100 Subject: rsa_internal: update documentation for parse/write functions Signed-off-by: Valerio Setti --- library/rsa_internal.h | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/library/rsa_internal.h b/library/rsa_internal.h index acf14a2..4cb564e 100644 --- a/library/rsa_internal.h +++ b/library/rsa_internal.h @@ -24,9 +24,11 @@ * \param key The buffer that contains the key. * \param keylen The length of the key buffer in bytes. * - * \return 0 in success - * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors. - * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA in case of invalid version. + * \return 0 on success. + * \return MBEDTLS_ERR_RSA_xxx in case of RSA internal failures while + * parsing data. + * \return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if validity checks on the + * provided key fail. */ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen); @@ -39,8 +41,10 @@ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, si * * \return 0 on success. * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors. - * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA in case of importing or - * priv/pub validation errors. + * \return MBEDTLS_ERR_RSA_xxx in case of RSA internal failures while + * parsing data. + * \return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if validity checks on the + * provided key fail. */ int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen); @@ -56,8 +60,8 @@ int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, * * \return On success, the number of bytes written to the output buffer * (i.e. a value > 0). - * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA is the RSA context does not - * cointain valid. + * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the RSA context does not + * contain a valid key pair. * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the * output buffer. * @@ -79,8 +83,8 @@ int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start, * * \return On success, the number of bytes written to the output buffer * (i.e. a value > 0). - * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA is the RSA context does not - * cointain valid. + * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the RSA context does not + * contain a valid public key. * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the * output buffer. * -- cgit v1.1 From 56cfe2fab6e5c529be54256fa15c657952502323 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 17:53:26 +0100 Subject: test_suite_rsa: improve rsa_parse_write_pkcs1_key() and rsa_key_write_incremental() Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.function | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 357c6ed..6d1a0f0 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1395,29 +1395,27 @@ void rsa_parse_write_pkcs1_key(int is_public, data_t *input) { mbedtls_rsa_context rsa_ctx; unsigned char *output_buf = NULL; - unsigned char *output_start; - unsigned char *output_end; + unsigned char *output_end, *output_p; + size_t output_len; + + mbedtls_rsa_init(&rsa_ctx); TEST_CALLOC(output_buf, input->len); - output_start = output_buf; output_end = output_buf + input->len; - - mbedtls_rsa_init(&rsa_ctx); + output_p = output_end; /* Parse the key and write it back to output_buf. */ if (is_public) { TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, input->x, input->len), 0); - TEST_EQUAL(mbedtls_rsa_write_pubkey(&rsa_ctx, output_start, &output_end), input->len); + TEST_EQUAL(mbedtls_rsa_write_pubkey(&rsa_ctx, output_buf, &output_p), input->len); } else { TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0); - TEST_EQUAL(mbedtls_rsa_write_key(&rsa_ctx, output_start, &output_end), input->len); + TEST_EQUAL(mbedtls_rsa_write_key(&rsa_ctx, output_buf, &output_p), input->len); } - /* This check holds because we alloacated an output buffer which is exactly - * large enough to contain the written data. */ - TEST_ASSERT(output_end == output_start); + output_len = output_end - output_p; /* Check that the written key matches with the one provided in input. */ - TEST_MEMORY_COMPARE(output_buf, input->len, input->x, input->len); + TEST_MEMORY_COMPARE(output_p, output_len, input->x, input->len); exit: mbedtls_free(output_buf); @@ -1466,9 +1464,7 @@ void rsa_key_write_incremental(int is_public, data_t *input) } exit: - if (buf != NULL) { - mbedtls_free(buf); - } + mbedtls_free(buf); mbedtls_rsa_free(&rsa_ctx); } /* END_CASE */ -- cgit v1.1 From 164537c4a65b66dcd57a0a2e074304c5ffb9cf03 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 1 Feb 2024 18:05:47 +0100 Subject: tls13: early data: Improve, add comments Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 5 +++-- library/ssl_msg.c | 4 ++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 5644f08..2aae32e 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2074,7 +2074,8 @@ void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode); * namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), * mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code * MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have - * been received. To read the early data, call mbedtls_ssl_read_early_data(). + * been received. To read the early data, call mbedtls_ssl_read_early_data() + * before calling the original function again. * * \warning This interface is experimental and may change without notice. * @@ -5124,7 +5125,7 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); * * \note This API is server specific. * - * \note Early data is defined in the TLS 1.3 specification, RFC 8446. + * \warning Early data is defined in the TLS 1.3 specification, RFC 8446. * IMPORTANT NOTE from section 2.3 of the specification: * * The security properties for 0-RTT data are weaker than diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 3547f67..20501c9 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5873,6 +5873,10 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + /* + * The server may receive early data only while waiting for the End of + * Early Data handshake message. + */ if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) || (ssl->in_offt == NULL)) { return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA; -- cgit v1.1 From 3b9034544e7fd2f5dc634795c8c3996506de7a10 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 1 Feb 2024 18:11:05 +0100 Subject: Revert "tls13: Introduce early_data_state SSL context field" This reverts commit 0883b8b625a5531f2fc8a61b6b0417f00f76f91e. Due to the scope reduction of mbedtls_ssl_read_early_data() it is not necessary anymore to refine the usage of early_data_status/state rather the opposite. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 61 +++++++++++---------------------------------- library/ssl_debug_helpers.h | 5 ---- library/ssl_misc.h | 24 ++++++++++++++++++ library/ssl_tls.c | 8 +++++- library/ssl_tls13_client.c | 14 +++++------ library/ssl_tls13_server.c | 22 ++++++++-------- 6 files changed, 64 insertions(+), 70 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2aae32e..635804d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1622,49 +1622,6 @@ struct mbedtls_ssl_config { #endif }; -#if defined(MBEDTLS_SSL_EARLY_DATA) -enum mbedtls_ssl_cli_early_data_state { - MBEDTLS_SSL_CLI_EARLY_DATA_STATE_NOT_SENT, - MBEDTLS_SSL_CLI_EARLY_DATA_STATE_ACCEPTED, - MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED -}; - -/* - * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_WAITING_CH: - * The server is waiting for the ClientHello. - * - * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING: - * The server has received a ClientHello indicating early data and has - * accepted them. It is now expecting early data and the end of early - * data message. - * - * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_REJECTED: - * The server has received a ClientHello indicating early data and has - * rejected them. - * - * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_NOT_RECEIVED: - * The server has received a ClientHello, no indication of early data. - * - * MBEDTLS_SSL_SRV_EARLY_DATA_STATE_EOED_RECEIVED - * The server has received the early data extension, it has accepted early - * data and received the end of early data message from the client marking - * the end of early data reception. - */ - -enum mbedtls_ssl_srv_early_data_state { - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_WAITING_CH, - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING, - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_REJECTED, - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_NOT_RECEIVED, - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_EOED_RECEIVED -}; - -union mbedtls_ssl_early_data_state { - enum mbedtls_ssl_cli_early_data_state cli; - enum mbedtls_ssl_srv_early_data_state srv; -}; -#endif /* MBEDTLS_SSL_EARLY_DATA */ - struct mbedtls_ssl_context { const mbedtls_ssl_config *MBEDTLS_PRIVATE(conf); /*!< configuration information */ @@ -1699,10 +1656,22 @@ struct mbedtls_ssl_context { #if defined(MBEDTLS_SSL_EARLY_DATA) /** - * State of the sending (client side) or reception (server side) of early - * data. Reset to the initial state at the beginning of a new handshake. + * On client side, status of the negotiation of the use of early data. + * See the documentation of mbedtls_ssl_get_early_data_status() for more + * information. + * + * On server side, internal only, status of early data in the course of an + * handshake. One of MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, + * #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED, + * #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED, + * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED and + * MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED. + * + * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT or + * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, at the beginning of a new + * handshake. */ - union mbedtls_ssl_early_data_state MBEDTLS_PRIVATE(early_data_state); + int MBEDTLS_PRIVATE(early_data_status); #endif unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */ diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 3410c90..2b0e737 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -49,11 +49,6 @@ void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, unsigned int flags); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_SSL_EARLY_DATA) -const char *mbedtls_ssl_cli_early_data_state_str(enum mbedtls_ssl_cli_early_data_state in); -const char *mbedtls_ssl_srv_early_data_state_str(enum mbedtls_ssl_srv_early_data_state in); -#endif - #define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \ mbedtls_ssl_print_extensions(ssl, level, __FILE__, __LINE__, \ hs_msg_type, extensions_mask, NULL) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2a488bb..9439408 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2130,6 +2130,30 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, size_t *out_len); + +#if defined(MBEDTLS_SSL_SRV_C) +/* Additional internal early data status, server side only. */ +/* + * The server has not received the ClientHello yet, the status of early data + * is thus unknown. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN \ + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT + +/* + * The server has received the ClientHello, it contained no early data + * extension. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED 3 + +/* + * The server has received the early data extension, it has accepted early + * data and received the end of early data message from the client marking the + * end of early data reception. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED 4 +#endif /* MBEDTLS_SSL_SRV_C */ + #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 50a8cd2..72db821 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1099,7 +1099,13 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) - ssl->early_data_state.cli = 0; +#if defined(MBEDTLS_SSL_SRV_C) + MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN == 0, + "MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN not equal to 0"); +#endif + MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT == 0, + "MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT not equal to 0"); + ssl->early_data_status = 0; #endif /* Initialize structures */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 94bbfe8..76f0f18 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1195,10 +1195,10 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, * `accepted` if the EncryptedExtension message contain an early data * indication extension. */ - ssl->early_data_state.cli = MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; } else { MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension")); - ssl->early_data_state.cli = MBEDTLS_SSL_CLI_EARLY_DATA_STATE_NOT_SENT; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1235,7 +1235,7 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) size_t psk_len; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED) { + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { MBEDTLS_SSL_DEBUG_MSG( 1, ("Set hs psk for early data when writing the first psk")); @@ -1916,7 +1916,7 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) * cases we compute it here. */ #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_NOT_SENT || + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT || handshake->key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) #endif @@ -2228,7 +2228,7 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } - ssl->early_data_state.cli = MBEDTLS_SSL_CLI_EARLY_DATA_STATE_ACCEPTED; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; } #endif @@ -2565,9 +2565,9 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_ACCEPTED) { + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); - } else if (ssl->early_data_state.cli == MBEDTLS_SSL_CLI_EARLY_DATA_STATE_REJECTED) { + } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else #endif /* MBEDTLS_SSL_EARLY_DATA */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 5b90dd5..4bdb7e7 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1780,8 +1780,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_EARLY_DATA) -static void ssl_tls13_update_early_data_state(mbedtls_ssl_context *ssl, - int hrr_required) +static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, + int hrr_required) { mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -1789,11 +1789,11 @@ static void ssl_tls13_update_early_data_state(mbedtls_ssl_context *ssl, MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) { MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: no early data extension received.")); - ssl->early_data_state.srv = MBEDTLS_SSL_SRV_EARLY_DATA_STATE_NOT_RECEIVED; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED; return; } - ssl->early_data_state.srv = MBEDTLS_SSL_SRV_EARLY_DATA_STATE_REJECTED; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) { MBEDTLS_SSL_DEBUG_MSG( @@ -1856,7 +1856,7 @@ static void ssl_tls13_update_early_data_state(mbedtls_ssl_context *ssl, return; } - ssl->early_data_state.srv = MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1890,9 +1890,9 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_EARLY_DATA) /* There is enough information, update early data status. */ - ssl_tls13_update_early_data_state(ssl, hrr_required); + ssl_tls13_update_early_data_status(ssl, hrr_required); - if (ssl->early_data_state.srv == MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING) { + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { ret = mbedtls_ssl_tls13_compute_early_transform(ssl); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET( @@ -2541,7 +2541,7 @@ static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_state.srv == MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING) { + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, 0, p, end, &output_len); if (ret != 0) { @@ -2868,7 +2868,7 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_state.srv == MBEDTLS_SSL_SRV_EARLY_DATA_STATE_ACCEPTING) { + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { /* See RFC 8446 section A.2 for more information */ MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to early keys for inbound traffic. " @@ -3015,8 +3015,8 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data( ssl, buf, buf + buf_len)); - ssl->early_data_state.srv = - MBEDTLS_SSL_SRV_EARLY_DATA_STATE_EOED_RECEIVED; + ssl->early_data_status = + MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED; MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to handshake keys for inbound traffic" -- cgit v1.1 From 78a38f607cdc4fc5292eefa6d6489a49bc9b1e58 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 1 Feb 2024 18:30:31 +0100 Subject: tls13: srv: Do not use early_data_status Due to the scope reduction for mbedtls_ssl_read_early_data(), on server as early data state variable we now only need a flag in the handshake context indicating if the server has accepted early data or not. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 16 ++++------------ library/ssl_misc.h | 28 ++++----------------------- library/ssl_tls.c | 10 ++-------- library/ssl_tls13_server.c | 37 +++++++++++++++--------------------- tests/suites/test_suite_ssl.function | 3 +-- 5 files changed, 26 insertions(+), 68 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 635804d..b063360 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1654,22 +1654,14 @@ struct mbedtls_ssl_context { */ mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version); -#if defined(MBEDTLS_SSL_EARLY_DATA) +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) /** - * On client side, status of the negotiation of the use of early data. + * Status of the negotiation of the use of early data. * See the documentation of mbedtls_ssl_get_early_data_status() for more * information. * - * On server side, internal only, status of early data in the course of an - * handshake. One of MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, - * #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED, - * #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED, - * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED and - * MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED. - * - * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT or - * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, at the beginning of a new - * handshake. + * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT when the context is + * reset. */ int MBEDTLS_PRIVATE(early_data_status); #endif diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9439408..c9632f9 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -650,6 +650,10 @@ struct mbedtls_ssl_handshake_params { /* Flag indicating if a CertificateRequest message has been sent * to the client or not. */ uint8_t certificate_request_sent; +#if defined(MBEDTLS_SSL_EARLY_DATA) + /* Flag indicating if the server has accepted early data or not. */ + uint8_t early_data_accepted; +#endif #endif /* MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) @@ -2130,30 +2134,6 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, size_t *out_len); - -#if defined(MBEDTLS_SSL_SRV_C) -/* Additional internal early data status, server side only. */ -/* - * The server has not received the ClientHello yet, the status of early data - * is thus unknown. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN \ - MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT - -/* - * The server has received the ClientHello, it contained no early data - * extension. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED 3 - -/* - * The server has received the early data extension, it has accepted early - * data and received the end of early data message from the client marking the - * end of early data reception. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED 4 -#endif /* MBEDTLS_SSL_SRV_C */ - #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 72db821..c952add 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1098,14 +1098,8 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_ALLOC_FAILED; } -#if defined(MBEDTLS_SSL_EARLY_DATA) -#if defined(MBEDTLS_SSL_SRV_C) - MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN == 0, - "MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN not equal to 0"); -#endif - MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT == 0, - "MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT not equal to 0"); - ssl->early_data_status = 0; +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; #endif /* Initialize structures */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 4bdb7e7..8bd70ef 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1780,8 +1780,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_EARLY_DATA) -static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, - int hrr_required) +static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl, + int hrr_required) { mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -1789,22 +1789,19 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) { MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: no early data extension received.")); - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED; - return; + return 0; } - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; - if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) { MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, feature disabled in server configuration.")); - return; + return 0; } if (hrr_required) { MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, HRR required.")); - return; + return 0; } if (!handshake->resume) { @@ -1813,7 +1810,7 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, resumption. */ MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, not a session resumption.")); - return; + return 0; } /* RFC 8446 4.2.10 @@ -1836,7 +1833,7 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, the selected key in " "`pre_shared_key` is not the first one.")); - return; + return 0; } if (handshake->ciphersuite_info->id != @@ -1844,7 +1841,7 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, the selected ciphersuite is not the one " "of the selected pre-shared key.")); - return; + return 0; } @@ -1853,11 +1850,10 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl, 1, ("EarlyData: rejected, early_data not allowed in ticket " "permission bits.")); - return; + return 0; } - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; - + return 1; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1889,10 +1885,10 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_EARLY_DATA) - /* There is enough information, update early data status. */ - ssl_tls13_update_early_data_status(ssl, hrr_required); + ssl->handshake->early_data_accepted = + ssl_tls13_is_early_data_accepted(ssl, hrr_required); - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + if (ssl->handshake->early_data_accepted) { ret = mbedtls_ssl_tls13_compute_early_transform(ssl); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET( @@ -2541,7 +2537,7 @@ static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + if (ssl->handshake->early_data_accepted) { ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, 0, p, end, &output_len); if (ret != 0) { @@ -2868,7 +2864,7 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + if (ssl->handshake->early_data_accepted) { /* See RFC 8446 section A.2 for more information */ MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to early keys for inbound traffic. " @@ -3015,9 +3011,6 @@ static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data( ssl, buf, buf + buf_len)); - ssl->early_data_status = - MBEDTLS_SSL_EARLY_DATA_STATUS_END_OF_EARLY_DATA_RECEIVED; - MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to handshake keys for inbound traffic" "( K_recv = handshake )")); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d26407e..12b048f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3768,8 +3768,7 @@ void tls13_early_data() &(server_ep.ssl), &(client_ep.ssl), MBEDTLS_SSL_CLIENT_FINISHED), 0); - TEST_EQUAL(server_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); + TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); TEST_EQUAL(server_pattern.counter, 1); exit: -- cgit v1.1 From 38dbab9f8d3adaba6ffb12769d420565d365e060 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 1 Feb 2024 19:31:56 +0100 Subject: tests: ssl: Adjust early data test Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 12b048f..2d1a757 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -12,8 +12,7 @@ #define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } -#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ - defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ @@ -3662,12 +3661,7 @@ exit: } /* END_CASE */ -/* - * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is - * a temporary workaround to not run the test in Windows-2013 where there is - * an issue with mbedtls_vsnprintf(). - */ -/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ void tls13_early_data() { int ret = -1; @@ -3678,7 +3672,6 @@ void tls13_early_data() mbedtls_test_handshake_test_options client_options; mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; - mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; /* * Test set-up @@ -3699,9 +3692,6 @@ void tls13_early_data() mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); server_options.pk_alg = MBEDTLS_PK_ECDSA; - server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; - server_options.srv_log_obj = &server_pattern; - server_pattern.pattern = early_data; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &server_options, NULL, NULL, NULL, NULL); @@ -3750,15 +3740,12 @@ void tls13_early_data() ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); TEST_EQUAL(ret, 0); - mbedtls_debug_set_threshold(3); - TEST_EQUAL(mbedtls_test_move_handshake_to_state( &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_SERVER_HELLO), 0); TEST_ASSERT(client_ep.ssl.early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); - TEST_EQUAL(server_pattern.counter, 0); ret = write_early_data(&(client_ep.ssl), (unsigned char *) early_data, early_data_len); @@ -3766,10 +3753,16 @@ void tls13_early_data() TEST_EQUAL(mbedtls_test_move_handshake_to_state( &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_CLIENT_FINISHED), 0); + MBEDTLS_SSL_CLIENT_FINISHED), MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); - TEST_EQUAL(server_pattern.counter, 1); + TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), buf, sizeof(buf)), + early_data_len); + TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); + + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER), 0); exit: mbedtls_test_ssl_endpoint_free(&client_ep, NULL); @@ -3777,7 +3770,6 @@ exit: mbedtls_test_free_handshake_options(&client_options); mbedtls_test_free_handshake_options(&server_options); mbedtls_ssl_session_free(&saved_session); - mbedtls_debug_set_threshold(0); PSA_DONE(); } /* END_CASE */ -- cgit v1.1 From e208b25b7942c3c5ee2c092363d2d38ee4d913cc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:42:21 +0100 Subject: Minor documentation improvements Signed-off-by: Gilles Peskine --- include/mbedtls/pk.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 54ca9ad..7b41321 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -554,17 +554,17 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, * \p usage, exporting and copying the key, and * possibly other permissions as documented for the * \p usage parameter. - * The permitted algorithm is determined as follows + * The permitted algorithm policy is determined as follows * based on the #mbedtls_pk_type_t type of \p pk, * the chosen \p usage and other factors: - * - #MBEDTLS_PK_RSA with whose underlying + * - #MBEDTLS_PK_RSA whose underlying * #mbedtls_rsa_context has the padding mode * #MBEDTLS_RSA_PKCS_V15: * #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH) * if \p usage is SIGN/VERIFY, and * #PSA_ALG_RSA_PKCS1V15_CRYPT * if \p usage is ENCRYPT/DECRYPT. - * - #MBEDTLS_PK_RSA with whose underlying + * - #MBEDTLS_PK_RSA whose underlying * #mbedtls_rsa_context has the padding mode * #MBEDTLS_RSA_PKCS_V21 and the digest type * corresponding to the PSA algorithm \c hash: @@ -581,7 +581,7 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, * - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY * if \p usage is DERIVE: * #PSA_ALG_ECDH. - * - #MBEDTLS_PK_OPAQUE: same as the algorithm policy + * - #MBEDTLS_PK_OPAQUE: same as the primary algorithm * set for the underlying PSA key, except that * sign/decrypt flags are removed if the type is * set to a public key type. -- cgit v1.1 From 19411635a5bf6f3c45744b82855f1aa3380f8a50 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:42:28 +0100 Subject: Test enrollment algorithm for the non-OPAQUE case Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 3fa7c7a..0711a93 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1723,6 +1723,7 @@ void pk_get_psa_attributes(int pk_type, int from_pair, mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; //TODO: diversity psa_set_key_id(&attributes, key_id); psa_set_key_lifetime(&attributes, lifetime); + psa_set_key_enrollment_algorithm(&attributes, 42); psa_key_usage_t expected_usage = usage; /* Usage implied universally */ -- cgit v1.1 From 7e353ba37a70961f5eb934c2d5be190ad654cf51 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:46:19 +0100 Subject: Create auxiliary function for repeated code Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 68 +++++++++++++++---------------------- 1 file changed, 28 insertions(+), 40 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 0711a93..14d049d 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -135,6 +135,32 @@ static int pk_genkey(mbedtls_pk_context *pk, int curve_or_keybits) return -1; } +#if defined(MBEDTLS_PSA_CRYPTO_C) +static psa_key_usage_t pk_get_psa_attributes_implied_usage( + psa_key_usage_t expected_usage) +{ + /* Usage implied universally */ + if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { + expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; + } + if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { + expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } + /* Usage implied by mbedtls_pk_get_psa_attributes() */ + if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { + expected_usage |= PSA_KEY_USAGE_VERIFY_HASH; + } + if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) { + expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } + if (expected_usage & PSA_KEY_USAGE_DECRYPT) { + expected_usage |= PSA_KEY_USAGE_ENCRYPT; + } + expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + return expected_usage; +} +#endif /* MBEDTLS_PSA_CRYPTO_C */ + #if defined(MBEDTLS_RSA_C) int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen, const unsigned char *input, unsigned char *output, @@ -1724,26 +1750,7 @@ void pk_get_psa_attributes(int pk_type, int from_pair, psa_set_key_id(&attributes, key_id); psa_set_key_lifetime(&attributes, lifetime); psa_set_key_enrollment_algorithm(&attributes, 42); - - psa_key_usage_t expected_usage = usage; - /* Usage implied universally */ - if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { - expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; - } - if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { - expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; - } - /* Usage implied by mbedtls_pk_get_psa_attributes() */ - if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { - expected_usage |= PSA_KEY_USAGE_VERIFY_HASH; - } - if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) { - expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; - } - if (expected_usage & PSA_KEY_USAGE_DECRYPT) { - expected_usage |= PSA_KEY_USAGE_ENCRYPT; - } - expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage); #if defined(MBEDTLS_ECDSA_DETERMINISTIC) /* When the resulting algorithm is ECDSA, the compile-time configuration @@ -1795,26 +1802,7 @@ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, if (!to_pair) { expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type); } - - psa_key_usage_t expected_usage = usage; - /* Usage implied universally */ - if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { - expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; - } - if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { - expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; - } - /* Usage implied by mbedtls_pk_get_psa_attributes() */ - if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { - expected_usage |= PSA_KEY_USAGE_VERIFY_HASH; - } - if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) { - expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; - } - if (expected_usage & PSA_KEY_USAGE_DECRYPT) { - expected_usage |= PSA_KEY_USAGE_ENCRYPT; - } - expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage); TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0); -- cgit v1.1 From ae2668be973fac1a437955c0e61fda636ee9a647 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:48:04 +0100 Subject: Don't use mbedtls_pk_ec in our own code Signed-off-by: Gilles Peskine --- library/pk.c | 2 +- tests/suites/test_suite_pk.function | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/pk.c b/library/pk.c index 3f28787..696e7e5 100644 --- a/library/pk.c +++ b/library/pk.c @@ -475,7 +475,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, size_t bits = psa_get_key_bits(&old_attributes); psa_ecc_family_t family = PSA_KEY_TYPE_ECC_GET_FAMILY(old_type); #else - mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); + const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk); int has_private = (ec->d.n != 0); size_t bits = 0; psa_ecc_family_t family = diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 14d049d..706bb70 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -287,7 +287,7 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, pk->pub_raw, pk->pub_raw_len, &pk->priv_id)); #else - mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); + mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); mbedtls_mpi_free(&ec->d); #endif } -- cgit v1.1 From 0aad5f8f34bb6a6ecf2e30c6d01dde4c77944e30 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:49:46 +0100 Subject: Copypasta Signed-off-by: Gilles Peskine --- library/pk.c | 1 - 1 file changed, 1 deletion(-) diff --git a/library/pk.c b/library/pk.c index 696e7e5..c32294d 100644 --- a/library/pk.c +++ b/library/pk.c @@ -553,7 +553,6 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, return MBEDTLS_ERR_PK_TYPE_MISMATCH; } break; - break; default: return MBEDTLS_ERR_PK_TYPE_MISMATCH; } -- cgit v1.1 From 2e54854d16ff84d8d2277134b1a14bd507f4a742 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:50:00 +0100 Subject: Copypasta Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index e64f9b7..204f58c 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -701,7 +701,7 @@ PSA attributes for pk: RSA usage=DECRYPT|EXPORT (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH -# Bad usage due to not specifying more than one of sign/crypt/derive. +# Bad usage due to specifying more than one of sign/crypt/derive. PSA attributes for pk: RSA usage=DECRYPT|SIGN_MESSAGE (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH -- cgit v1.1 From e2a77f21ea79063a1e9dd025447cf927283ff222 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:50:24 +0100 Subject: Use PSA_INIT with test that requires PSA USE_PSA_INIT is for test code that doesn't use PSA functions when USE_PSA_CRYPTO is disabled. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 706bb70..7969d22 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1867,7 +1867,7 @@ void pk_get_psa_attributes_opaque(int o_type_arg, int o_bits_arg, psa_key_usage_t usage = usage_arg; psa_key_usage_t expected_usage = expected_usage_arg; - USE_PSA_INIT(); + PSA_INIT(); psa_set_key_type(&attributes, o_type); psa_set_key_bits(&attributes, bits); @@ -1899,6 +1899,6 @@ exit: mbedtls_pk_free(&pk); psa_destroy_key(key_id); psa_reset_key_attributes(&attributes); - USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ -- cgit v1.1 From e45d51f7b58deb9ad4e246d111b26af3bdfc8698 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 20:53:11 +0100 Subject: Clearer variable names Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 7969d22..3d7a179 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1850,8 +1850,8 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ -void pk_get_psa_attributes_opaque(int o_type_arg, int o_bits_arg, - int o_usage_arg, int o_alg_arg, +void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg, + int from_usage_arg, int from_alg_arg, int usage_arg, int expected_ret, int to_pair, int expected_usage_arg) @@ -1860,18 +1860,18 @@ void pk_get_psa_attributes_opaque(int o_type_arg, int o_bits_arg, mbedtls_pk_init(&pk); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_type_t o_type = o_type_arg; - size_t bits = o_bits_arg; - psa_key_usage_t o_usage = o_usage_arg; - psa_algorithm_t alg = o_alg_arg; + psa_key_type_t from_type = from_type_arg; + size_t bits = from_bits_arg; + psa_key_usage_t from_usage = from_usage_arg; + psa_algorithm_t alg = from_alg_arg; psa_key_usage_t usage = usage_arg; psa_key_usage_t expected_usage = expected_usage_arg; PSA_INIT(); - psa_set_key_type(&attributes, o_type); + psa_set_key_type(&attributes, from_type); psa_set_key_bits(&attributes, bits); - psa_set_key_usage_flags(&attributes, o_usage); + psa_set_key_usage_flags(&attributes, from_usage); psa_set_key_algorithm(&attributes, alg); psa_set_key_enrollment_algorithm(&attributes, 42); //TODO: test with persistent key @@ -1879,7 +1879,7 @@ void pk_get_psa_attributes_opaque(int o_type_arg, int o_bits_arg, TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); psa_key_type_t expected_psa_type = - to_pair ? o_type : PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(o_type); + to_pair ? from_type : PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(from_type); TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), expected_ret); -- cgit v1.1 From e8209752440abd4f2014e71e7a0aa018ad247db4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 21:00:33 +0100 Subject: Fix comment Signed-off-by: Gilles Peskine --- library/pk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pk.c b/library/pk.c index c32294d..80e30be 100644 --- a/library/pk.c +++ b/library/pk.c @@ -424,7 +424,7 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, #if defined(MBEDTLS_RSA_C) case MBEDTLS_PK_RSA: { - int want_crypt = 0; /* 0: encrypt/decrypt; 1: sign/verify */ + int want_crypt = 0; /* 0: sign/verify; 1: encrypt/decrypt */ switch (usage) { case PSA_KEY_USAGE_SIGN_MESSAGE: case PSA_KEY_USAGE_SIGN_HASH: -- cgit v1.1 From 793920c1ffc64660835d1257afbc9daf3d16eb58 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 21:26:54 +0100 Subject: mbedtls_pk_get_psa_attributes: opaque: require specified usage In the MBEDTLS_PK_OPAQUE, have mbedtls_pk_get_psa_attributes() require the specified usage to be enabled for the specified key. Otherwise the following call to mbedtls_pk_import_into_psa() is unlikely to result in a key with a useful policy, so the call to mbedtls_pk_get_psa_attributes() was probably an error. Adjust the existing test cases accordingly and add a few negative test cases. Signed-off-by: Gilles Peskine --- include/mbedtls/pk.h | 1 + library/pk.c | 3 +++ tests/suites/test_suite_pk.data | 60 +++++++++++++++++++++++------------------ 3 files changed, 38 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 7b41321..f218558 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -585,6 +585,7 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, * set for the underlying PSA key, except that * sign/decrypt flags are removed if the type is * set to a public key type. + * The underlying key must allow \p usage. * Note that the enrollment algorithm set with * psa_set_key_enrollment_algorithm() is not copied. * diff --git a/library/pk.c b/library/pk.c index 80e30be..3b9c537 100644 --- a/library/pk.c +++ b/library/pk.c @@ -564,6 +564,9 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, new_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(new_type); } more_usage = psa_get_key_usage_flags(&old_attributes); + if ((usage & more_usage) == 0) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } psa_set_key_type(attributes, new_type); psa_set_key_bits(attributes, psa_get_key_bits(&old_attributes)); psa_set_key_algorithm(attributes, psa_get_key_algorithm(&old_attributes)); diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 204f58c..0858163 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -988,9 +988,9 @@ PSA attributes for pk: ECKEY_DH public VERIFY_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH -PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE +PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE (bad policy) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME @@ -1008,23 +1008,31 @@ PSA attributes for pk: opaque RSA pair, SIGN|... & SIGN_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT +PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_HASH (bad policy) +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 + # For a PK_OPAQUE key, mbedtls_pk_get_psa_attributes() ignores the input # key's algorithm policy. Just this time, test with a few different algorithms. -PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [0] +PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [0] +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE + +PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [raw] depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE -PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [raw] +PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [v15] depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE -PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [v15] +PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [PSS] depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE -PSA attributes for pk: opaque RSA pair, 0 & SIGN_HASH [PSS] +PSA attributes for pk: opaque RSA pair, 0 & DECRYPT (bad policy) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair, DECRYPT & DECRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME @@ -1042,21 +1050,21 @@ PSA attributes for pk: opaque RSA pair, ... & EXPORT (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 -PSA attributes for pk: opaque RSA pair->public, 0 & VERIFY_MESSAGE +PSA attributes for pk: opaque RSA pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE -PSA attributes for pk: opaque RSA pair->public, 0 & VERIFY_HASH +PSA attributes for pk: opaque RSA pair->public, VERIFY_HASH & VERIFY_HASH depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA attributes for pk: opaque RSA pair->public, 0 & ENCRYPT +PSA attributes for pk: opaque RSA pair->public, ENCRYPT & ENCRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:PSA_KEY_USAGE_ENCRYPT -PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE +PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE (bad policy) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque ECC pair, SIGN_MESSAGE & SIGN_MESSAGE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 @@ -1074,9 +1082,9 @@ PSA attributes for pk: opaque ECC pair, SIGN|... & SIGN_MESSAGE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT -PSA attributes for pk: opaque ECC pair, 0 & SIGN_HASH +PSA attributes for pk: opaque ECC pair, SIGN_HASH & SIGN_HASH depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH PSA attributes for pk: opaque ECC pair, ... & DERIVE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 @@ -1090,14 +1098,14 @@ PSA attributes for pk: opaque ECC pair, ... & EXPORT (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDH:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 -PSA attributes for pk: opaque ECC pair->public, 0 & VERIFY_MESSAGE +PSA attributes for pk: opaque ECC pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE -PSA attributes for pk: opaque ECC pair->public, 0 & VERIFY_HASH +PSA attributes for pk: opaque ECC pair->public, VERIFY_HASH & VERIFY_HASH depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH -PSA attributes for pk: opaque ECC pair->public, 0 & ENCRYPT (bad) +PSA attributes for pk: opaque ECC pair->public, ENCRYPT & ENCRYPT (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0 +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0 -- cgit v1.1 From a1a7b0805758f28d3ddf3505ddba092028855782 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 21:32:29 +0100 Subject: Fix typo in dependency Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 0858163..3902d3d 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -1063,49 +1063,49 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE (bad policy) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque ECC pair, SIGN_MESSAGE & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque ECC pair, SIGN|VERIFY & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque ECC pair, SIGN|DECRYPT & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT PSA attributes for pk: opaque ECC pair, SIGN|... & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque ECC pair, SIGN_HASH & SIGN_HASH -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH PSA attributes for pk: opaque ECC pair, ... & DERIVE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE PSA attributes for pk: opaque ECC pair, ... & DECRYPT (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque ECC pair, ... & EXPORT (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDH:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque ECC pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque ECC pair->public, VERIFY_HASH & VERIFY_HASH -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH PSA attributes for pk: opaque ECC pair->public, ENCRYPT & ENCRYPT (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_FAMILY_SECP_R1_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0 -- cgit v1.1 From 591e83d13969019b887a2499b92f722923cb3fe5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 21:33:44 +0100 Subject: Add missing implied usage Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 3902d3d..55146fe 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -1084,7 +1084,7 @@ pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):2 PSA attributes for pk: opaque ECC pair, SIGN_HASH & SIGN_HASH depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque ECC pair, ... & DERIVE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 @@ -1104,7 +1104,7 @@ pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):2 PSA attributes for pk: opaque ECC pair->public, VERIFY_HASH & VERIFY_HASH depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque ECC pair->public, ENCRYPT & ENCRYPT (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 -- cgit v1.1 From 5922cb9309ac0a22a066111b6183c5616b8fedd9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 09:21:25 +0100 Subject: pkparse: keep legacy PK error codes when RSA key parsing fails This helps in reverting the changes to test_suite_x509parse.data when the RSA key parsing fails. Signed-off-by: Valerio Setti --- library/pkparse.c | 9 +++++++++ tests/suites/test_suite_x509parse.data | 10 +++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index a47815b..91d6eb5 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -851,6 +851,15 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, #if defined(MBEDTLS_RSA_C) if (pk_alg == MBEDTLS_PK_RSA) { ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), *p, (size_t) (end - *p)); + if (ret == 0) { + /* On success all the input has been consumed by the parsing function. */ + *p += end - *p; + } else if (ret & 0x7f) { + /* In case of ASN1 error codes add MBEDTLS_ERR_PK_INVALID_PUBKEY. */ + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); + } else { + ret = MBEDTLS_ERR_PK_INVALID_PUBKEY; + } } else #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 6e20125..261c220 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1774,15 +1774,15 @@ x509parse_crt:"307d3068a0030201008204deadbeef300d06092a864886f70d01010b0500300c3 X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring length) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring tag) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400310000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400310000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv RSA modulus) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0302ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0302ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT ASN1 (TBS, inv SubPubKeyInfo, total length mismatch) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 @@ -1790,11 +1790,11 @@ x509parse_crt:"3081893074a0030201008204deadbeef300d06092a864886f70d01010b0500300 X509 CRT ASN1 (TBS, inv SubPubKeyInfo, check failed) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +x509parse_crt:"3081873072a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY X509 CRT ASN1 (TBS, inv SubPubKeyInfo, check failed, expanded length notation) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308196308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210fffffffffffffffffffffffffffffffe0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +x509parse_crt:"308196308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210fffffffffffffffffffffffffffffffe0202ffff300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY # We expect an extension parsing error here because the IssuerID is optional. # Hence, if we find an ASN.1 tag doesn't match the IssuerID, we assume the -- cgit v1.1 From c701cb28350353d8ee293791368c411d372e0eff Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 11:09:37 +0100 Subject: test_suite_rsa: improve rsa_key_write_incremental() Output buffer is tested from being 1 single byte up to twice what it is strictly required to contain the output data. Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.function | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 6d1a0f0..2f70028 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -1427,8 +1427,8 @@ exit: void rsa_key_write_incremental(int is_public, data_t *input) { mbedtls_rsa_context rsa_ctx; - unsigned char *buf = NULL, *end; - size_t i; + unsigned char *buf = NULL, *end, *p; + size_t i, written_data; mbedtls_rsa_init(&rsa_ctx); @@ -1440,27 +1440,36 @@ void rsa_key_write_incremental(int is_public, data_t *input) TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0); } + /* Test with an output buffer smaller than required. */ for (i = 1; i < input->len; i++) { TEST_CALLOC(buf, i); end = buf + i; + p = end; /* We don't care much about the return value as long as it fails. */ if (is_public) { - TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &end) != 0); + TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &p) != 0); } else { - TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &end) != 0); + TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &p) != 0); } mbedtls_free(buf); buf = NULL; } - /* Ensure with the correct output buffer size everything works as expected. */ - TEST_CALLOC(buf, i); - end = buf + i; - - if (is_public) { - TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &end) != 0); - } else { - TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &end) > 0); + /* Test with an output buffer equal or larger than what it is strictly required. */ + for (i = input->len; i < (2 * input->len); i++) { + TEST_CALLOC(buf, i); + end = buf + i; + p = end; + /* This time all write functions must succeed. */ + if (is_public) { + TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &p) > 0); + } else { + TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &p) > 0); + } + written_data = (end - p); + TEST_MEMORY_COMPARE(p, written_data, input->x, input->len); + mbedtls_free(buf); + buf = NULL; } exit: -- cgit v1.1 From 684d78fcfa471109a3b9eeafbb18d8cdef8f8da2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 12:30:16 +0100 Subject: test_suite_rsa: improve key parsing tests for extra data 2 scenarios are taken into account: - syntactically valid extra data inside the SEQUENCE - extra data outside the SEQUENCE A single integer is used as extra data in both cases. Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.data | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 8a224d5..f4bd60a 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -658,8 +658,11 @@ rsa_parse_pkcs1_key:0:"30630201000211007c8ab070369ede72920e5a51523c8571020301000 RSA parse private key - correct format, d == p == q == 0 rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900000000000000000002090000000000000000000209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA -RSA parse private key - correct values, trailing garbage -rsa_parse_pkcs1_key:0:"3064020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c00":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +RSA parse private key - correct values, extra integer inside the SEQUENCE +rsa_parse_pkcs1_key:0:"3066020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c020100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +RSA parse private key - correct values, extra integer outside the SEQUENCE +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c020100":0 RSA parse private key - correct values, n wrong tag rsa_parse_pkcs1_key:0:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG @@ -718,8 +721,11 @@ rsa_parse_pkcs1_key:1:"30050203010001":MBEDTLS_ERR_ASN1_OUT_OF_DATA RSA parse public key - missing public exponent rsa_parse_pkcs1_key:1:"308184028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb7":MBEDTLS_ERR_ASN1_OUT_OF_DATA -RSA parse public key - correct values, trailing garbage -rsa_parse_pkcs1_key:1:"30818a028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb7020301000100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +RSA parse public key - correct values, extra integer inside the SEQUENCE +rsa_parse_pkcs1_key:1:"30818c028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +RSA parse public key - correct values, extra integer outside the SEQUENCE +rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":0 RSA priv key write - incremental output buffer size rsa_key_write_incremental:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c" -- cgit v1.1 From c9dd8611f8f4d10ddbfe823dfc7615acd957536d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 12:34:06 +0100 Subject: test_suite_psa_crypto_util: add missing new line at the end of file Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 9368d79..c92b5fc 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -114,4 +114,4 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" \ No newline at end of file +ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" -- cgit v1.1 From cb3b4cae0a78460be0cadec7bc553d629e838e4c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 2 Feb 2024 13:12:39 +0100 Subject: Fix handling of ECC public keys under MBEDTLS_PK_USE_PSA_EC_DATA The test code to construct test keys and the implementation had matching errors: both assumed that there was a PSA public key object. Fix this. Signed-off-by: Gilles Peskine --- include/mbedtls/pk.h | 2 ++ library/pk.c | 14 +++++--------- tests/suites/test_suite_pk.function | 4 +--- 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index f218558..13b960a 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -253,6 +253,8 @@ typedef struct mbedtls_pk_context { * inside the ecp_keypair structure * - the following fields are used for all public key operations: signature * verify, key pair check and key write. + * - For a key pair, priv_id contains the private key. For a public key, + * priv_id is null. * Of course, when MBEDTLS_PK_USE_PSA_EC_DATA is not enabled, the legacy * ecp_keypair structure is used for storing the public key and performing * all the operations. diff --git a/library/pk.c b/library/pk.c index 3b9c537..d0869b8 100644 --- a/library/pk.c +++ b/library/pk.c @@ -464,16 +464,12 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, int sign_ok = (pk_type != MBEDTLS_PK_ECKEY_DH); int derive_ok = (pk_type != MBEDTLS_PK_ECDSA); #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - status = psa_get_key_attributes(pk->priv_id, &old_attributes); - if (status != PSA_SUCCESS) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + psa_ecc_family_t family = pk->ec_family; + size_t bits = pk->ec_bits; + int has_private = 0; + if (pk->priv_id != MBEDTLS_SVC_KEY_ID_INIT) { + has_private = 1; } - psa_key_type_t old_type = psa_get_key_type(&old_attributes); - int has_private = PSA_KEY_TYPE_IS_KEY_PAIR(old_type); - size_t bits = psa_get_key_bits(&old_attributes); - psa_ecc_family_t family = PSA_KEY_TYPE_ECC_GET_FAMILY(old_type); #else const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk); int has_private = (ec->d.n != 0); diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 3d7a179..efbe6b0 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -283,9 +283,7 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, PSA_KEY_USAGE_VERIFY_HASH); psa_set_key_algorithm(&pub_attributes, PSA_ALG_ECDSA_ANY); PSA_ASSERT(psa_destroy_key(pk->priv_id)); - PSA_ASSERT(psa_import_key(&pub_attributes, - pk->pub_raw, pk->pub_raw_len, - &pk->priv_id)); + pk->priv_id = MBEDTLS_SVC_KEY_ID_INIT; #else mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); mbedtls_mpi_free(&ec->d); -- cgit v1.1 From d078386287b53486ec95fc400a7bcd1007b18f39 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 2 Feb 2024 13:13:34 +0100 Subject: Smoke tests for mbedtls_pk_get_psa_attributes after parsing We'll test more fully by adding a call to mbedtls_pk_import_into_psa() once that function is implemented. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pkparse.function | 82 ++++++++++++++++++++++++++++++-- 1 file changed, 79 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index d416b87..14afef6 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -41,6 +41,33 @@ void pk_parse_keyfile_rsa(char *key_file, char *password, int result) TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_RSA)); rsa = mbedtls_pk_rsa(ctx); TEST_EQUAL(mbedtls_rsa_check_privkey(rsa), 0); + +#if defined(MBEDTLS_PSA_CRYPTO_C) + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_SIGN_HASH, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_SIGN_MESSAGE, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_DECRYPT, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_HASH, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_MESSAGE, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_ENCRYPT, + &attributes), 0); +#endif } exit: @@ -68,6 +95,21 @@ void pk_parse_public_keyfile_rsa(char *key_file, int result) TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_RSA)); rsa = mbedtls_pk_rsa(ctx); TEST_EQUAL(mbedtls_rsa_check_pubkey(rsa), 0); + +#if defined(MBEDTLS_PSA_CRYPTO_C) + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_ENCRYPT, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_HASH, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_MESSAGE, + &attributes), 0); +#endif } exit: @@ -100,6 +142,17 @@ void pk_parse_public_keyfile_ec(char *key_file, int result) eckey = mbedtls_pk_ec_ro(ctx); TEST_EQUAL(mbedtls_ecp_check_pubkey(&eckey->grp, &eckey->Q), 0); #endif + +#if defined(MBEDTLS_PSA_CRYPTO_C) + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_HASH, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_MESSAGE, + &attributes), 0); +#endif } exit: @@ -124,11 +177,34 @@ void pk_parse_keyfile_ec(char *key_file, char *password, int result) if (res == 0) { TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY)); -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + /* PSA keys are already checked on import so nothing to do here. */ +#else const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec_ro(ctx); TEST_EQUAL(mbedtls_ecp_check_privkey(&eckey->grp, &eckey->d), 0); -#else - /* PSA keys are already checked on import so nothing to do here. */ +#endif + +#if defined(MBEDTLS_PSA_CRYPTO_C) + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_SIGN_HASH, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_SIGN_MESSAGE, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_DERIVE, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_HASH, + &attributes), 0); + psa_reset_key_attributes(&attributes); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, + PSA_KEY_USAGE_VERIFY_MESSAGE, + &attributes), 0); #endif } -- cgit v1.1 From fc590dd3612466ab343db79490cc32355d5ec86a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 13:46:02 +0100 Subject: changelog: fix typo Signed-off-by: Valerio Setti --- ChangeLog.d/8647.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/8647.txt b/ChangeLog.d/8647.txt index 44007e2..98326dc 100644 --- a/ChangeLog.d/8647.txt +++ b/ChangeLog.d/8647.txt @@ -2,7 +2,7 @@ Default behavior changes * psa_import_key() now only accepts RSA keys in the PSA standard formats. The undocumented ability to import other formats (PKCS#8, SubjectPublicKey, PEM) accepted by the pkparse module has been removed. Applications that - need these format can call mbedtls_pk_parse_{public,}key() followed by + need these formats can call mbedtls_pk_parse_{public,}key() followed by mbedtls_pk_import_into_psa(). Changes -- cgit v1.1 From 6fb1be6cb1f8640446e68574fba8f8d5bc5f2459 Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Fri, 2 Feb 2024 14:05:32 +0000 Subject: Add comments in psa/crypto_struct.h for id layout Make sure the layout of psa_key_attributes_s is commented enough so that it does not accidentally get reorganized by mistake in the future. Signed-off-by: Antonio de Angelis --- include/psa/crypto_struct.h | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 606d282..8216f28 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -241,6 +241,17 @@ typedef struct { psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime); psa_key_policy_t MBEDTLS_PRIVATE(policy); psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags); + /* This type has a different layout in the client view wrt the + * service view of the key id, i.e. in service view usually is + * expected to have MBEDTLS_SVC_KEY_ID_ENCODES_OWNER defined + * thus adding an owner field to the standard psa_key_id_t. For + * implementations with client/service separation, this means the + * object will be marshalled through a transport channel and + * interpreted differently at each side of the transport. Placing + * it at the end of structures allows to interpret the structure + * at the client without reorganizing the memory layout of the + * struct + */ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); } psa_core_key_attributes_t; @@ -267,6 +278,12 @@ struct psa_key_attributes_s { */ void *MBEDTLS_PRIVATE(domain_parameters); size_t MBEDTLS_PRIVATE(domain_parameters_size); + /* With client/service separation, struct psa_key_attributes_s is + * marshalled through a transport channel between the client and + * service side implementation of the PSA Crypto APIs, thus having + * the mbedtls_svc_key_id_t id as the last field of this structure + * allows for a more efficient marshalling/unmarshalling of parameters + */ psa_core_key_attributes_t MBEDTLS_PRIVATE(core); }; -- cgit v1.1 From 4380a33bd3f1ed8a10cccb2fcceddc1d526854d5 Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Fri, 2 Feb 2024 14:21:24 +0000 Subject: Add a client view layout for interruptible hash and pake Add a client view layout (and update related initializers) for PSA sign/verify hash interruptible operation struct and PAKE operation struct Signed-off-by: Antonio de Angelis --- include/psa/crypto_extra.h | 8 ++++++++ include/psa/crypto_struct.h | 16 ++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index fc9bf4f..c67345b 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1828,8 +1828,12 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_PAKE_OPERATION_INIT { 0 } +#else #define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, 0, PSA_PAKE_OPERATION_STAGE_SETUP, \ { 0 }, { { 0 } } } +#endif struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; @@ -1957,6 +1961,9 @@ struct psa_jpake_computation_stage_s { ((round) == PSA_JPAKE_FIRST ? 2 : 1)) struct psa_pake_operation_s { +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping * drivers halfway through the operation is not supported. @@ -1982,6 +1989,7 @@ struct psa_pake_operation_s { psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); } MBEDTLS_PRIVATE(data); +#endif }; static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init(void) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index cc7731a..26c93da 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -455,6 +455,9 @@ static inline size_t psa_get_key_bits( * \brief The context for PSA interruptible hash signing. */ struct psa_sign_hash_interruptible_operation_s { +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping * drivers halfway through the operation is not supported. @@ -468,9 +471,14 @@ struct psa_sign_hash_interruptible_operation_s { unsigned int MBEDTLS_PRIVATE(error_occurred) : 1; uint32_t MBEDTLS_PRIVATE(num_ops); +#endif }; +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } +#else #define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 } +#endif static inline struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_init(void) @@ -485,6 +493,9 @@ psa_sign_hash_interruptible_operation_init(void) * \brief The context for PSA interruptible hash verification. */ struct psa_verify_hash_interruptible_operation_s { +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + mbedtls_psa_client_handle_t handle; +#else /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping * drivers halfway through the operation is not supported. @@ -498,9 +509,14 @@ struct psa_verify_hash_interruptible_operation_s { unsigned int MBEDTLS_PRIVATE(error_occurred) : 1; uint32_t MBEDTLS_PRIVATE(num_ops); +#endif }; +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) +#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } +#else #define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 } +#endif static inline struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_init(void) -- cgit v1.1 From 5a198925286bf2a9ff849e5d23c930467e9c567f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 13:59:51 +0100 Subject: pkparse: fix check for ASN1 errors in mbedtls_pk_parse_subpubkey() Signed-off-by: Valerio Setti --- library/pkparse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/pkparse.c b/library/pkparse.c index 91d6eb5..5a3d3b2 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -854,7 +854,8 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, if (ret == 0) { /* On success all the input has been consumed by the parsing function. */ *p += end - *p; - } else if (ret & 0x7f) { + } else if ((ret <= MBEDTLS_ERR_ASN1_OUT_OF_DATA) && + (ret >= MBEDTLS_ERR_ASN1_BUF_TOO_SMALL)) { /* In case of ASN1 error codes add MBEDTLS_ERR_PK_INVALID_PUBKEY. */ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret); } else { -- cgit v1.1 From f15e13ead7dc00a21a58a0830a82f214c3e1a77b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 14:00:53 +0100 Subject: test_suite_x509parse: remove useless include of rsa.h Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509parse.function | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index a54c165..c2a2f55 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -9,7 +9,6 @@ #include "mbedtls/base64.h" #include "mbedtls/error.h" #include "mbedtls/pk.h" -#include "mbedtls/rsa.h" #include "string.h" #if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 -- cgit v1.1 From 064dd2b87091704227e64e975beba56e3ee69bb3 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Dec 2023 14:58:08 +0800 Subject: Adjust check order Signed-off-by: Jerry Yu --- tests/opt-testcases/tls13-misc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index b6894de..4e6bf87 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -502,8 +502,8 @@ run_test "TLS 1.3 G->m: EarlyData: feature is enabled, good." \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL:+KX-ALL \ -d 10 -r --earlydata $EARLY_DATA_INPUT " \ 0 \ - -s "NewSessionTicket: early_data(42) extension exists." \ -s "Sent max_early_data_size=$EARLY_DATA_INPUT_LEN" \ + -s "NewSessionTicket: early_data(42) extension exists." \ -s "ClientHello: early_data(42) extension exists." \ -s "EncryptedExtensions: early_data(42) extension exists." \ -s "$( head -1 $EARLY_DATA_INPUT )" \ -- cgit v1.1 From 4caf3ca08cb3b1b206477ce07a7a09fa14b7da4c Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 15 Nov 2023 16:13:47 +0800 Subject: tls13: srv: Add discard_early_data_record SSL field Add discard_early_data_record in SSL context for the record layer to know if it has to discard some potential early data record and how. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 30 ++++++++++++++++++++++++++ library/ssl_tls.c | 7 +++++- library/ssl_tls13_server.c | 54 +++++++++++++++++++++------------------------- 3 files changed, 61 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b063360..e0cd79d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -353,6 +353,26 @@ #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN 1000 #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX 60000 +/* + * Whether early data record should be discarded or not and how. + * + * The client has indicated early data and the server has rejected them. + * The server has then to skip past early data by either: + * - attempting to deprotect received records using the handshake traffic + * key, discarding records which fail deprotection (up to the configured + * max_early_data_size). Once a record is deprotected successfully, + * it is treated as the start of the client's second flight and the + * server proceeds as with an ordinary 1-RTT handshake. + * - skipping all records with an external content type of + * "application_data" (indicating that they are encrypted), up to the + * configured max_early_data_size. This is the expected behavior if the + * server has sent an HelloRetryRequest message. The server ignores + * application data message before 2nd ClientHello. + */ +#define MBEDTLS_SSL_EARLY_DATA_NO_DISCARD 0 +#define MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1 +#define MBEDTLS_SSL_EARLY_DATA_DISCARD 2 + /** * \name SECTION: Module settings * @@ -1782,6 +1802,16 @@ struct mbedtls_ssl_context { * within a single datagram. */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) + /* + * One of: + * MBEDTLS_SSL_EARLY_DATA_NO_DISCARD + * MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD + * MBEDTLS_SSL_EARLY_DATA_DISCARD + */ + uint8_t MBEDTLS_PRIVATE(discard_early_data_record); +#endif + /* * Record layer (outgoing data) */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c952add..c2f874b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1098,9 +1098,14 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_ALLOC_FAILED; } -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_EARLY_DATA) +#if defined(MBEDTLS_SSL_CLI_C) ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; #endif +#if defined(MBEDTLS_SSL_SRV_C) + ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; +#endif +#endif /* MBEDTLS_SSL_EARLY_DATA */ /* Initialize structures */ mbedtls_ssl_session_init(ssl->session_negotiate); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 8bd70ef..6e87d7b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1780,28 +1780,15 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_EARLY_DATA) -static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl, - int hrr_required) +static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl) { mbedtls_ssl_handshake_params *handshake = ssl->handshake; - if ((handshake->received_extensions & - MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("EarlyData: no early data extension received.")); - return 0; - } - if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) { MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, feature disabled in server configuration.")); - return 0; - } - - if (hrr_required) { - MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, HRR required.")); - return 0; + return -1; } if (!handshake->resume) { @@ -1810,7 +1797,7 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl, resumption. */ MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, not a session resumption.")); - return 0; + return -1; } /* RFC 8446 4.2.10 @@ -1833,7 +1820,7 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, the selected key in " "`pre_shared_key` is not the first one.")); - return 0; + return -1; } if (handshake->ciphersuite_info->id != @@ -1841,7 +1828,7 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ("EarlyData: rejected, the selected ciphersuite is not the one " "of the selected pre-shared key.")); - return 0; + return -1; } @@ -1850,10 +1837,10 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl, 1, ("EarlyData: rejected, early_data not allowed in ticket " "permission bits.")); - return 0; + return -1; } - return 1; + return 0; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1885,15 +1872,24 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_EARLY_DATA) - ssl->handshake->early_data_accepted = - ssl_tls13_is_early_data_accepted(ssl, hrr_required); - - if (ssl->handshake->early_data_accepted) { - ret = mbedtls_ssl_tls13_compute_early_transform(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET( - 1, "mbedtls_ssl_tls13_compute_early_transform", ret); - return ret; + if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) { + ssl->handshake->early_data_accepted = 0; + if (!hrr_required) { + ssl->handshake->early_data_accepted = + (ssl_tls13_check_early_data_requirements(ssl) == 0); + } + if (ssl->handshake->early_data_accepted) { + ret = mbedtls_ssl_tls13_compute_early_transform(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_compute_early_transform", ret); + return ret; + } + } else { + ssl->discard_early_data_record = + hrr_required ? + MBEDTLS_SSL_EARLY_DATA_DISCARD : + MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD; } } #else -- cgit v1.1 From 2995d35ac344376acc5e18d3f39e1b6afc6917cb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 18 Jan 2024 16:59:39 +0100 Subject: tls13: srv: Deprotect and discard early data records Signed-off-by: Ronald Cron --- library/ssl_msg.c | 39 +++++++++++++++++++++++ tests/suites/test_suite_ssl.data | 7 +++-- tests/suites/test_suite_ssl.function | 61 +++++++++++++++++++++++++++++------- 3 files changed, 93 insertions(+), 14 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 20501c9..bf9a8ca 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3985,6 +3985,31 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, rec)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret); +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) + /* + * Although the server rejected early data, it might receive early + * data as long as it has not received the client Finished message. + * It is encrypted with early keys and should be ignored as stated + * in section 4.2.10 of RFC 8446: + * + * "Ignore the extension and return a regular 1-RTT response. The + * server then skips past early data by attempting to deprotect + * received records using the handshake traffic key, discarding + * records which fail deprotection (up to the configured + * max_early_data_size). Once a record is deprotected successfully, + * it is treated as the start of the client's second flight and the + * server proceeds as with an ordinary 1-RTT handshake." + */ + if ((old_msg_type == MBEDTLS_SSL_MSG_APPLICATION_DATA) && + (ssl->discard_early_data_record == + MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) { + MBEDTLS_SSL_DEBUG_MSG( + 3, ("EarlyData: deprotect and discard app data records.")); + /* TODO: Add max_early_data_size check here. */ + ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; + } +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */ + #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID && ssl->conf->ignore_unexpected_cid @@ -3997,6 +4022,20 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, return ret; } +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) + /* + * If the server were discarding protected records that it fails to + * deprotect because it has rejected early data, as we have just + * deprotected successfully a record, the server has to resume normal + * operation and fail the connection if the deprotection of a record + * fails. + */ + if (ssl->discard_early_data_record == + MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD) { + ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; + } +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */ + if (old_msg_type != rec->type) { MBEDTLS_SSL_DEBUG_MSG(4, ("record type after decrypt (before %d): %d", old_msg_type, rec->type)); diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index c06c0a7..404818d 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3274,5 +3274,8 @@ elliptic_curve_get_properties TLS 1.3 resume session with ticket tls13_resume_session_with_ticket -TLS 1.3 early data -tls13_early_data +TLS 1.3 early data, reference +tls13_early_data:"reference" + +TLS 1.3 early data, deprotect and discard +tls13_early_data:"deprotect and discard" diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 2d1a757..31a973b 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3662,9 +3662,10 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ -void tls13_early_data() +void tls13_early_data(char *scenario_string) { int ret = -1; + int scenario = 0; unsigned char buf[64]; const char *early_data = "This is early data."; size_t early_data_len = strlen(early_data); @@ -3672,6 +3673,18 @@ void tls13_early_data() mbedtls_test_handshake_test_options client_options; mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; + mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; + + /* + * Determine scenario. + */ + if (strcmp(scenario_string, "reference") == 0) { + scenario = 0; + } else if (strcmp(scenario_string, "deprotect and discard") == 0) { + scenario = 1; + } else { + TEST_FAIL("Unknown scenario."); + } /* * Test set-up @@ -3692,15 +3705,17 @@ void tls13_early_data() mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; + server_options.srv_log_obj = &server_pattern; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &server_options, NULL, NULL, NULL, NULL); TEST_EQUAL(ret, 0); + mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, mbedtls_test_ticket_write, mbedtls_test_ticket_parse, NULL); - mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), &(server_ep.socket), 1024); @@ -3740,6 +3755,16 @@ void tls13_early_data() ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); TEST_EQUAL(ret, 0); + switch (scenario) { + case 1: /* deprotect and discard */ + mbedtls_debug_set_threshold(3); + server_pattern.pattern = + "EarlyData: deprotect and discard app data records."; + mbedtls_ssl_conf_early_data(&server_ep.conf, + MBEDTLS_SSL_EARLY_DATA_DISABLED); + break; + } + TEST_EQUAL(mbedtls_test_move_handshake_to_state( &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_SERVER_HELLO), 0); @@ -3751,18 +3776,29 @@ void tls13_early_data() early_data_len); TEST_EQUAL(ret, early_data_len); - TEST_EQUAL(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_CLIENT_FINISHED), MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); + ret = mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_WRAPUP); - TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); - TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), buf, sizeof(buf)), - early_data_len); - TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); + switch (scenario) { + case 0: + TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); + TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); + TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), + buf, sizeof(buf)), early_data_len); + TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); + + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0); + break; - TEST_EQUAL(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_HANDSHAKE_OVER), 0); + case 1: + TEST_EQUAL(ret, 0); + TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); + TEST_EQUAL(server_pattern.counter, 1); + break; + } exit: mbedtls_test_ssl_endpoint_free(&client_ep, NULL); @@ -3770,6 +3806,7 @@ exit: mbedtls_test_free_handshake_options(&client_options); mbedtls_test_free_handshake_options(&server_options); mbedtls_ssl_session_free(&saved_session); + mbedtls_debug_set_threshold(0); PSA_DONE(); } /* END_CASE */ -- cgit v1.1 From 1483dc3bdedfc3279f84e4aa26427cf7e0c82851 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 19 Jan 2024 10:00:47 +0100 Subject: tls13: cli: Indicate early data only in first ClientHello Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 76f0f18..2598bae 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1182,7 +1182,8 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_EARLY_DATA) if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) && ssl_tls13_early_data_has_valid_ticket(ssl) && - ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) { + ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED && + ssl->handshake->hello_retry_request_count == 0) { ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, 0, p, end, &ext_len); -- cgit v1.1 From 263dbf71679c359be8549e111fcd0160a1ed1ed4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 26 Oct 2022 10:51:27 +0800 Subject: tls13: srv: Do not allow early data indication in 2nd ClientHello Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6e87d7b..93748a6 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1533,6 +1533,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, unsigned int extension_type; size_t extension_data_len; const unsigned char *extension_data_end; + uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH; + + if (ssl->handshake->hello_retry_request_count > 0) { + /* Do not accept early data extension in 2nd ClientHello */ + allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA); + } /* RFC 8446, section 4.2.11 * @@ -1560,7 +1566,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, ret = mbedtls_ssl_tls13_check_received_extension( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, - MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH); + allowed_exts); if (ret != 0) { return ret; } -- cgit v1.1 From f57d14bed4dbefb7419cbd439afeddcd096058d2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 15 Nov 2023 16:40:09 +0800 Subject: Ignore early data app msg before 2nd client hello Signed-off-by: Jerry Yu Signed-off-by: Ronald Cron --- library/ssl_msg.c | 26 ++++++++++++++++++++++++++ tests/suites/test_suite_ssl.data | 3 +++ tests/suites/test_suite_ssl.function | 27 ++++++++++++++++++++++++--- 3 files changed, 53 insertions(+), 3 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index bf9a8ca..2fe084c 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4109,6 +4109,32 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, } +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) + /* + * Although the server rejected early data because it needed to send an + * HelloRetryRequest message, it might receive early data as long as it has + * not received the client Finished message. + * The early data is encrypted with early keys and should be ignored as + * stated in section 4.2.10 of RFC 8446 (second case): + * + * "The server then ignores early data by skipping all records with an + * external content type of "application_data" (indicating that they are + * encrypted), up to the configured max_early_data_size. Ignore application + * data message before 2nd ClientHello when early_data was received in 1st + * ClientHello." + */ + if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) { + if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) { + MBEDTLS_SSL_DEBUG_MSG( + 3, ("EarlyData: Ignore application message before 2nd ClientHello")); + /* TODO: Add max_early_data_size check here. */ + return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; + } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) { + ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; + } + } +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */ + #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { mbedtls_ssl_dtls_replay_update(ssl); diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 404818d..e5e4c1e 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3279,3 +3279,6 @@ tls13_early_data:"reference" TLS 1.3 early data, deprotect and discard tls13_early_data:"deprotect and discard" + +TLS 1.3 early data, discard after HRR +tls13_early_data:"discard after HRR" diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 31a973b..949356a 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3674,6 +3674,11 @@ void tls13_early_data(char *scenario_string) mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; + uint16_t group_list[3] = { + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_NONE + }; /* * Determine scenario. @@ -3682,6 +3687,8 @@ void tls13_early_data(char *scenario_string) scenario = 0; } else if (strcmp(scenario_string, "deprotect and discard") == 0) { scenario = 1; + } else if (strcmp(scenario_string, "discard after HRR") == 0) { + scenario = 2; } else { TEST_FAIL("Unknown scenario."); } @@ -3700,7 +3707,7 @@ void tls13_early_data(char *scenario_string) client_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &client_options, NULL, NULL, NULL, - NULL); + group_list); TEST_EQUAL(ret, 0); mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); @@ -3709,7 +3716,7 @@ void tls13_early_data(char *scenario_string) server_options.srv_log_obj = &server_pattern; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &server_options, NULL, NULL, NULL, - NULL); + group_list); TEST_EQUAL(ret, 0); mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, @@ -3763,6 +3770,19 @@ void tls13_early_data(char *scenario_string) mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_DISABLED); break; + + case 2: /* discard after HRR */ + mbedtls_debug_set_threshold(3); + server_pattern.pattern = + "EarlyData: Ignore application message before 2nd ClientHello"; + mbedtls_ssl_conf_groups(&server_ep.conf, group_list + 1); + /* + * Need to reset again to reconstruct the group list in the + * handshake structure from the configured one. + */ + ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); + TEST_EQUAL(ret, 0); + break; } TEST_EQUAL(mbedtls_test_move_handshake_to_state( @@ -3793,7 +3813,8 @@ void tls13_early_data(char *scenario_string) MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0); break; - case 1: + case 1: /* Intentional fallthrough */ + case 2: TEST_EQUAL(ret, 0); TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); TEST_EQUAL(server_pattern.counter, 1); -- cgit v1.1 From ae2d81c314c15350484c6188995a1bac9791f3ef Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 22 Jan 2024 09:13:41 +0100 Subject: tests: tls13: Run early data test only in TLS 1.3 only config Temporary workaround to not run the early data test in Windows-2013 where there is an issue with mbedtls_vsnprintf(). Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 949356a..807b5ab 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -12,7 +12,8 @@ #define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ +#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ + defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ @@ -3661,7 +3662,12 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +/* + * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is + * a temporary workaround to not run the test in Windows-2013 where there is + * an issue with mbedtls_vsnprintf(). + */ +/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ void tls13_early_data(char *scenario_string) { int ret = -1; -- cgit v1.1 From 12285c5c7c658a92cecc05a095e36d8d256d828a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 2 Feb 2024 17:52:41 +0000 Subject: Add calls to BLOCK_CIPHER_PSA_INIT / BLOCK_CIPHER_PSA_DONE Signed-off-by: Dave Rodgman --- tests/suites/test_suite_gcm.function | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 0af4209..8bb7b8b 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -499,8 +499,11 @@ exit: void gcm_invalid_iv_len(void) { mbedtls_gcm_context ctx; + mbedtls_gcm_init(&ctx); uint8_t b16[16] = { 0 }; + BLOCK_CIPHER_PSA_INIT(); + // Invalid IV length 0 gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT); mbedtls_gcm_free(&ctx); @@ -514,8 +517,8 @@ void gcm_invalid_iv_len(void) goto exit; /* To suppress error that exit is defined but not used */ exit: - /* empty */ - return; + mbedtls_gcm_free(&ctx); + BLOCK_CIPHER_PSA_DONE(); } /* END_CASE */ @@ -525,7 +528,10 @@ void gcm_add_len_too_long(void) // Only testable on platforms where sizeof(size_t) >= 8. #if SIZE_MAX >= UINT64_MAX mbedtls_gcm_context ctx; + mbedtls_gcm_init(&ctx); uint8_t b16[16] = { 0 }; + BLOCK_CIPHER_PSA_INIT(); + /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of AD should * be <= 2^64 - 1, ie < 2^64. This is the minimum invalid length in bytes. */ uint64_t len_max = 1ULL << 61; @@ -550,6 +556,7 @@ void gcm_add_len_too_long(void) exit: mbedtls_gcm_free(&ctx); + BLOCK_CIPHER_PSA_DONE(); #endif } /* END_CASE */ @@ -563,6 +570,9 @@ void gcm_input_len_too_long(void) uint8_t b16[16] = { 0 }; uint8_t out[1]; size_t out_len; + mbedtls_gcm_init(&ctx); + BLOCK_CIPHER_PSA_INIT(); + /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of input should * be <= 2^39 - 256. This is the maximum valid length in bytes. */ uint64_t len_max = (1ULL << 36) - 32; @@ -590,6 +600,7 @@ void gcm_input_len_too_long(void) exit: mbedtls_gcm_free(&ctx); + BLOCK_CIPHER_PSA_DONE(); #endif } /* END_CASE */ -- cgit v1.1 From ac61cee2fdcb4b24cc634ab90fa77f85e1dd8087 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 2 Feb 2024 17:53:38 +0000 Subject: Restore mutex lock for mbedtls_test_set_step() This function is called externally from several tests, so still requires a mutex lock. Add an internal function to reset the step, for use in functions where the mutex is already held. Signed-off-by: Paul Elliott --- tests/src/helpers.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 936da06..ee87a61 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -144,12 +144,25 @@ unsigned long mbedtls_test_get_step(void) return step; } -void mbedtls_test_set_step(unsigned long step) +void mbedtls_test_reset_step(void) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ + mbedtls_test_info.step = (unsigned long) (-1); +} + +void mbedtls_test_set_step(unsigned long step) +{ +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + mbedtls_test_info.step = step; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ } void mbedtls_test_get_line1(char *line) @@ -366,7 +379,7 @@ void mbedtls_test_info_reset(void) #endif /* MBEDTLS_THREADING_C */ mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SUCCESS, 0, 0, 0); - mbedtls_test_set_step((unsigned long) (-1)); + mbedtls_test_reset_step(); mbedtls_test_set_line1(NULL); mbedtls_test_set_line2(NULL); -- cgit v1.1 From 098e2d82cd4917cb03f5c385a449a6c83a1660e5 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 2 Feb 2024 17:59:26 +0000 Subject: Revert accidental formatting change Signed-off-by: Paul Elliott --- tests/include/test/bignum_helpers.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/include/test/bignum_helpers.h b/tests/include/test/bignum_helpers.h index cf175a3..a5e49cb 100644 --- a/tests/include/test/bignum_helpers.h +++ b/tests/include/test/bignum_helpers.h @@ -86,8 +86,8 @@ void mbedtls_test_mpi_mod_modulus_free_with_limbs(mbedtls_mpi_mod_modulus *N); * the "0 (null)" and "0 (1 limb)" and "leading zeros" test cases do what they * claim. * - * \param[out] X The MPI object to populate. It must be initialized. - * \param[in] s The null-terminated hexadecimal string to read from. + * \param[out] X The MPI object to populate. It must be initialized. + * \param[in] s The null-terminated hexadecimal string to read from. * * \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise. */ -- cgit v1.1 From 13ab693c491b59d07436c6a26ce8ecf133646000 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 08:48:39 +0100 Subject: rsa_internal: fix documentation for mbedtls_rsa_parse_key() Signed-off-by: Valerio Setti --- library/rsa_internal.h | 1 + 1 file changed, 1 insertion(+) diff --git a/library/rsa_internal.h b/library/rsa_internal.h index 4cb564e..f79c3b7 100644 --- a/library/rsa_internal.h +++ b/library/rsa_internal.h @@ -25,6 +25,7 @@ * \param keylen The length of the key buffer in bytes. * * \return 0 on success. + * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors. * \return MBEDTLS_ERR_RSA_xxx in case of RSA internal failures while * parsing data. * \return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if validity checks on the -- cgit v1.1 From 45c33ed41ec2d89535aed1ac81d4345939e5c42a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 09:04:10 +0100 Subject: test_suite_rsa: fix data for "extra integer outside the SEQUENCE" Signed-off-by: Valerio Setti --- tests/suites/test_suite_rsa.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index f4bd60a..b404f00 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -725,7 +725,7 @@ RSA parse public key - correct values, extra integer inside the SEQUENCE rsa_parse_pkcs1_key:1:"30818c028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH RSA parse public key - correct values, extra integer outside the SEQUENCE -rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":0 +rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":0 RSA priv key write - incremental output buffer size rsa_key_write_incremental:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c" -- cgit v1.1 From 864519793777dd9bfd416c3a60a272f6d0622934 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 09:50:20 +0100 Subject: psa_util: fix documentation of ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 15e92e3..b7b710f 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -184,35 +184,33 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) -/** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 - * format (used by legacy crypto APIs). +/** Convert an ECDSA signature from raw format to DER ASN.1 format. * * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of raw buffer in bytes + * \param raw_len Length of \p raw in bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. - * \param der_size Size of the output der buffer in bytes. + * \param der_size Size of \p der in bytes. * \param[out] der_len On success it contains the amount of valid data - * (in bytes) written to der buffer. It's undefined + * (in bytes) written to \p der. It's undefined * in case of failure. - * \param bits Size of each raw coordinate in bits. + * \param bits Size of each coordinate in bits. */ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, unsigned char *der, size_t der_size, size_t *der_len, size_t bits); -/** Convert an ECDSA signature from DER ASN.1 format (used by legacy crypto - * APIs) to raw format (used by PSA APIs). +/** Convert an ECDSA signature from DER ASN.1 format to raw format. * * \param der Buffer that contains the signature in DER format. - * \param der_len Size of the der buffer in bytes. + * \param der_len Size of \p der in bytes. * \param[out] raw Buffer that will be filled with the converted raw * signature. It can overlap with der buffer. - * \param raw_size Size of the raw buffer in bytes. + * \param raw_size Size of \p raw in bytes. * \param[out] raw_len On success it is updated with the amount of valid - * data (in bytes) written to raw buffer. It's undefined + * data (in bytes) written to \p raw. It's undefined * in case of failure. - * \param bits Size of each raw coordinate in bits. + * \param bits Size of each coordinate in bits. */ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_size, size_t *raw_len, -- cgit v1.1 From 315e4afc0a6bc4e55340fe8de7891e076e277da5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 10:09:15 +0100 Subject: psa_util: change parameters order in ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 14 ++++++-------- library/pk_wrap.c | 7 +++---- library/psa_util.c | 10 ++++------ tests/suites/test_suite_psa_crypto_util.function | 20 ++++++++------------ 4 files changed, 21 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index b7b710f..06732d8 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -186,6 +186,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa /** Convert an ECDSA signature from raw format to DER ASN.1 format. * + * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. * \param raw_len Length of \p raw in bytes. * \param[out] der Buffer that will be filled with the converted DER @@ -194,14 +195,13 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * \param[out] der_len On success it contains the amount of valid data * (in bytes) written to \p der. It's undefined * in case of failure. - * \param bits Size of each coordinate in bits. */ -int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, - unsigned char *der, size_t der_size, size_t *der_len, - size_t bits); +int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len); /** Convert an ECDSA signature from DER ASN.1 format to raw format. * + * \param bits Size of each coordinate in bits. * \param der Buffer that contains the signature in DER format. * \param der_len Size of \p der in bytes. * \param[out] raw Buffer that will be filled with the converted raw @@ -210,11 +210,9 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \param[out] raw_len On success it is updated with the amount of valid * data (in bytes) written to \p raw. It's undefined * in case of failure. - * \param bits Size of each coordinate in bits. */ -int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, - unsigned char *raw, size_t raw_size, size_t *raw_len, - size_t bits); +int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len); #endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 9a29d92..c45fbd4 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -573,9 +573,8 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, } p = (unsigned char *) sig; - ret = mbedtls_ecdsa_der_to_raw(p, sig_len, extracted_sig, - sizeof(extracted_sig), &converted_sig_len, - curve_bits); + ret = mbedtls_ecdsa_der_to_raw(curve_bits, p, sig_len, extracted_sig, + sizeof(extracted_sig), &converted_sig_len); if (ret != 0) { goto cleanup; } @@ -730,7 +729,7 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, } done: - ret = mbedtls_ecdsa_raw_to_der(sig, sig_size, sig, sig_size, sig_len, key_bits); + ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, sig_size, sig, sig_size, sig_len); return ret; } diff --git a/library/psa_util.c b/library/psa_util.c index b13d83d..2491f2e 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -402,9 +402,8 @@ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t ra return len; } -int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, - unsigned char *der, size_t der_size, size_t *der_len, - size_t bits) +int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len) { unsigned char r[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; unsigned char s[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; @@ -511,9 +510,8 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return (int) (p - der); } -int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, - unsigned char *raw, size_t raw_size, size_t *raw_len, - size_t bits) +int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len) { unsigned char raw_tmp[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE]; unsigned char *p = (unsigned char *) der; diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 9dc95b6..c102b07 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -12,9 +12,8 @@ void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_r TEST_CALLOC(tmp_buf, tmp_buf_len); - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len), exp_ret); if (exp_ret == 0) { ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); @@ -35,17 +34,15 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul for (i = 1; i < tmp_buf_len; i++) { TEST_CALLOC(tmp_buf, i); - TEST_ASSERT(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, i, &ret_len, - key_bits) != 0); + TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, i, &ret_len) != 0); mbedtls_free(tmp_buf); tmp_buf = NULL; } TEST_CALLOC(tmp_buf, i); - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, i, &ret_len, - key_bits), 0); + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, i, &ret_len), 0); exit: mbedtls_free(tmp_buf); } @@ -60,9 +57,8 @@ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_r TEST_CALLOC(tmp_buf, tmp_buf_len); - TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); + TEST_EQUAL(mbedtls_ecdsa_der_to_raw(key_bits, input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len), exp_ret); if (exp_ret == 0) { ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); -- cgit v1.1 From 6932e290572f2870f66003228b63d11044c49313 Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Mon, 5 Feb 2024 09:49:43 +0000 Subject: Correct the ENCODES_OWNER macro name in comment Signed-off-by: Antonio de Angelis --- include/psa/crypto_struct.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 8216f28..ca264e3 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -243,7 +243,7 @@ typedef struct { psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags); /* This type has a different layout in the client view wrt the * service view of the key id, i.e. in service view usually is - * expected to have MBEDTLS_SVC_KEY_ID_ENCODES_OWNER defined + * expected to have MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined * thus adding an owner field to the standard psa_key_id_t. For * implementations with client/service separation, this means the * object will be marshalled through a transport channel and -- cgit v1.1 From 954ef4bbd5727a92113732e51622af374d2f736f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 12:06:46 +0100 Subject: psa_util: improve convert_raw_to_der_single_int() Allow the function to support DER buffers than what it is nominally required by the provided coordinates. In other words let's ignore padding zeros in the raw number. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 7 ++++++- library/psa_util.c | 25 ++++++++++++------------ tests/suites/test_suite_psa_crypto_util.data | 4 ++++ tests/suites/test_suite_psa_crypto_util.function | 13 +++++++++--- 4 files changed, 33 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 06732d8..132c73f 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -191,7 +191,12 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * \param raw_len Length of \p raw in bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. - * \param der_size Size of \p der in bytes. + * \param der_size Size of \p der in bytes. Given \p bits parameter: + * * #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) can be used + * to determine a large enough buffer for any + * \p raw input vector. + * * The minimum size might be smaller in case + * \p raw input vector contains padding zeros. * \param[out] der_len On success it contains the amount of valid data * (in bytes) written to \p der. It's undefined * in case of failure. diff --git a/library/psa_util.c b/library/psa_util.c index 2491f2e..4e350c0 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -365,26 +365,27 @@ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t ra unsigned char *der_buf_end) { unsigned char *p = der_buf_end; - int len = (int) raw_len; + int len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* Copy the raw coordinate to the end of der_buf. */ - if ((p - der_buf_start) < len) { - return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; - } - p -= len; - memcpy(p, raw_buf, len); - /* ASN.1 DER encoding requires minimal length, so skip leading 0s. * Provided input MPIs should not be 0, but as a failsafe measure, still * detect that and return error in case. */ - while (*p == 0x00) { - ++p; - --len; - if (len == 0) { + while (*raw_buf == 0x00) { + ++raw_buf; + --raw_len; + if (raw_len == 0) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } } + len = (int) raw_len; + + /* Copy the raw coordinate to the end of der_buf. */ + if ((p - der_buf_start) < len) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + p -= len; + memcpy(p, raw_buf, len); /* If MSb is 1, ASN.1 requires that we prepend a 0. */ if (*p & 0x80) { diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index c92b5fc..606e563 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -115,3 +115,7 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" + +ECDSA Raw -> DER, 256bit, DER buffer of minimal length (1 byte per integer) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der_incremental:256:"00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002":"3006020101020102" diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index c102b07..51f42a7 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -32,6 +32,7 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul size_t ret_len; size_t i; + /* Test with an output buffer smaller than required (expexted to fail). */ for (i = 1; i < tmp_buf_len; i++) { TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, @@ -39,10 +40,16 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul mbedtls_free(tmp_buf); tmp_buf = NULL; } + /* Test with an output buffer larger/equal than required (expexted to + * succeed). */ + for (i = tmp_buf_len; i < (2 * tmp_buf_len); i++) { + TEST_CALLOC(tmp_buf, i); + TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, i, &ret_len) == 0); + mbedtls_free(tmp_buf); + tmp_buf = NULL; + } - TEST_CALLOC(tmp_buf, i); - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, - tmp_buf, i, &ret_len), 0); exit: mbedtls_free(tmp_buf); } -- cgit v1.1 From e01a2b03c63ef2fd087d850a6a006231417e5f71 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:16:36 +0100 Subject: psa_util: update documentation for mbedtls_ecdsa_der_to_raw() Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 132c73f..8868bc1 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -211,7 +211,8 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l * \param der_len Size of \p der in bytes. * \param[out] raw Buffer that will be filled with the converted raw * signature. It can overlap with der buffer. - * \param raw_size Size of \p raw in bytes. + * \param raw_size Size of \p raw in bytes. Must be at least + * 2 * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] raw_len On success it is updated with the amount of valid * data (in bytes) written to \p raw. It's undefined * in case of failure. -- cgit v1.1 From 2bd0ecdf4582ee04877c028c456ecf487d47dc9b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:25:15 +0100 Subject: psa_util: improve documentation for convert_raw_to_der_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index 4e350c0..1bb02e9 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -346,7 +346,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, * * \param raw_buf Buffer containing the raw coordinate to be * converted. - * \param raw_len Length of raw_buf in bytes. + * \param raw_len Length of raw_buf in bytes. This must be > 0. * \param der_buf_start Pointer to the beginning of the buffer which * will be filled with the DER converted data. * \param der_buf_end End of the buffer used to store the DER output. -- cgit v1.1 From 8334d00772c155c41eb1a735417fd98dfd0382ee Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:35:26 +0100 Subject: psa_util: improve check of raw_len in mbedtls_ecdsa_raw_to_der() Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 3 ++- library/psa_util.c | 2 +- tests/suites/test_suite_psa_crypto_util.data | 8 ++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 8868bc1..a5f09a4 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -188,7 +188,8 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of \p raw in bytes. + * \param raw_len Length of \p raw in bytes. This must be + * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. * \param der_size Size of \p der in bytes. Given \p bits parameter: diff --git a/library/psa_util.c b/library/psa_util.c index 1bb02e9..f3fcd1d 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (raw_len < 2 * coordinate_len) { + if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 606e563..580622f 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -26,6 +26,14 @@ ECDSA Raw -> DER, 256bit, s with MSb set depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 +ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, Success depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -- cgit v1.1 From bec1d842ac2a38d37a30fee182a7246ead5c41c9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:50:02 +0100 Subject: psa_util: convert_der_to_raw_single_int() accepts also all zero integers These values are not mathematically valid as signature, but as for what it concerns with ECDSA conversion functions, 0 values in DER format should be translated to 0 values in raw format. Signed-off-by: Valerio Setti --- library/psa_util.c | 4 ---- tests/suites/test_suite_psa_crypto_util.data | 24 ++++++++++++++++-------- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index f3fcd1d..0a77855 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -493,10 +493,6 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, p++; unpadded_len--; } - /* It should never happen that the input number has 0 length. */ - if (unpadded_len == 0) { - return MBEDTLS_ERR_ASN1_INVALID_DATA; - } if (unpadded_len > coordinate_size) { /* Parsed number is longer than the maximum expected value. */ diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 580622f..f12a4bb 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -74,21 +74,29 @@ ECDSA DER -> Raw, 256bit, r with MSb set depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) +ECDSA DER -> Raw, 256bit, Valid r all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit, Invalid s (only 1 zero byte) +ECDSA DER -> Raw, 256bit, Valid s all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 -ECDSA DER -> Raw, 256bit, Invalid r (0-length) +ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit,Invalid s (0-length) +ECDSA DER -> Raw, 256bit, Valid s only 1 zero byte depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 + +ECDSA DER -> Raw, 256bit, Valid 0-length r +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA DER -> Raw, 256bit, Valid 0-length s +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success -- cgit v1.1 From 05c256fb3639d3ae3ca414d309851e45fdb36ca4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 16:02:11 +0100 Subject: psa_util: minor performance improvement in mbedtls_ecdsa_der_to_raw() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index 0a77855..7e79b1c 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -529,7 +529,7 @@ int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_l return ret; } - memset(raw_tmp, 0, sizeof(raw_tmp)); + memset(raw_tmp, 0, 2 * coordinate_size); /* Extract r */ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, coordinate_size); -- cgit v1.1 From 091bdc416d5056554bb8963054357423165662b7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 16:17:44 +0100 Subject: psa_util: enhance checks on leading zeros in convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 10 ++++++++++ tests/suites/test_suite_psa_crypto_util.data | 12 ++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 7e79b1c..674f21b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -488,10 +488,20 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return ret; } + /* It's invalid to have MSb set without a leading 0x00 (leading 0x00 is + * checked below). */ + if ((*p & 0x80) != 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + /* Skip possible leading zero */ if ((unpadded_len > 0) && (*p == 0x00)) { p++; unpadded_len--; + /* Only 1 leading zero is allowed, otherwise that's an error. */ + if (*p == 0x00) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } } if (unpadded_len > coordinate_size) { diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index f12a4bb..568f6c5 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -74,13 +74,13 @@ ECDSA DER -> Raw, 256bit, r with MSb set depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit, Valid r all zeros +ECDSA DER -> Raw, 256bit, Invalid r all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Valid s all zeros +ECDSA DER -> Raw, 256bit, Invalid s all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte depends_on:PSA_WANT_ECC_SECP_K1_256 @@ -98,6 +98,10 @@ ECDSA DER -> Raw, 256bit, Valid 0-length s depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"30440220911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -- cgit v1.1 From 110126110da3316451f9ddf7d4f011973c6d1a17 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 16:24:18 +0100 Subject: test_suite_psa_util: use more generic symbols for test case dependencies Use PSA_VENDOR_ECC_MAX_CURVE_BITS instead of a specific curve since what we care about is only bit-size not the curve itself. Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 68 ++++++++++++++-------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 568f6c5..69e4e19 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,141 +1,141 @@ ECDSA Raw -> DER, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Raw data too short -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, DER buffer too small -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA Raw -> DER, 256bit, Null r -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Null s -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, s with MSb set -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Raw buffer too small -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA DER -> Raw, 256bit, Wrong sequence tag -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Invalid sequence length -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH ECDSA DER -> Raw, 256bit, Wrong integer tag -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA ECDSA DER -> Raw, 256bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Invalid r all zeros -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Invalid s all zeros -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Valid s only 1 zero byte -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 ECDSA DER -> Raw, 256bit, Valid 0-length r -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Valid 0-length s -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success -depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_raw_to_der:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA DER -> Raw, 512bit, Success -depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. # Bit length is rounded up to 528 to be multiple of 8. ECDSA Raw -> DER, 521bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_521 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. # Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_521 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Incremental DER buffer sizes -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der_incremental:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 512bit, Incremental DER buffer sizes -depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818502410091111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes -depends_on:PSA_WANT_ECC_SECP_R1_521 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 256bit, DER buffer of minimal length (1 byte per integer) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der_incremental:256:"00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002":"3006020101020102" -- cgit v1.1 From a4d17b34f354557838e05d2cb47200e8dcaaf59b Mon Sep 17 00:00:00 2001 From: Bill Roberts Date: Tue, 9 Jan 2024 13:10:05 -0600 Subject: pkg-config: add initial pkg-config files Add three package config files for mbedtls, mbedcrypto and mbedx509. Also update various project variables so the generated PC files have the required data needed without hardcoding it everywhere. This will help distros package the project following existing conventsions between a normal and -devel package that includes the headers and .pc files for pkg-config aware consumers. Fixes: #228 Signed-off-by: Bill Roberts --- CMakeLists.txt | 2 ++ ChangeLog.d/pkg-config-files-addition.txt | 2 ++ pkgconfig/CMakeLists.txt | 25 +++++++++++++++++++++++++ pkgconfig/JoinPaths.cmake | 27 +++++++++++++++++++++++++++ pkgconfig/mbedcrypto.pc.in | 10 ++++++++++ pkgconfig/mbedtls.pc.in | 11 +++++++++++ pkgconfig/mbedx509.pc.in | 11 +++++++++++ 7 files changed, 88 insertions(+) create mode 100644 ChangeLog.d/pkg-config-files-addition.txt create mode 100644 pkgconfig/CMakeLists.txt create mode 100644 pkgconfig/JoinPaths.cmake create mode 100644 pkgconfig/mbedcrypto.pc.in create mode 100644 pkgconfig/mbedtls.pc.in create mode 100644 pkgconfig/mbedx509.pc.in diff --git a/CMakeLists.txt b/CMakeLists.txt index ad05646..37a742e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -278,6 +278,8 @@ add_subdirectory(3rdparty) add_subdirectory(library) +add_subdirectory(pkgconfig) + # # The C files in tests/src directory contain test code shared among test suites # and programs. This shared test code is compiled and linked to test suites and diff --git a/ChangeLog.d/pkg-config-files-addition.txt b/ChangeLog.d/pkg-config-files-addition.txt new file mode 100644 index 0000000..e39f62e --- /dev/null +++ b/ChangeLog.d/pkg-config-files-addition.txt @@ -0,0 +1,2 @@ +Features + * Add pc files for pkg-config. eg.) pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) diff --git a/pkgconfig/CMakeLists.txt b/pkgconfig/CMakeLists.txt new file mode 100644 index 0000000..7dfc043 --- /dev/null +++ b/pkgconfig/CMakeLists.txt @@ -0,0 +1,25 @@ +if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL) + include(JoinPaths.cmake) + join_paths(PKGCONFIG_INCLUDEDIR "\${prefix}" "${CMAKE_INSTALL_INCLUDEDIR}") + join_paths(PKGCONFIG_LIBDIR "\${prefix}" "${CMAKE_INSTALL_LIBDIR}") + + #define these manually since minimum CMAKE version is not 3.9 for DESCRIPTION and 3.12 for HOMEPAGE_URL usage in project() below. + # Prefix with something that won't clash with newer versions of CMAKE. + set(PKGCONFIG_PROJECT_DESCRIPTION "Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems.") + set(PKGCONFIG_PROJECT_HOMEPAGE_URL "https://www.trustedfirmware.org/projects/mbed-tls/") + + configure_file(mbedcrypto.pc.in mbedcrypto.pc @ONLY) + install(FILES + ${CMAKE_CURRENT_BINARY_DIR}/mbedcrypto.pc + DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig) + + configure_file(mbedtls.pc.in mbedtls.pc @ONLY) + install(FILES + ${CMAKE_CURRENT_BINARY_DIR}/mbedtls.pc + DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig) + + configure_file(mbedx509.pc.in mbedx509.pc @ONLY) + install(FILES + ${CMAKE_CURRENT_BINARY_DIR}/mbedx509.pc + DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig) +endif() diff --git a/pkgconfig/JoinPaths.cmake b/pkgconfig/JoinPaths.cmake new file mode 100644 index 0000000..193caed --- /dev/null +++ b/pkgconfig/JoinPaths.cmake @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +# This module provides function for joining paths +# known from most languages +# +# Copyright The Mbed TLS Contributors +# +# This script originates from: +# - https://github.com/jtojnar/cmake-snips +# Jan has provided re-licensing under Apache 2.0 and GPL 2.0+ and +# allowed for the change of Copyright. +# +# Modelled after Python’s os.path.join +# https://docs.python.org/3.7/library/os.path.html#os.path.join +# Windows not supported +function(join_paths joined_path first_path_segment) + set(temp_path "${first_path_segment}") + foreach(current_segment IN LISTS ARGN) + if(NOT ("${current_segment}" STREQUAL "")) + if(IS_ABSOLUTE "${current_segment}") + set(temp_path "${current_segment}") + else() + set(temp_path "${temp_path}/${current_segment}") + endif() + endif() + endforeach() + set(${joined_path} "${temp_path}" PARENT_SCOPE) +endfunction() diff --git a/pkgconfig/mbedcrypto.pc.in b/pkgconfig/mbedcrypto.pc.in new file mode 100644 index 0000000..b35afc1 --- /dev/null +++ b/pkgconfig/mbedcrypto.pc.in @@ -0,0 +1,10 @@ +prefix=@CMAKE_INSTALL_PREFIX@ +includedir=@PKGCONFIG_INCLUDEDIR@ +libdir=@PKGCONFIG_LIBDIR@ + +Name: @PROJECT_NAME@ +Description: @PKGCONFIG_PROJECT_DESCRIPTION@ +URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@ +Version: @PROJECT_VERSION@ +Cflags: -I"${includedir}" +Libs: -L"${libdir}" -lmbedcrypto diff --git a/pkgconfig/mbedtls.pc.in b/pkgconfig/mbedtls.pc.in new file mode 100644 index 0000000..2bfce80 --- /dev/null +++ b/pkgconfig/mbedtls.pc.in @@ -0,0 +1,11 @@ +prefix=@CMAKE_INSTALL_PREFIX@ +includedir=@PKGCONFIG_INCLUDEDIR@ +libdir=@PKGCONFIG_LIBDIR@ + +Name: @PROJECT_NAME@ +Description: @PKGCONFIG_PROJECT_DESCRIPTION@ +URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@ +Version: @PROJECT_VERSION@ +Requires.private: mbedcrypto mbedx509 +Cflags: -I"${includedir}" +Libs: -L"${libdir}" -lmbedtls diff --git a/pkgconfig/mbedx509.pc.in b/pkgconfig/mbedx509.pc.in new file mode 100644 index 0000000..0ab2e31 --- /dev/null +++ b/pkgconfig/mbedx509.pc.in @@ -0,0 +1,11 @@ +prefix=@CMAKE_INSTALL_PREFIX@ +includedir=@PKGCONFIG_INCLUDEDIR@ +libdir=@PKGCONFIG_LIBDIR@ + +Name: @PROJECT_NAME@ +Description: @PKGCONFIG_PROJECT_DESCRIPTION@ +URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@ +Version: @PROJECT_VERSION@ +Requires.private: mbedcrypto +Cflags: -I"${includedir}" +Libs: -L"${libdir}" -lmbedx509 -- cgit v1.1 From 31e2d83eeef6a4dc564b1791a5ab31ecc5a3c593 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 5 Feb 2024 16:45:57 +0100 Subject: tls13: srv: Improve coding Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 93748a6..5f6d1a1 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1879,11 +1879,9 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_EARLY_DATA) if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) { - ssl->handshake->early_data_accepted = 0; - if (!hrr_required) { - ssl->handshake->early_data_accepted = - (ssl_tls13_check_early_data_requirements(ssl) == 0); - } + ssl->handshake->early_data_accepted = + (!hrr_required) && (ssl_tls13_check_early_data_requirements(ssl) == 0); + if (ssl->handshake->early_data_accepted) { ret = mbedtls_ssl_tls13_compute_early_transform(ssl); if (ret != 0) { -- cgit v1.1 From 71c6e65d83844da1bc15451743bc44a6db75eca4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 5 Feb 2024 16:48:10 +0100 Subject: tls13: ssl_msg.c: Improve/add comments Signed-off-by: Ronald Cron --- library/ssl_msg.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 2fe084c..7af9fd2 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4005,7 +4005,7 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) { MBEDTLS_SSL_DEBUG_MSG( 3, ("EarlyData: deprotect and discard app data records.")); - /* TODO: Add max_early_data_size check here. */ + /* TODO: Add max_early_data_size check here, see issue 6347 */ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; } #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */ @@ -4019,6 +4019,10 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + /* + * The decryption of the record failed, no reason to ignore it, + * return in error with the decryption error code. + */ return ret; } @@ -4127,7 +4131,7 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) { MBEDTLS_SSL_DEBUG_MSG( 3, ("EarlyData: Ignore application message before 2nd ClientHello")); - /* TODO: Add max_early_data_size check here. */ + /* TODO: Add max_early_data_size check here, see issue 6347 */ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) { ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; -- cgit v1.1 From 1792bb44a0aac407b8d87b08eeba487e19ac854f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 17:34:49 +0100 Subject: test_suite_psa_crypto_util: add more test cases Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 69e4e19..7f3f5b5 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -26,6 +26,18 @@ ECDSA Raw -> DER, 256bit, s with MSb set depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 +ECDSA Raw -> DER, 256bit, both r and s with MSb set +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"A111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"3046022100A111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA Raw -> DER, 256bit, r and s only 1 byte of data +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000110000000000000000000000000000000000000000000000000000000000000022":"3006020111020122":0 + +ECDSA Raw -> DER, 256bit, r and s only 1 byte of data with MSb set +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"000000000000000000000000000000000000000000000000000000000000009100000000000000000000000000000000000000000000000000000000000000A2":"300802020091020200A2":0 + ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA @@ -54,22 +66,26 @@ ECDSA DER -> Raw, 256bit, Wrong integer tag depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) +ECDSA DER -> Raw, 256bit, Wrong r integer length (1 byte smaller than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) +ECDSA DER -> Raw, 256bit, Wrong r integer length (1 byte larger than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) +ECDSA DER -> Raw, 256bit, Wrong s integer length (1 byte smaller than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH -ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) +ECDSA DER -> Raw, 256bit, Wrong s integer length (1 byte larger than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ECDSA DER -> Raw, 256bit, r size 1 byte larger than allowed for output raw coordinate +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_der_to_raw:256:"3045022111111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, r with MSb set depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 @@ -118,6 +134,10 @@ ECDSA Raw -> DER, 521bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ECDSA Raw -> DER, 521bit, Success (integers exactly 521 bits) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 +ecdsa_raw_to_der:528:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. # Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success -- cgit v1.1 From 9ae32704b615c473303c35c708efa18673858476 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Mon, 5 Feb 2024 16:44:16 +0000 Subject: Add missing dependencies for pkparse tests Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkparse.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index a8d6536..5e9f0e7 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -891,15 +891,15 @@ depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #99.3 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.4 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.5 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.6 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384 DER, 2048-bit) -- cgit v1.1 From 1d5fa22f9dc75841106d96cba39a113fe092dc21 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Mon, 5 Feb 2024 16:45:38 +0000 Subject: Fix pkcs5 aes test data Remove the keyLength parameter from the AES-256 tests. Add MBEDTLS_CIPHER_PADDING_PKCS7 to the dependencies. Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkcs5.data | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 790a31b..939c82f 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -143,16 +143,16 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIP pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" PBES2 Encrypt AES-128-CBC (OK, generated with OpenSSL) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e" PBES2 Encrypt AES-192-CBC (OK, generated with OpenSSL) -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94" PBES2 Encrypt AES-256-CBC (OK, generated with OpenSSL) -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7 +pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302706092A864886F70D01050C301a0408010203040506070802022710300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" PBES2 Decrypt AES-128-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC @@ -164,7 +164,7 @@ pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886 PBES2 Decrypt AES-256-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" +pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302706092A864886F70D01050C301a0408010203040506070802022710300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" PBES2 Decrypt (bad params tag) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C -- cgit v1.1 From 0e60e93c12002b1aae6fb77e647b3cfdba64134e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 17:59:42 +0100 Subject: test_suite_psa_crypto_util: improve ecdsa_der_to_raw() Check that the parsing always fails if the input is truncated. Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.function | 27 ++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 51f42a7..fe811e0 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -58,20 +58,35 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { - unsigned char *tmp_buf = NULL; - size_t tmp_buf_len = exp_result->len; + unsigned char *in_buf = NULL; + size_t in_buf_len; + unsigned char *out_buf = NULL; + size_t out_buf_len = exp_result->len; size_t ret_len; - TEST_CALLOC(tmp_buf, tmp_buf_len); + TEST_CALLOC(out_buf, out_buf_len); + + /* Verify that parsing of truncated input always fails. */ + for (in_buf_len = 1; in_buf_len < input->len; in_buf_len++) { + /* We alloc a copy of input buffer with limited length so that sanitizers + * can detect overreads. */ + TEST_CALLOC(in_buf, in_buf_len); + memcpy(in_buf, input->x, in_buf_len); + TEST_ASSERT(mbedtls_ecdsa_der_to_raw(key_bits, in_buf, in_buf_len, + out_buf, out_buf_len, &ret_len) != 0); + mbedtls_free(in_buf); + in_buf = NULL; + } TEST_EQUAL(mbedtls_ecdsa_der_to_raw(key_bits, input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len), exp_ret); + out_buf, out_buf_len, &ret_len), exp_ret); if (exp_ret == 0) { - ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); + ASSERT_COMPARE(exp_result->x, exp_result->len, out_buf, ret_len); } exit: - mbedtls_free(tmp_buf); + mbedtls_free(in_buf); + mbedtls_free(out_buf); } /* END_CASE */ -- cgit v1.1 From 33327dab8564bff155ec067a281e0e961390e7bf Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 5 Feb 2024 17:46:41 +0100 Subject: tests: early data: Switch to mnemonics for test scenarios Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 6 +++--- tests/suites/test_suite_ssl.function | 37 +++++++++++++++++------------------- 2 files changed, 20 insertions(+), 23 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index e5e4c1e..86945cc 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3275,10 +3275,10 @@ TLS 1.3 resume session with ticket tls13_resume_session_with_ticket TLS 1.3 early data, reference -tls13_early_data:"reference" +tls13_early_data:TEST_EARLY_DATA_REFERENCE TLS 1.3 early data, deprotect and discard -tls13_early_data:"deprotect and discard" +tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD TLS 1.3 early data, discard after HRR -tls13_early_data:"discard after HRR" +tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 807b5ab..cbb29b6 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -12,6 +12,11 @@ #define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } +/* Mnemonics for the early data test scenarios */ +#define TEST_EARLY_DATA_REFERENCE 0 +#define TEST_EARLY_DATA_DEPROTECT_AND_DISCARD 1 +#define TEST_EARLY_DATA_DISCARD_AFTER_HRR 2 + #if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ @@ -3668,10 +3673,9 @@ exit: * an issue with mbedtls_vsnprintf(). */ /* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ -void tls13_early_data(char *scenario_string) +void tls13_early_data(int scenario) { int ret = -1; - int scenario = 0; unsigned char buf[64]; const char *early_data = "This is early data."; size_t early_data_len = strlen(early_data); @@ -3687,19 +3691,6 @@ void tls13_early_data(char *scenario_string) }; /* - * Determine scenario. - */ - if (strcmp(scenario_string, "reference") == 0) { - scenario = 0; - } else if (strcmp(scenario_string, "deprotect and discard") == 0) { - scenario = 1; - } else if (strcmp(scenario_string, "discard after HRR") == 0) { - scenario = 2; - } else { - TEST_FAIL("Unknown scenario."); - } - - /* * Test set-up */ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); @@ -3769,7 +3760,10 @@ void tls13_early_data(char *scenario_string) TEST_EQUAL(ret, 0); switch (scenario) { - case 1: /* deprotect and discard */ + case TEST_EARLY_DATA_REFERENCE: + break; + + case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: mbedtls_debug_set_threshold(3); server_pattern.pattern = "EarlyData: deprotect and discard app data records."; @@ -3777,7 +3771,7 @@ void tls13_early_data(char *scenario_string) MBEDTLS_SSL_EARLY_DATA_DISABLED); break; - case 2: /* discard after HRR */ + case TEST_EARLY_DATA_DISCARD_AFTER_HRR: mbedtls_debug_set_threshold(3); server_pattern.pattern = "EarlyData: Ignore application message before 2nd ClientHello"; @@ -3789,6 +3783,9 @@ void tls13_early_data(char *scenario_string) ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); TEST_EQUAL(ret, 0); break; + + default: + TEST_FAIL("Unknown scenario."); } TEST_EQUAL(mbedtls_test_move_handshake_to_state( @@ -3807,7 +3804,7 @@ void tls13_early_data(char *scenario_string) MBEDTLS_SSL_HANDSHAKE_WRAPUP); switch (scenario) { - case 0: + case TEST_EARLY_DATA_REFERENCE: TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), @@ -3819,8 +3816,8 @@ void tls13_early_data(char *scenario_string) MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0); break; - case 1: /* Intentional fallthrough */ - case 2: + case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: /* Intentional fallthrough */ + case TEST_EARLY_DATA_DISCARD_AFTER_HRR: TEST_EQUAL(ret, 0); TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); TEST_EQUAL(server_pattern.counter, 1); -- cgit v1.1 From fe329cea3fdcda1865c21e24b5fa3e5aef219eaa Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 08:00:18 +0100 Subject: rsa: handle buffer length similarly in private and public key parsing Signed-off-by: Valerio Setti --- library/rsa.c | 8 +++++++- tests/suites/test_suite_rsa.data | 2 +- tests/suites/test_suite_x509parse.data | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index f4add91..b250e1d 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -109,6 +109,10 @@ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, si end = p + len; + if (end > (key + keylen)) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { return ret; } @@ -239,7 +243,9 @@ int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, return ret; } - if (p + len != end) { + end = p + len; + + if (end > (key + keylen)) { return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index b404f00..b89d158 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -707,7 +707,7 @@ RSA parse public key - public exponent 0 rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203000000":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse public key - wrong sequence length -rsa_parse_pkcs1_key:1:"308188028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +rsa_parse_pkcs1_key:1:"308188028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_OUT_OF_DATA RSA parse public key - wrong modulus length rsa_parse_pkcs1_key:1:"308189028180009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 261c220..b9ae20c 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1774,7 +1774,7 @@ x509parse_crt:"307d3068a0030201008204deadbeef300d06092a864886f70d01010b0500300c3 X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring length) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring tag) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -- cgit v1.1 From d4fc5d9d1c76a6cb978ceb4cc74ec62b111b0007 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 08:42:42 +0100 Subject: psa_util: allow larger raw buffers in mbedtls_ecdsa_raw_to_der() The only real contraint on the raw buffer is that it is large enough to contain 2 coordinates. Larger buffers are therefore allowed and the extra data will simply be ignored. Note = trying to impose a strict sizing on the raw buffer causes several failures in test suites. This suggests that it is quite common to use larger buffer to store raw signatures. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 2 +- library/psa_util.c | 2 +- tests/suites/test_suite_psa_crypto_util.data | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index a5f09a4..9294d29 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -188,7 +188,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of \p raw in bytes. This must be + * \param raw_len Length of \p raw in bytes. This must be at least * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. diff --git a/library/psa_util.c b/library/psa_util.c index 674f21b..7ce5eea 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { + if (raw_len < 2 * coordinate_len) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 7f3f5b5..f7e6eba 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -42,10 +42,6 @@ ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) -depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA - ECDSA DER -> Raw, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -- cgit v1.1 From c213a2e1e56b5734a6e1a07b7655df28739baf17 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 10:49:14 +0100 Subject: adjust_legacy_from_psa: use groups instead of curves for DH Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_from_psa.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index b27f6b9..56ec276 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -370,17 +370,17 @@ /* * DH key types follow the same pattern used above for EC keys. They are defined - * by a triplet (curve, key_type, alg). A triplet is accelerated if all its + * by a triplet (group, key_type, alg). A triplet is accelerated if all its * component are accelerated, otherwise each component needs to be builtin. */ -/* DH: curves: is acceleration complete? */ +/* DH: groups: is acceleration complete? */ #if (defined(PSA_WANT_DH_RFC7919_2048) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048)) || \ (defined(PSA_WANT_DH_RFC7919_3072) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072)) || \ (defined(PSA_WANT_DH_RFC7919_4096) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096)) || \ (defined(PSA_WANT_DH_RFC7919_6144) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144)) || \ (defined(PSA_WANT_DH_RFC7919_8192) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192)) -#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES +#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS #endif /* DH: algs: is acceleration complete? */ @@ -444,7 +444,7 @@ #if defined(PSA_WANT_ALG_FFDH) #if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || \ - defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES) #define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1 #define MBEDTLS_BIGNUM_C @@ -453,7 +453,7 @@ #if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \ - defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */ @@ -461,7 +461,7 @@ #if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \ - defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */ @@ -475,7 +475,7 @@ #if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC) || \ - defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1 #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */ @@ -483,7 +483,7 @@ #if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_CURVES) || \ + defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1 #define MBEDTLS_BIGNUM_C -- cgit v1.1 From 4e9683e8180801a6d0c5326794263c32d62f1e71 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Thu, 28 Dec 2023 17:07:43 +0800 Subject: Reduce many unnecessary static memory consumption .data section of ssl_client1 becomes 320 bytes smaller on AMD64. Signed-off-by: Chien Wong --- library/ecp_curves.c | 14 +++++++------- library/sha3.c | 4 ++-- library/ssl_tls.c | 16 ++++++++-------- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 577e23b..9a011bb 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -52,7 +52,7 @@ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) /* For these curves, we build the group parameters dynamically. */ #define ECP_LOAD_GROUP -static mbedtls_mpi_uint mpi_one[] = { 1 }; +static const mbedtls_mpi_uint mpi_one[] = { 1 }; #endif /* @@ -4511,7 +4511,7 @@ static inline void ecp_mpi_set1(mbedtls_mpi *X) { X->s = 1; X->n = 1; - X->p = mpi_one; + X->p = (mbedtls_mpi_uint *) mpi_one; /* X->p will not be modified so the cast is safe */ } /* @@ -5318,7 +5318,7 @@ cleanup: */ #define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P #define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R -static inline int ecp_mod_koblitz(mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs, +static inline int ecp_mod_koblitz(mbedtls_mpi *N, const mbedtls_mpi_uint *Rp, size_t p_limbs, size_t adjust, size_t shift, mbedtls_mpi_uint mask) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -5332,7 +5332,7 @@ static inline int ecp_mod_koblitz(mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p /* Init R */ R.s = 1; - R.p = Rp; + R.p = (mbedtls_mpi_uint *) Rp; /* R.p will not be modified so the cast is safe */ R.n = P_KOBLITZ_R; /* Common setup for M */ @@ -5403,7 +5403,7 @@ cleanup: */ static int ecp_mod_p192k1(mbedtls_mpi *N) { - static mbedtls_mpi_uint Rp[] = { + static const mbedtls_mpi_uint Rp[] = { MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00) }; @@ -5420,7 +5420,7 @@ static int ecp_mod_p192k1(mbedtls_mpi *N) */ static int ecp_mod_p224k1(mbedtls_mpi *N) { - static mbedtls_mpi_uint Rp[] = { + static const mbedtls_mpi_uint Rp[] = { MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00) }; @@ -5442,7 +5442,7 @@ static int ecp_mod_p224k1(mbedtls_mpi *N) */ static int ecp_mod_p256k1(mbedtls_mpi *N) { - static mbedtls_mpi_uint Rp[] = { + static const mbedtls_mpi_uint Rp[] = { MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00) }; diff --git a/library/sha3.c b/library/sha3.c index d90fefa..f420a12 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -37,7 +37,7 @@ mbedtls_sha3_family_functions; /* * List of supported SHA-3 families */ -static mbedtls_sha3_family_functions sha3_families[] = { +static const mbedtls_sha3_family_functions sha3_families[] = { { MBEDTLS_SHA3_224, 1152, 224 }, { MBEDTLS_SHA3_256, 1088, 256 }, { MBEDTLS_SHA3_384, 832, 384 }, @@ -180,7 +180,7 @@ void mbedtls_sha3_clone(mbedtls_sha3_context *dst, */ int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id) { - mbedtls_sha3_family_functions *p = NULL; + const mbedtls_sha3_family_functions *p = NULL; for (p = sha3_families; p->id != MBEDTLS_SHA3_NONE; p++) { if (p->id == id) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ecfecf2..10c5f74 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -631,7 +631,7 @@ static const char *extension_name_table[] = { [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit" }; -static unsigned int extension_type_table[] = { +static const unsigned int extension_type_table[] = { [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, @@ -3706,7 +3706,7 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT))) -static unsigned char ssl_serialized_session_header[] = { +static const unsigned char ssl_serialized_session_header[] = { MBEDTLS_VERSION_MAJOR, MBEDTLS_VERSION_MINOR, MBEDTLS_VERSION_PATCH, @@ -4431,7 +4431,7 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session) (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \ 0u)) -static unsigned char ssl_serialized_context_header[] = { +static const unsigned char ssl_serialized_context_header[] = { MBEDTLS_VERSION_MAJOR, MBEDTLS_VERSION_MINOR, MBEDTLS_VERSION_PATCH, @@ -5049,7 +5049,7 @@ void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) * See the documentation of mbedtls_ssl_conf_curves() for what we promise * about this list. */ -static uint16_t ssl_preset_default_groups[] = { +static const uint16_t ssl_preset_default_groups[] = { #if defined(MBEDTLS_ECP_HAVE_CURVE25519) MBEDTLS_SSL_IANA_TLS_GROUP_X25519, #endif @@ -5100,7 +5100,7 @@ static const int ssl_preset_suiteb_ciphersuites[] = { * - ssl_tls12_preset* is for TLS 1.2 use only. * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. */ -static uint16_t ssl_preset_default_sig_algs[] = { +static const uint16_t ssl_preset_default_sig_algs[] = { #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ defined(MBEDTLS_MD_CAN_SHA256) && \ @@ -5195,7 +5195,7 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = { #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* NOTICE: see above */ -static uint16_t ssl_preset_suiteb_sig_algs[] = { +static const uint16_t ssl_preset_suiteb_sig_algs[] = { #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ defined(MBEDTLS_MD_CAN_SHA256) && \ @@ -5236,7 +5236,7 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -static uint16_t ssl_preset_suiteb_groups[] = { +static const uint16_t ssl_preset_suiteb_groups[] = { #if defined(MBEDTLS_ECP_HAVE_SECP256R1) MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, #endif @@ -5250,7 +5250,7 @@ static uint16_t ssl_preset_suiteb_groups[] = { /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` * to make sure there are no duplicated signature algorithm entries. */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_check_no_sig_alg_duplication(uint16_t *sig_algs) +static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs) { size_t i, j; int ret = 0; -- cgit v1.1 From 735ac3ec05f08392e8890632d9489f43f8778ea6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 6 Feb 2024 11:11:32 +0100 Subject: Fix builds with secp224k1 as the only curve Normally, if an elliptic curve is enabled in the legacy API then it's also enabled in the PSA API. In particular, if the legacy API has at least one curve then that curve also works with PSA. There is an exception with secp224k1 which PSA does not support. In a build with secp224k1 as the only legacy curve, MBEDTLS_PK_HAVE_ECC_KEYS is enabled (because you can use the curve through PK) but PSA does not support any elliptic curve, so we can't run PK-PSA bridge tests. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 84 ++++++++++++++++++------------------- tests/suites/test_suite_pk.function | 24 +++++++++++ 2 files changed, 66 insertions(+), 42 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 55146fe..3414958 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -821,171 +821,171 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public DECRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public ENCRYPT (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DERIVE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECKEY_DH pair DERIVE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECDSA pair DERIVE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DERIVE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public DERIVE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public DERIVE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair SIGN_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair SIGN_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA public VERIFY_MESSAGE -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA public VERIFY_HASH -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public SIGN_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public SIGN_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public SIGN_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public SIGN_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PK_CAN_ECDSA_SOME +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair SIGN_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair SIGN_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair VERIFY_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair VERIFY_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public SIGN_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public SIGN_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public VERIFY_MESSAGE (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public VERIFY_HASH (bad) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE (bad policy) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 2dd35c8..2574307 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -36,6 +36,30 @@ #define MBEDTLS_TEST_PK_PSA_SIGN #endif +/* MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE is enabled when PSA supports + * at least one elliptic curve. This is distinct from + * PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY because that symbol can be enabled even + * when there are no curves. This happens in particular in a configuration + * with MBEDTLS_PSA_CRYPTO_CONFIG disabled and where the only legacy curve + * is secp224k1, which is not supported in PSA. */ +#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) +#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) || \ + defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) || \ + defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) || \ + defined(PSA_WANT_ECC_MONTGOMERY_255) || \ + defined(PSA_WANT_ECC_MONTGOMERY_448) || \ + defined(PSA_WANT_ECC_SECP_K1_192) || \ + defined(PSA_WANT_ECC_SECP_K1_224) || \ + defined(PSA_WANT_ECC_SECP_K1_256) || \ + defined(PSA_WANT_ECC_SECP_R1_192) || \ + defined(PSA_WANT_ECC_SECP_R1_224) || \ + defined(PSA_WANT_ECC_SECP_R1_256) || \ + defined(PSA_WANT_ECC_SECP_R1_384) || \ + defined(PSA_WANT_ECC_SECP_R1_521) +#define MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +#endif +#endif + #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) { -- cgit v1.1 From d0a772740ec78c153b13a3337e2a4e40fbad341e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 5 Feb 2024 17:57:05 +0100 Subject: tests: early data: Complete the handshake Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index cbb29b6..8687a4d 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3810,10 +3810,6 @@ void tls13_early_data(int scenario) TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), buf, sizeof(buf)), early_data_len); TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); - - TEST_EQUAL(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0); break; case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: /* Intentional fallthrough */ @@ -3824,6 +3820,10 @@ void tls13_early_data(int scenario) break; } + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER), 0); + exit: mbedtls_test_ssl_endpoint_free(&client_ep, NULL); mbedtls_test_ssl_endpoint_free(&server_ep, NULL); -- cgit v1.1 From b327a1e706f4fbb113ed7f17edcdc23bfa8c5828 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 6 Feb 2024 11:21:26 +0000 Subject: Change unaligned access method for old gcc gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94662 shows that __attribute__ aligned may be ignored. Signed-off-by: Dave Rodgman --- library/alignment.h | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/library/alignment.h b/library/alignment.h index 248f29b..8db550f 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -71,10 +71,10 @@ typedef uint64_t __packed mbedtls_uint64_unaligned_t; * Tested with several versions of GCC from 4.5.0 up to 9.3.0 * We don't enable for older than 4.5.0 as this has not been tested. */ - #define UINT_UNALIGNED -typedef uint16_t __attribute__((__aligned__(1))) mbedtls_uint16_unaligned_t; -typedef uint32_t __attribute__((__aligned__(1))) mbedtls_uint32_unaligned_t; -typedef uint64_t __attribute__((__aligned__(1))) mbedtls_uint64_unaligned_t; + #define UINT_UNALIGNED_UNION +typedef union { uint16_t x; } __attribute__((packed)) mbedtls_uint16_unaligned_t; +typedef union { uint32_t x; } __attribute__((packed)) mbedtls_uint32_unaligned_t; +typedef union { uint64_t x; } __attribute__((packed)) mbedtls_uint64_unaligned_t; #endif /* @@ -101,6 +101,9 @@ static inline uint16_t mbedtls_get_unaligned_uint16(const void *p) #if defined(UINT_UNALIGNED) mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; r = *p16; +#elif defined(UINT_UNALIGNED_UNION) + mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; + r = p16->x; #else memcpy(&r, p, sizeof(r)); #endif @@ -124,6 +127,9 @@ static inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x) #if defined(UINT_UNALIGNED) mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; *p16 = x; +#elif defined(UINT_UNALIGNED_UNION) + mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; + p16->x = x; #else memcpy(p, &x, sizeof(x)); #endif @@ -147,6 +153,9 @@ static inline uint32_t mbedtls_get_unaligned_uint32(const void *p) #if defined(UINT_UNALIGNED) mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; r = *p32; +#elif defined(UINT_UNALIGNED_UNION) + mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; + r = p32->x; #else memcpy(&r, p, sizeof(r)); #endif @@ -170,6 +179,9 @@ static inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x) #if defined(UINT_UNALIGNED) mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; *p32 = x; +#elif defined(UINT_UNALIGNED_UNION) + mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; + p32->x = x; #else memcpy(p, &x, sizeof(x)); #endif @@ -193,6 +205,9 @@ static inline uint64_t mbedtls_get_unaligned_uint64(const void *p) #if defined(UINT_UNALIGNED) mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; r = *p64; +#elif defined(UINT_UNALIGNED_UNION) + mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; + r = p64->x; #else memcpy(&r, p, sizeof(r)); #endif @@ -216,6 +231,9 @@ static inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x) #if defined(UINT_UNALIGNED) mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; *p64 = x; +#elif defined(UINT_UNALIGNED_UNION) + mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; + p64->x = x; #else memcpy(p, &x, sizeof(x)); #endif -- cgit v1.1 From f20728ee49a89ef8fbb9154dd014c1cbe28a48b9 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 6 Feb 2024 12:49:45 +0000 Subject: Fix missed case for removing accessor Signed-off-by: Paul Elliott --- tests/src/helpers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index ee87a61..da0b54a 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -483,7 +483,7 @@ int mbedtls_test_le_s(const char *test, int line_no, const char *filename, #endif /* MBEDTLS_THREADING_C */ /* Don't use accessor, we already hold mutex. */ - if (mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_FAILED) { + if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) { /* If we've already recorded the test as having failed then don't * overwrite any previous information about the failure. */ -- cgit v1.1 From ec9936d1223283d45d947ab1b6d7f1ea31594fe7 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 6 Feb 2024 12:56:45 +0000 Subject: Improve gcc guards Signed-off-by: Dave Rodgman --- library/alignment.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/alignment.h b/library/alignment.h index 8db550f..65c5321 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -53,7 +53,7 @@ typedef uint16_t __packed mbedtls_uint16_unaligned_t; typedef uint32_t __packed mbedtls_uint32_unaligned_t; typedef uint64_t __packed mbedtls_uint64_unaligned_t; #elif defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 40504) && \ - ((MBEDTLS_GCC_VERSION < 90300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS))) + ((MBEDTLS_GCC_VERSION < 60300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS))) /* * Old versions of gcc, depending on how the target is specified, may generate a branch to memcpy * for calls like `memcpy(dest, src, 4)` rather than generating some LDR or LDRB instructions -- cgit v1.1 From f4e8234f932faa0052b8d97ad9055e7922204aee Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 6 Feb 2024 12:57:03 +0000 Subject: Improve docs Signed-off-by: Dave Rodgman --- library/alignment.h | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/library/alignment.h b/library/alignment.h index 65c5321..14a86cf 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -55,20 +55,25 @@ typedef uint64_t __packed mbedtls_uint64_unaligned_t; #elif defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 40504) && \ ((MBEDTLS_GCC_VERSION < 60300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS))) /* - * Old versions of gcc, depending on how the target is specified, may generate a branch to memcpy - * for calls like `memcpy(dest, src, 4)` rather than generating some LDR or LDRB instructions - * (similar for stores). - * Recent versions where unaligned access is not enabled also do this. + * gcc may generate a branch to memcpy for calls like `memcpy(dest, src, 4)` rather than + * generating some LDR or LDRB instructions (similar for stores). + * + * For versions of gcc < 5.4.0 this always happens. + * For gcc < 6.3.0, this happens at -O0 + * For all versions, this happens iff unaligned access is not supported. + * + * For gcc 4.x, this will generate byte-by-byte loads even if unaligned access is supported, which + * is correct but not optimal. * * For performance (and code size, in some cases), we want to avoid the branch and just generate * some inline load/store instructions since the access is small and constant-size. * * The manual states: - * "The aligned attribute specifies a minimum alignment for the variable or structure field, - * measured in bytes." - * https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html + * "The packed attribute specifies that a variable or structure field should have the smallest + * possible alignment—one byte for a variable" + * https://gcc.gnu.org/onlinedocs/gcc-4.5.4/gcc/Variable-Attributes.html * - * Tested with several versions of GCC from 4.5.0 up to 9.3.0 + * Tested with several versions of GCC from 4.5.0 up to 13.2.0 * We don't enable for older than 4.5.0 as this has not been tested. */ #define UINT_UNALIGNED_UNION -- cgit v1.1 From 22b934e6d2242c5d7c3b14f82ef99ecb62fb7de4 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 6 Feb 2024 12:57:16 +0000 Subject: Use struct not union Signed-off-by: Dave Rodgman --- library/alignment.h | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/library/alignment.h b/library/alignment.h index 14a86cf..db83595 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -76,10 +76,10 @@ typedef uint64_t __packed mbedtls_uint64_unaligned_t; * Tested with several versions of GCC from 4.5.0 up to 13.2.0 * We don't enable for older than 4.5.0 as this has not been tested. */ - #define UINT_UNALIGNED_UNION -typedef union { uint16_t x; } __attribute__((packed)) mbedtls_uint16_unaligned_t; -typedef union { uint32_t x; } __attribute__((packed)) mbedtls_uint32_unaligned_t; -typedef union { uint64_t x; } __attribute__((packed)) mbedtls_uint64_unaligned_t; + #define UINT_UNALIGNED_STRUCT +typedef struct { uint16_t x; } __attribute__((packed)) mbedtls_uint16_unaligned_t; +typedef struct { uint32_t x; } __attribute__((packed)) mbedtls_uint32_unaligned_t; +typedef struct { uint64_t x; } __attribute__((packed)) mbedtls_uint64_unaligned_t; #endif /* @@ -106,7 +106,7 @@ static inline uint16_t mbedtls_get_unaligned_uint16(const void *p) #if defined(UINT_UNALIGNED) mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; r = *p16; -#elif defined(UINT_UNALIGNED_UNION) +#elif defined(UINT_UNALIGNED_STRUCT) mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; r = p16->x; #else @@ -132,7 +132,7 @@ static inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x) #if defined(UINT_UNALIGNED) mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; *p16 = x; -#elif defined(UINT_UNALIGNED_UNION) +#elif defined(UINT_UNALIGNED_STRUCT) mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p; p16->x = x; #else @@ -158,7 +158,7 @@ static inline uint32_t mbedtls_get_unaligned_uint32(const void *p) #if defined(UINT_UNALIGNED) mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; r = *p32; -#elif defined(UINT_UNALIGNED_UNION) +#elif defined(UINT_UNALIGNED_STRUCT) mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; r = p32->x; #else @@ -184,7 +184,7 @@ static inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x) #if defined(UINT_UNALIGNED) mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; *p32 = x; -#elif defined(UINT_UNALIGNED_UNION) +#elif defined(UINT_UNALIGNED_STRUCT) mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p; p32->x = x; #else @@ -210,7 +210,7 @@ static inline uint64_t mbedtls_get_unaligned_uint64(const void *p) #if defined(UINT_UNALIGNED) mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; r = *p64; -#elif defined(UINT_UNALIGNED_UNION) +#elif defined(UINT_UNALIGNED_STRUCT) mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; r = p64->x; #else @@ -236,7 +236,7 @@ static inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x) #if defined(UINT_UNALIGNED) mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; *p64 = x; -#elif defined(UINT_UNALIGNED_UNION) +#elif defined(UINT_UNALIGNED_STRUCT) mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p; p64->x = x; #else -- cgit v1.1 From eae7fce8296404563632062281c3dc7da32f43db Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 14:40:59 +0100 Subject: add changelog Signed-off-by: Valerio Setti --- ChangeLog.d/8030.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ChangeLog.d/8030.txt diff --git a/ChangeLog.d/8030.txt b/ChangeLog.d/8030.txt new file mode 100644 index 0000000..d99c9e7 --- /dev/null +++ b/ChangeLog.d/8030.txt @@ -0,0 +1,7 @@ +Changes + * Extended PSA Crypto configurations options for FFDH by making it possible + to select only some of the parameters / groups, with the macros + PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro + for each size you want to support. Also, if you have an FFDH accelerator, + you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal + support for these domain parameters. -- cgit v1.1 From d09f96b829aedcddd5bb40681fca2c31ff20a591 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 6 Feb 2024 13:51:58 +0000 Subject: Improve docs Signed-off-by: Dave Rodgman --- library/alignment.h | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/library/alignment.h b/library/alignment.h index db83595..fece47d 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -58,12 +58,15 @@ typedef uint64_t __packed mbedtls_uint64_unaligned_t; * gcc may generate a branch to memcpy for calls like `memcpy(dest, src, 4)` rather than * generating some LDR or LDRB instructions (similar for stores). * - * For versions of gcc < 5.4.0 this always happens. - * For gcc < 6.3.0, this happens at -O0 - * For all versions, this happens iff unaligned access is not supported. + * This is architecture dependent: x86-64 seems fine even with old gcc; 32-bit Arm + * is affected. To keep it simple, we enable for all architectures. * - * For gcc 4.x, this will generate byte-by-byte loads even if unaligned access is supported, which - * is correct but not optimal. + * For versions of gcc < 5.4.0 this issue always happens. + * For gcc < 6.3.0, this issue happens at -O0 + * For all versions, this issue happens iff unaligned access is not supported. + * + * For gcc 4.x, this implementation will generate byte-by-byte loads even if unaligned access is + * supported, which is correct but not optimal. * * For performance (and code size, in some cases), we want to avoid the branch and just generate * some inline load/store instructions since the access is small and constant-size. @@ -73,6 +76,9 @@ typedef uint64_t __packed mbedtls_uint64_unaligned_t; * possible alignment—one byte for a variable" * https://gcc.gnu.org/onlinedocs/gcc-4.5.4/gcc/Variable-Attributes.html * + * Previous implementations used __attribute__((__aligned__(1)), but had issues with a gcc bug: + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94662 + * * Tested with several versions of GCC from 4.5.0 up to 13.2.0 * We don't enable for older than 4.5.0 as this has not been tested. */ -- cgit v1.1 From 94c5806a64aa68eac1af9ad25d3b4e302fdae2f4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 15:49:06 +0100 Subject: suite_psa_crypto_util: make ecdsa_raw_to_der_incremental() more readable Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.function | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index fe811e0..2d8915e 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -28,12 +28,11 @@ exit: void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_result) { unsigned char *tmp_buf = NULL; - size_t tmp_buf_len = exp_result->len; size_t ret_len; size_t i; /* Test with an output buffer smaller than required (expexted to fail). */ - for (i = 1; i < tmp_buf_len; i++) { + for (i = 1; i < exp_result->len; i++) { TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, tmp_buf, i, &ret_len) != 0); @@ -42,7 +41,7 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul } /* Test with an output buffer larger/equal than required (expexted to * succeed). */ - for (i = tmp_buf_len; i < (2 * tmp_buf_len); i++) { + for (i = exp_result->len; i < (2 * exp_result->len); i++) { TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, tmp_buf, i, &ret_len) == 0); -- cgit v1.1 From e093281a8b51a3d89e61c99b7ac28c7bae47fbfa Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 6 Feb 2024 15:00:58 +0000 Subject: Pacify check-names Signed-off-by: Dave Rodgman --- library/alignment.h | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/library/alignment.h b/library/alignment.h index fece47d..a17001d 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -83,9 +83,15 @@ typedef uint64_t __packed mbedtls_uint64_unaligned_t; * We don't enable for older than 4.5.0 as this has not been tested. */ #define UINT_UNALIGNED_STRUCT -typedef struct { uint16_t x; } __attribute__((packed)) mbedtls_uint16_unaligned_t; -typedef struct { uint32_t x; } __attribute__((packed)) mbedtls_uint32_unaligned_t; -typedef struct { uint64_t x; } __attribute__((packed)) mbedtls_uint64_unaligned_t; +typedef struct { + uint16_t x; +} __attribute__((packed)) mbedtls_uint16_unaligned_t; +typedef struct { + uint32_t x; +} __attribute__((packed)) mbedtls_uint32_unaligned_t; +typedef struct { + uint64_t x; +} __attribute__((packed)) mbedtls_uint64_unaligned_t; #endif /* -- cgit v1.1 From 79e2e5d2d00d95fe9d9131baa3d79726d28e1f5b Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 6 Feb 2024 15:10:03 +0000 Subject: Add comment to set/increment step functions These functions are thread safe, but using them from within multiple threads at the same time may not have the intended effect, given order cannot be guaranteed. Also, standardise header comment formatting. Signed-off-by: Paul Elliott --- tests/include/test/helpers.h | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index f2fb62d..a939b1c 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -111,6 +111,11 @@ int mbedtls_test_get_line_no(void); /** * \brief Increment the current test step. + * + * \note Calling this function from within multiple threads at the + * same time is not recommended - whilst it is entirely thread + * safe, the order of calls to this function can obviously not + * be ensured, so unexpected results may occur. */ void mbedtls_test_increment_step(void); @@ -215,30 +220,35 @@ void mbedtls_test_fail(const char *test, int line_no, const char *filename); void mbedtls_test_skip(const char *test, int line_no, const char *filename); /** - * \brief Set the test step number for failure reports. + * \brief Set the test step number for failure reports. + * + * Call this function to display "step NNN" in addition to the + * line number and file name if a test fails. Typically the + * "step number" is the index of a for loop but it can be + * whatever you want. * - * Call this function to display "step NNN" in addition to the - * line number and file name if a test fails. Typically the "step - * number" is the index of a for loop but it can be whatever you - * want. + * \note Calling this function from a within multiple threads at the + * same time is not recommended - whilst it is entirely thread + * safe, the order of calls to this function can obviously not + * be ensured, so unexpected results may occur. * * \param step The step number to report. */ void mbedtls_test_set_step(unsigned long step); /** - * \brief Reset mbedtls_test_info to a ready/starting state. + * \brief Reset mbedtls_test_info to a ready/starting state. */ void mbedtls_test_info_reset(void); #ifdef MBEDTLS_TEST_MUTEX_USAGE /** - * \brief Get the test info data mutex. + * \brief Get the test info data mutex. * - * \note This is designed only to be used by threading_helpers to avoid a - * deadlock, not for general access to this mutex. + * \note This is designed only to be used by threading_helpers to + * avoid a deadlock, not for general access to this mutex. * - * \return The test info data mutex. + * \return The test info data mutex. */ mbedtls_threading_mutex_t *mbedtls_test_get_info_mutex(void); -- cgit v1.1 From 2b6a7b37f40c01f63497782525421026ee697f22 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:21:44 +0100 Subject: suite_psa_crypto_util: use 521 bits data and bit-size instead of 528 Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index f7e6eba..eb205b9 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -125,20 +125,14 @@ depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. -# Bit length is rounded up to 528 to be multiple of 8. ECDSA Raw -> DER, 521bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 - -ECDSA Raw -> DER, 521bit, Success (integers exactly 521 bits) -depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_raw_to_der:528:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:521:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. -# Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:521:"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Incremental DER buffer sizes depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 @@ -150,7 +144,7 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" +ecdsa_raw_to_der_incremental:521:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 256bit, DER buffer of minimal length (1 byte per integer) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -- cgit v1.1 From fb53647b0b4c51a57ec195e915cffcca6fcf43f2 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 14:55:25 +0100 Subject: tests: ssl: Move group list to options Signed-off-by: Ronald Cron --- tests/include/test/ssl_helpers.h | 4 +-- tests/src/test_helpers/ssl_helpers.c | 16 +++++----- tests/suites/test_suite_ssl.function | 59 ++++++++++++++++++------------------ 3 files changed, 39 insertions(+), 40 deletions(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 1f41966..44c2fcf 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -85,6 +85,7 @@ typedef struct mbedtls_test_ssl_log_pattern { typedef struct mbedtls_test_handshake_test_options { const char *cipher; + uint16_t *group_list; mbedtls_ssl_protocol_version client_min_version; mbedtls_ssl_protocol_version client_max_version; mbedtls_ssl_protocol_version server_min_version; @@ -440,8 +441,7 @@ int mbedtls_test_ssl_endpoint_init( mbedtls_test_handshake_test_options *options, mbedtls_test_message_socket_context *dtls_context, mbedtls_test_ssl_message_queue *input_queue, - mbedtls_test_ssl_message_queue *output_queue, - uint16_t *group_list); + mbedtls_test_ssl_message_queue *output_queue); /* * Deinitializes endpoint represented by \p ep. diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 980c192..cc96cfe 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -50,6 +50,7 @@ void mbedtls_test_init_handshake_options( rng_seed += 0xD0; #endif opts->cipher = ""; + opts->group_list = NULL; opts->client_min_version = MBEDTLS_SSL_VERSION_UNKNOWN; opts->client_max_version = MBEDTLS_SSL_VERSION_UNKNOWN; opts->server_min_version = MBEDTLS_SSL_VERSION_UNKNOWN; @@ -733,8 +734,7 @@ int mbedtls_test_ssl_endpoint_init( mbedtls_test_handshake_test_options *options, mbedtls_test_message_socket_context *dtls_context, mbedtls_test_ssl_message_queue *input_queue, - mbedtls_test_ssl_message_queue *output_queue, - uint16_t *group_list) + mbedtls_test_ssl_message_queue *output_queue) { int ret = -1; uintptr_t user_data_n; @@ -818,8 +818,8 @@ int mbedtls_test_ssl_endpoint_init( } } - if (group_list != NULL) { - mbedtls_ssl_conf_groups(&(ep->conf), group_list); + if (options->group_list != NULL) { + mbedtls_ssl_conf_groups(&(ep->conf), options->group_list); } mbedtls_ssl_conf_authmode(&(ep->conf), MBEDTLS_SSL_VERIFY_REQUIRED); @@ -2006,7 +2006,7 @@ void mbedtls_test_ssl_perform_handshake( MBEDTLS_SSL_IS_CLIENT, options, &client_context, &client_queue, - &server_queue, NULL) == 0); + &server_queue) == 0); #if defined(MBEDTLS_TIMING_C) mbedtls_ssl_set_timer_cb(&client.ssl, &timer_client, mbedtls_timing_set_delay, @@ -2016,7 +2016,7 @@ void mbedtls_test_ssl_perform_handshake( TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, options, NULL, NULL, - NULL, NULL) == 0); + NULL) == 0); } if (strlen(options->cipher) > 0) { @@ -2029,7 +2029,7 @@ void mbedtls_test_ssl_perform_handshake( MBEDTLS_SSL_IS_SERVER, options, &server_context, &server_queue, - &client_queue, NULL) == 0); + &client_queue) == 0); #if defined(MBEDTLS_TIMING_C) mbedtls_ssl_set_timer_cb(&server.ssl, &timer_server, mbedtls_timing_set_delay, @@ -2038,7 +2038,7 @@ void mbedtls_test_ssl_perform_handshake( } else { TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, - options, NULL, NULL, NULL, + options, NULL, NULL, NULL) == 0); } diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8687a4d..02b9500 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -2457,7 +2457,7 @@ void mbedtls_endpoint_sanity(int endpoint_type) MD_OR_USE_PSA_INIT(); ret = mbedtls_test_ssl_endpoint_init(NULL, endpoint_type, &options, - NULL, NULL, NULL, NULL); + NULL, NULL, NULL); TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret); ret = mbedtls_test_ssl_endpoint_certificate_init(NULL, options.pk_alg, @@ -2465,7 +2465,7 @@ void mbedtls_endpoint_sanity(int endpoint_type) TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret); ret = mbedtls_test_ssl_endpoint_init(&ep, endpoint_type, &options, - NULL, NULL, NULL, NULL); + NULL, NULL, NULL); TEST_ASSERT(ret == 0); exit: @@ -2509,14 +2509,14 @@ void move_handshake_to_state(int endpoint_type, int tls_version, int state, int mbedtls_platform_zeroize(&second_ep, sizeof(second_ep)); ret = mbedtls_test_ssl_endpoint_init(&base_ep, endpoint_type, &options, - NULL, NULL, NULL, NULL); + NULL, NULL, NULL); TEST_ASSERT(ret == 0); ret = mbedtls_test_ssl_endpoint_init( &second_ep, (endpoint_type == MBEDTLS_SSL_IS_SERVER) ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER, - &options, NULL, NULL, NULL, NULL); + &options, NULL, NULL, NULL); TEST_ASSERT(ret == 0); @@ -3069,11 +3069,10 @@ void force_bad_session_id_len() TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, &options, NULL, NULL, - NULL, NULL) == 0); + NULL) == 0); TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, - &options, NULL, NULL, NULL, - NULL) == 0); + &options, NULL, NULL, NULL) == 0); mbedtls_debug_set_threshold(1); mbedtls_ssl_conf_dbg(&server.conf, options.srv_log_fun, @@ -3248,8 +3247,9 @@ void raw_key_agreement_fail(int bad_server_ecdhe_key) mbedtls_test_ssl_endpoint client, server; mbedtls_psa_stats_t stats; size_t free_slots_before = -1; - mbedtls_test_handshake_test_options options; - mbedtls_test_init_handshake_options(&options); + mbedtls_test_handshake_test_options client_options, server_options; + mbedtls_test_init_handshake_options(&client_options); + mbedtls_test_init_handshake_options(&server_options); uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; @@ -3257,21 +3257,22 @@ void raw_key_agreement_fail(int bad_server_ecdhe_key) mbedtls_platform_zeroize(&client, sizeof(client)); mbedtls_platform_zeroize(&server, sizeof(server)); - options.pk_alg = MBEDTLS_PK_ECDSA; - options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; - options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; - /* Client side, force SECP256R1 to make one key bitflip fail * the raw key agreement. Flipping the first byte makes the * required 0x04 identifier invalid. */ + client_options.pk_alg = MBEDTLS_PK_ECDSA; + client_options.group_list = iana_tls_group_list; TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, - &options, NULL, NULL, - NULL, iana_tls_group_list), 0); + &client_options, NULL, NULL, + NULL), 0); /* Server side */ + server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; + server_options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, - &options, NULL, NULL, - NULL, NULL), 0); + &server_options, NULL, NULL, + NULL), 0); TEST_EQUAL(mbedtls_test_mock_socket_connect(&(client.socket), &(server.socket), @@ -3307,7 +3308,8 @@ void raw_key_agreement_fail(int bad_server_ecdhe_key) exit: mbedtls_test_ssl_endpoint_free(&client, NULL); mbedtls_test_ssl_endpoint_free(&server, NULL); - mbedtls_test_free_handshake_options(&options); + mbedtls_test_free_handshake_options(&client_options); + mbedtls_test_free_handshake_options(&server_options); MD_OR_USE_PSA_DONE(); } @@ -3336,15 +3338,13 @@ void tls13_server_certificate_msg_invalid_vector_len() client_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, - &client_options, NULL, NULL, NULL, - NULL); + &client_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); mbedtls_test_init_handshake_options(&server_options); server_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, - &server_options, NULL, NULL, NULL, - NULL); + &server_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), @@ -3591,14 +3591,12 @@ void tls13_resume_session_with_ticket() client_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, - &client_options, NULL, NULL, NULL, - NULL); + &client_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); server_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, - &server_options, NULL, NULL, NULL, - NULL); + &server_options, NULL, NULL, NULL); mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, mbedtls_test_ticket_write, mbedtls_test_ticket_parse, @@ -3702,19 +3700,20 @@ void tls13_early_data(int scenario) PSA_INIT(); client_options.pk_alg = MBEDTLS_PK_ECDSA; + client_options.group_list = group_list; ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, - &client_options, NULL, NULL, NULL, - group_list); + &client_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.group_list = group_list; server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; server_options.srv_log_obj = &server_pattern; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, - &server_options, NULL, NULL, NULL, - group_list); + &server_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); + mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, mbedtls_test_ticket_write, -- cgit v1.1 From b4ad3e750b9e592cb8e55d95dc1958194de0c5e8 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 14:57:53 +0100 Subject: tests: ssl: First reset to all zeroes options in init Signed-off-by: Ronald Cron --- tests/src/test_helpers/ssl_helpers.c | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index cc96cfe..2090f92 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -49,37 +49,25 @@ void mbedtls_test_init_handshake_options( srand(rng_seed); rng_seed += 0xD0; #endif + + memset(opts, 0, sizeof(*opts)); + opts->cipher = ""; - opts->group_list = NULL; opts->client_min_version = MBEDTLS_SSL_VERSION_UNKNOWN; opts->client_max_version = MBEDTLS_SSL_VERSION_UNKNOWN; opts->server_min_version = MBEDTLS_SSL_VERSION_UNKNOWN; opts->server_max_version = MBEDTLS_SSL_VERSION_UNKNOWN; opts->expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_3; - opts->expected_handshake_result = 0; - opts->expected_ciphersuite = 0; opts->pk_alg = MBEDTLS_PK_RSA; - opts->opaque_alg = 0; - opts->opaque_alg2 = 0; - opts->opaque_usage = 0; - opts->psk_str = NULL; - opts->dtls = 0; opts->srv_auth_mode = MBEDTLS_SSL_VERIFY_NONE; - opts->serialize = 0; opts->mfl = MBEDTLS_SSL_MAX_FRAG_LEN_NONE; opts->cli_msg_len = 100; opts->srv_msg_len = 100; opts->expected_cli_fragments = 1; opts->expected_srv_fragments = 1; - opts->renegotiate = 0; opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION; - opts->srv_log_obj = NULL; - opts->cli_log_obj = NULL; - opts->srv_log_fun = NULL; - opts->cli_log_fun = NULL; opts->resize_buffers = 1; #if defined(MBEDTLS_SSL_CACHE_C) - opts->cache = NULL; TEST_CALLOC(opts->cache, 1); mbedtls_ssl_cache_init(opts->cache); #if defined(MBEDTLS_HAVE_TIME) -- cgit v1.1 From ced99be007836d65563c8c1af5db6110cadca550 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 15:49:12 +0100 Subject: tests: ssl: Add early data handshake option Signed-off-by: Ronald Cron --- tests/include/test/ssl_helpers.h | 1 + tests/src/test_helpers/ssl_helpers.c | 5 +++++ tests/suites/test_suite_ssl.function | 4 ++-- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 44c2fcf..0aa53c8 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -113,6 +113,7 @@ typedef struct mbedtls_test_handshake_test_options { void (*srv_log_fun)(void *, int, const char *, int, const char *); void (*cli_log_fun)(void *, int, const char *, int, const char *); int resize_buffers; + int early_data; #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_context *cache; #endif diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 2090f92..a9a2159 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -67,6 +67,7 @@ void mbedtls_test_init_handshake_options( opts->expected_srv_fragments = 1; opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION; opts->resize_buffers = 1; + opts->early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; #if defined(MBEDTLS_SSL_CACHE_C) TEST_CALLOC(opts->cache, 1); mbedtls_ssl_cache_init(opts->cache); @@ -812,6 +813,10 @@ int mbedtls_test_ssl_endpoint_init( mbedtls_ssl_conf_authmode(&(ep->conf), MBEDTLS_SSL_VERIFY_REQUIRED); +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_conf_early_data(&(ep->conf), options->early_data); +#endif + #if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SRV_C) if (endpoint_type == MBEDTLS_SSL_IS_SERVER && options->cache != NULL) { mbedtls_ssl_conf_session_cache(&(ep->conf), options->cache, diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 02b9500..861aa72 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3701,20 +3701,20 @@ void tls13_early_data(int scenario) client_options.pk_alg = MBEDTLS_PK_ECDSA; client_options.group_list = group_list; + client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &client_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); - mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); server_options.pk_alg = MBEDTLS_PK_ECDSA; server_options.group_list = group_list; + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; server_options.srv_log_obj = &server_pattern; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &server_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); - mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED); mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, mbedtls_test_ticket_write, mbedtls_test_ticket_parse, -- cgit v1.1 From 1f6e4e4a4999bd4716db933ecb7762479728e018 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 16:31:33 +0100 Subject: tests: ssl: Add helper function to get a TLS 1.3 ticket Signed-off-by: Ronald Cron --- tests/include/test/ssl_helpers.h | 11 +++++++ tests/src/test_helpers/ssl_helpers.c | 56 ++++++++++++++++++++++++++++++++++++ tests/suites/test_suite_ssl.function | 52 +++++++++++---------------------- 3 files changed, 83 insertions(+), 36 deletions(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 0aa53c8..3506609 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -600,6 +600,17 @@ int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len); #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int mbedtls_test_get_tls13_ticket( + mbedtls_test_handshake_test_options *client_options, + mbedtls_test_handshake_test_options *server_options, + mbedtls_ssl_session *session); +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SRV_C && + MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + #define ECJPAKE_TEST_PWD "bla" #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index a9a2159..ad4c070 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -2455,4 +2455,60 @@ int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, return mbedtls_ssl_session_load(session, buf, len); } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ + +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int mbedtls_test_get_tls13_ticket( + mbedtls_test_handshake_test_options *client_options, + mbedtls_test_handshake_test_options *server_options, + mbedtls_ssl_session *session) +{ + int ret = -1; + unsigned char buf[64]; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); + mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); + + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, + client_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, + server_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, + mbedtls_test_ticket_write, + mbedtls_test_ticket_parse, + NULL); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER), 0); + + TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 0); + + do { + ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf)); + } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET); + + ret = mbedtls_ssl_get_session(&(client_ep.ssl), session); + TEST_EQUAL(ret, 0); + +exit: + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + + return ret; +} +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SRV_C && + MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 861aa72..ca12051 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3572,15 +3572,11 @@ exit: void tls13_resume_session_with_ticket() { int ret = -1; - unsigned char buf[64]; mbedtls_test_ssl_endpoint client_ep, server_ep; mbedtls_test_handshake_test_options client_options; mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; - /* - * Test set-up - */ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); mbedtls_test_init_handshake_options(&client_options); @@ -3589,14 +3585,27 @@ void tls13_resume_session_with_ticket() PSA_INIT(); + /* + * Run first handshake to get a ticket from the server. + */ client_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.pk_alg = MBEDTLS_PK_ECDSA; + + ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, + &saved_session); + TEST_EQUAL(ret, 0); + + /* + * Prepare for handshake with the ticket. + */ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &client_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); - server_options.pk_alg = MBEDTLS_PK_ECDSA; ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &server_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, mbedtls_test_ticket_write, mbedtls_test_ticket_parse, @@ -3607,41 +3616,12 @@ void tls13_resume_session_with_ticket() &(server_ep.socket), 1024); TEST_EQUAL(ret, 0); - /* - * Run initial handshake: ephemeral key exchange mode, certificate with - * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature - * algorithm. Then, get the ticket sent by the server at the end of its - * handshake sequence. - */ - TEST_EQUAL(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_HANDSHAKE_OVER), 0); - - do { - ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf)); - } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET); - - /* - * Save client session and reset the SSL context of the two endpoints. - */ - ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session); - TEST_EQUAL(ret, 0); - - ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); - TEST_EQUAL(ret, 0); - - ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); - TEST_EQUAL(ret, 0); - - /* - * Set saved session on client side and handshake using the ticket - * included in that session. - */ - ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); TEST_EQUAL(ret, 0); /* + * Handshake with ticket. + * * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks * below. -- cgit v1.1 From bfcdc069efb1d52a98e3578aa0ec62a4bec7e9e4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 16:57:25 +0100 Subject: tests: ssl: Use get TLS 1.3 ticket helper for early data test Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 94 +++++++++++++----------------------- 1 file changed, 34 insertions(+), 60 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ca12051..d6e4c6a 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3668,9 +3668,6 @@ void tls13_early_data(int scenario) MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; - /* - * Test set-up - */ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); mbedtls_test_init_handshake_options(&client_options); @@ -3679,65 +3676,24 @@ void tls13_early_data(int scenario) PSA_INIT(); + /* + * Run first handshake to get a ticket from the server. + */ + client_options.pk_alg = MBEDTLS_PK_ECDSA; client_options.group_list = group_list; client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; - ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, - &client_options, NULL, NULL, NULL); - TEST_EQUAL(ret, 0); - server_options.pk_alg = MBEDTLS_PK_ECDSA; server_options.group_list = group_list; server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; - server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; - server_options.srv_log_obj = &server_pattern; - ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, - &server_options, NULL, NULL, NULL); - TEST_EQUAL(ret, 0); - - mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, - mbedtls_test_ticket_write, - mbedtls_test_ticket_parse, - NULL); - - ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), - &(server_ep.socket), 1024); - TEST_EQUAL(ret, 0); - - /* - * Run initial handshake: ephemeral key exchange mode, certificate with - * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature - * algorithm. Then, get the ticket sent by the server at the end of its - * handshake sequence. - */ - TEST_EQUAL(mbedtls_test_move_handshake_to_state( - &(server_ep.ssl), &(client_ep.ssl), - MBEDTLS_SSL_HANDSHAKE_OVER), 0); - - do { - ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf)); - } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET); - - /* - * Save client session and reset the SSL context of the two endpoints. - */ - ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session); - TEST_EQUAL(ret, 0); - - ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); - TEST_EQUAL(ret, 0); - ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); + ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, + &saved_session); TEST_EQUAL(ret, 0); /* - * Set saved session on client side and start handshake using the ticket - * included in that session. + * Prepare for handshake with the ticket. */ - - ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); - TEST_EQUAL(ret, 0); - switch (scenario) { case TEST_EARLY_DATA_REFERENCE: break; @@ -3746,27 +3702,45 @@ void tls13_early_data(int scenario) mbedtls_debug_set_threshold(3); server_pattern.pattern = "EarlyData: deprotect and discard app data records."; - mbedtls_ssl_conf_early_data(&server_ep.conf, - MBEDTLS_SSL_EARLY_DATA_DISABLED); + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; break; case TEST_EARLY_DATA_DISCARD_AFTER_HRR: mbedtls_debug_set_threshold(3); server_pattern.pattern = "EarlyData: Ignore application message before 2nd ClientHello"; - mbedtls_ssl_conf_groups(&server_ep.conf, group_list + 1); - /* - * Need to reset again to reconstruct the group list in the - * handshake structure from the configured one. - */ - ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); - TEST_EQUAL(ret, 0); + server_options.group_list = group_list + 1; break; default: TEST_FAIL("Unknown scenario."); } + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, + &client_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; + server_options.srv_log_obj = &server_pattern; + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, + &server_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, + mbedtls_test_ticket_write, + mbedtls_test_ticket_parse, + NULL); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + /* + * Handshake with ticket and send early data. + */ TEST_EQUAL(mbedtls_test_move_handshake_to_state( &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_SERVER_HELLO), 0); -- cgit v1.1 From fe59ff794d2e198665ca9456c097eae0b30fab66 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 24 Jan 2024 14:31:50 +0100 Subject: tls13: Send dummy CCS only once Fix cases where the client was sending two CCS, no harm but better to send only one. Prevent to send even more CCS when early data are involved without having to add conditional state transitions. Signed-off-by: Ronald Cron --- library/ssl_misc.h | 15 ++++++++++++--- library/ssl_tls13_client.c | 23 ++++++++++++++--------- library/ssl_tls13_generic.c | 2 ++ library/ssl_tls13_server.c | 10 +++++++--- 4 files changed, 35 insertions(+), 15 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 16cd62e..dff19c8 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -731,14 +731,23 @@ struct mbedtls_ssl_handshake_params { uint8_t key_exchange_mode; /*!< Selected key exchange mode */ /** Number of HelloRetryRequest messages received/sent from/to the server. */ - int hello_retry_request_count; + uint8_t hello_retry_request_count; + +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + /** + * Number of dummy change_cipher_spec (CCS) record sent. Used to send only + * one CCS per handshake without having to complicate the handshake state + * transitions. + */ + uint8_t ccs_count; +#endif #if defined(MBEDTLS_SSL_SRV_C) - /** selected_group of key_share extension in HelloRetryRequest message. */ - uint16_t hrr_selected_group; #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ #endif + /** selected_group of key_share extension in HelloRetryRequest message. */ + uint16_t hrr_selected_group; #if defined(MBEDTLS_SSL_SESSION_TICKETS) uint16_t new_session_tickets_count; /*!< number of session tickets */ #endif diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index f4987b3..e6680c7 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2568,8 +2568,6 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); - } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else #endif /* MBEDTLS_SSL_EARLY_DATA */ { @@ -3059,18 +3057,25 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) */ #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: - ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); - if (ret == 0) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); + ret = 0; + if (ssl->handshake->ccs_count == 0) { + ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); + if (ret != 0) { + break; + } } + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); break; case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: - ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); - if (ret == 0) { - mbedtls_ssl_handshake_set_state( - ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); + ret = 0; + if (ssl->handshake->ccs_count == 0) { + ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); + if (ret != 0) { + break; + } } + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); break; #if defined(MBEDTLS_SSL_EARLY_DATA) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 2666067..386a754 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1390,6 +1390,8 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl) /* Dispatch message */ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0)); + ssl->handshake->ccs_count++; + cleanup: MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec")); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 62b117c..05693f3 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3482,10 +3482,14 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) break; case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: - ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); - if (ret == 0) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); + ret = 0; + if (ssl->handshake->ccs_count == 0) { + ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); + if (ret != 0) { + break; + } } + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ -- cgit v1.1 From 90e223364ca559042710316d4ba4e6eb86178284 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 22 Jan 2024 15:24:21 +0100 Subject: tls13: cli: Refine early data status The main purpose of the change is to know from the status, at any point in the handshake, if early data can be sent or not and why. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 6 +++--- library/ssl_misc.h | 32 ++++++++++++++++++++++++++++++++ library/ssl_tls.c | 2 +- library/ssl_tls13_client.c | 45 ++++++++++++++++++++++++++------------------- 4 files changed, 62 insertions(+), 23 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e0cd79d..9583a15 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5106,9 +5106,9 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); #if defined(MBEDTLS_SSL_EARLY_DATA) -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 2 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 3 #if defined(MBEDTLS_SSL_SRV_C) /** diff --git a/library/ssl_misc.h b/library/ssl_misc.h index dff19c8..942d4ad 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2145,6 +2145,38 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, size_t *out_len); + +#if defined(MBEDTLS_SSL_CLI_C) +/* + * The client has not sent the first ClientHello yet, it is unknown if the + * client will send an early data indication extension or not. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 + +/* + * The client has sent an early data indication extension in its first + * ClientHello, it has not received the response (ServerHello or + * HelloRetryRequest) from the server yet. The transform to protect early data + * is not set and early data cannot be sent yet. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_SENT 4 + +/* + * The client has sent an early data indication extension in its first + * ClientHello, it has not received the response (ServerHello or + * HelloRetryRequest) from the server yet. The transform to protect early data + * has been set and early data can be written now. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE 5 + +/* + * The client has sent an early data indication extension in its first + * ClientHello, the server has accepted them and the client has received the + * server Finished message. It cannot send early data to the server anymore. + */ +#define MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED 6 +#endif /* MBEDTLS_SSL_CLI_C */ + #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8afedde..3bbd4ca 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1100,7 +1100,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) #if defined(MBEDTLS_SSL_CLI_C) - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN; #endif #if defined(MBEDTLS_SSL_SRV_C) ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index e6680c7..5d7a495 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1180,26 +1180,21 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_SSL_EARLY_DATA) - if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) && - ssl_tls13_early_data_has_valid_ticket(ssl) && - ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED && - ssl->handshake->hello_retry_request_count == 0) { + if (ssl->handshake->hello_retry_request_count == 0) { + if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) && + ssl_tls13_early_data_has_valid_ticket(ssl) && + ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) { + ret = mbedtls_ssl_tls13_write_early_data_ext( + ssl, 0, p, end, &ext_len); + if (ret != 0) { + return ret; + } + p += ext_len; - ret = mbedtls_ssl_tls13_write_early_data_ext( - ssl, 0, p, end, &ext_len); - if (ret != 0) { - return ret; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SENT; + } else { + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; } - p += ext_len; - - /* Initializes the status to `rejected`. It will be updated to - * `accepted` if the EncryptedExtension message contain an early data - * indication extension. - */ - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; - } else { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension")); - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1236,7 +1231,7 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) size_t psk_len; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_SENT) { MBEDTLS_SSL_DEBUG_MSG( 1, ("Set hs psk for early data when writing the first psk")); @@ -1299,6 +1294,7 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) 1, ("Switch to early data keys for outbound traffic")); mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_earlydata); + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE; #endif } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1971,6 +1967,13 @@ static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl) } ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id; + +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) { + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + } +#endif + return 0; } @@ -2230,6 +2233,8 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) } ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + } else if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) { + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; } #endif @@ -2567,6 +2572,7 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED; mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); } else #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -3088,6 +3094,7 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) 1, ("Switch to early data keys for outbound traffic")); mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_earlydata); + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE; } break; #endif /* MBEDTLS_SSL_EARLY_DATA */ -- cgit v1.1 From a7f94e49a821d37f4f33addd5db8d183cb1720f8 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 24 Jan 2024 09:40:46 +0100 Subject: tests: ssl: Add early data status unit test Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 + tests/suites/test_suite_ssl.function | 143 +++++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 86945cc..82ec57a 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3282,3 +3282,6 @@ tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD TLS 1.3 early data, discard after HRR tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR + +TLS 1.3 cli, early data status +tls13_cli_early_data_status diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d6e4c6a..d44848f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3787,3 +3787,146 @@ exit: PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +void tls13_cli_early_data_status() +{ + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options client_options; + mbedtls_test_handshake_test_options server_options; + mbedtls_ssl_session saved_session; + + mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); + mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); + mbedtls_test_init_handshake_options(&client_options); + mbedtls_test_init_handshake_options(&server_options); + mbedtls_ssl_session_init(&saved_session); + + PSA_INIT(); + + /* + * Run first handshake to get a ticket from the server. + */ + client_options.pk_alg = MBEDTLS_PK_ECDSA; + client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + + ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, + &saved_session); + TEST_EQUAL(ret, 0); + + /* + * Prepare for handshake with the ticket. + */ + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, + &client_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, + &server_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, + mbedtls_test_ticket_write, + mbedtls_test_ticket_parse, + NULL); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + /* + * Go through the handshake sequence, state by state, checking the early + * data status each time. + */ + do { + int state = client_ep.ssl.state; + + /* Progress the handshake from at least one state */ + while (client_ep.ssl.state == state) { + ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); + TEST_ASSERT((ret == 0) || + (ret == MBEDTLS_ERR_SSL_WANT_READ) || + (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); + if (client_ep.ssl.state != state) { + break; + } + ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); + TEST_ASSERT((ret == 0) || + (ret == MBEDTLS_ERR_SSL_WANT_READ) || + (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); + } + + switch (client_ep.ssl.state) { + case MBEDTLS_SSL_CLIENT_HELLO: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); + break; + + case MBEDTLS_SSL_SERVER_HELLO: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); + break; + + case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); + break; + + case MBEDTLS_SSL_SERVER_FINISHED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); + break; + + case MBEDTLS_SSL_END_OF_EARLY_DATA: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + + case MBEDTLS_SSL_CLIENT_CERTIFICATE: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + + case MBEDTLS_SSL_CLIENT_FINISHED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SENT); + break; +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + + case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ + case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ + case MBEDTLS_SSL_HANDSHAKE_OVER: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + + default: + TEST_FAIL("Unexpected state."); + } + } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER); + +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + TEST_EQUAL(client_ep.ssl.handshake->ccs_count, 1); +#endif + +exit: + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_free_handshake_options(&client_options); + mbedtls_test_free_handshake_options(&server_options); + mbedtls_ssl_session_free(&saved_session); + PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From 5c208d7dafb5457e6883c7935d0c3b4de9c7072b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 24 Jan 2024 10:13:30 +0100 Subject: tests: ssl: Add scenario param to early data status testing function Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 8 ++-- tests/suites/test_suite_ssl.function | 88 +++++++++++++++++++++++++++--------- 2 files changed, 70 insertions(+), 26 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 82ec57a..916849d 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3274,8 +3274,8 @@ elliptic_curve_get_properties TLS 1.3 resume session with ticket tls13_resume_session_with_ticket -TLS 1.3 early data, reference -tls13_early_data:TEST_EARLY_DATA_REFERENCE +TLS 1.3 early data, early data accepted +tls13_early_data:TEST_EARLY_DATA_ACCEPTED TLS 1.3 early data, deprotect and discard tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD @@ -3283,5 +3283,5 @@ tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD TLS 1.3 early data, discard after HRR tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR -TLS 1.3 cli, early data status -tls13_cli_early_data_status +TLS 1.3 cli, early data status, early data accepted +tls13_cli_early_data_status:TEST_EARLY_DATA_ACCEPTED diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d44848f..920aa2f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -13,7 +13,7 @@ #define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } /* Mnemonics for the early data test scenarios */ -#define TEST_EARLY_DATA_REFERENCE 0 +#define TEST_EARLY_DATA_ACCEPTED 0 #define TEST_EARLY_DATA_DEPROTECT_AND_DISCARD 1 #define TEST_EARLY_DATA_DISCARD_AFTER_HRR 2 @@ -3695,7 +3695,7 @@ void tls13_early_data(int scenario) * Prepare for handshake with the ticket. */ switch (scenario) { - case TEST_EARLY_DATA_REFERENCE: + case TEST_EARLY_DATA_ACCEPTED: break; case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: @@ -3757,7 +3757,7 @@ void tls13_early_data(int scenario) MBEDTLS_SSL_HANDSHAKE_WRAPUP); switch (scenario) { - case TEST_EARLY_DATA_REFERENCE: + case TEST_EARLY_DATA_ACCEPTED: TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), @@ -3789,7 +3789,7 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ -void tls13_cli_early_data_status() +void tls13_cli_early_data_status(int scenario) { int ret = -1; mbedtls_test_ssl_endpoint client_ep, server_ep; @@ -3820,6 +3820,14 @@ void tls13_cli_early_data_status() /* * Prepare for handshake with the ticket. */ + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + break; + + default: + TEST_FAIL("Unknown scenario."); + } + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &client_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); @@ -3864,52 +3872,88 @@ void tls13_cli_early_data_status() switch (client_ep.ssl.state) { case MBEDTLS_SSL_CLIENT_HELLO: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); + break; + } break; case MBEDTLS_SSL_SERVER_HELLO: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); + break; + } break; case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); + break; + } break; case MBEDTLS_SSL_SERVER_FINISHED: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); + break; + } break; case MBEDTLS_SSL_END_OF_EARLY_DATA: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + } break; case MBEDTLS_SSL_CLIENT_CERTIFICATE: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + } break; case MBEDTLS_SSL_CLIENT_FINISHED: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + } break; #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_SENT); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SENT); + break; + } break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ case MBEDTLS_SSL_HANDSHAKE_OVER: - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + } break; default: -- cgit v1.1 From 265273e8b38dc2eff285d18cc470521a74f80db7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 24 Jan 2024 11:13:19 +0100 Subject: tests: early data status: Add "not sent" scenario Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 ++ tests/suites/test_suite_ssl.function | 58 ++++++++++++++++++++++++++++++------ 2 files changed, 52 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 916849d..ca4a2dc 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3285,3 +3285,6 @@ tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR TLS 1.3 cli, early data status, early data accepted tls13_cli_early_data_status:TEST_EARLY_DATA_ACCEPTED + +TLS 1.3 cli, early data status, no early data indication +tls13_cli_early_data_status:TEST_EARLY_DATA_NO_INDICATION_SENT diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 920aa2f..5bb9680 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -14,8 +14,9 @@ /* Mnemonics for the early data test scenarios */ #define TEST_EARLY_DATA_ACCEPTED 0 -#define TEST_EARLY_DATA_DEPROTECT_AND_DISCARD 1 -#define TEST_EARLY_DATA_DISCARD_AFTER_HRR 2 +#define TEST_EARLY_DATA_NO_INDICATION_SENT 1 +#define TEST_EARLY_DATA_DEPROTECT_AND_DISCARD 2 +#define TEST_EARLY_DATA_DISCARD_AFTER_HRR 3 #if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ @@ -3824,6 +3825,10 @@ void tls13_cli_early_data_status(int scenario) case TEST_EARLY_DATA_ACCEPTED: break; + case TEST_EARLY_DATA_NO_INDICATION_SENT: + client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + break; + default: TEST_FAIL("Unknown scenario."); } @@ -3873,7 +3878,8 @@ void tls13_cli_early_data_status(int scenario) switch (client_ep.ssl.state) { case MBEDTLS_SSL_CLIENT_HELLO: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_NO_INDICATION_SENT: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); break; @@ -3886,6 +3892,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); break; + + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; } break; @@ -3895,6 +3906,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); break; + + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; } break; @@ -3904,24 +3920,31 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); break; - } - break; - case MBEDTLS_SSL_END_OF_EARLY_DATA: - switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_NO_INDICATION_SENT: TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; } break; + case MBEDTLS_SSL_END_OF_EARLY_DATA: + TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); + break; + case MBEDTLS_SSL_CLIENT_CERTIFICATE: switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); break; + + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; } break; @@ -3931,11 +3954,17 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); break; + + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; } break; #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: + TEST_ASSERT(scenario != TEST_EARLY_DATA_NO_INDICATION_SENT); switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: TEST_EQUAL(client_ep.ssl.early_data_status, @@ -3943,6 +3972,12 @@ void tls13_cli_early_data_status(int scenario) break; } break; + + case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: + TEST_ASSERT(scenario == TEST_EARLY_DATA_NO_INDICATION_SENT); + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ @@ -3953,6 +3988,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED); break; + + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; } break; -- cgit v1.1 From d6dba675b8b65e9bde5dc16fcbd3ce82f054a00f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 24 Jan 2024 12:22:24 +0100 Subject: tests: early data status: Add "server rejects" scenario Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 7 +++-- tests/suites/test_suite_ssl.function | 57 +++++++++++++++++++++++++++++------- 2 files changed, 52 insertions(+), 12 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index ca4a2dc..0b4f911 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3277,8 +3277,8 @@ tls13_resume_session_with_ticket TLS 1.3 early data, early data accepted tls13_early_data:TEST_EARLY_DATA_ACCEPTED -TLS 1.3 early data, deprotect and discard -tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD +TLS 1.3 early data, server rejects early data +tls13_early_data:TEST_EARLY_DATA_SERVER_REJECTS TLS 1.3 early data, discard after HRR tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR @@ -3288,3 +3288,6 @@ tls13_cli_early_data_status:TEST_EARLY_DATA_ACCEPTED TLS 1.3 cli, early data status, no early data indication tls13_cli_early_data_status:TEST_EARLY_DATA_NO_INDICATION_SENT + +TLS 1.3 cli, early data status, server rejects early data +tls13_cli_early_data_status:TEST_EARLY_DATA_SERVER_REJECTS diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 5bb9680..29ec9b3 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -15,7 +15,7 @@ /* Mnemonics for the early data test scenarios */ #define TEST_EARLY_DATA_ACCEPTED 0 #define TEST_EARLY_DATA_NO_INDICATION_SENT 1 -#define TEST_EARLY_DATA_DEPROTECT_AND_DISCARD 2 +#define TEST_EARLY_DATA_SERVER_REJECTS 2 #define TEST_EARLY_DATA_DISCARD_AFTER_HRR 3 #if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ @@ -3699,7 +3699,7 @@ void tls13_early_data(int scenario) case TEST_EARLY_DATA_ACCEPTED: break; - case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: + case TEST_EARLY_DATA_SERVER_REJECTS: mbedtls_debug_set_threshold(3); server_pattern.pattern = "EarlyData: deprotect and discard app data records."; @@ -3766,7 +3766,7 @@ void tls13_early_data(int scenario) TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); break; - case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ case TEST_EARLY_DATA_DISCARD_AFTER_HRR: TEST_EQUAL(ret, 0); TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); @@ -3829,6 +3829,10 @@ void tls13_cli_early_data_status(int scenario) client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; break; + case TEST_EARLY_DATA_SERVER_REJECTS: + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + break; + default: TEST_FAIL("Unknown scenario."); } @@ -3879,7 +3883,8 @@ void tls13_cli_early_data_status(int scenario) case MBEDTLS_SSL_CLIENT_HELLO: switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ - case TEST_EARLY_DATA_NO_INDICATION_SENT: + case TEST_EARLY_DATA_NO_INDICATION_SENT: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); break; @@ -3888,7 +3893,8 @@ void tls13_cli_early_data_status(int scenario) case MBEDTLS_SSL_SERVER_HELLO: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); break; @@ -3902,7 +3908,8 @@ void tls13_cli_early_data_status(int scenario) case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); break; @@ -3925,6 +3932,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; + + case TEST_EARLY_DATA_SERVER_REJECTS: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; } break; @@ -3945,6 +3957,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; + + case TEST_EARLY_DATA_SERVER_REJECTS: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; } break; @@ -3959,6 +3976,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; + + case TEST_EARLY_DATA_SERVER_REJECTS: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; } break; @@ -3966,7 +3988,8 @@ void tls13_cli_early_data_status(int scenario) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: TEST_ASSERT(scenario != TEST_EARLY_DATA_NO_INDICATION_SENT); switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_SENT); break; @@ -3974,9 +3997,18 @@ void tls13_cli_early_data_status(int scenario) break; case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: - TEST_ASSERT(scenario == TEST_EARLY_DATA_NO_INDICATION_SENT); - TEST_EQUAL(client_ep.ssl.early_data_status, - MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + TEST_ASSERT(scenario != TEST_EARLY_DATA_ACCEPTED); + switch (scenario) { + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; + + case TEST_EARLY_DATA_SERVER_REJECTS: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; + } break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ @@ -3993,6 +4025,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; + + case TEST_EARLY_DATA_SERVER_REJECTS: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; } break; -- cgit v1.1 From 2261ab298f15385d3b75f9adc0e99a7cd58b3699 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 24 Jan 2024 13:38:31 +0100 Subject: tests: early data status: Add HRR scenario Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 5 ++- tests/suites/test_suite_ssl.function | 68 +++++++++++++++++++++++++++++++----- 2 files changed, 63 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 0b4f911..69ccf26 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3281,7 +3281,7 @@ TLS 1.3 early data, server rejects early data tls13_early_data:TEST_EARLY_DATA_SERVER_REJECTS TLS 1.3 early data, discard after HRR -tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR +tls13_early_data:TEST_EARLY_DATA_HRR TLS 1.3 cli, early data status, early data accepted tls13_cli_early_data_status:TEST_EARLY_DATA_ACCEPTED @@ -3291,3 +3291,6 @@ tls13_cli_early_data_status:TEST_EARLY_DATA_NO_INDICATION_SENT TLS 1.3 cli, early data status, server rejects early data tls13_cli_early_data_status:TEST_EARLY_DATA_SERVER_REJECTS + +TLS 1.3 cli, early data status, hello retry request +tls13_cli_early_data_status:TEST_EARLY_DATA_HRR diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 29ec9b3..2751e58 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -16,7 +16,7 @@ #define TEST_EARLY_DATA_ACCEPTED 0 #define TEST_EARLY_DATA_NO_INDICATION_SENT 1 #define TEST_EARLY_DATA_SERVER_REJECTS 2 -#define TEST_EARLY_DATA_DISCARD_AFTER_HRR 3 +#define TEST_EARLY_DATA_HRR 3 #if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ @@ -3706,7 +3706,7 @@ void tls13_early_data(int scenario) server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; break; - case TEST_EARLY_DATA_DISCARD_AFTER_HRR: + case TEST_EARLY_DATA_HRR: mbedtls_debug_set_threshold(3); server_pattern.pattern = "EarlyData: Ignore application message before 2nd ClientHello"; @@ -3767,7 +3767,7 @@ void tls13_early_data(int scenario) break; case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ - case TEST_EARLY_DATA_DISCARD_AFTER_HRR: + case TEST_EARLY_DATA_HRR: TEST_EQUAL(ret, 0); TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); TEST_EQUAL(server_pattern.counter, 1); @@ -3797,6 +3797,11 @@ void tls13_cli_early_data_status(int scenario) mbedtls_test_handshake_test_options client_options; mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; + uint16_t group_list[3] = { + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_NONE + }; mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); @@ -3813,6 +3818,10 @@ void tls13_cli_early_data_status(int scenario) client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; server_options.pk_alg = MBEDTLS_PK_ECDSA; server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + if (scenario == TEST_EARLY_DATA_HRR) { + client_options.group_list = group_list; + server_options.group_list = group_list; + } ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, &saved_session); @@ -3833,6 +3842,10 @@ void tls13_cli_early_data_status(int scenario) server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; break; + case TEST_EARLY_DATA_HRR: + server_options.group_list = group_list + 1; + break; + default: TEST_FAIL("Unknown scenario."); } @@ -3888,6 +3901,16 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); break; + + case TEST_EARLY_DATA_HRR: + if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); + } else { + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + } + break; } break; @@ -3903,6 +3926,16 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; + + case TEST_EARLY_DATA_HRR: + if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); + } else { + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + } + break; } break; @@ -3918,6 +3951,11 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; + + case TEST_EARLY_DATA_HRR: + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; } break; @@ -3933,7 +3971,8 @@ void tls13_cli_early_data_status(int scenario) MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; @@ -3958,7 +3997,8 @@ void tls13_cli_early_data_status(int scenario) MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; @@ -3977,7 +4017,8 @@ void tls13_cli_early_data_status(int scenario) MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; @@ -3989,13 +4030,20 @@ void tls13_cli_early_data_status(int scenario) TEST_ASSERT(scenario != TEST_EARLY_DATA_NO_INDICATION_SENT); switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_SENT); break; } break; + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: + TEST_ASSERT(scenario == TEST_EARLY_DATA_HRR); + TEST_EQUAL(client_ep.ssl.early_data_status, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; + case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: TEST_ASSERT(scenario != TEST_EARLY_DATA_ACCEPTED); switch (scenario) { @@ -4004,7 +4052,8 @@ void tls13_cli_early_data_status(int scenario) MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; @@ -4026,7 +4075,8 @@ void tls13_cli_early_data_status(int scenario) MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); break; - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; -- cgit v1.1 From 6269f3baf497e3a9b8d5e9d8d40d8a9c4af144f6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:55:18 +0100 Subject: Revert "psa_util: allow larger raw buffers in mbedtls_ecdsa_raw_to_der()" This reverts commit d4fc5d9d1c76a6cb978ceb4cc74ec62b111b0007. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 2 +- library/psa_util.c | 2 +- tests/suites/test_suite_psa_crypto_util.data | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 9294d29..a5f09a4 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -188,7 +188,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of \p raw in bytes. This must be at least + * \param raw_len Length of \p raw in bytes. This must be * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. diff --git a/library/psa_util.c b/library/psa_util.c index 7ce5eea..674f21b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (raw_len < 2 * coordinate_len) { + if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index eb205b9..1d17029 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -42,6 +42,10 @@ ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -- cgit v1.1 From cf81f6997759decd200a8953cd9d3f46f3de447a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:57:12 +0100 Subject: psa_util: smarter raw length check in mbedtls_ecdsa_raw_to_der() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index 674f21b..970274e 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { + if (raw_len != (2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } -- cgit v1.1 From bb76f80218fa679eff384a1dace645d5faa5774f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:57:23 +0100 Subject: pk_wrap: use proper raw buffer length in ecdsa_sign_psa() Signed-off-by: Valerio Setti --- library/pk_wrap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index c45fbd4..d61a7cb 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -729,7 +729,7 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, } done: - ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, sig_size, sig, sig_size, sig_len); + ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, *sig_len, sig, sig_size, sig_len); return ret; } -- cgit v1.1 From 1810fd9ac8f78be06558b3cdfacc70a9b3ece362 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 17:02:49 +0100 Subject: add changelog Signed-off-by: Valerio Setti --- ChangeLog.d/7765.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/7765.txt diff --git a/ChangeLog.d/7765.txt b/ChangeLog.d/7765.txt new file mode 100644 index 0000000..3dd6b5d --- /dev/null +++ b/ChangeLog.d/7765.txt @@ -0,0 +1,3 @@ +Features + * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to + convert ECDSA signatures between raw and DER (ASN.1) formats. -- cgit v1.1 From a76a0011aba1b192df04b710ae876f4395381439 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 6 Feb 2024 16:45:54 +0000 Subject: Remove mutex calls in psa_wipe_all_key_slots Code size and code style improvement, these calls aren't needed. Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index f4c6ee0..9890de6 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -144,9 +144,6 @@ void psa_wipe_all_key_slots(void) { size_t slot_idx; -#if defined(MBEDTLS_THREADING_C) - mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex); -#endif for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) { psa_key_slot_t *slot = &global_data.key_slots[slot_idx]; slot->registered_readers = 1; @@ -154,9 +151,6 @@ void psa_wipe_all_key_slots(void) (void) psa_wipe_key_slot(slot); } global_data.key_slots_initialized = 0; -#if defined(MBEDTLS_THREADING_C) - mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex); -#endif } psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, -- cgit v1.1 From e053cb2f12ad05b58406a28724b362eeffd09cdb Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 6 Feb 2024 14:57:43 +0000 Subject: Stop platform test failures with GCC and TSAN Signed-off-by: Paul Elliott --- tests/include/test/helpers.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 7c962a2..47d4dcd 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -23,6 +23,10 @@ #if defined(__SANITIZE_ADDRESS__) /* gcc -fsanitize=address */ # define MBEDTLS_TEST_HAVE_ASAN #endif +#if defined(__SANITIZE_THREAD__) /* gcc -fsanitize-thread */ +# define MBEDTLS_TEST_HAVE_TSAN +#endif + #if defined(__has_feature) # if __has_feature(address_sanitizer) /* clang -fsanitize=address */ # define MBEDTLS_TEST_HAVE_ASAN -- cgit v1.1 From 30a303f1a8b856cfd6d44ad89754a018e49fb479 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 6 Feb 2024 19:45:11 +0100 Subject: ECDSA signature conversion: put bits first Metadata, then inputs, then outputs. https://github.com/Mbed-TLS/mbedtls/pull/8703#discussion_r1474697136 Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index e09d23c..ec3fcd0 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -330,12 +330,12 @@ Based on the [gap analysis](#signature-formats): [ACTION] [#7765](https://github.com/Mbed-TLS/mbedtls/issues/7765) Implement `mbedtls_ecdsa_raw_to_der` and `mbedtls_ecdsa_der_to_raw` as described below. ``` -int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, - unsigned char *der, size_t der_size, size_t *der_len, - size_t bits); -int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, - unsigned char *raw, size_t raw_size, size_t *raw_len, - size_t bits); +int mbedtls_ecdsa_raw_to_der(size_t bits, + const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len); +int mbedtls_ecdsa_der_to_raw(size_t bits, + const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len); ``` * These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`. -- cgit v1.1 From 447bbce8b4e7fd95388dc365b71c09202cb3d238 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Feb 2024 08:02:03 +0100 Subject: rsa: remove unnecessary check in priv/pub key parsing Signed-off-by: Valerio Setti --- library/rsa.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index b250e1d..c8ea980 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -107,12 +107,9 @@ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, si return ret; } + /* mbedtls_asn1_get_tag() already ensures that len is valid (i.e. p+len <= end)*/ end = p + len; - if (end > (key + keylen)) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - } - if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { return ret; } @@ -243,12 +240,9 @@ int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, return ret; } + /* mbedtls_asn1_get_tag() already ensures that len is valid (i.e. p+len <= end)*/ end = p + len; - if (end > (key + keylen)) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - } - /* Import N */ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { return ret; -- cgit v1.1 From b62732e1d645e5d7d21e198f556e94437bc69d7f Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 30 Nov 2023 09:58:08 +0000 Subject: tls13: cli: Add mbedtls_ssl_write_early_data() API Signed-off-by: Xiaokang Qian Signed-off-by: Ronald Cron --- library/ssl_msg.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c2e64c6..f3bb323 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -6058,6 +6058,81 @@ int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t return ret; } +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) +int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const struct mbedtls_ssl_config *conf; + int written_data_len = 0; + + MBEDTLS_SSL_DEBUG_MSG(2, ("=> write early_data")); + + if (ssl == NULL || (conf = ssl->conf) == NULL) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + if ((!mbedtls_ssl_conf_is_tls13_enabled(conf)) || + (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) || + (conf->early_data_enabled != MBEDTLS_SSL_EARLY_DATA_ENABLED)) { + return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA; + } + + if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) { + return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA; + } + + /* + * If we are at the beginning of the handshake, advance the handshake just + * enough to be able to send early data if possible. That way, we can + * guarantee that when starting the handshake with this function we will + * send at least one record of early data. + * Otherwise, resume the handshake and if the handshake sequence stops + * waiting for some message from the server, send early data if we can. + */ + + if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN) || + (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_SENT)) { + while ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN) || + (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_SENT)) { + ret = mbedtls_ssl_handshake_step(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake_step", ret); + return ret; + } + + ret = mbedtls_ssl_flush_output(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret); + return ret; + } + } + } else { + if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE) && + (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) { + return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA; + } + + ret = mbedtls_ssl_handshake(ssl); + if ((ret != 0) && (ret != MBEDTLS_ERR_SSL_WANT_READ)) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); + return ret; + } + } + + if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE) && + (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) { + return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA; + } + + written_data_len = ssl_write_real(ssl, buf, len); + + MBEDTLS_SSL_DEBUG_MSG(2, ("<= write early_data, len=%d", written_data_len)); + + return written_data_len; +} +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ + /* * Notify the peer that the connection is being closed */ -- cgit v1.1 From 54a382945334a179e9437c8ef78f6c6f6490bd50 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 25 Jan 2024 09:39:59 +0100 Subject: ssl_client2: Simplify early_data option No need to define specific early data, the idea is rather to just send the usual request data as early data instead of standard application data. Signed-off-by: Ronald Cron --- programs/ssl/ssl_client2.c | 40 ++++++++++++++------------------------- tests/opt-testcases/tls13-misc.sh | 4 ++-- 2 files changed, 16 insertions(+), 28 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 1b3dedb..83be107 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -52,7 +52,7 @@ int main(void) #define DFL_KEY_OPAQUE 0 #define DFL_KEY_PWD "" #define DFL_PSK "" -#define DFL_EARLY_DATA "" +#define DFL_EARLY_DATA MBEDTLS_SSL_EARLY_DATA_DISABLED #define DFL_PSK_OPAQUE 0 #define DFL_PSK_IDENTITY "Client_identity" #define DFL_ECJPAKE_PW NULL @@ -347,9 +347,8 @@ int main(void) #if defined(MBEDTLS_SSL_EARLY_DATA) #define USAGE_EARLY_DATA \ - " early_data=%%s The file path to read early data from\n" \ - " default: \"\" (do nothing)\n" \ - " option: a file path\n" + " early_data=%%d default: 0 (disabled)\n" \ + " options: 0 (disabled), 1 (enabled)\n" #else #define USAGE_EARLY_DATA "" #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_PROTO_TLS1_3 */ @@ -544,7 +543,7 @@ struct options { int reproducible; /* make communication reproducible */ int skip_close_notify; /* skip sending the close_notify alert */ #if defined(MBEDTLS_SSL_EARLY_DATA) - const char *early_data; /* the path of the file to read early data from */ + int early_data; /* early data enablement flag */ #endif int query_config_mode; /* whether to read config */ int use_srtp; /* Support SRTP */ @@ -742,10 +741,6 @@ int main(int argc, char *argv[]) size_t cid_renego_len = 0; #endif -#if defined(MBEDTLS_SSL_EARLY_DATA) - FILE *early_data_fp = NULL; -#endif /* MBEDTLS_SSL_EARLY_DATA */ - #if defined(MBEDTLS_SSL_ALPN) const char *alpn_list[ALPN_LIST_SIZE]; #endif @@ -1201,7 +1196,15 @@ usage: #if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_EARLY_DATA) else if (strcmp(p, "early_data") == 0) { - opt.early_data = q; + switch (atoi(q)) { + case 0: + opt.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + break; + case 1: + opt.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + break; + default: goto usage; + } } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1968,16 +1971,7 @@ usage: } #if defined(MBEDTLS_SSL_EARLY_DATA) - int early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED; - if (strlen(opt.early_data) > 0) { - if ((early_data_fp = fopen(opt.early_data, "rb")) == NULL) { - mbedtls_printf("failed\n ! Cannot open '%s' for reading.\n", - opt.early_data); - goto exit; - } - early_data_enabled = MBEDTLS_SSL_EARLY_DATA_ENABLED; - } - mbedtls_ssl_conf_early_data(&conf, early_data_enabled); + mbedtls_ssl_conf_early_data(&conf, opt.early_data); #endif /* MBEDTLS_SSL_EARLY_DATA */ if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) { @@ -3035,12 +3029,6 @@ exit: mbedtls_ssl_config_free(&conf); mbedtls_ssl_session_free(&saved_session); -#if defined(MBEDTLS_SSL_EARLY_DATA) - if (early_data_fp != NULL) { - fclose(early_data_fp); - } -#endif - if (session_data != NULL) { mbedtls_platform_zeroize(session_data, session_data_len); } diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 4e6bf87..b24f718 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -263,7 +263,7 @@ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK \ --earlydata --maxearlydata 16384 --disable-client-cert" \ - "$P_CLI debug_level=4 early_data=$EARLY_DATA_INPUT reco_mode=1 reconnect=1 reco_delay=900" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \ 0 \ -c "received max_early_data_size: 16384" \ -c "Reconnecting with saved session" \ @@ -287,7 +287,7 @@ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ - "$P_CLI debug_level=4 early_data=$EARLY_DATA_INPUT reco_mode=1 reconnect=1" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \ 0 \ -c "Reconnecting with saved session" \ -C "NewSessionTicket: early_data(42) extension received." \ -- cgit v1.1 From 4e1bd470fb1f1d8fc526cd5b7dfef45ca3199814 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 23 Jan 2024 09:18:54 +0100 Subject: ssl_client2: Move code to build http request Move code to build http request into a dedicated function. Signed-off-by: Ronald Cron --- programs/ssl/ssl_client2.c | 67 +++++++++++++++++++++++++++------------------- 1 file changed, 39 insertions(+), 28 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 83be107..da58899 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -716,9 +716,46 @@ exit: return ret; } +/* + * Build HTTP request + */ +static void build_http_request(unsigned char *buf, size_t buf_size, int *request_len) +{ + int len, tail_len; + + len = mbedtls_snprintf((char *) buf, buf_size, GET_REQUEST, opt.request_page); + tail_len = (int) strlen(GET_REQUEST_END); + + /* Add padding to GET request to reach opt.request_size in length */ + if (opt.request_size != DFL_REQUEST_SIZE && + len + tail_len < opt.request_size) { + memset(buf + len, 'A', opt.request_size - len - tail_len); + len += opt.request_size - len - tail_len; + } + + strncpy((char *) buf + len, GET_REQUEST_END, buf_size - len); + len += tail_len; + + /* Truncate if request size is smaller than the "natural" size */ + if (opt.request_size != DFL_REQUEST_SIZE && + len > opt.request_size) { + len = opt.request_size; + + /* Still end with \r\n unless that's really not possible */ + if (len >= 2) { + buf[len - 2] = '\r'; + } + if (len >= 1) { + buf[len - 1] = '\n'; + } + } + + *request_len = len; +} + int main(int argc, char *argv[]) { - int ret = 0, len, tail_len, i, written, frags, retry_left; + int ret = 0, len, i, written, frags, retry_left; int query_config_ret = 0; mbedtls_net_context server_fd; io_ctx_t io_ctx; @@ -2442,33 +2479,7 @@ send_request: mbedtls_printf(" > Write to server:"); fflush(stdout); - len = mbedtls_snprintf((char *) buf, sizeof(buf) - 1, GET_REQUEST, - opt.request_page); - tail_len = (int) strlen(GET_REQUEST_END); - - /* Add padding to GET request to reach opt.request_size in length */ - if (opt.request_size != DFL_REQUEST_SIZE && - len + tail_len < opt.request_size) { - memset(buf + len, 'A', opt.request_size - len - tail_len); - len += opt.request_size - len - tail_len; - } - - strncpy((char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1); - len += tail_len; - - /* Truncate if request size is smaller than the "natural" size */ - if (opt.request_size != DFL_REQUEST_SIZE && - len > opt.request_size) { - len = opt.request_size; - - /* Still end with \r\n unless that's really not possible */ - if (len >= 2) { - buf[len - 2] = '\r'; - } - if (len >= 1) { - buf[len - 1] = '\n'; - } - } + build_http_request(buf, sizeof(buf) - 1, &len); if (opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM) { written = 0; -- cgit v1.1 From ccfaefa361631c95d183611c02722dafe08b7455 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 25 Jan 2024 14:34:16 +0100 Subject: ssl_client2: Switch from int to size_t Switch from int to size_t for some data lengths and counter local variables. Signed-off-by: Ronald Cron --- programs/ssl/ssl_client2.c | 52 +++++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index da58899..0939393 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -719,18 +719,27 @@ exit: /* * Build HTTP request */ -static void build_http_request(unsigned char *buf, size_t buf_size, int *request_len) +static int build_http_request(unsigned char *buf, size_t buf_size, size_t *request_len) { - int len, tail_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len, tail_len, request_size; + + ret = mbedtls_snprintf((char *) buf, buf_size, GET_REQUEST, opt.request_page); + if (ret < 0) { + return ret; + } - len = mbedtls_snprintf((char *) buf, buf_size, GET_REQUEST, opt.request_page); - tail_len = (int) strlen(GET_REQUEST_END); + len = (size_t) ret; + tail_len = strlen(GET_REQUEST_END); + if (opt.request_size != DFL_REQUEST_SIZE) { + request_size = (size_t) opt.request_size; + } /* Add padding to GET request to reach opt.request_size in length */ if (opt.request_size != DFL_REQUEST_SIZE && - len + tail_len < opt.request_size) { - memset(buf + len, 'A', opt.request_size - len - tail_len); - len += opt.request_size - len - tail_len; + len + tail_len < request_size) { + memset(buf + len, 'A', request_size - len - tail_len); + len = request_size - tail_len; } strncpy((char *) buf + len, GET_REQUEST_END, buf_size - len); @@ -738,8 +747,8 @@ static void build_http_request(unsigned char *buf, size_t buf_size, int *request /* Truncate if request size is smaller than the "natural" size */ if (opt.request_size != DFL_REQUEST_SIZE && - len > opt.request_size) { - len = opt.request_size; + len > request_size) { + len = request_size; /* Still end with \r\n unless that's really not possible */ if (len >= 2) { @@ -751,11 +760,14 @@ static void build_http_request(unsigned char *buf, size_t buf_size, int *request } *request_len = len; + + return 0; } int main(int argc, char *argv[]) { - int ret = 0, len, i, written, frags, retry_left; + int ret = 0, i; + size_t len, written, frags, retry_left; int query_config_ret = 0; mbedtls_net_context server_fd; io_ctx_t io_ctx; @@ -2479,7 +2491,10 @@ send_request: mbedtls_printf(" > Write to server:"); fflush(stdout); - build_http_request(buf, sizeof(buf) - 1, &len); + ret = build_http_request(buf, sizeof(buf) - 1, &len); + if (ret != 0) { + goto exit; + } if (opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM) { written = 0; @@ -2550,8 +2565,11 @@ send_request: } buf[written] = '\0'; - mbedtls_printf(" %d bytes written in %d fragments\n\n%s\n", - written, frags, (char *) buf); + mbedtls_printf( + " %" MBEDTLS_PRINTF_SIZET " bytes written in %" MBEDTLS_PRINTF_SIZET " fragments\n\n%s\n", + written, + frags, + (char *) buf); /* Send a non-empty request if request_size == 0 */ if (len == 0) { @@ -2658,7 +2676,9 @@ send_request: len = ret; buf[len] = '\0'; - mbedtls_printf(" < Read from server: %d bytes read\n\n%s", len, (char *) buf); + mbedtls_printf(" < Read from server: %" MBEDTLS_PRINTF_SIZET " bytes read\n\n%s", + len, + (char *) buf); fflush(stdout); /* End of message should be detected according to the syntax of the * application protocol (eg HTTP), just use a dummy test here. */ @@ -2717,7 +2737,9 @@ send_request: len = ret; buf[len] = '\0'; - mbedtls_printf(" < Read from server: %d bytes read\n\n%s", len, (char *) buf); + mbedtls_printf(" < Read from server: %" MBEDTLS_PRINTF_SIZET " bytes read\n\n%s", + len, + (char *) buf); ret = 0; } -- cgit v1.1 From 2fe0ec8c3195a4fdea120228f543a37120daf3fc Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 23 Jan 2024 17:20:46 +0100 Subject: ssl_client2: Add buffer overflow check Add buffer overflow check to build_http_request(). Signed-off-by: Ronald Cron --- programs/ssl/ssl_client2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 0939393..b501b9f 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -733,6 +733,12 @@ static int build_http_request(unsigned char *buf, size_t buf_size, size_t *reque tail_len = strlen(GET_REQUEST_END); if (opt.request_size != DFL_REQUEST_SIZE) { request_size = (size_t) opt.request_size; + } else { + request_size = len + tail_len; + } + + if (request_size > buf_size) { + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; } /* Add padding to GET request to reach opt.request_size in length */ -- cgit v1.1 From a5561893e76acd5f9a3a822e4ad323875c0c4fde Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 23 Jan 2024 10:30:57 +0100 Subject: ssl_client2: Add support for early data writing Signed-off-by: Ronald Cron --- programs/ssl/ssl_client2.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index b501b9f..0723be8 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -3035,6 +3035,55 @@ reconnect: goto exit; } + ret = build_http_request(buf, sizeof(buf) - 1, &len); + if (ret != 0) { + goto exit; + } + +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (opt.early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED) { + frags = 0; + written = 0; + do { + while ((ret = mbedtls_ssl_write_early_data(&ssl, buf + written, + len - written)) < 0) { + if (ret == MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA) { + break; + } + if (ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE && + ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { + mbedtls_printf(" failed\n ! mbedtls_ssl_write returned -0x%x\n\n", + (unsigned int) -ret); + goto exit; + } + + /* For event-driven IO, wait for socket to become available */ + if (opt.event == 1 /* level triggered IO */) { +#if defined(MBEDTLS_TIMING_C) + idle(&server_fd, &timer, ret); +#else + idle(&server_fd, ret); +#endif + } + } + if (ret == MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA) { + break; + } + + frags++; + written += ret; + } while (written < len); + } + + buf[written] = '\0'; + mbedtls_printf( + " %" MBEDTLS_PRINTF_SIZET " bytes of early data written in %" MBEDTLS_PRINTF_SIZET " fragments\n\n%s\n", + written, + frags, + (char *) buf); +#endif /* MBEDTLS_SSL_EARLY_DATA */ + while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) { if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && -- cgit v1.1 From 30bb7ce9a23bb809a9d336c27d714cf37495cff8 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 30 Nov 2023 09:59:09 +0000 Subject: Add test case for early data writing Signed-off-by: Xiaokang Qian Signed-off-by: Ronald Cron --- tests/opt-testcases/tls13-misc.sh | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index b24f718..ad062dc 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -285,6 +285,31 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_EARLY_DATA requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +run_test "TLS 1.3 m->G: EarlyData: write early data, good" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \ + 0 \ + -c "Reconnecting with saved session" \ + -c "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension exists." \ + -c "EncryptedExtensions: early_data(42) extension received." \ + -c "EncryptedExtensions: early_data(42) extension exists." \ + -c "<= write early_data" \ + -c "<= write EndOfEarlyData" \ + -s "Parsing extension 'Early Data/42' (0 bytes)" \ + -s "Sending extension Early Data/42 (0 bytes)" \ + -s "END OF EARLY DATA (5) was received." \ + -s "early data accepted" \ + -s "decrypted early data with length" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA +requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \ -- cgit v1.1 From 2fbbba9c5199cfaa425a287be0dcb8cda00737b0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 20:13:42 +0100 Subject: tests: ssl: Add write early data unit test Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 + tests/suites/test_suite_ssl.function | 200 +++++++++++++++++++++++++++++++++++ 2 files changed, 203 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 69ccf26..0592a5f 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3294,3 +3294,6 @@ tls13_cli_early_data_status:TEST_EARLY_DATA_SERVER_REJECTS TLS 1.3 cli, early data status, hello retry request tls13_cli_early_data_status:TEST_EARLY_DATA_HRR + +TLS 1.3 write early data, early data accepted +tls13_write_early_data:TEST_EARLY_DATA_ACCEPTED diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 2751e58..840a201 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4101,3 +4101,203 @@ exit: PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +void tls13_write_early_data(int scenario) +{ + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options client_options; + mbedtls_test_handshake_test_options server_options; + mbedtls_ssl_session saved_session; + + int client_state, previous_client_state; + const char *early_data_string = "This is early data."; + const unsigned char *early_data = (const unsigned char *) early_data_string; + size_t early_data_len = strlen(early_data_string); + int write_early_data_ret; + + mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); + mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); + mbedtls_test_init_handshake_options(&client_options); + mbedtls_test_init_handshake_options(&server_options); + mbedtls_ssl_session_init(&saved_session); + + PSA_INIT(); + + /* + * Run first handshake to get a ticket from the server. + */ + client_options.pk_alg = MBEDTLS_PK_ECDSA; + client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + + ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, + &saved_session); + TEST_EQUAL(ret, 0); + + + /* + * Prepare for handshake with the ticket. + */ + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + break; + + default: + TEST_FAIL("Unknown scenario."); + } + + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, + &client_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, + &server_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, + mbedtls_test_ticket_write, + mbedtls_test_ticket_parse, + NULL); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + /* + * Run handshakes and test the writing of early data in each possible + * state. + */ + previous_client_state = MBEDTLS_SSL_HELLO_REQUEST; + client_state = MBEDTLS_SSL_HELLO_REQUEST; + + while (client_state != MBEDTLS_SSL_HANDSHAKE_OVER) { + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + previous_client_state), 0); + + /* Progress the handshake from at least one state */ + while (client_ep.ssl.state == previous_client_state) { + ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); + TEST_ASSERT((ret == 0) || + (ret == MBEDTLS_ERR_SSL_WANT_READ) || + (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); + if (client_ep.ssl.state != previous_client_state) { + break; + } + ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); + TEST_ASSERT((ret == 0) || + (ret == MBEDTLS_ERR_SSL_WANT_READ) || + (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); + } + + client_state = client_ep.ssl.state; + write_early_data_ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), + early_data, + early_data_len); + + switch (client_state) { + case MBEDTLS_SSL_CLIENT_HELLO: + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(write_early_data_ret, early_data_len); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); + break; + } + break; + + case MBEDTLS_SSL_SERVER_HELLO: + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(write_early_data_ret, early_data_len); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); + break; + } + break; + + case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(write_early_data_ret, early_data_len); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); + break; + } + break; + + case MBEDTLS_SSL_SERVER_FINISHED: + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(write_early_data_ret, early_data_len); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); + break; + } + break; + + case MBEDTLS_SSL_END_OF_EARLY_DATA: + TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_END_OF_EARLY_DATA); + break; + +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(write_early_data_ret, early_data_len); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); + break; + } + break; + +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + + case MBEDTLS_SSL_CLIENT_CERTIFICATE: /* Intentional fallthrough */ + case MBEDTLS_SSL_CLIENT_FINISHED: /* Intentional fallthrough */ + case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ + case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ + case MBEDTLS_SSL_HANDSHAKE_OVER: + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, client_state); + break; + } + break; + + default: + TEST_FAIL("Unexpected state."); + } + + mbedtls_test_mock_socket_close(&(client_ep.socket)); + mbedtls_test_mock_socket_close(&(server_ep.socket)); + + ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + previous_client_state = client_state; + } + +exit: + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_free_handshake_options(&client_options); + mbedtls_test_free_handshake_options(&server_options); + mbedtls_ssl_session_free(&saved_session); + PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From 8fe2b01b524dc88edd6e788d9e44bf8d0a5ed516 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 20:25:00 +0100 Subject: tests: write early data: Add "not sent" scenario Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 +++ tests/suites/test_suite_ssl.function | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 0592a5f..9bf44a1 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3297,3 +3297,6 @@ tls13_cli_early_data_status:TEST_EARLY_DATA_HRR TLS 1.3 write early data, early data accepted tls13_write_early_data:TEST_EARLY_DATA_ACCEPTED + +TLS 1.3 write early data, no early data indication +tls13_write_early_data:TEST_EARLY_DATA_NO_INDICATION_SENT diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 840a201..cf00b4e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4145,6 +4145,10 @@ void tls13_write_early_data(int scenario) case TEST_EARLY_DATA_ACCEPTED: break; + case TEST_EARLY_DATA_NO_INDICATION_SENT: + client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + break; + default: TEST_FAIL("Unknown scenario."); } @@ -4201,6 +4205,11 @@ void tls13_write_early_data(int scenario) early_data, early_data_len); + if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) { + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, client_state); + } + switch (client_state) { case MBEDTLS_SSL_CLIENT_HELLO: switch (scenario) { -- cgit v1.1 From 05600e26f4dd4ba5f20a8f860db9e987d49813a5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 10:23:31 +0100 Subject: tests: write early data: Add "server rejects" scenario Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 +++ tests/suites/test_suite_ssl.function | 34 ++++++++++++++++++++++++++++------ 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 9bf44a1..15ad96c 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3300,3 +3300,6 @@ tls13_write_early_data:TEST_EARLY_DATA_ACCEPTED TLS 1.3 write early data, no early data indication tls13_write_early_data:TEST_EARLY_DATA_NO_INDICATION_SENT + +TLS 1.3 write early data, server rejects early data +tls13_write_early_data:TEST_EARLY_DATA_SERVER_REJECTS diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index cf00b4e..6681c04 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4110,7 +4110,6 @@ void tls13_write_early_data(int scenario) mbedtls_test_handshake_test_options client_options; mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; - int client_state, previous_client_state; const char *early_data_string = "This is early data."; const unsigned char *early_data = (const unsigned char *) early_data_string; @@ -4149,6 +4148,10 @@ void tls13_write_early_data(int scenario) client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; break; + case TEST_EARLY_DATA_SERVER_REJECTS: + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + break; + default: TEST_FAIL("Unknown scenario."); } @@ -4213,7 +4216,8 @@ void tls13_write_early_data(int scenario) switch (client_state) { case MBEDTLS_SSL_CLIENT_HELLO: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); break; @@ -4222,7 +4226,8 @@ void tls13_write_early_data(int scenario) case MBEDTLS_SSL_SERVER_HELLO: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); break; @@ -4231,7 +4236,8 @@ void tls13_write_early_data(int scenario) case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); break; @@ -4244,6 +4250,11 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); break; + + case TEST_EARLY_DATA_SERVER_REJECTS: + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); + break; } break; @@ -4256,13 +4267,23 @@ void tls13_write_early_data(int scenario) #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); break; } break; + case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: + TEST_ASSERT(scenario != TEST_EARLY_DATA_ACCEPTED); + switch (scenario) { + case TEST_EARLY_DATA_SERVER_REJECTS: + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); + break; + } + break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ case MBEDTLS_SSL_CLIENT_CERTIFICATE: /* Intentional fallthrough */ @@ -4271,7 +4292,8 @@ void tls13_write_early_data(int scenario) case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ case MBEDTLS_SSL_HANDSHAKE_OVER: switch (scenario) { - case TEST_EARLY_DATA_ACCEPTED: + case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ + case TEST_EARLY_DATA_SERVER_REJECTS: TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, client_state); break; -- cgit v1.1 From b3d42fddaee3a2a0051c177ec39494ce24fd028d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 26 Jan 2024 11:54:06 +0100 Subject: tests: write early data: Add HRR scenario Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 ++ tests/suites/test_suite_ssl.function | 83 +++++++++++++++++++++++++++++++++--- 2 files changed, 79 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 15ad96c..b30fc93 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3303,3 +3303,6 @@ tls13_write_early_data:TEST_EARLY_DATA_NO_INDICATION_SENT TLS 1.3 write early data, server rejects early data tls13_write_early_data:TEST_EARLY_DATA_SERVER_REJECTS + +TLS 1.3 write early data, hello retry request +tls13_write_early_data:TEST_EARLY_DATA_HRR diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 6681c04..d6a0d74 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4110,7 +4110,12 @@ void tls13_write_early_data(int scenario) mbedtls_test_handshake_test_options client_options; mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; - int client_state, previous_client_state; + uint16_t group_list[3] = { + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_NONE + }; + int client_state, previous_client_state, beyond_first_hello = 0; const char *early_data_string = "This is early data."; const unsigned char *early_data = (const unsigned char *) early_data_string; size_t early_data_len = strlen(early_data_string); @@ -4131,12 +4136,15 @@ void tls13_write_early_data(int scenario) client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; server_options.pk_alg = MBEDTLS_PK_ECDSA; server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + if (scenario == TEST_EARLY_DATA_HRR) { + client_options.group_list = group_list; + server_options.group_list = group_list; + } ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, &saved_session); TEST_EQUAL(ret, 0); - /* * Prepare for handshake with the ticket. */ @@ -4152,6 +4160,10 @@ void tls13_write_early_data(int scenario) server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; break; + case TEST_EARLY_DATA_HRR: + server_options.group_list = group_list + 1; + break; + default: TEST_FAIL("Unknown scenario."); } @@ -4184,6 +4196,19 @@ void tls13_write_early_data(int scenario) client_state = MBEDTLS_SSL_HELLO_REQUEST; while (client_state != MBEDTLS_SSL_HANDSHAKE_OVER) { + /* In case of HRR scenario, once we have been through it, move over + * the first ClientHello and ServerHello otherwise we just keep playing + * this first part of the handshake with HRR. + */ + if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) { + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_SERVER_HELLO) == 0); + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_CLIENT_HELLO) == 0); + } + TEST_EQUAL(mbedtls_test_move_handshake_to_state( &(client_ep.ssl), &(server_ep.ssl), previous_client_state), 0); @@ -4221,6 +4246,18 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); break; + + case TEST_EARLY_DATA_HRR: + if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + TEST_EQUAL(write_early_data_ret, early_data_len); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); + } else { + beyond_first_hello = 1; + TEST_EQUAL(write_early_data_ret, + MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_HELLO); + } + break; } break; @@ -4231,6 +4268,17 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); break; + + case TEST_EARLY_DATA_HRR: + if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + TEST_EQUAL(write_early_data_ret, early_data_len); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); + } else { + TEST_EQUAL(write_early_data_ret, + MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); + } + break; } break; @@ -4241,6 +4289,11 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); break; + + case TEST_EARLY_DATA_HRR: + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); + break; } break; @@ -4255,6 +4308,11 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); break; + + case TEST_EARLY_DATA_HRR: + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); + break; } break; @@ -4268,19 +4326,29 @@ void tls13_write_early_data(int scenario) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); break; } break; + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: + TEST_EQUAL(scenario, TEST_EARLY_DATA_HRR); + TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO); + break; + case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: TEST_ASSERT(scenario != TEST_EARLY_DATA_ACCEPTED); switch (scenario) { - case TEST_EARLY_DATA_SERVER_REJECTS: - TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); - TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: + TEST_EQUAL(write_early_data_ret, + MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); + TEST_EQUAL(client_ep.ssl.state, + MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); break; } break; @@ -4293,7 +4361,8 @@ void tls13_write_early_data(int scenario) case MBEDTLS_SSL_HANDSHAKE_OVER: switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, client_state); break; -- cgit v1.1 From 3f557ad59c3279c00258be0660723290e9ee20af Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 7 Feb 2024 11:22:16 +0100 Subject: Wording improvement Signed-off-by: Gilles Peskine --- docs/architecture/psa-migration/psa-legacy-bridges.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md index ec3fcd0..912344e 100644 --- a/docs/architecture/psa-migration/psa-legacy-bridges.md +++ b/docs/architecture/psa-migration/psa-legacy-bridges.md @@ -340,5 +340,5 @@ int mbedtls_ecdsa_der_to_raw(size_t bits, * These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`. * The input and output buffers can overlap. -* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is not needed in the raw-to-DER direction, but [it can help catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971) and the information is readily available in practice. +* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is redundant in the raw-to-DER direction, but we have it anyway because [it helps catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971), and it isn't a burden on the caller because the information is readily available in practice. * Should these functions rely on the ASN.1 module? We experimented [calling ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8681), [reimplementing simpler ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8696), and [providing the functions from the ASN.1 module](https://github.com/Mbed-TLS/mbedtls/pull/8703). Providing the functions from the ASN.1 module [won on a compromise of code size and simplicity](https://github.com/Mbed-TLS/mbedtls/issues/7765#issuecomment-1893670015). -- cgit v1.1 From 2840523ae4829984a9b163876351ab5b5a3e3dfc Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 7 Feb 2024 10:42:22 +0000 Subject: Remind contributors not to force-push Signed-off-by: Dave Rodgman --- .github/pull_request_template.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index a07e8ab..586536c 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -18,3 +18,10 @@ Please tick as appropriate and edit the reasons (e.g.: "backport: not needed bec Please refer to the [contributing guidelines](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md), especially the checklist for PR contributors. + +Help make review efficient: +* Multiple simple commits + - please structure your PR into a series of small commits, each of which does one thing +* No force-push + - please do not force-push to update your PR - just add new commit(s) + - use `git merge` (or the GitHub web interface) to resolve conflicts - not `git rebase` -- cgit v1.1 From c1a4d1f09a93d25f3037a3d56afaff3990811d94 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 7 Feb 2024 11:04:14 +0000 Subject: Remove comments about rebasing vs merging; link to longer RTD document Signed-off-by: Dave Rodgman --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 586536c..55b5964 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -24,4 +24,4 @@ Help make review efficient: - please structure your PR into a series of small commits, each of which does one thing * No force-push - please do not force-push to update your PR - just add new commit(s) - - use `git merge` (or the GitHub web interface) to resolve conflicts - not `git rebase` +* See our [Guidelines for Contributors](https://mbed-tls.readthedocs.io/en/latest/reviews/review-for-contributors/) for more details about the review process. -- cgit v1.1 From 2a6593bbb628d72a1c5be18c254ecff6e4f3961c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 7 Feb 2024 11:05:47 +0000 Subject: Slightly soften force-push suggestion Signed-off-by: Dave Rodgman --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 55b5964..9d30412 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -22,6 +22,6 @@ checklist for PR contributors. Help make review efficient: * Multiple simple commits - please structure your PR into a series of small commits, each of which does one thing -* No force-push +* Avoid force-push - please do not force-push to update your PR - just add new commit(s) * See our [Guidelines for Contributors](https://mbed-tls.readthedocs.io/en/latest/reviews/review-for-contributors/) for more details about the review process. -- cgit v1.1 From 0767fdadbf22410682658ac707c0ed9071b3ad38 Mon Sep 17 00:00:00 2001 From: Matthias Schulz Date: Wed, 7 Feb 2024 10:46:28 +0100 Subject: Enhance GCM throughput using larger precalculated tables. Also refactored the code for shorter tables and moved the check for available accelerators to the context initialization code. Signed-off-by: Matthias Schulz --- include/mbedtls/gcm.h | 37 +++-- include/mbedtls/mbedtls_config.h | 14 ++ library/gcm.c | 287 ++++++++++++++++++++++++++------------- tests/scripts/all.sh | 52 +++++++ 4 files changed, 281 insertions(+), 109 deletions(-) diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index 631b392..f475710 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -33,6 +33,11 @@ #define MBEDTLS_GCM_ENCRYPT 1 #define MBEDTLS_GCM_DECRYPT 0 +#define MBEDTLS_GCM_ACC_SMALLTABLE 0 +#define MBEDTLS_GCM_ACC_LARGETABLE 1 +#define MBEDTLS_GCM_ACC_AESNI 2 +#define MBEDTLS_GCM_ACC_AESCE 3 + /** Authenticated decryption failed. */ #define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 /** Bad input parameters to function. */ @@ -46,6 +51,12 @@ extern "C" { #if !defined(MBEDTLS_GCM_ALT) +#if defined(MBEDTLS_GCM_LARGETABLE) +#define MBEDTLS_GCM_HTABLE_SIZE 256 +#else +#define MBEDTLS_GCM_HTABLE_SIZE 16 +#endif + /** * \brief The GCM context structure. */ @@ -53,18 +64,22 @@ typedef struct mbedtls_gcm_context { #if defined(MBEDTLS_BLOCK_CIPHER_C) mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */ #else - mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ #endif - uint64_t MBEDTLS_PRIVATE(HL)[16]; /*!< Precalculated HTable low. */ - uint64_t MBEDTLS_PRIVATE(HH)[16]; /*!< Precalculated HTable high. */ - uint64_t MBEDTLS_PRIVATE(len); /*!< The total length of the encrypted data. */ - uint64_t MBEDTLS_PRIVATE(add_len); /*!< The total length of the additional data. */ - unsigned char MBEDTLS_PRIVATE(base_ectr)[16]; /*!< The first ECTR for tag. */ - unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working value. */ - unsigned char MBEDTLS_PRIVATE(buf)[16]; /*!< The buf working value. */ - int MBEDTLS_PRIVATE(mode); /*!< The operation to perform: - #MBEDTLS_GCM_ENCRYPT or - #MBEDTLS_GCM_DECRYPT. */ + uint64_t MBEDTLS_PRIVATE(H)[MBEDTLS_GCM_HTABLE_SIZE][2]; /*!< Precalculated HTable. */ + uint64_t MBEDTLS_PRIVATE(len); /*!< The total length of the encrypted data. */ + uint64_t MBEDTLS_PRIVATE(add_len); /*!< The total length of the additional data. */ + unsigned char MBEDTLS_PRIVATE(base_ectr)[16]; /*!< The first ECTR for tag. */ + unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working value. */ + unsigned char MBEDTLS_PRIVATE(buf)[16]; /*!< The buf working value. */ + unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform: + #MBEDTLS_GCM_ENCRYPT or + #MBEDTLS_GCM_DECRYPT. */ + unsigned char MBEDTLS_PRIVATE(acceleration); /*!< The acceleration to use: + #MBEDTLS_GCM_ACC_SMALLTABLE, + #MBEDTLS_GCM_ACC_LARGETABLE, + #MBEDTLS_GCM_ACC_AESNI, + #MBEDTLS_GCM_ACC_AESCE */ } mbedtls_gcm_context; diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 6a5828c..f467737 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2801,6 +2801,20 @@ #define MBEDTLS_GCM_C /** + * \def MBEDTLS_GCM_LARGETABLE + * + * Enable large precomputer tables for Galois/Counter Mode (GCM). + * Can significantly increase throughput on systems without GCM hardware + * acceleration (e.g., AESNI, AESCE). + * + * Module: library/gcm.c + * + * Requires: MBEDTLS_GCM_C + * + */ +//#define MBEDTLS_GCM_LARGETABLE + +/** * \def MBEDTLS_HKDF_C * * Enable the HKDF algorithm (RFC 5869). diff --git a/library/gcm.c b/library/gcm.c index 033cb59..4a01f5c 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -49,6 +49,39 @@ void mbedtls_gcm_init(mbedtls_gcm_context *ctx) memset(ctx, 0, sizeof(mbedtls_gcm_context)); } +static inline void gcm_set_acceleration(mbedtls_gcm_context *ctx) +{ +#if defined(MBEDTLS_GCM_LARGETABLE) + ctx->acceleration = MBEDTLS_GCM_ACC_LARGETABLE; +#else + ctx->acceleration = MBEDTLS_GCM_ACC_SMALLTABLE; +#endif + +#if defined(MBEDTLS_AESNI_HAVE_CODE) + /* With CLMUL support, we need only h, not the rest of the table */ + if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { + ctx->acceleration = MBEDTLS_GCM_ACC_AESNI; + } +#endif + +#if defined(MBEDTLS_AESCE_HAVE_CODE) + if (MBEDTLS_AESCE_HAS_SUPPORT()) { + ctx->acceleration = MBEDTLS_GCM_ACC_AESCE; + } +#endif +} + +static inline void gcm_gen_table_rightshift(uint64_t dst[2], const uint64_t src[2]) +{ + uint8_t *u8Dst = (uint8_t *) dst; + uint8_t *u8Src = (uint8_t *) src; + + MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[1], 0) >> 1, &dst[1], 0); + u8Dst[8] |= (u8Src[7] & 0x01) << 7; + MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[0], 0) >> 1, &dst[0], 0); + u8Dst[0] ^= (u8Src[15] & 0x01) ? 0xE1 : 0; +} + /* * Precompute small multiples of H, that is set * HH[i] || HL[i] = H times i, @@ -60,11 +93,8 @@ void mbedtls_gcm_init(mbedtls_gcm_context *ctx) static int gcm_gen_table(mbedtls_gcm_context *ctx) { int ret, i, j; - uint64_t hi, lo; - uint64_t vl, vh; - unsigned char h[16]; - - memset(h, 0, 16); + uint64_t u64h[2] = { 0 }; + uint8_t *h = (uint8_t *) u64h; #if defined(MBEDTLS_BLOCK_CIPHER_C) ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, h, h); @@ -76,53 +106,48 @@ static int gcm_gen_table(mbedtls_gcm_context *ctx) return ret; } - /* pack h as two 64-bits ints, big-endian */ - hi = MBEDTLS_GET_UINT32_BE(h, 0); - lo = MBEDTLS_GET_UINT32_BE(h, 4); - vh = (uint64_t) hi << 32 | lo; - - hi = MBEDTLS_GET_UINT32_BE(h, 8); - lo = MBEDTLS_GET_UINT32_BE(h, 12); - vl = (uint64_t) hi << 32 | lo; + gcm_set_acceleration(ctx); - /* 8 = 1000 corresponds to 1 in GF(2^128) */ - ctx->HL[8] = vl; - ctx->HH[8] = vh; + /* MBEDTLS_GCM_HTABLE_SIZE/2 = 1000 corresponds to 1 in GF(2^128) */ + ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][0] = u64h[0]; + ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][1] = u64h[1]; + switch (ctx->acceleration) { #if defined(MBEDTLS_AESNI_HAVE_CODE) - /* With CLMUL support, we need only h, not the rest of the table */ - if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { - return 0; - } + case MBEDTLS_GCM_ACC_AESNI: + return 0; #endif #if defined(MBEDTLS_AESCE_HAVE_CODE) - if (MBEDTLS_AESCE_HAS_SUPPORT()) { - return 0; - } + case MBEDTLS_GCM_ACC_AESCE: + return 0; #endif - /* 0 corresponds to 0 in GF(2^128) */ - ctx->HH[0] = 0; - ctx->HL[0] = 0; + default: + /* 0 corresponds to 0 in GF(2^128) */ + ctx->H[0][0] = 0; + ctx->H[0][1] = 0; - for (i = 4; i > 0; i >>= 1) { - uint32_t T = (vl & 1) * 0xe1000000U; - vl = (vh << 63) | (vl >> 1); - vh = (vh >> 1) ^ ((uint64_t) T << 32); + for (i = MBEDTLS_GCM_HTABLE_SIZE/4; i > 0; i >>= 1) { + gcm_gen_table_rightshift(ctx->H[i], ctx->H[i*2]); + } - ctx->HL[i] = vl; - ctx->HH[i] = vh; - } +#if !defined(MBEDTLS_GCM_LARGETABLE) + /* pack elements of H as 64-bits ints, big-endian */ + for (i = MBEDTLS_GCM_HTABLE_SIZE/2; i > 0; i >>= 1) { + MBEDTLS_PUT_UINT64_BE(ctx->H[i][0], &ctx->H[i][0], 0); + MBEDTLS_PUT_UINT64_BE(ctx->H[i][1], &ctx->H[i][1], 0); + } +#endif - for (i = 2; i <= 8; i *= 2) { - uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i; - vh = *HiH; - vl = *HiL; - for (j = 1; j < i; j++) { - HiH[j] = vh ^ ctx->HH[j]; - HiL[j] = vl ^ ctx->HL[j]; - } + for (i = 2; i < MBEDTLS_GCM_HTABLE_SIZE; i <<= 1) { + for (j = 1; j < i; j++) { + mbedtls_xor_no_simd((unsigned char *) ctx->H[i+j], + (unsigned char *) ctx->H[i], + (unsigned char *) ctx->H[j], + 16); + } + } } return 0; @@ -181,6 +206,69 @@ int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx, return 0; } +#if defined(MBEDTLS_GCM_LARGETABLE) +static const uint16_t last8[256] = { + 0x0000, 0xc201, 0x8403, 0x4602, 0x0807, 0xca06, 0x8c04, 0x4e05, + 0x100e, 0xd20f, 0x940d, 0x560c, 0x1809, 0xda08, 0x9c0a, 0x5e0b, + 0x201c, 0xe21d, 0xa41f, 0x661e, 0x281b, 0xea1a, 0xac18, 0x6e19, + 0x3012, 0xf213, 0xb411, 0x7610, 0x3815, 0xfa14, 0xbc16, 0x7e17, + 0x4038, 0x8239, 0xc43b, 0x063a, 0x483f, 0x8a3e, 0xcc3c, 0x0e3d, + 0x5036, 0x9237, 0xd435, 0x1634, 0x5831, 0x9a30, 0xdc32, 0x1e33, + 0x6024, 0xa225, 0xe427, 0x2626, 0x6823, 0xaa22, 0xec20, 0x2e21, + 0x702a, 0xb22b, 0xf429, 0x3628, 0x782d, 0xba2c, 0xfc2e, 0x3e2f, + 0x8070, 0x4271, 0x0473, 0xc672, 0x8877, 0x4a76, 0x0c74, 0xce75, + 0x907e, 0x527f, 0x147d, 0xd67c, 0x9879, 0x5a78, 0x1c7a, 0xde7b, + 0xa06c, 0x626d, 0x246f, 0xe66e, 0xa86b, 0x6a6a, 0x2c68, 0xee69, + 0xb062, 0x7263, 0x3461, 0xf660, 0xb865, 0x7a64, 0x3c66, 0xfe67, + 0xc048, 0x0249, 0x444b, 0x864a, 0xc84f, 0x0a4e, 0x4c4c, 0x8e4d, + 0xd046, 0x1247, 0x5445, 0x9644, 0xd841, 0x1a40, 0x5c42, 0x9e43, + 0xe054, 0x2255, 0x6457, 0xa656, 0xe853, 0x2a52, 0x6c50, 0xae51, + 0xf05a, 0x325b, 0x7459, 0xb658, 0xf85d, 0x3a5c, 0x7c5e, 0xbe5f, + 0x00e1, 0xc2e0, 0x84e2, 0x46e3, 0x08e6, 0xcae7, 0x8ce5, 0x4ee4, + 0x10ef, 0xd2ee, 0x94ec, 0x56ed, 0x18e8, 0xdae9, 0x9ceb, 0x5eea, + 0x20fd, 0xe2fc, 0xa4fe, 0x66ff, 0x28fa, 0xeafb, 0xacf9, 0x6ef8, + 0x30f3, 0xf2f2, 0xb4f0, 0x76f1, 0x38f4, 0xfaf5, 0xbcf7, 0x7ef6, + 0x40d9, 0x82d8, 0xc4da, 0x06db, 0x48de, 0x8adf, 0xccdd, 0x0edc, + 0x50d7, 0x92d6, 0xd4d4, 0x16d5, 0x58d0, 0x9ad1, 0xdcd3, 0x1ed2, + 0x60c5, 0xa2c4, 0xe4c6, 0x26c7, 0x68c2, 0xaac3, 0xecc1, 0x2ec0, + 0x70cb, 0xb2ca, 0xf4c8, 0x36c9, 0x78cc, 0xbacd, 0xfccf, 0x3ece, + 0x8091, 0x4290, 0x0492, 0xc693, 0x8896, 0x4a97, 0x0c95, 0xce94, + 0x909f, 0x529e, 0x149c, 0xd69d, 0x9898, 0x5a99, 0x1c9b, 0xde9a, + 0xa08d, 0x628c, 0x248e, 0xe68f, 0xa88a, 0x6a8b, 0x2c89, 0xee88, + 0xb083, 0x7282, 0x3480, 0xf681, 0xb884, 0x7a85, 0x3c87, 0xfe86, + 0xc0a9, 0x02a8, 0x44aa, 0x86ab, 0xc8ae, 0x0aaf, 0x4cad, 0x8eac, + 0xd0a7, 0x12a6, 0x54a4, 0x96a5, 0xd8a0, 0x1aa1, 0x5ca3, 0x9ea2, + 0xe0b5, 0x22b4, 0x64b6, 0xa6b7, 0xe8b2, 0x2ab3, 0x6cb1, 0xaeb0, + 0xf0bb, 0x32ba, 0x74b8, 0xb6b9, 0xf8bc, 0x3abd, 0x7cbf, 0xbebe +}; + +static void gcm_mult_largetable(uint8_t *output, const uint8_t *x, uint64_t H[256][2]) +{ + int i; + uint64_t u64z[2]; + uint16_t *u16z = (uint16_t *) u64z; + uint8_t *u8z = (uint8_t *) u64z; + uint8_t rem; + + u64z[0] = 0; + u64z[1] = 0; + + for (i = 15; i > 0; i--) { + mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16); + + rem = u8z[15]; + + u64z[1] <<= 8; + u8z[8] = u8z[7]; + u64z[0] <<= 8; + + u8z[0] = 0; + u16z[0] ^= last8[rem]; + } + + mbedtls_xor_no_simd(output, u8z, (uint8_t *) H[x[0]], 16); +} +#else /* * Shoup's method for multiplication use this table with * last4[x] = x times P^128 @@ -194,78 +282,81 @@ static const uint16_t last4[16] = 0x9180, 0x8da0, 0xa9c0, 0xb5e0 }; -/* - * Sets output to x times H using the precomputed tables. - * x and output are seen as elements of GF(2^128) as in [MGV]. - */ -static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16], - unsigned char output[16]) +static void gcm_mult_smalltable(uint8_t *output, const uint8_t *x, uint64_t H[16][2]) { int i = 0; unsigned char lo, hi, rem; - uint64_t zh, zl; - -#if defined(MBEDTLS_AESNI_HAVE_CODE) - if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { - unsigned char h[16]; + uint64_t u64z[2]; + const uint64_t *pu64z = 0; + uint8_t *u8z = (uint8_t *) u64z; - /* mbedtls_aesni_gcm_mult needs big-endian input */ - MBEDTLS_PUT_UINT32_BE(ctx->HH[8] >> 32, h, 0); - MBEDTLS_PUT_UINT32_BE(ctx->HH[8], h, 4); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8] >> 32, h, 8); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8], h, 12); + lo = x[15] & 0xf; + hi = (x[15] >> 4) & 0xf; - mbedtls_aesni_gcm_mult(output, x, h); - return; - } -#endif /* MBEDTLS_AESNI_HAVE_CODE */ + pu64z = H[lo]; -#if defined(MBEDTLS_AESCE_HAVE_CODE) - if (MBEDTLS_AESCE_HAS_SUPPORT()) { - unsigned char h[16]; + rem = (unsigned char) pu64z[1] & 0xf; + u64z[1] = (pu64z[0] << 60) | (pu64z[1] >> 4); + u64z[0] = (pu64z[0] >> 4); + u64z[0] ^= (uint64_t) last4[rem] << 48; + mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[hi], 16); - /* mbedtls_aesce_gcm_mult needs big-endian input */ - MBEDTLS_PUT_UINT32_BE(ctx->HH[8] >> 32, h, 0); - MBEDTLS_PUT_UINT32_BE(ctx->HH[8], h, 4); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8] >> 32, h, 8); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8], h, 12); + for (i = 14; i >= 0; i--) { + lo = x[i] & 0xf; + hi = (x[i] >> 4) & 0xf; - mbedtls_aesce_gcm_mult(output, x, h); - return; + rem = (unsigned char) u64z[1] & 0xf; + u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4); + u64z[0] = (u64z[0] >> 4); + u64z[0] ^= (uint64_t) last4[rem] << 48; + mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[lo], 16); + + rem = (unsigned char) u64z[1] & 0xf; + u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4); + u64z[0] = (u64z[0] >> 4); + u64z[0] ^= (uint64_t) last4[rem] << 48; + mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[hi], 16); } -#endif - lo = x[15] & 0xf; - - zh = ctx->HH[lo]; - zl = ctx->HL[lo]; - - for (i = 15; i >= 0; i--) { - lo = x[i] & 0xf; - hi = (x[i] >> 4) & 0xf; + MBEDTLS_PUT_UINT32_BE(u64z[0] >> 32, output, 0); + MBEDTLS_PUT_UINT32_BE(u64z[0], output, 4); + MBEDTLS_PUT_UINT32_BE(u64z[1] >> 32, output, 8); + MBEDTLS_PUT_UINT32_BE(u64z[1], output, 12); +} +#endif - if (i != 15) { - rem = (unsigned char) zl & 0xf; - zl = (zh << 60) | (zl >> 4); - zh = (zh >> 4); - zh ^= (uint64_t) last4[rem] << 48; - zh ^= ctx->HH[lo]; - zl ^= ctx->HL[lo]; +/* + * Sets output to x times H using the precomputed tables. + * x and output are seen as elements of GF(2^128) as in [MGV]. + */ +static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16], + unsigned char output[16]) +{ + switch (ctx->acceleration) { +#if defined(MBEDTLS_AESNI_HAVE_CODE) + case MBEDTLS_GCM_ACC_AESNI: + mbedtls_aesni_gcm_mult(output, x, (uint8_t *) ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2]); + break; +#endif - } +#if defined(MBEDTLS_AESCE_HAVE_CODE) + case MBEDTLS_GCM_ACC_AESCE: + mbedtls_aesce_gcm_mult(output, x, (uint8_t *) ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2]); + break; +#endif - rem = (unsigned char) zl & 0xf; - zl = (zh << 60) | (zl >> 4); - zh = (zh >> 4); - zh ^= (uint64_t) last4[rem] << 48; - zh ^= ctx->HH[hi]; - zl ^= ctx->HL[hi]; +#if defined(MBEDTLS_GCM_LARGETABLE) + case MBEDTLS_GCM_ACC_LARGETABLE: + gcm_mult_largetable(output, x, ctx->H); + break; +#else + case MBEDTLS_GCM_ACC_SMALLTABLE: + gcm_mult_smalltable(output, x, ctx->H); + break; +#endif } - MBEDTLS_PUT_UINT32_BE(zh >> 32, output, 0); - MBEDTLS_PUT_UINT32_BE(zh, output, 4); - MBEDTLS_PUT_UINT32_BE(zl >> 32, output, 8); - MBEDTLS_PUT_UINT32_BE(zl, output, 12); + return; } int mbedtls_gcm_starts(mbedtls_gcm_context *ctx, diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8d3b46e..a21566c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4941,6 +4941,58 @@ component_test_aes_only_128_bit_keys_have_builtins () { programs/test/selftest } +component_test_gcm_largetable () { + msg "build: default config + GCM_LARGETABLE - AESNI_C - AESCE_C" + scripts/config.py set MBEDTLS_GCM_LARGETABLE + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AESCE_C + + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: default config + GCM_LARGETABLE - AESNI_C - AESCE_C" + make test +} + +component_test_gcm_largetable_gcc () { + msg "build: default config + GCM_LARGETABLE - AESNI_C - AESCE_C" + scripts/config.py set MBEDTLS_GCM_LARGETABLE + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AESCE_C + + make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" + make test +} + +component_test_gcm_smalltable () { + msg "build: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" + scripts/config.py unset MBEDTLS_GCM_LARGETABLE + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AESCE_C + + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" + make test +} + +component_test_gcm_smalltable_gcc () { + msg "build: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" + scripts/config.py unset MBEDTLS_GCM_LARGETABLE + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AESCE_C + + make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" + make test +} + component_test_aes_fewer_tables () { msg "build: default config with AES_FEWER_TABLES enabled" scripts/config.py set MBEDTLS_AES_FEWER_TABLES -- cgit v1.1 From 7889fe79175f893e208c0eb29ca13cda08e87d3a Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Wed, 7 Feb 2024 13:01:33 +0000 Subject: Make check_config aware of MBEDTLS_PSA_CRYPTO_CLIENT When check_config needs to evaluate the availability of a feature through a PSA API, it should look for MBEDTLS_PSA_CRYPTO_CLIENT instead of MBEDTLS_PSA_CRYPTO_C, to be able to cover the case where the API is provided through a client/service interface. Signed-off-by: Antonio de Angelis --- include/mbedtls/check_config.h | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b211356..47de2e9 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -56,7 +56,7 @@ /* Check that each MBEDTLS_ECP_DP_xxx symbol has its PSA_WANT_ECC_xxx counterpart * when PSA crypto is enabled. */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) || defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) || defined(MBEDTLS_PSA_CRYPTO_CLIENT) #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) #error "MBEDTLS_ECP_DP_BP256R1_ENABLED defined, but not its PSA counterpart" @@ -154,7 +154,7 @@ #endif /* some curve accelerated */ #if defined(MBEDTLS_CTR_DRBG_C) && !(defined(MBEDTLS_AES_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_AES) && \ + (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_KEY_TYPE_AES) && \ defined(PSA_WANT_ALG_ECB_NO_PADDING))) #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites" #endif @@ -236,7 +236,7 @@ #if defined(MBEDTLS_ECJPAKE_C) && \ ( !defined(MBEDTLS_ECP_C) || \ - !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) ) + !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT) ) ) #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites" #endif @@ -284,15 +284,15 @@ /* Helpers for hash dependencies, will be undefined at the end of the file */ /* Do SHA-256, 384, 512 to cover Entropy and TLS. */ #if defined(MBEDTLS_SHA256_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256)) + (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_256) #define MBEDTLS_MD_HAVE_SHA256 #endif #if defined(MBEDTLS_SHA384_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384)) + (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_384)) #define MBEDTLS_MD_HAVE_SHA384 #endif #if defined(MBEDTLS_SHA512_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512)) + (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_512)) #define MBEDTLS_MD_HAVE_SHA512 #endif @@ -491,7 +491,7 @@ defined(MBEDTLS_SHA256_C) || \ defined(MBEDTLS_SHA384_C) || \ defined(MBEDTLS_SHA512_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && \ + (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \ (defined(PSA_WANT_ALG_MD5) || \ defined(PSA_WANT_ALG_RIPEMD160) || \ defined(PSA_WANT_ALG_SHA_1) || \ @@ -503,7 +503,7 @@ #endif #if defined(MBEDTLS_LMS_C) && \ - ! ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) ) + ! ( defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_256) ) #error "MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256" #endif @@ -891,7 +891,7 @@ * Note: for dependencies common with TLS 1.2 (running handshake hash), * see MBEDTLS_SSL_TLS_C. */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ - !(defined(MBEDTLS_PSA_CRYPTO_C) && \ + !(defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \ defined(PSA_WANT_ALG_HKDF_EXTRACT) && \ defined(PSA_WANT_ALG_HKDF_EXPAND) && \ (defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384))) @@ -1089,7 +1089,7 @@ #endif #undef MBEDTLS_THREADING_IMPL -#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_CLIENT) #error "MBEDTLS_USE_PSA_CRYPTO defined, but not all prerequisites" #endif -- cgit v1.1 From a8082c43d5f8a389ec843b17886673efa14c8667 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 7 Feb 2024 13:31:19 +0000 Subject: Add MBEDTLS_CIPHER_C dependencies to new pkparse tests Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkparse.data | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 5e9f0e7..6af0702 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -891,27 +891,27 @@ depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #99.3 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.4 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.5 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.6 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384 DER, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der":"PolarSSLTest":0 Parse RSA Key #99.7 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384 DER, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der":"PolarSSLTest":0 Parse RSA Key #99.8 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384 DER, 2048-bit) -depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der":"PolarSSLTest":0 Parse Public RSA Key #1 (PKCS#8 wrapped) -- cgit v1.1 From affba30833d7b38d22670ba389fe9b71aaf158a5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Feb 2024 15:03:33 +0100 Subject: psa_util: update documentation for mbedtls_ecdsa_raw_to_der() Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index a5f09a4..984f031 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -192,12 +192,13 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. - * \param der_size Size of \p der in bytes. Given \p bits parameter: - * * #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) can be used - * to determine a large enough buffer for any - * \p raw input vector. - * * The minimum size might be smaller in case - * \p raw input vector contains padding zeros. + * \param der_size Size of \p der in bytes. It is enough if \p der_size + * is at least the size of the actual output. (The size + * of the output can vary depending on the presence of + * leading zeros in the data.) You can use + * #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) to determine a + * size that is large enough for all signatures for a + * given value of \p bits. * \param[out] der_len On success it contains the amount of valid data * (in bytes) written to \p der. It's undefined * in case of failure. -- cgit v1.1 From ef07fa0fc3a6d0a7ebff1777978a7799678f0bd4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Feb 2024 15:16:45 +0100 Subject: test_suite_psa_crypto_util: add more test for raw->der Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 1d17029..86f63ab 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -2,10 +2,6 @@ ECDSA Raw -> DER, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA Raw -> DER, 256bit, Raw data too short -depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA - ECDSA Raw -> DER, 256bit, DER buffer too small depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL @@ -38,14 +34,22 @@ ECDSA Raw -> DER, 256bit, r and s only 1 byte of data with MSb set depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"000000000000000000000000000000000000000000000000000000000000009100000000000000000000000000000000000000000000000000000000000000A2":"300802020091020200A2":0 -ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) +ECDSA Raw -> DER, 256bit, Invalid raw signature (r 1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) +ECDSA Raw -> DER, 256bit, Invalid raw signature (r and s 1 byte shorter) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 256bit, Invalid raw signature (r 1 byte longer) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ECDSA Raw -> DER, 256bit, Invalid raw signature (r and s 1 byte longer) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -- cgit v1.1 From bda577bb0bd003206c7234ced60950faaa8a7ef7 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 6 Feb 2024 17:49:20 +0000 Subject: Fix confusing comment in ctr drbg thread test Make it clearer where the magic number chosen for entropy_len actually comes from, and why we chose this value. Signed-off-by: Paul Elliott --- tests/suites/test_suite_ctr_drbg.function | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function index 425c43e..63524f2 100644 --- a/tests/suites/test_suite_ctr_drbg.function +++ b/tests/suites/test_suite_ctr_drbg.function @@ -354,7 +354,12 @@ void ctr_drbg_threads(data_t *expected_result, int reseed, int arg_thread_count) const size_t n_random_calls = thread_count * thread_random_reps + 1; - /* Based on the size of MBEDTLS_CTR_DRBG_ENTROPY_LEN for SHA512. */ + /* This is a known-answer test, and although tests use a mock entropy + * function the input entropy length will still affect the output. + * We therefore need to pick a fixed entropy length, rather than using the + * default entropy length (MBEDTLS_CTR_DRBG_ENTROPY_LEN). We've chosen to + * use the default value of MBEDTLS_CTR_DRBG_ENTROPY_LEN for SHA-512, + * as this was the value used when the expected answers were calculated. */ const size_t entropy_len = 48; AES_PSA_INIT(); @@ -367,8 +372,8 @@ void ctr_drbg_threads(data_t *expected_result, int reseed, int arg_thread_count) test_offset_idx = 0; - /* Need to do this, otherwise if we are forced into using SHA256 for - * whaever reason, output will differ. */ + /* Need to set a non-default fixed entropy len, to ensure same output across + * all configs - see above for details. */ mbedtls_ctr_drbg_set_entropy_len(&ctx, entropy_len); if (reseed == 0) { -- cgit v1.1 From 1910390b4a819d5eaa582ad4a57483b4278e473f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Feb 2024 16:16:58 +0100 Subject: psa_util: improve leading zeros check in convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 15 +++++++++------ tests/suites/test_suite_psa_crypto_util.data | 16 ++++++++++++---- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 970274e..fd119bf 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -488,18 +488,21 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return ret; } - /* It's invalid to have MSb set without a leading 0x00 (leading 0x00 is - * checked below). */ - if ((*p & 0x80) != 0) { + /* It's invalid to have: + * - unpadded_len == 0. + * - MSb set without a leading 0x00 (leading 0x00 is checked below). */ + if (((unpadded_len == 0) || (*p & 0x80) != 0)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } /* Skip possible leading zero */ - if ((unpadded_len > 0) && (*p == 0x00)) { + if (*p == 0x00) { p++; unpadded_len--; - /* Only 1 leading zero is allowed, otherwise that's an error. */ - if (*p == 0x00) { + /* It is not allowed to have more than 1 leading zero. + * Ignore the case in which unpadded_len = 0 because that's a 0 encoded + * in ASN.1 format (i.e. 020100). */ + if ((unpadded_len > 0) && (*p == 0x00)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 86f63ab..807007b 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -110,13 +110,21 @@ ECDSA DER -> Raw, 256bit, Valid s only 1 zero byte depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 -ECDSA DER -> Raw, 256bit, Valid 0-length r +ECDSA DER -> Raw, 256bit, Invalid 0-length r depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Valid 0-length s +ECDSA DER -> Raw, 256bit, Invalid 0-length s depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA DER -> Raw, 256bit, Invalid r 2 leading zeros +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_der_to_raw:256:"3027020300000102202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA DER -> Raw, 256bit, Invalid s 2 leading zeros +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_der_to_raw:256:"3027022011111111111111111111111111111111111111111111111111111111111111110203000001":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -- cgit v1.1 From 3c19b237d142da31c1dc28e6100482323e2b75d4 Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Wed, 7 Feb 2024 17:10:12 +0000 Subject: Fix trailing parenthesis Signed-off-by: Antonio de Angelis --- include/mbedtls/check_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 47de2e9..5283e26 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -284,7 +284,7 @@ /* Helpers for hash dependencies, will be undefined at the end of the file */ /* Do SHA-256, 384, 512 to cover Entropy and TLS. */ #if defined(MBEDTLS_SHA256_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_256) + (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_256)) #define MBEDTLS_MD_HAVE_SHA256 #endif #if defined(MBEDTLS_SHA384_C) || \ -- cgit v1.1 From a3172d1e9644aa6b19f264b5e411c69be21dd7c4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 8 Feb 2024 10:47:08 +0100 Subject: Inline the SHA3 parameters table into a switch This saves a few bytes of code size. Signed-off-by: Gilles Peskine --- library/sha3.c | 49 ++++++++++++++++++------------------------------- 1 file changed, 18 insertions(+), 31 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index f420a12..5df08f9 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -26,25 +26,6 @@ #define XOR_BYTE 0x6 -typedef struct mbedtls_sha3_family_functions { - mbedtls_sha3_id id; - - uint16_t r; - uint16_t olen; -} -mbedtls_sha3_family_functions; - -/* - * List of supported SHA-3 families - */ -static const mbedtls_sha3_family_functions sha3_families[] = { - { MBEDTLS_SHA3_224, 1152, 224 }, - { MBEDTLS_SHA3_256, 1088, 256 }, - { MBEDTLS_SHA3_384, 832, 384 }, - { MBEDTLS_SHA3_512, 576, 512 }, - { MBEDTLS_SHA3_NONE, 0, 0 } -}; - static const uint64_t rc[24] = { 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000, 0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009, @@ -180,21 +161,27 @@ void mbedtls_sha3_clone(mbedtls_sha3_context *dst, */ int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id) { - const mbedtls_sha3_family_functions *p = NULL; - - for (p = sha3_families; p->id != MBEDTLS_SHA3_NONE; p++) { - if (p->id == id) { + switch (id) { + case MBEDTLS_SHA3_224: + ctx->olen = 224 / 8; + ctx->max_block_size = 1152 / 8; break; - } - } - - if (p->id == MBEDTLS_SHA3_NONE) { - return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA; + case MBEDTLS_SHA3_256: + ctx->olen = 256 / 8; + ctx->max_block_size = 1088 / 8; + break; + case MBEDTLS_SHA3_384: + ctx->olen = 384 / 8; + ctx->max_block_size = 832 / 8; + break; + case MBEDTLS_SHA3_512: + ctx->olen = 512 / 8; + ctx->max_block_size = 576 / 8; + break; + default: + return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA; } - ctx->olen = p->olen / 8; - ctx->max_block_size = p->r / 8; - memset(ctx->state, 0, sizeof(ctx->state)); ctx->index = 0; -- cgit v1.1 From 058c9a34ec30246ae582f549fb95851ae1010708 Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Thu, 8 Feb 2024 10:24:06 +0000 Subject: build_info should look for MBEDTLS_PSA_CRYPTO_CLIENT as well Similarly to check_config.h, also build_info.h should consider MBEDTLS_PSA_CRYPTO_CLIENT as the define which signals that PSA Crypto APIs feature are being required in the build (possibly due to the client/service architecture). It is automatically enabled if CRYPTO_C is enabled, but only at config_adjust_legacy_crypto.h which happens after the inclusion of the config_psa.h is needed Signed-off-by: Antonio de Angelis --- include/mbedtls/build_info.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 2f336ba..99a449b 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -158,7 +158,8 @@ * (e.g. MBEDTLS_MD_LIGHT) */ #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \ - defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ + defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ || \ + defined(MBEDTLS_PSA_CRYPTO_CLIENT) /* The same as the previous, but with separation only */ #include "mbedtls/config_psa.h" #endif -- cgit v1.1 From 68608b23177faf654dc3d774122b478d7a5d0a06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 11:51:39 +0100 Subject: Remove redundant helper macros in check_config.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b211356..40936cd 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -281,23 +281,8 @@ #error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites" #endif -/* Helpers for hash dependencies, will be undefined at the end of the file */ -/* Do SHA-256, 384, 512 to cover Entropy and TLS. */ -#if defined(MBEDTLS_SHA256_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256)) -#define MBEDTLS_MD_HAVE_SHA256 -#endif -#if defined(MBEDTLS_SHA384_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384)) -#define MBEDTLS_MD_HAVE_SHA384 -#endif -#if defined(MBEDTLS_SHA512_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512)) -#define MBEDTLS_MD_HAVE_SHA512 -#endif - #if defined(MBEDTLS_ENTROPY_C) && \ - !(defined(MBEDTLS_MD_HAVE_SHA512) || defined(MBEDTLS_MD_HAVE_SHA256)) + !(defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA256)) #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_ENTROPY_C) && \ @@ -305,12 +290,12 @@ #error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high" #endif #if defined(MBEDTLS_ENTROPY_C) && \ - (defined(MBEDTLS_ENTROPY_FORCE_SHA256) || !defined(MBEDTLS_MD_HAVE_SHA512)) \ + (defined(MBEDTLS_ENTROPY_FORCE_SHA256) || !defined(MBEDTLS_MD_CAN_SHA512)) \ && defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32) #error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high" #endif #if defined(MBEDTLS_ENTROPY_C) && \ - defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_MD_HAVE_SHA256) + defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_MD_CAN_SHA256) #error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites" #endif @@ -471,7 +456,7 @@ /* Use of EC J-PAKE in TLS requires SHA-256. */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - !defined(MBEDTLS_MD_HAVE_SHA256) + !defined(MBEDTLS_MD_CAN_SHA256) #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif @@ -975,7 +960,7 @@ #endif #else /* MBEDTLS_USE_PSA_CRYPTO */ #if !defined(MBEDTLS_MD_C) || \ - !(defined(MBEDTLS_MD_HAVE_SHA256) || defined(MBEDTLS_MD_HAVE_SHA384)) + !(defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA384)) #error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites" #endif #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -1220,9 +1205,6 @@ /* Undefine helper symbols */ #undef MBEDTLS_PK_HAVE_JPAKE -#undef MBEDTLS_MD_HAVE_SHA256 -#undef MBEDTLS_MD_HAVE_SHA384 -#undef MBEDTLS_MD_HAVE_SHA512 #undef MBEDTLS_PK_HAVE_CURVE_SECP256R1 /* -- cgit v1.1 From 7eb3f9a5237e9b18ca1ec6df948b0a710b140151 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 11:56:54 +0100 Subject: Simplify and fix dependency of MD_C on a hash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Simplify: let's take advantage of the MD_CAN macros instead of doing it again ourselves. Fix: SHA-3 was forgotten. Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 40936cd..7852859 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -468,23 +468,19 @@ #error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C" #endif -#if defined(MBEDTLS_MD_C) && !( \ - defined(MBEDTLS_MD5_C) || \ - defined(MBEDTLS_RIPEMD160_C) || \ - defined(MBEDTLS_SHA1_C) || \ - defined(MBEDTLS_SHA224_C) || \ - defined(MBEDTLS_SHA256_C) || \ - defined(MBEDTLS_SHA384_C) || \ - defined(MBEDTLS_SHA512_C) || \ - (defined(MBEDTLS_PSA_CRYPTO_C) && \ - (defined(PSA_WANT_ALG_MD5) || \ - defined(PSA_WANT_ALG_RIPEMD160) || \ - defined(PSA_WANT_ALG_SHA_1) || \ - defined(PSA_WANT_ALG_SHA_224) || \ - defined(PSA_WANT_ALG_SHA_256) || \ - defined(PSA_WANT_ALG_SHA_384) || \ - defined(PSA_WANT_ALG_SHA_512)))) -#error "MBEDTLS_MD_C defined, but not all prerequisites" +#if defined(MBEDTLS_MD_C) && \ + !defined(MBEDTLS_MD_CAN_MD5) && \ + !defined(MBEDTLS_MD_CAN_RIPEMD160) && \ + !defined(MBEDTLS_MD_CAN_SHA1) && \ + !defined(MBEDTLS_MD_CAN_SHA224) && \ + !defined(MBEDTLS_MD_CAN_SHA256) && \ + !defined(MBEDTLS_MD_CAN_SHA384) && \ + !defined(MBEDTLS_MD_CAN_SHA512) && \ + !defined(MBEDTLS_MD_CAN_SHA3_224) && \ + !defined(MBEDTLS_MD_CAN_SHA3_256) && \ + !defined(MBEDTLS_MD_CAN_SHA3_384) && \ + !defined(MBEDTLS_MD_CAN_SHA3_512) +#error "MBEDTLS_MD_C defined, but no hash algorithm" #endif #if defined(MBEDTLS_LMS_C) && \ -- cgit v1.1 From 49f64b4cac9a34405f16bcf9e4e20c7fa0ee3792 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:00:28 +0100 Subject: Fix dependency on low-level hash modules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit None of the TLS code is calling low-level hash functions directly. So the correct dependencies here are MD_CAN. (I checked and this was the only occurrence.) Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 7852859..8c8130b 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -461,11 +461,11 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \ - !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ - ( !defined(MBEDTLS_SHA256_C) && \ - !defined(MBEDTLS_SHA512_C) && \ - !defined(MBEDTLS_SHA1_C) ) -#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C" + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ + !defined(MBEDTLS_MD_CAN_SHA256) && \ + !defined(MBEDTLS_MD_CAN_SHA512) && \ + !defined(MBEDTLS_MD_CAN_SHA1) +#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires SHA-512, SHA-256 or SHA-1". #endif #if defined(MBEDTLS_MD_C) && \ -- cgit v1.1 From 61758e606ea226c275d8c667e539c964ecc0dcfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:03:28 +0100 Subject: Fix wrong dependency of ECJPAKE_C MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It always uses MD now. (The "fall back" to PSA Crypto was only in the 1st iteration of driver-only hash support, before we changed the architecture to make everything go through MD.) Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 8c8130b..3be200d 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -234,9 +234,8 @@ #endif #endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_ECJPAKE_C) && \ - ( !defined(MBEDTLS_ECP_C) || \ - !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) ) +#if defined(MBEDTLS_ECJPAKE_C) && \ + (!defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C)) #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites" #endif -- cgit v1.1 From e1f3faf5bf920c7788f113b22f50096028360214 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:17:20 +0100 Subject: Remove temporary macros that are not needed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Those were only used for KEY_EXCHANGE_ECJPAKE, but had a much larger scope than needed. We actually don't need those macros if we distinguish between cases when expressing dependencies for this key exchange. The remaining helper macros are all short lived. Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 53 ++++++++++++++---------------------------- 1 file changed, 17 insertions(+), 36 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 3be200d..1dcd903 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -300,13 +300,13 @@ #if defined(__has_feature) #if __has_feature(memory_sanitizer) -#define MBEDTLS_HAS_MEMSAN +#define MBEDTLS_HAS_MEMSAN // #undef at the end of this paragraph #endif #endif #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN) #error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer" #endif -#undef MBEDTLS_HAS_MEMSAN +#undef MBEDTLS_HAS_MEMSAN // temporary macro defined above #if defined(MBEDTLS_CCM_C) && \ !(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \ @@ -372,28 +372,6 @@ #error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites" #endif -/* Helper for JPAKE dependencies, will be undefined at the end of the file */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#if defined(PSA_WANT_ALG_JPAKE) && defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) -#define MBEDTLS_PK_HAVE_JPAKE -#endif -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_ECJPAKE_C) -#define MBEDTLS_PK_HAVE_JPAKE -#endif -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - -/* Helper for curve SECP256R1 */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#if defined(PSA_WANT_ECC_SECP_R1_256) -#define MBEDTLS_PK_HAVE_CURVE_SECP256R1 -#endif -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) -#define MBEDTLS_PK_HAVE_CURVE_SECP256R1 -#endif -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) && \ ( !defined(MBEDTLS_CAN_ECDH) || \ !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) || \ @@ -447,11 +425,20 @@ #error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - ( !defined(MBEDTLS_PK_HAVE_JPAKE) || \ - !defined(MBEDTLS_PK_HAVE_CURVE_SECP256R1) ) +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + ( !defined(PSA_WANT_ALG_JPAKE) || \ + !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \ + !defined(PSA_WANT_ECC_SECP_R1_256) ) +#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" +#endif +#else /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + ( !defined(MBEDTLS_ECJPAKE_C) || \ + !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ) #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Use of EC J-PAKE in TLS requires SHA-256. */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ @@ -1054,20 +1041,18 @@ #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites" #endif -#define MBEDTLS_THREADING_IMPL +#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph #endif - #if defined(MBEDTLS_THREADING_ALT) #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_ALT defined, but not all prerequisites" #endif -#define MBEDTLS_THREADING_IMPL +#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph #endif - #if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_C defined, single threading implementation required" #endif -#undef MBEDTLS_THREADING_IMPL +#undef MBEDTLS_THREADING_IMPL // temporary macro defined above #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_C) #error "MBEDTLS_USE_PSA_CRYPTO defined, but not all prerequisites" @@ -1198,10 +1183,6 @@ #error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" #endif -/* Undefine helper symbols */ -#undef MBEDTLS_PK_HAVE_JPAKE -#undef MBEDTLS_PK_HAVE_CURVE_SECP256R1 - /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the -- cgit v1.1 From 1463e49a3c2f2bdd7cac52964c0c0c599ef63d94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:28:30 +0100 Subject: Move config adjustment to config_adjust MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After this change, check_config.h does not have any #defined except: - the standard header double-inclusion guard - short-lived helpers that are #undef-ed in the same paragraph Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 14 ++------------ include/mbedtls/config_adjust_legacy_crypto.h | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1dcd903..1741d8b 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -27,18 +27,8 @@ #if !defined(MBEDTLS_PLATFORM_C) #error "MBEDTLS_PLATFORM_C is required on Windows" #endif - -/* Fix the config here. Not convenient to put an #ifdef _WIN32 in mbedtls_config.h as - * it would confuse config.py. */ -#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \ - !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) -#define MBEDTLS_PLATFORM_SNPRINTF_ALT -#endif - -#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \ - !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) -#define MBEDTLS_PLATFORM_VSNPRINTF_ALT -#endif +/* See auto-enabling SNPRINTF_ALT and VSNPRINTF_ALT + * in * config_adjust_legacy_crypto.h */ #endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */ #if defined(TARGET_LIKE_MBED) && defined(MBEDTLS_NET_C) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 696266c..6126a1e 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -22,6 +22,22 @@ #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H +/* Ideally, we'd set those as defaults in mbedtls_config.h, but + * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py. + * + * So, adjust it here. + * Not related to crypto, but this is the bottom of the stack. */ +#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900) +#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \ + !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) +#define MBEDTLS_PLATFORM_SNPRINTF_ALT +#endif +#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \ + !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) +#define MBEDTLS_PLATFORM_VSNPRINTF_ALT +#endif +#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */ + /* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin * in PSA. */ #if defined(MBEDTLS_PSA_CRYPTO_C) && \ -- cgit v1.1 From a6184b2cc88eeb018d6fb1b8c715f98345b00c16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 12:30:56 +0100 Subject: Remove redundant check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're already making sure of that in include/mbedtls/config_adjust_psa_superset_legacy.h - no need to double-check here. Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 59 ------------------------------------------ 1 file changed, 59 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1741d8b..429bf3e 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -44,65 +44,6 @@ #error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense" #endif -/* Check that each MBEDTLS_ECP_DP_xxx symbol has its PSA_WANT_ECC_xxx counterpart - * when PSA crypto is enabled. */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) || defined(MBEDTLS_PSA_CRYPTO_C) - -#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) -#error "MBEDTLS_ECP_DP_BP256R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) -#error "MBEDTLS_ECP_DP_BP384R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) -#error "MBEDTLS_ECP_DP_BP512R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && !defined(PSA_WANT_ECC_MONTGOMERY_255) -#error "MBEDTLS_ECP_DP_CURVE25519_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) && !defined(PSA_WANT_ECC_MONTGOMERY_448) -#error "MBEDTLS_ECP_DP_CURVE448_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_192) -#error "MBEDTLS_ECP_DP_SECP192R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_224) -#error "MBEDTLS_ECP_DP_SECP224R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_256) -#error "MBEDTLS_ECP_DP_SECP256R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_384) -#error "MBEDTLS_ECP_DP_SECP384R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_521) -#error "MBEDTLS_ECP_DP_SECP521R1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_192) -#error "MBEDTLS_ECP_DP_SECP192K1_ENABLED defined, but not its PSA counterpart" -#endif - -/* SECP224K1 is buggy in PSA API so we skip this check */ -#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_224) -#error "MBEDTLS_ECP_DP_SECP224K1_ENABLED defined, but not its PSA counterpart" -#endif - -#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_256) -#error "MBEDTLS_ECP_DP_SECP256K1_ENABLED defined, but not its PSA counterpart" -#endif - -#endif /* MBEDTLS_PSA_CRYPTO_CONFIG || MBEDTLS_PSA_CRYPTO_C */ - /* Limitations on ECC key types acceleration: if we have any of `PUBLIC_KEY`, * `KEY_PAIR_BASIC`, `KEY_PAIR_IMPORT`, `KEY_PAIR_EXPORT` then we must have * all 4 of them. -- cgit v1.1 From 782667883a77abc7283b4cfc9b5fca0bb2badeb5 Mon Sep 17 00:00:00 2001 From: Matthias Schulz Date: Thu, 8 Feb 2024 13:54:48 +0100 Subject: Fix: - Remove unnecessary tests. - Update description of MBEDTLS_GCM_LARGETABLE parameter. - Move acceleration defines from gcm.h to gcm.c. - Remove unnecessary zero setting after shift. - Fix implementation for big-endian architectures. Signed-off-by: Matthias Schulz --- include/mbedtls/gcm.h | 5 ----- include/mbedtls/mbedtls_config.h | 3 +++ library/gcm.c | 39 +++++++++++++++++++++++++++------------ tests/scripts/all.sh | 39 --------------------------------------- 4 files changed, 30 insertions(+), 56 deletions(-) diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index f475710..2f9a2cd 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -33,11 +33,6 @@ #define MBEDTLS_GCM_ENCRYPT 1 #define MBEDTLS_GCM_DECRYPT 0 -#define MBEDTLS_GCM_ACC_SMALLTABLE 0 -#define MBEDTLS_GCM_ACC_LARGETABLE 1 -#define MBEDTLS_GCM_ACC_AESNI 2 -#define MBEDTLS_GCM_ACC_AESCE 3 - /** Authenticated decryption failed. */ #define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 /** Bad input parameters to function. */ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index f467737..18dbcd1 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2807,6 +2807,9 @@ * Can significantly increase throughput on systems without GCM hardware * acceleration (e.g., AESNI, AESCE). * + * The mbedtls_gcm_context size will increase by 3840 bytes. + * The code size will increase by roughly 344 bytes. + * * Module: library/gcm.c * * Requires: MBEDTLS_GCM_C diff --git a/library/gcm.c b/library/gcm.c index 4a01f5c..fc03acd 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -41,6 +41,12 @@ #if !defined(MBEDTLS_GCM_ALT) +/* Used to select the acceleration mechanism */ +#define MBEDTLS_GCM_ACC_SMALLTABLE 0 +#define MBEDTLS_GCM_ACC_LARGETABLE 1 +#define MBEDTLS_GCM_ACC_AESNI 2 +#define MBEDTLS_GCM_ACC_AESCE 3 + /* * Initialize a context */ @@ -253,17 +259,28 @@ static void gcm_mult_largetable(uint8_t *output, const uint8_t *x, uint64_t H[25 u64z[0] = 0; u64z[1] = 0; - for (i = 15; i > 0; i--) { - mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16); + if (MBEDTLS_IS_BIG_ENDIAN) { + for (i = 15; i > 0; i--) { + mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16); + rem = u8z[15]; - rem = u8z[15]; + u64z[1] >>= 8; + u8z[8] = u8z[7]; + u64z[0] >>= 8; - u64z[1] <<= 8; - u8z[8] = u8z[7]; - u64z[0] <<= 8; + u16z[0] ^= MBEDTLS_GET_UINT16_LE(&last8[rem], 0); + } + } else { + for (i = 15; i > 0; i--) { + mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16); + rem = u8z[15]; - u8z[0] = 0; - u16z[0] ^= last8[rem]; + u64z[1] <<= 8; + u8z[8] = u8z[7]; + u64z[0] <<= 8; + + u16z[0] ^= last8[rem]; + } } mbedtls_xor_no_simd(output, u8z, (uint8_t *) H[x[0]], 16); @@ -318,10 +335,8 @@ static void gcm_mult_smalltable(uint8_t *output, const uint8_t *x, uint64_t H[16 mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[hi], 16); } - MBEDTLS_PUT_UINT32_BE(u64z[0] >> 32, output, 0); - MBEDTLS_PUT_UINT32_BE(u64z[0], output, 4); - MBEDTLS_PUT_UINT32_BE(u64z[1] >> 32, output, 8); - MBEDTLS_PUT_UINT32_BE(u64z[1], output, 12); + MBEDTLS_PUT_UINT64_BE(u64z[0], output, 0); + MBEDTLS_PUT_UINT64_BE(u64z[1], output, 8); } #endif diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a21566c..5a61c3c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4950,45 +4950,6 @@ component_test_gcm_largetable () { make CFLAGS='-O2 -Werror -Wall -Wextra' - msg "test: default config + GCM_LARGETABLE - AESNI_C - AESCE_C" - make test -} - -component_test_gcm_largetable_gcc () { - msg "build: default config + GCM_LARGETABLE - AESNI_C - AESCE_C" - scripts/config.py set MBEDTLS_GCM_LARGETABLE - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_AESCE_C - - make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" - make test -} - -component_test_gcm_smalltable () { - msg "build: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" - scripts/config.py unset MBEDTLS_GCM_LARGETABLE - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_AESCE_C - - make CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" - make test -} - -component_test_gcm_smalltable_gcc () { - msg "build: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" - scripts/config.py unset MBEDTLS_GCM_LARGETABLE - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_AESCE_C - - make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra' - msg "test: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" make test } -- cgit v1.1 From afb2eee263a9fa2aae940e3ff19114194ed00167 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 8 Feb 2024 14:31:54 +0000 Subject: Add PKCS5/12 exceptions to analyze_block_cipher_dispatch Signed-off-by: Ryan Everett --- tests/scripts/analyze_outcomes.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 6503f9a..a54ece6 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -562,6 +562,18 @@ KNOWN_TASKS = { # but these are not available in the accelerated component. re.compile('Set( non-existent)? padding with (AES|CAMELLIA).*'), ], + 'test_suite_pkcs12': [ + # The en/decryption part of PKCS#12 is not yet supported. + # The rest of PKCS#12 (key derivation) works, though. + re.compile(r'PBE Encrypt, .*'), + re.compile(r'PBE Decrypt, .*'), + ], + 'test_suite_pkcs5': [ + # The en/decryption part of PKCS#5 is not yet supported. + # The rest of PKCS#5 (PBKDF2) works, though. + re.compile(r'PBES2 Encrypt, .*'), + re.compile(r'PBES2 Decrypt .*'), + ], 'test_suite_pkparse': [ # PEM (called by pkparse) requires AES_C in order to decrypt # the key, but this is not available in the accelerated -- cgit v1.1 From 75e65fe24b4ba67f92bcb44dec768e6b0f5aadfc Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 8 Feb 2024 15:43:02 +0000 Subject: Reformat AES encryption test data in pkcs5 tests The added comma is needed so that these tests match the regex exceptions in analyze_outcomes.py. Moved the Encryption tests so that they are separate to decryption. Signed-off-by: Ryan Everett --- tests/suites/test_suite_pkcs5.data | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 939c82f..52e6823 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data @@ -126,6 +126,18 @@ PBES2 Encrypt, pad=8 (PKCS7 padding disabled) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D5510101010101010101010101010101010":138:MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:"" +PBES2 Encrypt, AES-128-CBC (OK, generated with OpenSSL) +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e" + +PBES2 Encrypt, AES-192-CBC (OK, generated with OpenSSL) +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7 +pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94" + +PBES2 Encrypt, AES-256-CBC (OK, generated with OpenSSL) +depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7 +pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302706092A864886F70D01050C301a0408010203040506070802022710300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" + PBES2 Decrypt (OK) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FD980E1C5741FC0DB7":144:0:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF" @@ -142,18 +154,6 @@ PBES2 Decrypt (Invalid padding & PKCS7 padding enabled) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FDA3488A7144097565":144:MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060607" -PBES2 Encrypt AES-128-CBC (OK, generated with OpenSSL) -depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e" - -PBES2 Encrypt AES-192-CBC (OK, generated with OpenSSL) -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7 -pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94" - -PBES2 Encrypt AES-256-CBC (OK, generated with OpenSSL) -depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7 -pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302706092A864886F70D01050C301a0408010203040506070802022710300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566" - PBES2 Decrypt AES-128-CBC (OK, generated with OpenSSL) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629" -- cgit v1.1 From f3116341e2a2ee5b86346e32489857098324a837 Mon Sep 17 00:00:00 2001 From: Matthias Schulz <140500342+mschulz-at-hilscher@users.noreply.github.com> Date: Thu, 8 Feb 2024 18:35:36 +0100 Subject: spelling Co-authored-by: Dave Rodgman Signed-off-by: Matthias Schulz <140500342+mschulz-at-hilscher@users.noreply.github.com> --- include/mbedtls/mbedtls_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 18dbcd1..bf11377 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2803,7 +2803,7 @@ /** * \def MBEDTLS_GCM_LARGETABLE * - * Enable large precomputer tables for Galois/Counter Mode (GCM). + * Enable large pre-computed tables for Galois/Counter Mode (GCM). * Can significantly increase throughput on systems without GCM hardware * acceleration (e.g., AESNI, AESCE). * -- cgit v1.1 From 0e690d3c0b350f285eaad4a5833c91feb76fe254 Mon Sep 17 00:00:00 2001 From: Matthias Schulz Date: Thu, 8 Feb 2024 18:37:20 +0100 Subject: Add changelog. Signed-off-by: Matthias Schulz --- ChangeLog.d/gcm-large-tables.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/gcm-large-tables.txt diff --git a/ChangeLog.d/gcm-large-tables.txt b/ChangeLog.d/gcm-large-tables.txt new file mode 100644 index 0000000..84f9c14 --- /dev/null +++ b/ChangeLog.d/gcm-large-tables.txt @@ -0,0 +1,4 @@ +Features + * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM + operations when hardware accelerated AES is not present (27-34% on 64-bit + Intel, 125-127% on ARMv7) -- cgit v1.1 From 4a9610bffede9b709453d3200e1e15b35beb82b8 Mon Sep 17 00:00:00 2001 From: Matthias Schulz Date: Thu, 8 Feb 2024 18:39:17 +0100 Subject: Remove comments referencing private defines. Signed-off-by: Matthias Schulz --- include/mbedtls/gcm.h | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index 2f9a2cd..745cd28 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -70,11 +70,7 @@ typedef struct mbedtls_gcm_context { unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform: #MBEDTLS_GCM_ENCRYPT or #MBEDTLS_GCM_DECRYPT. */ - unsigned char MBEDTLS_PRIVATE(acceleration); /*!< The acceleration to use: - #MBEDTLS_GCM_ACC_SMALLTABLE, - #MBEDTLS_GCM_ACC_LARGETABLE, - #MBEDTLS_GCM_ACC_AESNI, - #MBEDTLS_GCM_ACC_AESCE */ + unsigned char MBEDTLS_PRIVATE(acceleration); /*!< The acceleration to use. */ } mbedtls_gcm_context; -- cgit v1.1 From ac60afc2d295cc1d0ac2b46f3e04a1c5ea7ead7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 8 Feb 2024 18:45:56 +0100 Subject: Remove useless overly strong dependency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ECJPAKE_C only needs MD_LIGHT and it allready auto-enables it in config_adjust_legacy_crypto.h, so nothing to check here. Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- include/mbedtls/check_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 429bf3e..a7a346f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -166,7 +166,7 @@ #endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_ECJPAKE_C) && \ - (!defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C)) + !defined(MBEDTLS_ECP_C) #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites" #endif -- cgit v1.1 From 9de84bd67775e05fabca1907cd9f2ea33078d99a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 8 Feb 2024 17:40:27 +0100 Subject: rsa: reject buffers with data outside main SEQUENCE when parsing keys Signed-off-by: Valerio Setti --- library/rsa.c | 10 ++++++++-- tests/suites/test_suite_psa_crypto.data | 4 ++-- tests/suites/test_suite_rsa.data | 6 +++--- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index f4c0862..2c33869 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -108,7 +108,10 @@ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, si return ret; } - /* mbedtls_asn1_get_tag() already ensures that len is valid (i.e. p+len <= end)*/ + if (end != p + len) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } + end = p + len; if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { @@ -241,7 +244,10 @@ int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, return ret; } - /* mbedtls_asn1_get_tag() already ensures that len is valid (i.e. p+len <= end)*/ + if (end != p + len) { + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + } + end = p + len; /* Import N */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 34af94a..dc43599 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -106,7 +106,7 @@ import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa24 PSA import/export RSA keypair: trailing garbage ignored depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT -import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:-1:PSA_SUCCESS:0 +import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT PSA import/export RSA public key: good, 1024-bit, opaque depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:PSA_CRYPTO_DRIVER_TEST @@ -158,7 +158,7 @@ import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa24 PSA import/export RSA keypair: trailing garbage ignored, opaque depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST -import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:-1:PSA_SUCCESS:0 +import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT PSA import RSA keypair: truncated depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index b89d158..1964b32 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -662,7 +662,7 @@ RSA parse private key - correct values, extra integer inside the SEQUENCE rsa_parse_pkcs1_key:0:"3066020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c020100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH RSA parse private key - correct values, extra integer outside the SEQUENCE -rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c020100":0 +rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c020100":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse private key - correct values, n wrong tag rsa_parse_pkcs1_key:0:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG @@ -707,7 +707,7 @@ RSA parse public key - public exponent 0 rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203000000":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse public key - wrong sequence length -rsa_parse_pkcs1_key:1:"308188028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_OUT_OF_DATA +rsa_parse_pkcs1_key:1:"308188028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA parse public key - wrong modulus length rsa_parse_pkcs1_key:1:"308189028180009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG @@ -725,7 +725,7 @@ RSA parse public key - correct values, extra integer inside the SEQUENCE rsa_parse_pkcs1_key:1:"30818c028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH RSA parse public key - correct values, extra integer outside the SEQUENCE -rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":0 +rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA priv key write - incremental output buffer size rsa_key_write_incremental:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c" -- cgit v1.1 From b1f6d2ad6fa2621772d35bda1835d8b0e1fa1d02 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 8 Feb 2024 17:41:45 +0100 Subject: asn1: enable mbedtls_asn1_get_tag() when PEM_PARSE_C is defined Signed-off-by: Valerio Setti --- include/mbedtls/asn1.h | 5 +++-- library/asn1parse.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index ff019f4..d8ee469 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -198,7 +198,7 @@ typedef struct mbedtls_asn1_named_data { mbedtls_asn1_named_data; #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ - defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) || defined(MBEDTLS_PEM_PARSE_C) /** * \brief Get the length of an ASN.1 element. * Updates the pointer to immediately behind the length. @@ -245,7 +245,8 @@ int mbedtls_asn1_get_len(unsigned char **p, int mbedtls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len, int tag); -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || + MBEDTLS_PSA_UTIL_HAVE_ECDSA || MBEDTLS_PEM_PARSE_C */ #if defined(MBEDTLS_ASN1_PARSE_C) /** diff --git a/library/asn1parse.c b/library/asn1parse.c index e33fdf7..644b43b 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -8,7 +8,7 @@ #include "common.h" #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ - defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) || defined(MBEDTLS_PEM_PARSE_C) #include "mbedtls/asn1.h" #include "mbedtls/platform_util.h" @@ -74,7 +74,8 @@ int mbedtls_asn1_get_tag(unsigned char **p, return mbedtls_asn1_get_len(p, end, len); } -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || + MBEDTLS_PSA_UTIL_HAVE_ECDSA || MBEDTLS_PEM_PARSE_C */ #if defined(MBEDTLS_ASN1_PARSE_C) int mbedtls_asn1_get_bool(unsigned char **p, -- cgit v1.1 From 2653e92a578fbe027579150b8c94f2a5d36baf48 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 8 Feb 2024 17:51:00 +0100 Subject: pem: fix valid data length returned by mbedtls_pem_read_buffer() ctx->buflen now returns the amount of valid data in ctx->buf. Unencrypted buffers were already ok, but encrypted ones were used to return the length of the encrypted buffer, not the unencrypted one. This commit fix this behavior for encrypted buffers. Signed-off-by: Valerio Setti --- include/mbedtls/pem.h | 6 +++--- library/pem.c | 20 +++++++++++++------- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index cc617a9..3c6a28d 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -73,11 +73,11 @@ void mbedtls_pem_init(mbedtls_pem_context *ctx); * \param data source data to look in (must be nul-terminated) * \param pwd password for decryption (can be NULL) * \param pwdlen length of password - * \param use_len destination for total length used (set after header is - * correctly read, so unless you get + * \param use_len destination for total length used from data buffer. It is + * set after header is correctly read, so unless you get * MBEDTLS_ERR_PEM_BAD_INPUT_DATA or * MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is - * the length to skip) + * the length to skip. * * \note Attempts to check password correctness by verifying if * the decrypted text starts with an ASN.1 sequence of diff --git a/library/pem.c b/library/pem.c index 539134c..7e7f86f 100644 --- a/library/pem.c +++ b/library/pem.c @@ -17,6 +17,7 @@ #include "mbedtls/cipher.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "mbedtls/asn1.h" #include @@ -431,15 +432,20 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const } /* - * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3 - * length bytes (allow 4 to be sure) in all known use cases. - * - * Use that as a heuristic to try to detect password mismatches. + * The result will be ASN.1 starting with a SEQUENCE tag. Parse it + * with ASN.1 functions in order to: + * - Have an heuristic guess about password mismatches. + * - Update len variable to the amount of valid data inside buf. */ - if (len <= 2 || buf[0] != 0x30 || buf[1] > 0x83) { - mbedtls_zeroize_and_free(buf, len); - return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH; + unsigned char *p = buf; + ret = mbedtls_asn1_get_tag(&p, buf + len, &len, + MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED); + if (ret != 0) { + mbedtls_free(buf); + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret); } + /* Add also the sequence block (tag + len) to the total amount of valid data. */ + len += (p - buf); #else mbedtls_zeroize_and_free(buf, len); return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE; -- cgit v1.1 From 010d23f9af824f58910cf3898ce4e6da5ea0ea35 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 8 Feb 2024 17:56:03 +0100 Subject: test_suite_[pkparse|x509parse]: fix return values of some PEM related error tests Signed-off-by: Valerio Setti --- tests/suites/test_suite_pkparse.data | 2 +- tests/suites/test_suite_x509parse.data | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 762fd52..5b2dbb9 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -8,7 +8,7 @@ pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLTest":0 Parse RSA Key #3 (Wrong password) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C -pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG Parse RSA Key #4 (DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index b9ae20c..2b0920d 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1774,7 +1774,7 @@ x509parse_crt:"307d3068a0030201008204deadbeef300d06092a864886f70d01010b0500300c3 X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring length) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_OUT_OF_DATA +x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring tag) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -- cgit v1.1 From 7fdee8b7102d5525ef3d331b76b6c9b86cd4d8d9 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Feb 2024 09:26:12 +0100 Subject: ssl_session: Reorder some fields to reduce padding Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index f4b96d8..d8cc76f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1194,12 +1194,12 @@ struct mbedtls_ssl_session { #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ unsigned char MBEDTLS_PRIVATE(exported); + uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ /** TLS version negotiated in the session. Used if and when renegotiating * or resuming a session instead of the configured minor TLS version. */ mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version); - uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ #if defined(MBEDTLS_HAVE_TIME) mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< start time of current session */ @@ -1250,9 +1250,9 @@ struct mbedtls_ssl_session { #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) - uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */ - uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */ - uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */ + uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */ + uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */ + uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */ unsigned char MBEDTLS_PRIVATE(resumption_key)[MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN]; #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C) -- cgit v1.1 From c7fa82ee3318941eddf73ee757464c0ca29e315c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Feb 2024 09:33:09 +0100 Subject: tests: ssl: Improve test parameter sanity check Signed-off-by: Ronald Cron --- tests/src/test_helpers/ssl_helpers.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index c0c5ca4..1b6f060 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -1645,8 +1645,11 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, session->start = mbedtls_time(NULL) - 42; #endif session->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; - session->endpoint = endpoint_type == MBEDTLS_SSL_IS_CLIENT ? - MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER; + + TEST_ASSERT(endpoint_type == MBEDTLS_SSL_IS_CLIENT || + endpoint_type == MBEDTLS_SSL_IS_SERVER); + + session->endpoint = endpoint_type; session->ciphersuite = 0xabcd; session->id_len = sizeof(session->id); memset(session->id, 66, session->id_len); @@ -1739,6 +1742,7 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, session->encrypt_then_mac = 1; #endif +exit: return 0; } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -- cgit v1.1 From 7b0ac0b98087c209cae540576d4d4a8a9e0f8743 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Feb 2024 09:50:18 +0100 Subject: Add change log for mbedtls_ssl_session_get_ticket_creation_time() Signed-off-by: Ronald Cron --- ChangeLog.d/get_ticket_creation_time.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/get_ticket_creation_time.txt diff --git a/ChangeLog.d/get_ticket_creation_time.txt b/ChangeLog.d/get_ticket_creation_time.txt new file mode 100644 index 0000000..7b5166c --- /dev/null +++ b/ChangeLog.d/get_ticket_creation_time.txt @@ -0,0 +1,3 @@ +Features + * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access + `mbedtls_ssl_session.ticket_creation_time`. -- cgit v1.1 From a93e25e7499eb672a71f409ab124d753a24b3a32 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Feb 2024 10:01:30 +0100 Subject: tls12: Fix documentation of TLS 1.2 session serialized data Signed-off-by: Ronald Cron --- library/ssl_tls.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 806cc03..e57bee2 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8941,19 +8941,24 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( /* Serialization of TLS 1.2 sessions: * * struct { - * uint64 start_time; - * uint8 session_id_len; // at most 32 - * opaque session_id[32]; - * opaque master[48]; // fixed length in the standard - * uint32 verify_result; - * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert - * opaque ticket<0..2^24-1>; // length 0 means no ticket - * uint32 ticket_lifetime; - * uint64 ticket_creation_time; - * uint8 mfl_code; // up to 255 according to standard - * uint8 encrypt_then_mac; // 0 or 1 - * } serialized_session_tls12; + * opaque ticket<0..2^24-1>; // length 0 means no ticket + * uint32 ticket_lifetime; + * } ClientOnlyData; * + * struct { + * uint64 start_time; + * uint8 session_id_len; // at most 32 + * opaque session_id[32]; + * opaque master[48]; // fixed length in the standard + * uint32 verify_result; + * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert + * select (endpoint) { + * case client: ClientOnlyData; + * case server: uint64 ticket_creation_time; + * }; + * uint8 mfl_code; // up to 255 according to standard + * uint8 encrypt_then_mac; // 0 or 1 + * } serialized_session_tls12; */ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, unsigned char *buf, -- cgit v1.1 From cdf9894e604c40071bee2bcc6177cc31e148f214 Mon Sep 17 00:00:00 2001 From: Matthias Schulz <140500342+mschulz-at-hilscher@users.noreply.github.com> Date: Fri, 9 Feb 2024 11:11:38 +0100 Subject: Ajdusted change log. Co-authored-by: Dave Rodgman Signed-off-by: Matthias Schulz <140500342+mschulz-at-hilscher@users.noreply.github.com> --- ChangeLog.d/gcm-large-tables.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/gcm-large-tables.txt b/ChangeLog.d/gcm-large-tables.txt index 84f9c14..f9bba5b 100644 --- a/ChangeLog.d/gcm-large-tables.txt +++ b/ChangeLog.d/gcm-large-tables.txt @@ -1,4 +1,4 @@ Features * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM - operations when hardware accelerated AES is not present (27-34% on 64-bit - Intel, 125-127% on ARMv7) + operations when hardware accelerated AES is not present. Improves + performance by around 30% on 64-bit Intel; 125% on Armv7-M. -- cgit v1.1 From 10902c56405f73614ab4f4cbf4961639fa9206aa Mon Sep 17 00:00:00 2001 From: Matthias Schulz <140500342+mschulz-at-hilscher@users.noreply.github.com> Date: Fri, 9 Feb 2024 11:14:50 +0100 Subject: Use NULL for pointer initialization Co-authored-by: Dave Rodgman Signed-off-by: Matthias Schulz <140500342+mschulz-at-hilscher@users.noreply.github.com> --- library/gcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/gcm.c b/library/gcm.c index fc03acd..d7acace 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -304,7 +304,7 @@ static void gcm_mult_smalltable(uint8_t *output, const uint8_t *x, uint64_t H[16 int i = 0; unsigned char lo, hi, rem; uint64_t u64z[2]; - const uint64_t *pu64z = 0; + const uint64_t *pu64z = NULL; uint8_t *u8z = (uint8_t *) u64z; lo = x[15] & 0xf; -- cgit v1.1 From 67f35688954e7920b58a5765942154da82a64cca Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Fri, 9 Feb 2024 13:02:23 +0000 Subject: Reduce analyze_block_cipher_dispatch exceptions Signed-off-by: Ryan Everett --- tests/scripts/analyze_outcomes.py | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index a54ece6..8c7f21f 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -562,17 +562,10 @@ KNOWN_TASKS = { # but these are not available in the accelerated component. re.compile('Set( non-existent)? padding with (AES|CAMELLIA).*'), ], - 'test_suite_pkcs12': [ - # The en/decryption part of PKCS#12 is not yet supported. - # The rest of PKCS#12 (key derivation) works, though. - re.compile(r'PBE Encrypt, .*'), - re.compile(r'PBE Decrypt, .*'), - ], 'test_suite_pkcs5': [ - # The en/decryption part of PKCS#5 is not yet supported. + # The AES part of PKCS#5 PBES2 is not yet supported. # The rest of PKCS#5 (PBKDF2) works, though. - re.compile(r'PBES2 Encrypt, .*'), - re.compile(r'PBES2 Decrypt .*'), + re.compile(r'PBES2 .* AES-.*') ], 'test_suite_pkparse': [ # PEM (called by pkparse) requires AES_C in order to decrypt -- cgit v1.1 From 7fee4f731895aa13a11dd353ead4ee9e9e260e9e Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Fri, 9 Feb 2024 14:11:27 +0000 Subject: Fix mutex unlock error handling in psa_destroy_key Signed-off-by: Ryan Everett --- library/psa_crypto.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9d7b72f..27ea3b8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1167,17 +1167,19 @@ exit: /* Unregister from reading the slot. If we are the last active reader * then this will wipe the slot. */ status = psa_unregister_read(slot); + /* Prioritize CORRUPTION_DETECTED from unregistering over + * a storage error. */ + if (status != PSA_SUCCESS) { + overall_status = status; + } #if defined(MBEDTLS_THREADING_C) + /* Don't overwrite existing errors if the unlock fails. */ + status = overall_status; PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( &mbedtls_threading_key_slot_mutex)); #endif - /* Prioritize CORRUPTION_DETECTED from unregistering or - * SERVICE_FAILURE from unlocking over a storage error. */ - if (status != PSA_SUCCESS) { - overall_status = status; - } return overall_status; } -- cgit v1.1 From 9dc076b4f49ceedb2bfae13c74ae58c3251d1a95 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Fri, 9 Feb 2024 14:20:09 +0000 Subject: Fix issue with lock failures returning CORRUPTION_DETECTED Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 9890de6..dc38662 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -529,6 +529,9 @@ psa_status_t psa_close_key(psa_key_handle_t handle) } #if defined(MBEDTLS_THREADING_C) + /* We need to set status as success, otherwise CORRUPTION_DETECTED + * would be returned if the lock fails. */ + status = PSA_SUCCESS; PSA_THREADING_CHK_RET(mbedtls_mutex_lock( &mbedtls_threading_key_slot_mutex)); #endif @@ -563,6 +566,9 @@ psa_status_t psa_purge_key(mbedtls_svc_key_id_t key) psa_key_slot_t *slot; #if defined(MBEDTLS_THREADING_C) + /* We need to set status as success, otherwise CORRUPTION_DETECTED + * would be returned if the lock fails. */ + status = PSA_SUCCESS; PSA_THREADING_CHK_RET(mbedtls_mutex_lock( &mbedtls_threading_key_slot_mutex)); #endif -- cgit v1.1 From 5d2bcc63cd24f28006e22fa641c9ce7eabf76a1d Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 9 Feb 2024 14:41:24 +0000 Subject: Fix typo / improve documentation for test step fns Signed-off-by: Paul Elliott --- tests/include/test/helpers.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 4e59e20..d08100f 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -116,10 +116,10 @@ int mbedtls_test_get_line_no(void); /** * \brief Increment the current test step. * - * \note Calling this function from within multiple threads at the - * same time is not recommended - whilst it is entirely thread - * safe, the order of calls to this function can obviously not - * be ensured, so unexpected results may occur. + * \note It is not recommended for multiple threads to call this + * function concurrently - whilst it is entirely thread safe, + * the order of calls to this function can obviously not be + * ensured, so unexpected results may occur. */ void mbedtls_test_increment_step(void); @@ -231,10 +231,10 @@ void mbedtls_test_skip(const char *test, int line_no, const char *filename); * "step number" is the index of a for loop but it can be * whatever you want. * - * \note Calling this function from a within multiple threads at the - * same time is not recommended - whilst it is entirely thread - * safe, the order of calls to this function can obviously not - * be ensured, so unexpected results may occur. + * \note It is not recommended for multiple threads to call this + * function concurrently - whilst it is entirely thread safe, + * the order of calls to this function can obviously not be + * ensured, so unexpected results may occur. * * \param step The step number to report. */ -- cgit v1.1 From a6ac0f1330f427362a349af4fb2560636b6fe023 Mon Sep 17 00:00:00 2001 From: Matthias Schulz Date: Fri, 9 Feb 2024 17:09:42 +0100 Subject: Replaced MBEDTLS_GCM_LARGETABLE by MBEDTLS_GCM_LARGE_TABLE. Removed empty comment line in doc block. Signed-off-by: Matthias Schulz --- include/mbedtls/gcm.h | 2 +- include/mbedtls/mbedtls_config.h | 5 ++--- library/gcm.c | 8 ++++---- tests/scripts/all.sh | 6 +++--- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index 745cd28..98faa43 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -46,7 +46,7 @@ extern "C" { #if !defined(MBEDTLS_GCM_ALT) -#if defined(MBEDTLS_GCM_LARGETABLE) +#if defined(MBEDTLS_GCM_LARGE_TABLE) #define MBEDTLS_GCM_HTABLE_SIZE 256 #else #define MBEDTLS_GCM_HTABLE_SIZE 16 diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index bf11377..ada6204 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2801,7 +2801,7 @@ #define MBEDTLS_GCM_C /** - * \def MBEDTLS_GCM_LARGETABLE + * \def MBEDTLS_GCM_LARGE_TABLE * * Enable large pre-computed tables for Galois/Counter Mode (GCM). * Can significantly increase throughput on systems without GCM hardware @@ -2813,9 +2813,8 @@ * Module: library/gcm.c * * Requires: MBEDTLS_GCM_C - * */ -//#define MBEDTLS_GCM_LARGETABLE +//#define MBEDTLS_GCM_LARGE_TABLE /** * \def MBEDTLS_HKDF_C diff --git a/library/gcm.c b/library/gcm.c index d7acace..90c1d1d 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -57,7 +57,7 @@ void mbedtls_gcm_init(mbedtls_gcm_context *ctx) static inline void gcm_set_acceleration(mbedtls_gcm_context *ctx) { -#if defined(MBEDTLS_GCM_LARGETABLE) +#if defined(MBEDTLS_GCM_LARGE_TABLE) ctx->acceleration = MBEDTLS_GCM_ACC_LARGETABLE; #else ctx->acceleration = MBEDTLS_GCM_ACC_SMALLTABLE; @@ -138,7 +138,7 @@ static int gcm_gen_table(mbedtls_gcm_context *ctx) gcm_gen_table_rightshift(ctx->H[i], ctx->H[i*2]); } -#if !defined(MBEDTLS_GCM_LARGETABLE) +#if !defined(MBEDTLS_GCM_LARGE_TABLE) /* pack elements of H as 64-bits ints, big-endian */ for (i = MBEDTLS_GCM_HTABLE_SIZE/2; i > 0; i >>= 1) { MBEDTLS_PUT_UINT64_BE(ctx->H[i][0], &ctx->H[i][0], 0); @@ -212,7 +212,7 @@ int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx, return 0; } -#if defined(MBEDTLS_GCM_LARGETABLE) +#if defined(MBEDTLS_GCM_LARGE_TABLE) static const uint16_t last8[256] = { 0x0000, 0xc201, 0x8403, 0x4602, 0x0807, 0xca06, 0x8c04, 0x4e05, 0x100e, 0xd20f, 0x940d, 0x560c, 0x1809, 0xda08, 0x9c0a, 0x5e0b, @@ -360,7 +360,7 @@ static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16], break; #endif -#if defined(MBEDTLS_GCM_LARGETABLE) +#if defined(MBEDTLS_GCM_LARGE_TABLE) case MBEDTLS_GCM_ACC_LARGETABLE: gcm_mult_largetable(output, x, ctx->H); break; diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5a61c3c..736d944 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4942,15 +4942,15 @@ component_test_aes_only_128_bit_keys_have_builtins () { } component_test_gcm_largetable () { - msg "build: default config + GCM_LARGETABLE - AESNI_C - AESCE_C" - scripts/config.py set MBEDTLS_GCM_LARGETABLE + msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C" + scripts/config.py set MBEDTLS_GCM_LARGE_TABLE scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C make CFLAGS='-O2 -Werror -Wall -Wextra' - msg "test: default config - GCM_LARGETABLE - AESNI_C - AESCE_C" + msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" make test } -- cgit v1.1 From 4ade8ee5b96a0cb0331efa2e2dd2b795fc2cb2cd Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 9 Feb 2024 17:44:07 +0100 Subject: test_suite_pem: more tests for ASN.1 parsing after decoding Signed-off-by: Valerio Setti --- tests/suites/test_suite_pem.data | 13 +++++++++++++ tests/suites/test_suite_pem.function | 1 + 2 files changed, 14 insertions(+) diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index a4dff45..32d3c27 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -49,3 +49,16 @@ mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KE PEM read (malformed PEM AES-128-CBC) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:"" + +# The output sequence's length is not multiple of block size (16 bytes). This +# proves that the pem_context->len value is properly updated based on the SEQUENCE +# length read from the decoded ASN.1 data (i.e. extra padding, if any, is ignored). +PEM read (valid EC key encoded with AES-128-CBC) +depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,151F851B6A7F3FBDAA5B7173117D0127\n\nLw+0OM+0Bwcl+ls/vxQbLrVshGc7bsNPvvtj2sJeMFFEq3V1mj/IO++0KK/CDhMH\nh6CZPsmgVOeM5uFpqYaq0fJbUduN2eDMWszWRm0SFkY=\n-----END EC PRIVATE KEY-----":"pwdpwd":0:"3041020101040f00d8023c809afd45e426d1a4dbe0ffa00706052b81040004a1220320000400da1ecfa53d528237625e119e2e0500d2eb671724f16deb6a63749516b7" + +# The text "hello world" (which is clearly not a valid ASN.1 SEQUENCE) is encoded +# with AES-128-CBC to prove that ASN.1 parsing after decoding fails. +PEM read (Invalid SEQUENCE encoded with AES-128-CBC) +depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,765FCB151B573FC9E5FB3A0E5A198785\n\nU2FsdGVkX1/+Vl2WMhEy3zcdg14R+flkg/pW4ei4d0I=\n-----END EC PRIVATE KEY-----":"pwdpwd":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:"" diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function index 413dc55..2acc16e 100644 --- a/tests/suites/test_suite_pem.function +++ b/tests/suites/test_suite_pem.function @@ -3,6 +3,7 @@ #include "mbedtls/pem.h" #include "mbedtls/des.h" #include "mbedtls/aes.h" +#include "mbedtls/asn1.h" /* END_HEADER */ /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */ -- cgit v1.1 From 48b87ebde37d55af636e1f778e39d9263fe6d8e6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 7 Feb 2024 18:40:25 +0100 Subject: Choose a curve for tests at compile time This makes it possible to use the curve in test data. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 135 ++++++++++++++++++++---------------- 1 file changed, 77 insertions(+), 58 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 2574307..9c088e1 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -36,29 +36,85 @@ #define MBEDTLS_TEST_PK_PSA_SIGN #endif -/* MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE is enabled when PSA supports - * at least one elliptic curve. This is distinct from - * PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY because that symbol can be enabled even - * when there are no curves. This happens in particular in a configuration - * with MBEDTLS_PSA_CRYPTO_CONFIG disabled and where the only legacy curve - * is secp224k1, which is not supported in PSA. */ #if defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) -#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) || \ - defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) || \ - defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) || \ - defined(PSA_WANT_ECC_MONTGOMERY_255) || \ - defined(PSA_WANT_ECC_MONTGOMERY_448) || \ - defined(PSA_WANT_ECC_SECP_K1_192) || \ - defined(PSA_WANT_ECC_SECP_K1_224) || \ - defined(PSA_WANT_ECC_SECP_K1_256) || \ - defined(PSA_WANT_ECC_SECP_R1_192) || \ - defined(PSA_WANT_ECC_SECP_R1_224) || \ - defined(PSA_WANT_ECC_SECP_R1_256) || \ - defined(PSA_WANT_ECC_SECP_R1_384) || \ - defined(PSA_WANT_ECC_SECP_R1_521) +/* Pick an elliptic curve that's supported by PSA. Note that the curve is + * not guaranteed to be supported by the ECP module. + * + * This should always find a curve if ECC is enabled in the build, except in + * one edge case: in a build with MBEDTLS_PSA_CRYPTO_CONFIG disabled and + * where the only legacy curve is secp224k1, which is not supported in PSA, + * PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY ends up enabled but PSA does not + * support any curve. + */ + +/* First try all the curves that can do both ECDSA and ECDH, then try + * the ECDH-only curves. (There are no curves that can do ECDSA but not ECDH.) + * This way, if ECDSA is enabled then the curve that's selected here will + * be ECDSA-capable, and likewise for ECDH. */ +#if defined(PSA_WANT_ECC_SECP_R1_192) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192R1 +#elif defined(PSA_WANT_ECC_SECP_R1_224) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 224 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224R1 +#elif defined(PSA_WANT_ECC_SECP_R1_256) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256R1 +#elif defined(PSA_WANT_ECC_SECP_R1_384) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 384 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP384R1 +#elif defined(PSA_WANT_ECC_SECP_R1_521) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 521 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP521R1 +#elif defined(PSA_WANT_ECC_SECP_K1_192) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192K1 +#elif defined(PSA_WANT_ECC_SECP_K1_224) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 224 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224K1 +#elif defined(PSA_WANT_ECC_SECP_K1_256) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256K1 +#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP256R1 +#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 384 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP384R1 +#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 512 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP512R1 +#elif defined(PSA_WANT_ECC_MONTGOMERY_255) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 255 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE25519 +#elif defined(PSA_WANT_ECC_MONTGOMERY_448) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 448 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE448 +#endif /* curve selection */ + +#if defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY) #define MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +#else +/* Always define the macros so that we can use them in test data. */ +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY 0 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 0 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE 0 #endif -#endif + +#endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */ #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) @@ -211,43 +267,6 @@ size_t mbedtls_rsa_key_len_func(void *ctx) } #endif /* MBEDTLS_RSA_C */ -#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) -static mbedtls_ecp_group_id ecc_pick_grp_id(void) -{ -#if defined(MBEDTLS_ECP_LIGHT) - return mbedtls_ecp_grp_id_list()[0]; -#elif defined(PSA_WANT_ECC_SECP_R1_192) - return MBEDTLS_ECP_DP_SECP192R1; -#elif defined(PSA_WANT_ECC_SECP_R1_224) - return MBEDTLS_ECP_DP_SECP224R1; -#elif defined(PSA_WANT_ECC_SECP_R1_256) - return MBEDTLS_ECP_DP_SECP256R1; -#elif defined(PSA_WANT_ECC_SECP_R1_384) - return MBEDTLS_ECP_DP_SECP384R1; -#elif defined(PSA_WANT_ECC_SECP_R1_521) - return MBEDTLS_ECP_DP_SECP521R1; -#elif defined(PSA_WANT_ECC_SECP_K1_192) - return MBEDTLS_ECP_DP_SECP192K1; -#elif defined(PSA_WANT_ECC_SECP_K1_224) - return MBEDTLS_ECP_DP_SECP224K1; -#elif defined(PSA_WANT_ECC_SECP_K1_256) - return MBEDTLS_ECP_DP_SECP256K1; -#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) - return MBEDTLS_ECP_DP_BP256R1; -#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) - return MBEDTLS_ECP_DP_BP384R1; -#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) - return MBEDTLS_ECP_DP_BP512R1; -#elif defined(PSA_WANT_ECC_MONTGOMERY_255) - return MBEDTLS_ECP_DP_CURVE25519; -#elif defined(PSA_WANT_ECC_MONTGOMERY_448) - return MBEDTLS_ECP_DP_CURVE448; -#else - return 0; -#endif -} -#endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) */ - #if defined(MBEDTLS_PSA_CRYPTO_C) static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, mbedtls_pk_context *pk, psa_key_type_t *psa_type) @@ -291,7 +310,7 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, case MBEDTLS_PK_ECKEY_DH: case MBEDTLS_PK_ECDSA: { - mbedtls_ecp_group_id grp_id = ecc_pick_grp_id(); + mbedtls_ecp_group_id grp_id = MBEDTLS_TEST_ECP_DP_ONE_CURVE; size_t bits; *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits)); TEST_EQUAL(pk_genkey(pk, grp_id), 0); -- cgit v1.1 From 05ee3fbdc013e99de876e4740a6d34eaf025759e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 7 Feb 2024 18:58:10 +0100 Subject: mbedtls_pk_import_into_psa: documentation Signed-off-by: Gilles Peskine --- ChangeLog.d/mbedtls_pk_import_into_psa.txt | 4 +++ include/mbedtls/pk.h | 48 ++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 ChangeLog.d/mbedtls_pk_import_into_psa.txt diff --git a/ChangeLog.d/mbedtls_pk_import_into_psa.txt b/ChangeLog.d/mbedtls_pk_import_into_psa.txt new file mode 100644 index 0000000..c294f44 --- /dev/null +++ b/ChangeLog.d/mbedtls_pk_import_into_psa.txt @@ -0,0 +1,4 @@ +Features + * The new functions mbedtls_pk_get_psa_attributes() and + mbedtls_pk_import_into_psa() provide a uniform way to create a PSA + key from a PK key. diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 66f3901..b5d65e3 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -599,6 +599,54 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, psa_key_usage_t usage, psa_key_attributes_t *attributes); + +/** + * \brief Import a key into the PSA key store. + * + * This function is equivalent to calling psa_import_key() + * with the key material from \p pk. + * + * The typical way to use this function is: + * -# Call mbedtls_pk_get_psa_attributes() to obtain + * attributes for the given key. + * -# If desired, modify the attributes, for example: + * - To create a persistent key, call + * psa_set_key_identifier() and optionally + * psa_set_key_lifetime(). + * - To import only the public part of a key pair: + * ``` + * psa_set_key_type(&attributes, + * PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( + * psa_get_key_type(&attributes))); + * ``` + * - Restrict the key usage if desired. + * -# Call mbedtls_pk_import_into_psa(). + * + * \note This function does not support RSA-alt contexts + * (set up with mbedtls_pk_setup_rsa_alt()). + * + * \param[in] pk The PK context to use. It must have been set up. + * It can either contain a key pair or just a public key. + * \param[in] attributes + * The attributes to use for the new key. They must be + * compatible with \p pk. In particular, the key type + * must match the content of \p pk. + * If \p pk contains a key pair, the key type in + * attributes can be either the key pair type or the + * corresponding public key type (to import only the + * public part). + * \param[out] key_id + * On success, the identifier of the newly created key. + * On error, this is #MBEDTLS_SVC_KEY_ID_INIT. + * + * \return 0 on success. + * #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain + * a key of the type identified in \p attributes. + * Another error code on other failures. + */ +int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, + const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *key_id); #endif /* MBEDTLS_PSA_CRYPTO_C */ /** -- cgit v1.1 From 2b20ff62fc8c5fbb73d0c796f69edd063edccf33 Mon Sep 17 00:00:00 2001 From: PiotrBzdrega Date: Sun, 11 Feb 2024 01:56:45 +0100 Subject: move entropy init prior arguments number recognition Signed-off-by: PiotrBzdrega --- programs/pkey/gen_key.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 6914c93..26453cc 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -248,7 +248,7 @@ int main(int argc, char *argv[]) mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP); mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP); #endif /* MBEDTLS_RSA_C */ - + mbedtls_entropy_init(&entropy); mbedtls_pk_init(&key); mbedtls_ctr_drbg_init(&ctr_drbg); memset(buf, 0, sizeof(buf)); @@ -336,7 +336,6 @@ usage: mbedtls_printf("\n . Seeding the random number generator..."); fflush(stdout); - mbedtls_entropy_init(&entropy); #if !defined(_WIN32) && defined(MBEDTLS_FS_IO) if (opt.use_dev_random) { if ((ret = mbedtls_entropy_add_source(&entropy, dev_random_entropy_poll, -- cgit v1.1 From f6a9cfa5d201cc588171fe879577c57a26b58b2a Mon Sep 17 00:00:00 2001 From: PiotrBzdrega Date: Sun, 11 Feb 2024 09:41:56 +0100 Subject: adjust indentation Signed-off-by: PiotrBzdrega --- programs/pkey/gen_key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 26453cc..194a5cb 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -248,7 +248,8 @@ int main(int argc, char *argv[]) mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP); mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP); #endif /* MBEDTLS_RSA_C */ - mbedtls_entropy_init(&entropy); + + mbedtls_entropy_init(&entropy); mbedtls_pk_init(&key); mbedtls_ctr_drbg_init(&ctr_drbg); memset(buf, 0, sizeof(buf)); -- cgit v1.1 From 19f1adfc69a315fc703d202bb6ccad815acebdca Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 22:17:44 +0100 Subject: New function mbedtls_rsa_get_bitlen() Document, implement and test mbedtls_rsa_get_bitlen(). Signed-off-by: Gilles Peskine --- ChangeLog.d/rsa-bitlen.txt | 3 + include/mbedtls/rsa.h | 10 +++ library/rsa.c | 8 ++ tests/suites/test_suite_rsa.data | 138 ++++++++++++++++++++++++++++++----- tests/suites/test_suite_rsa.function | 35 ++++++--- 5 files changed, 165 insertions(+), 29 deletions(-) create mode 100644 ChangeLog.d/rsa-bitlen.txt diff --git a/ChangeLog.d/rsa-bitlen.txt b/ChangeLog.d/rsa-bitlen.txt new file mode 100644 index 0000000..85a9894 --- /dev/null +++ b/ChangeLog.d/rsa-bitlen.txt @@ -0,0 +1,3 @@ +Features + * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus + in bits, i.e. the key size for an RSA key. diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 9136375..c1e76b3 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -427,6 +427,16 @@ int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx, mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP); /** + * \brief This function retrieves the length of the RSA modulus in bits. + * + * \param ctx The initialized RSA context. + * + * \return The length of the RSA modulus in bits. + * + */ +size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx); + +/** * \brief This function retrieves the length of RSA modulus in Bytes. * * \param ctx The initialized RSA context. diff --git a/library/rsa.c b/library/rsa.c index f4c0862..8351463 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1015,6 +1015,14 @@ int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx) } /* + * Get length in bits of RSA modulus + */ +size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx) +{ + return mbedtls_mpi_bitlen(&ctx->N); +} + +/* * Get length in bytes of RSA modulus */ size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index b89d158..778ec67 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -468,58 +468,160 @@ RSA Deduce Moduli, corrupted mbedtls_rsa_deduce_primes:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":1:MBEDTLS_ERR_MPI_BAD_INPUT_DATA RSA Import (N,P,Q,D,E) -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":0:1:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:0:1:0:0 RSA Import (N,P,Q,D,E), inconsistent -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC3672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":0:1:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC3672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:0:1:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 RSA Import (N,P,Q,D,E), successive -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":1:1:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:1:1:0:0 RSA Import (N,P,Q,D,E), successive, inconsistent -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC3672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":1:1:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC3672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:1:1:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 RSA Import (-,P,Q,D,E) -mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":0:1:0:0 +mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:0:1:0:0 RSA Import (-,P,Q,D,E), successive -mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":1:1:0:0 +mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:1:1:0:0 RSA Import (N,-,-,D,E) -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":0:1:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:0:1:0:0 RSA Import (N,-,-,D,E), successive -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":1:1:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:1:1:0:0 RSA Import (N,P,Q,-,E) -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":0:1:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:0:1:0:0 RSA Import (N,P,Q,-,E), successive -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":1:1:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:1:1:0:0 RSA Import (-,P,Q,-,E) -mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":0:1:0:0 +mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:0:1:0:0 RSA Import (-,P,Q,-,E), successive -mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":1:1:0:0 +mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:1:1:0:0 RSA Import (N,-,Q,-,E) -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":0:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:0:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA Import (N,-,Q,-,E), successive -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":1:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:1:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSA Import (N,-,-,-,E), complete public key -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"3":0:0:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"3":2048:0:0:0:0 RSA Import (N,-,-,-,E), complete public key, successive -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"3":1:0:0:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"3":2048:1:0:0:0 RSA Import (N,-,-,-,E), complete public key, corrupted -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"4":0:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"4":2048:0:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 RSA Import (N,-,-,-,E), complete public key, successive, corrupted -mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"4":1:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 +mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"4":2048:1:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0 + +RSA Import (N,P,Q,D,E) 512-bit complete pair +mbedtls_rsa_import:"cbc23c9751d5b0dc4f7ea5f871d6e31d7fb8a414eacfa006cf9c782385ce177b2a41b52cd80ddf75c4f14ffb679c388b4d0fe828413c2b8dd651e5039b2e14b3":"fbf724e9d31cb074dd117e96c4f9ad8ff6b4fe6dc72c7b9bc5af370c0833314d":"cf057bde49ab3cc354d731c03925e4cb34d7ecc41335948bca6d3438a0e35dff":"5705d006f8a68170b66aeacb9f231dc0bd89c85a3ea70a3b9e73bf43bca3f69699bfd123ec6fc533d3163dc8645d1e45342ad38b110659e96656f4763ec318f1":"10001":512:0:1:0:0 + +RSA Import (N,-,-,-,E) 512-bit public +mbedtls_rsa_import:"cbc23c9751d5b0dc4f7ea5f871d6e31d7fb8a414eacfa006cf9c782385ce177b2a41b52cd80ddf75c4f14ffb679c388b4d0fe828413c2b8dd651e5039b2e14b3":"":"":"":"10001":512:0:0:0:0 + +RSA Import (N,P,Q,D,E) 513-bit complete pair +mbedtls_rsa_import:"16798857c4718f9367a715b29038d042ea41686a457279db149d4da54146262305da39b02b764f2b56902e4c45425c2c3f404da82f86d8ed3b067da70899c5149":"18486f2d2df61d10ebe578caff5142047cae635909946b57c33028d35e4abac0b":"ecefea558b614138e773e1cd25380e49a910d6dd4b584457c1bfabf86922f87b":"1c3dbb460e6364b725989f7b321f3213e3a92d3bdce86c970ee05ba13cd4993758140f790489b61188c26354a6b372d32081750cecb84db563ec5724d78388ad":"10001":513:0:1:0:0 + +RSA Import (N,-,-,-,E) 513-bit public +mbedtls_rsa_import:"16798857c4718f9367a715b29038d042ea41686a457279db149d4da54146262305da39b02b764f2b56902e4c45425c2c3f404da82f86d8ed3b067da70899c5149":"":"":"":"10001":513:0:0:0:0 + +RSA Import (N,P,Q,D,E) 514-bit complete pair +mbedtls_rsa_import:"32f54232899f45a415e7a7728fc744703f4b4466e56d7d6900f125950bb9a42082d2f0162ce1ac9949da5be37af8c20178d79d8ac1ab860d5ed55b14f49d064ab":"1d2cc9d59be8079457a5f28c3e74d1d4c7763acc1a7e725dff09198a5b99d35cf":"1bf23921dfe89a0f681bf10fd27fd2bc914f8888b8addb1d102255e586827b665":"1d9f13ebecb3f8f7790440020831fd4682846e2ea20f13678674a7340caccd0b37ccaf79b7d4005adafb7e6f84e0ff7bbe28a27fd7337cdf100fe63afe967419":"10001":514:0:1:0:0 + +RSA Import (N,-,-,-,E) 514-bit public +mbedtls_rsa_import:"32f54232899f45a415e7a7728fc744703f4b4466e56d7d6900f125950bb9a42082d2f0162ce1ac9949da5be37af8c20178d79d8ac1ab860d5ed55b14f49d064ab":"":"":"":"10001":514:0:0:0:0 + +RSA Import (N,P,Q,D,E) 515-bit complete pair +mbedtls_rsa_import:"5f47dbe0d15f66c13ce0ff8af2edc7942ef4ff8b6b6e49ef5518ce3754efb5270204cb727c3f325b4a51dc02688eae0a6bfd7549854a7ede8b31f0e4adb835f85":"30c23bf1faf7515ed3e63abcda5b88b6387d213854da798e6662afb09441f192f":"1f4419ac839887606a8d299bc430f8e48f8984ae81982eaf03775fbe1a347bd8b":"5e8416fece5337c84acedb5007a98e4855c85d52fd2ffb91b9b590a2dcd3a8bc88e6e61573daa526a1b37ebae41401e6811d0d1e5458f1a5074178fb274a275a5":"10001":515:0:1:0:0 + +RSA Import (N,-,-,-,E) 515-bit public +mbedtls_rsa_import:"5f47dbe0d15f66c13ce0ff8af2edc7942ef4ff8b6b6e49ef5518ce3754efb5270204cb727c3f325b4a51dc02688eae0a6bfd7549854a7ede8b31f0e4adb835f85":"":"":"":"10001":515:0:0:0:0 + +RSA Import (N,P,Q,D,E) 516-bit complete pair +mbedtls_rsa_import:"bcc54a5a10ef1a3241c60aeec9c5ec54cd63407ee2b69748ad5ec53d1a3d7fea540811ba0eed19574cad6dca28691e2711fdf0e76d2bc6eec508e7a864ee13b03":"3a83434f8995a87a977f0e15e9b39f55551968a5f3cbaf6f7e0f177215c3a69bb":"339e4b5aef4912382ee5f6dd82c2cb5255e604279477ca22ed0b02cab66a75b59":"60a460bc5b8f0dca4d0226f6b9362b17ff4ea0e6550b45c85f79f560a2de796e35d51da40d1eae356cca05626a3686cee2dbcaa5b71b76ffa0cb313fb4a412f1":"10001":516:0:1:0:0 + +RSA Import (N,-,-,-,E) 516-bit public +mbedtls_rsa_import:"bcc54a5a10ef1a3241c60aeec9c5ec54cd63407ee2b69748ad5ec53d1a3d7fea540811ba0eed19574cad6dca28691e2711fdf0e76d2bc6eec508e7a864ee13b03":"":"":"":"10001":516:0:0:0:0 + +RSA Import (N,P,Q,D,E) 517-bit complete pair +mbedtls_rsa_import:"1a7b2e3d43f1b3e060d2f598939d0542178feac3310be308f4fd05872ec91048ea79543c0b00e5f61ec8b577ffa33c26bb74c2bc079033f006e6af59ec15cef529":"72e502be06a9fcb3ef64801055d10ecf8ec2b4a9429423813760e4258cf575373":"3b00e49f541091dce4940c9a36f203d195a81c7812111d9a89fc5971f363085f3":"19297286444925e1ce1ea5be94845ebaae28d1a926b164c8de008d8025b46704d77326956f97ceaadc3ebb74f94edbe1b7df5236693e7bb97cdd77b4569420fd01":"10001":517:0:1:0:0 + +RSA Import (N,-,-,-,E) 517-bit public +mbedtls_rsa_import:"1a7b2e3d43f1b3e060d2f598939d0542178feac3310be308f4fd05872ec91048ea79543c0b00e5f61ec8b577ffa33c26bb74c2bc079033f006e6af59ec15cef529":"":"":"":"10001":517:0:0:0:0 + +RSA Import (N,P,Q,D,E) 518-bit complete pair +mbedtls_rsa_import:"31defca6f97dac931fea5bd182c801b6512065929b327443dad9421379e15b37e33a6d3b11e51bd6905c9df9ec15980e91f10c34607749085456e85c1aad9cae1d":"725f1a4b37008897949b12bc9ba249d60d2df673b5a5367f9b490e79cc798446d":"6fa09a0615754b14f9aa4b5613e60e6d4988437c25b97fc056cb4841931902271":"1bcd08df3439e0d86b7444173966b1bda6dffe7f89d0c88b83169605316e75615c84cf7ea7c9cb16204e67329584d56f1840d247e4b392b627622d2101a2af2781":"10001":518:0:1:0:0 + +RSA Import (N,-,-,-,E) 518-bit public +mbedtls_rsa_import:"31defca6f97dac931fea5bd182c801b6512065929b327443dad9421379e15b37e33a6d3b11e51bd6905c9df9ec15980e91f10c34607749085456e85c1aad9cae1d":"":"":"":"10001":518:0:0:0:0 + +RSA Import (N,P,Q,D,E) 519-bit complete pair +mbedtls_rsa_import:"6de4c503dd2e6d74d6dbc95bdd85b177f3737c3da6b00860db6585d1026ae043450888773afd259ee52e7c70de86a1d805dec0d201b2cd9d91e5e1f323020b47b5":"f4c3d0904f80c3ee121aa94edda195415ddd21e4503ebbaf294993a649f896251":"72f01bc834d3eae97dea004f8af566b6030362fb3eb1063211d1dd699ece87225":"8361ce69203631864e99d5d28eb517c760b7e101941740ed0b6004ec2d07b9b6982132c9cff11ef49f715b04b6d76edd0e936b05efb4acf2cfdf6ea58f1149b41":"10001":519:0:1:0:0 + +RSA Import (N,-,-,-,E) 519-bit public +mbedtls_rsa_import:"6de4c503dd2e6d74d6dbc95bdd85b177f3737c3da6b00860db6585d1026ae043450888773afd259ee52e7c70de86a1d805dec0d201b2cd9d91e5e1f323020b47b5":"":"":"":"10001":519:0:0:0:0 + +RSA Import (N,P,Q,D,E) 520-bit complete pair +mbedtls_rsa_import:"c27fbd5b63f60f14b6fbbda29444aa6639cef01ec2b89b607ca0e5cf64f4f8ea41131c8c2a0204099b2030c8b155553404464fb351a7b44e77138412164997de31":"feb75ab38c05618105c1d7f1459475520cb64d8b477804f6f48b2bcc44ca6c147":"c37ab0c657015601027454c1e45d4abc85f7177d0757312b2811d4dc46f1b60c7":"4b4d2365a79cd317e5042fd62aeb2ec1a72dec1f2caa4655a3cab34e893aa2c81c06e18bd79a0d247dc109ab540c7eb6bf8ef27f02de66e4d8dc511bff7ce33c15":"10001":520:0:1:0:0 + +RSA Import (N,-,-,-,E) 520-bit public +mbedtls_rsa_import:"c27fbd5b63f60f14b6fbbda29444aa6639cef01ec2b89b607ca0e5cf64f4f8ea41131c8c2a0204099b2030c8b155553404464fb351a7b44e77138412164997de31":"":"":"":"10001":520:0:0:0:0 + +RSA Import (N,P,Q,D,E) 521-bit complete pair +mbedtls_rsa_import:"1993ce720408e69a459c96df92b90040b88b0f7234c46b96413d177ed08e562c9b7ed7c1fb351cafc4028d3d9a9792e35ddb8a3770cc5cf7011f778f78e75ff60af":"1f2d345a210b5f085447d9534abe78d77e820dddbb24b2eb334b7c6ba91634a0f9":"d205f332807775231b96e06f47e7c0cec8981f41c6b6e6a96eafdbc40773b20e7":"15ec8c594efc122ecadc9eb6a59dce89aba607676db3b044eb46e28ce15820a5b984349a7b74a9f86c17a8503f29c0cc5b3f68790653bce30d8b0a5ba7730a16b1":"10001":521:0:1:0:0 + +RSA Import (N,-,-,-,E) 521-bit public +mbedtls_rsa_import:"1993ce720408e69a459c96df92b90040b88b0f7234c46b96413d177ed08e562c9b7ed7c1fb351cafc4028d3d9a9792e35ddb8a3770cc5cf7011f778f78e75ff60af":"":"":"":"10001":521:0:0:0:0 + +RSA Import (N,P,Q,D,E) 522-bit complete pair +mbedtls_rsa_import:"2eeccbdf4fb0385fefd27583bdc9ac8b99e57fd6acf0c71010ae65ee0531dbf45686bb737a2a64124ab2f695a73394f7d5dd2ba7a668d872684cb49e12a7d6a49ad":"1c5785f5108bb49e43ee0b3d7261eb0efe10334ac101893a59d67e79fb3f640951":"1a7da635573970c989ca4aaa051d3a51641eed09516f8200d15effb86c3082a39d":"1e2042a744c6f2fa8cc28655a5140425c010fa68fdb0bb6c51f95551619e68034d128406fa6fc7ccd5d35a493ee8ecf98b9e987fed18353ff7e0d50ae0b65f2b841":"10001":522:0:1:0:0 + +RSA Import (N,-,-,-,E) 522-bit public +mbedtls_rsa_import:"2eeccbdf4fb0385fefd27583bdc9ac8b99e57fd6acf0c71010ae65ee0531dbf45686bb737a2a64124ab2f695a73394f7d5dd2ba7a668d872684cb49e12a7d6a49ad":"":"":"":"10001":522:0:0:0:0 + +RSA Import (N,P,Q,D,E) 523-bit complete pair +mbedtls_rsa_import:"6a8c9774b37c37d6f6c95aaf60ab27ebb426a26cd6b22fa44fe1e09f4fa47abeac2d1f84aaff436ef3f07801c617a1f990ca4ece42388d1493723ee9768730d8799":"36f10cb3d7fa6af6616991827dd988fd0687761243126e563a24977d95b3075855":"1f0771656d359a2d4907ded0e0471e27242a59f89e30a4e21fc3cffb5da3dd4635":"4cafcdde87c452e85c0d06410dc1826509ef789dff5496279bfb05d183dfed1c452fda00deb3b345fc31cd255aa1c7e2f19e50191793a7b16e6340f0723e0d5ad11":"10001":523:0:1:0:0 + +RSA Import (N,-,-,-,E) 523-bit public +mbedtls_rsa_import:"6a8c9774b37c37d6f6c95aaf60ab27ebb426a26cd6b22fa44fe1e09f4fa47abeac2d1f84aaff436ef3f07801c617a1f990ca4ece42388d1493723ee9768730d8799":"":"":"":"10001":523:0:0:0:0 + +RSA Import (N,P,Q,D,E) 524-bit complete pair +mbedtls_rsa_import:"c04c05bc77eca9c05702402622b3855ac150a737132c66d6900dc8f512e752f32ce3c777d51da5cca9105b7f8f57da571cec42a450d49e43ea359538acb3610dacf":"3f78102778bec177c9bb4f313a29afbb9c2d0089539f57aeb2976b59d17b1de699":"3079f8628b827258bb785cd0bb40623207ecf6194e65871571bf004bf0c537f5a7":"9c161921de060fd3bbcc6bdd8895474d5f54e425e43e4a4b272ac94f844498241d41f7ee7a6b90775cf5a73b3ce3015b15620494130e9198550cb3f07bdba184ac1":"10001":524:0:1:0:0 + +RSA Import (N,-,-,-,E) 524-bit public +mbedtls_rsa_import:"c04c05bc77eca9c05702402622b3855ac150a737132c66d6900dc8f512e752f32ce3c777d51da5cca9105b7f8f57da571cec42a450d49e43ea359538acb3610dacf":"":"":"":"10001":524:0:0:0:0 + +RSA Import (N,P,Q,D,E) 525-bit complete pair +mbedtls_rsa_import:"18197b4f054a0347a8e81576cf16fdb5d22ce9bb71b11df029c30e047b418ebb4b2d759f8c72f9b24a79b46ddeeeadb17b197911442f6e7bf3ea2106752e901c64fb":"676ee11f6bb61d7094148bb326d0267eb7a105549d72d360707001af8e03ecc6dd":"3ba5a5ba28f8adee0883947963c037e3a2c9e557b3edc5cca35b155e63ed3ae1b7":"d75e61ecbe87c0e817427d0f57874fb224a7dbe79912114ac6ecb1c8bafa146512b1b728d2d860e96fd283ae981ebb3272647841cdd254a5e1f075eb17df596e2c9":"10001":525:0:1:0:0 + +RSA Import (N,-,-,-,E) 525-bit public +mbedtls_rsa_import:"18197b4f054a0347a8e81576cf16fdb5d22ce9bb71b11df029c30e047b418ebb4b2d759f8c72f9b24a79b46ddeeeadb17b197911442f6e7bf3ea2106752e901c64fb":"":"":"":"10001":525:0:0:0:0 + +RSA Import (N,P,Q,D,E) 526-bit complete pair +mbedtls_rsa_import:"2de74b63625125b31a3d4ae2719d74dae2a0dacb84f220c295e8fea55080b3bacad98593ef3dd710a949b84498ba59ac0353f8e6cd4355e9bfc0ddef8ef25ce41309":"766d695ac399679b33cdc68e7bf9b604d922dee04fa60a4aa2fab3263a8b323109":"633a53fef2f6b08daddd9e496625819753284b72f41290dcc8db82e55746555201":"1ff9c25614a29a344cceed5f17edaafcde69567ff6b80382089328ef57488fea49d3e660180107bb0b1770005d814216dbd493fd7aae4891fb2320226615d67e4001":"10001":526:0:1:0:0 + +RSA Import (N,-,-,-,E) 526-bit public +mbedtls_rsa_import:"2de74b63625125b31a3d4ae2719d74dae2a0dacb84f220c295e8fea55080b3bacad98593ef3dd710a949b84498ba59ac0353f8e6cd4355e9bfc0ddef8ef25ce41309":"":"":"":"10001":526:0:0:0:0 + +RSA Import (N,P,Q,D,E) 527-bit complete pair +mbedtls_rsa_import:"54e6bb611922620e32e0e402446e3a2b8eb1be1f44a750a833ac56635a2aca00fa20cdddf6d185e60623da0ba4dd33011d5df7f7f69d95c98c4ca7fddde08ec209db":"d36b6f6e6828bc2cb35b9b5ecca60ea4d33406b11ff4fafc3b439f3fa9c521733b":"66cdc1ad01f31f5eeafff4774bf4ba95ccb58a5afae6744b560e7181f8b0a119e1":"32e1d958f7044939f33a1ecc5110b2a21a31e21cc13b793665499ab88e78687a2eb19a570263370532aac0c418867027c6275b604899b26f9913a10aaacb7895ddc1":"10001":527:0:1:0:0 + +RSA Import (N,-,-,-,E) 527-bit public +mbedtls_rsa_import:"54e6bb611922620e32e0e402446e3a2b8eb1be1f44a750a833ac56635a2aca00fa20cdddf6d185e60623da0ba4dd33011d5df7f7f69d95c98c4ca7fddde08ec209db":"":"":"":"10001":527:0:0:0:0 + +RSA Import (N,P,Q,D,E) 528-bit complete pair +mbedtls_rsa_import:"d158d6f8bf79fd0721ad50c08ada2f023bec6970a43cc709dba277046d6e2cfd65b72239c7856c7aea7d40906c4880ce828dc4906d364600cd2dd62a284c9ebfcb59":"ebdbfc4ea38f0dac4032c21663be46d045ce4bec7e6d2d773980fd92ca6aaf0f73":"e33947ec6dccc2ca956495f34923b00a490fdfef67b5332d6f084dccf58191af03":"b2e7b0373e337b1848207c5d3f8c7c15f5adf0e1f1897b33a27e7225d77b0b79b4928fd89ca267c7b334fa39949397a8870a204c9b9e98037bfd8716f0dec4802d3d":"10001":528:0:1:0:0 + +RSA Import (N,-,-,-,E) 528-bit public +mbedtls_rsa_import:"d158d6f8bf79fd0721ad50c08ada2f023bec6970a43cc709dba277046d6e2cfd65b72239c7856c7aea7d40906c4880ce828dc4906d364600cd2dd62a284c9ebfcb59":"":"":"":"10001":528:0:0:0:0 RSA Import Raw (N,P,Q,D,E), complete private key mbedtls_rsa_import_raw:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"03":0:1:0:0 diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 2f70028..e824529 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -183,7 +183,8 @@ void mbedtls_rsa_pkcs1_sign(data_t *message_str, int padding_mode, TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0); TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0); @@ -221,7 +222,8 @@ void mbedtls_rsa_pkcs1_verify(data_t *message_str, int padding_mode, TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0); TEST_ASSERT(mbedtls_rsa_pkcs1_verify(&ctx, digest, message_str->len, message_str->x, @@ -262,7 +264,8 @@ void rsa_pkcs1_sign_raw(data_t *hash_result, TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0); TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0); @@ -305,7 +308,8 @@ void rsa_pkcs1_verify_raw(data_t *hash_result, TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0); @@ -341,7 +345,8 @@ void mbedtls_rsa_pkcs1_encrypt(data_t *message_str, int padding_mode, TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0); @@ -382,7 +387,8 @@ void rsa_pkcs1_encrypt_bad_rng(data_t *message_str, int padding_mode, TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0); @@ -432,7 +438,8 @@ void mbedtls_rsa_pkcs1_decrypt(data_t *message_str, int padding_mode, TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0); TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0); @@ -477,8 +484,9 @@ void mbedtls_rsa_public(data_t *message_str, int mod, TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0); /* Check test data consistency */ - TEST_ASSERT(message_str->len == (size_t) (mod / 8)); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(message_str->len, (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0); TEST_ASSERT(mbedtls_rsa_public(&ctx, message_str->x, output) == result); @@ -537,8 +545,9 @@ void mbedtls_rsa_private(data_t *message_str, int mod, TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0); /* Check test data consistency */ - TEST_ASSERT(message_str->len == (size_t) (mod / 8)); - TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8)); + TEST_EQUAL(message_str->len, (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8)); + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod); TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0); TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0); @@ -851,6 +860,7 @@ void mbedtls_rsa_import(char *input_N, char *input_Q, char *input_D, char *input_E, + int bitlen, int successive, int is_priv, int res_check, @@ -936,6 +946,9 @@ void mbedtls_rsa_import(char *input_N, /* On expected success, perform some public and private * key operations to check if the key is working properly. */ if (res_complete == 0) { + TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), bitlen); + TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (bitlen + 7) / 8); + if (is_priv) { TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == res_check); } else { -- cgit v1.1 From 92fb6041391bca83b0e50836991c980066d9a66c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 1 Feb 2024 22:33:06 +0100 Subject: Fix mbedtls_pk_get_bitlen() for RSA with non-byte-aligned sizes Add non-regression tests. Update some test functions to not assume that byte_length == bit_length / 8. Signed-off-by: Gilles Peskine --- ChangeLog.d/rsa-bitlen.txt | 4 ++++ library/pk_wrap.c | 2 +- tests/suites/test_suite_pk.data | 16 +++++++++++++++- tests/suites/test_suite_pk.function | 22 +++++++++++++++------- tests/suites/test_suite_pkparse.data | 12 ++++++++++++ tests/suites/test_suite_pkparse.function | 4 ++++ 6 files changed, 51 insertions(+), 9 deletions(-) diff --git a/ChangeLog.d/rsa-bitlen.txt b/ChangeLog.d/rsa-bitlen.txt index 85a9894..9f0b324 100644 --- a/ChangeLog.d/rsa-bitlen.txt +++ b/ChangeLog.d/rsa-bitlen.txt @@ -1,3 +1,7 @@ +Bugfix + * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a + multiple of 8. Fixes #868. + Features * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus in bits, i.e. the key size for an RSA key. diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 2e00d4a..69e1baf 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -58,7 +58,7 @@ static int rsa_can_do(mbedtls_pk_type_t type) static size_t rsa_get_bitlen(mbedtls_pk_context *pk) { const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx; - return 8 * mbedtls_rsa_get_len(rsa); + return mbedtls_rsa_get_bitlen(rsa); } #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 3414958..35f02cb 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -10,7 +10,21 @@ valid_parameters_pkwrite:"308204a20201000282010100a9021f3d406ad555538bfd36ee8265 PK utils: RSA Minimum key depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_GEN_KEY_MIN_BITS:(MBEDTLS_RSA_GEN_KEY_MIN_BITS /8):"RSA" +pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_GEN_KEY_MIN_BITS:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 7) / 8:"RSA" + +# mbedtls_rsa_gen_key() only supports even sizes, so we don't test min+1, +# min+3, etc. +PK utils: RSA Minimum key + 2 bits +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 2:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 2:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 2 + 7) / 8:"RSA" + +PK utils: RSA Minimum key + 4 bits +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 4:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 4:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 4 + 7) / 8:"RSA" + +PK utils: RSA Minimum key + 6 bits +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 6:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 6:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 6 + 7) / 8:"RSA" PK utils: ECKEY SECP192R1 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 2574307..681de0f 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -427,7 +427,7 @@ void pk_psa_utils(int key_is_rsa) TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0); TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == bitlen); - TEST_ASSERT(mbedtls_pk_get_len(&pk) == bitlen / 8); + TEST_ASSERT(mbedtls_pk_get_len(&pk) == (bitlen + 7) / 8); if (key_is_rsa) { TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 0); @@ -822,7 +822,7 @@ void pk_rsa_verify_test_vec(data_t *message_str, int digest, int mod, TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); rsa = mbedtls_pk_rsa(pk); - rsa->len = mod / 8; + rsa->len = (mod + 7) / 8; TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); @@ -862,7 +862,7 @@ void pk_rsa_verify_ext_test_vec(data_t *message_str, int digest, TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); rsa = mbedtls_pk_rsa(pk); - rsa->len = mod / 8; + rsa->len = (mod + 7) / 8; TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); @@ -1143,7 +1143,7 @@ void pk_rsa_encrypt_decrypt_test(data_t *message, int mod, rsa = mbedtls_pk_rsa(pk); /* load public key */ - rsa->len = mod / 8; + rsa->len = (mod + 7) / 8; TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); @@ -1169,9 +1169,12 @@ void pk_rsa_encrypt_decrypt_test(data_t *message, int mod, TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0); TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8); TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0); + TEST_EQUAL(mbedtls_pk_get_len(&pk), (mod + 7) / 8); + TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); + memset(result, 0, sizeof(result)); rlen = 0; TEST_ASSERT(mbedtls_pk_decrypt(&pk, output, olen, @@ -1222,9 +1225,12 @@ void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0); TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0); - TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8); TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0); + TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); + TEST_EQUAL(mbedtls_pk_get_len(&pk), (mod + 7) / 8); + /* decryption test */ memset(output, 0, sizeof(output)); olen = 0; @@ -1278,7 +1284,7 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, TEST_EQUAL(mbedtls_test_read_mpi(&P, input_P), 0); TEST_EQUAL(mbedtls_test_read_mpi(&Q, input_Q), 0); TEST_EQUAL(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E), 0); - TEST_EQUAL(mbedtls_rsa_get_len(rsa), (size_t) (mod / 8)); + TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8); TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); /* Turn PK context into an opaque one. */ @@ -1287,6 +1293,8 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, PSA_KEY_USAGE_DECRYPT, PSA_ALG_NONE), 0); + TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); + /* decryption test */ memset(output, 0, sizeof(output)); olen = 0; diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 707da7f..e526311 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -914,6 +914,18 @@ Parse RSA Key #99.8 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384 DER, depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der":"PolarSSLTest":0 +Parse RSA Key #100.1 (512-bit) +pk_parse_keyfile_rsa:"data_files/rsa512.key":"":0 + +Parse RSA Key #100.1 (521-bit) +pk_parse_keyfile_rsa:"data_files/rsa521.key":"":0 + +Parse RSA Key #100.1 (522-bit) +pk_parse_keyfile_rsa:"data_files/rsa522.key":"":0 + +Parse RSA Key #100.1 (528-bit) +pk_parse_keyfile_rsa:"data_files/rsa528.key":"":0 + Parse Public RSA Key #1 (PKCS#8 wrapped) depends_on:MBEDTLS_PEM_PARSE_C pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.pem":0 diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index 14afef6..f4bbb21 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -42,6 +42,10 @@ void pk_parse_keyfile_rsa(char *key_file, char *password, int result) rsa = mbedtls_pk_rsa(ctx); TEST_EQUAL(mbedtls_rsa_check_privkey(rsa), 0); + size_t bitlen = mbedtls_rsa_get_bitlen(rsa); + TEST_EQUAL(mbedtls_pk_get_bitlen(&ctx), bitlen); + TEST_EQUAL(mbedtls_pk_get_len(&ctx), (bitlen + 7) / 8); + #if defined(MBEDTLS_PSA_CRYPTO_C) psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, -- cgit v1.1 From 34a074af37e21c64ea567fcf240ef187c7356ad0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 2 Feb 2024 10:51:59 +0100 Subject: Add missing dependency on PEM Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pkparse.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index e526311..1650f51 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -915,15 +915,19 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C: pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der":"PolarSSLTest":0 Parse RSA Key #100.1 (512-bit) +depends_on:MBEDTLS_PEM_C pk_parse_keyfile_rsa:"data_files/rsa512.key":"":0 Parse RSA Key #100.1 (521-bit) +depends_on:MBEDTLS_PEM_C pk_parse_keyfile_rsa:"data_files/rsa521.key":"":0 Parse RSA Key #100.1 (522-bit) +depends_on:MBEDTLS_PEM_C pk_parse_keyfile_rsa:"data_files/rsa522.key":"":0 Parse RSA Key #100.1 (528-bit) +depends_on:MBEDTLS_PEM_C pk_parse_keyfile_rsa:"data_files/rsa528.key":"":0 Parse Public RSA Key #1 (PKCS#8 wrapped) -- cgit v1.1 From 91ce79225381c83d4f9c04e09ebaeaa7504e8659 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Mon, 12 Feb 2024 12:17:28 +0000 Subject: Fix return code error when locking mutex Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 53ebf31..b0744bd 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -349,6 +349,9 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, } #if defined(MBEDTLS_THREADING_C) + /* We need to set status as success, otherwise CORRUPTION_DETECTED + * would be returned if the lock fails. */ + status = PSA_SUCCESS; /* If the key is persistent and not loaded, we cannot unlock the mutex * between checking if the key is loaded and setting the slot as FULL, * as otherwise another thread may load and then destroy the key @@ -462,6 +465,9 @@ psa_status_t psa_unregister_read_under_mutex(psa_key_slot_t *slot) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; #if defined(MBEDTLS_THREADING_C) + /* We need to set status as success, otherwise CORRUPTION_DETECTED + * would be returned if the lock fails. */ + status = PSA_SUCCESS; PSA_THREADING_CHK_RET(mbedtls_mutex_lock( &mbedtls_threading_key_slot_mutex)); #endif -- cgit v1.1 From 59d09486dcf930e090920a6a64325bfa30fb2beb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 16:58:39 +0100 Subject: Cosmetic fix Signed-off-by: Gilles Peskine --- ChangeLog.d/rsa-bitlen.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/rsa-bitlen.txt b/ChangeLog.d/rsa-bitlen.txt index 9f0b324..bcd185f 100644 --- a/ChangeLog.d/rsa-bitlen.txt +++ b/ChangeLog.d/rsa-bitlen.txt @@ -1,6 +1,6 @@ Bugfix * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a - multiple of 8. Fixes #868. + multiple of 8. Fixes #868. Features * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus -- cgit v1.1 From 069cec1737bc346615035ec63c2033c1a3de9116 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 16:59:17 +0100 Subject: Also check the RSA length for public keys Do for public keys what "Fix mbedtls_pk_get_bitlen() for RSA with non-byte-aligned sizes" did for key pairs. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pkparse.function | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index f4bbb21..829e789 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -100,6 +100,10 @@ void pk_parse_public_keyfile_rsa(char *key_file, int result) rsa = mbedtls_pk_rsa(ctx); TEST_EQUAL(mbedtls_rsa_check_pubkey(rsa), 0); + size_t bitlen = mbedtls_rsa_get_bitlen(rsa); + TEST_EQUAL(mbedtls_pk_get_bitlen(&ctx), bitlen); + TEST_EQUAL(mbedtls_pk_get_len(&ctx), (bitlen + 7) / 8); + #if defined(MBEDTLS_PSA_CRYPTO_C) psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, -- cgit v1.1 From 4781bd9773d9213325bce1ab9d0139ace3cf97be Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 9 Feb 2024 17:32:45 +0100 Subject: exercise_key: allow SIGN_MESSAGE/VERIFY_MESSAGE with PSA_ALG_ANY_HASH There was already code to instantiate the wildcard for sign/verify-hash. Make that work with sign/verify-message as well. Signed-off-by: Gilles Peskine --- tests/src/psa_exercise_key.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 560b711..c594cee 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -283,23 +283,25 @@ static int exercise_signature_key(mbedtls_svc_key_id_t key, psa_key_usage_t usage, psa_algorithm_t alg) { + /* If the policy allows signing with any hash, just pick one. */ + psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); + if (PSA_ALG_IS_SIGN_HASH(alg) && hash_alg == PSA_ALG_ANY_HASH && + usage & (PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | + PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE)) { +#if defined(KNOWN_SUPPORTED_HASH_ALG) + hash_alg = KNOWN_SUPPORTED_HASH_ALG; + alg ^= PSA_ALG_ANY_HASH ^ hash_alg; +#else + TEST_FAIL("No hash algorithm for hash-and-sign testing"); +#endif + } + if (usage & (PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH) && PSA_ALG_IS_SIGN_HASH(alg)) { unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 }; size_t payload_length = 16; unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 }; size_t signature_length = sizeof(signature); - psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); - - /* If the policy allows signing with any hash, just pick one. */ - if (PSA_ALG_IS_SIGN_HASH(alg) && hash_alg == PSA_ALG_ANY_HASH) { - #if defined(KNOWN_SUPPORTED_HASH_ALG) - hash_alg = KNOWN_SUPPORTED_HASH_ALG; - alg ^= PSA_ALG_ANY_HASH ^ hash_alg; - #else - TEST_FAIL("No hash algorithm for hash-and-sign testing"); - #endif - } /* Some algorithms require the payload to have the size of * the hash encoded in the algorithm. Use this input size -- cgit v1.1 From fdb809ef86901dfceadb73c106830d9f149311f3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 9 Feb 2024 19:22:30 +0100 Subject: exercise_key: fix asymmetric encrypt/decrypt with >2028-bit RSA Signed-off-by: Gilles Peskine --- tests/src/psa_exercise_key.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index c594cee..618b83f 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -364,8 +364,10 @@ static int exercise_asymmetric_encryption_key(mbedtls_svc_key_id_t key, psa_key_usage_t usage, psa_algorithm_t alg) { - unsigned char plaintext[256] = "Hello, world..."; - unsigned char ciphertext[256] = "(wabblewebblewibblewobblewubble)"; + unsigned char plaintext[PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE] = + "Hello, world..."; + unsigned char ciphertext[PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE] = + "(wabblewebblewibblewobblewubble)"; size_t ciphertext_length = sizeof(ciphertext); size_t plaintext_length = 16; -- cgit v1.1 From fc3d866ad27cdcdbc0ad4c45ccc4b0d0e0fb21f3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 9 Feb 2024 19:26:37 +0100 Subject: mbedtls_pk_import_into_psa: implement and test Implement mbedtls_pk_import_into_psa for all PK types except RSA_ALT. This covers importing a key pair, importing a public key and importing the public part of a key pair. Test mbedtls_pk_import_into_psa() with the output of mbedtls_pk_get_psa_attributes(). Also unit-test mbedtls_pk_import_into_psa() on its own to get extra coverage, mostly for negative cases. Signed-off-by: Gilles Peskine --- library/pk.c | 280 +++++++++++++++++++++++++++++++++++- library/pk_internal.h | 4 +- library/psa_util.c | 2 + tests/suites/test_suite_pk.data | 185 ++++++++++++++++++++++++ tests/suites/test_suite_pk.function | 147 +++++++++++++++++-- 5 files changed, 606 insertions(+), 12 deletions(-) diff --git a/library/pk.c b/library/pk.c index 1b481e1..f623af9 100644 --- a/library/pk.c +++ b/library/pk.c @@ -18,10 +18,8 @@ #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" -#if defined(MBEDTLS_PKCS1_V21) && !defined(MBEDTLS_USE_PSA_CRYPTO) #include "rsa_internal.h" #endif -#endif #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) #include "mbedtls/ecp.h" #endif @@ -579,6 +577,284 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, return 0; } + +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) || defined(MBEDTLS_USE_PSA_CRYPTO) +static psa_status_t export_import_into_psa(mbedtls_svc_key_id_t old_key_id, + const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *new_key_id) +{ + unsigned char key_buffer[PSA_EXPORT_KEY_PAIR_MAX_SIZE]; + size_t key_length = 0; + psa_status_t status = psa_export_key(old_key_id, + key_buffer, sizeof(key_buffer), + &key_length); + if (status != PSA_SUCCESS) { + return status; + } + status = psa_import_key(attributes, key_buffer, key_length, new_key_id); + mbedtls_platform_zeroize(key_buffer, key_length); + return status; +} + +static int copy_into_psa(mbedtls_svc_key_id_t old_key_id, + const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *new_key_id) +{ + /* Normally, we prefer copying: it's more efficient and works even + * for non-exportable keys. */ + psa_status_t status = psa_copy_key(old_key_id, attributes, new_key_id); + if (status == PSA_ERROR_NOT_PERMITTED /*missing COPY usage*/ || + status == PSA_ERROR_INVALID_ARGUMENT /*incompatible policy*/) { + /* There are edge cases where copying won't work, but export+import + * might: + * - If the old key does not allow PSA_KEY_USAGE_COPY. + * - If the old key's usage does not allow what attributes wants. + * Because the key was intended for use in the pk module, and may + * have had a policy chosen solely for what pk needs rather than + * based on a detailed understanding of PSA policies, we are a bit + * more liberal than psa_copy_key() here. + */ + /* Here we need to check that the types match, otherwise we risk + * importing nonsensical data. */ + psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT; + status = psa_get_key_attributes(old_key_id, &old_attributes); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + psa_key_type_t old_type = psa_get_key_type(&old_attributes); + psa_reset_key_attributes(&old_attributes); + if (old_type != psa_get_key_type(attributes)) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + status = export_import_into_psa(old_key_id, attributes, new_key_id); + } + return PSA_PK_TO_MBEDTLS_ERR(status); +} +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_USE_PSA_CRYPTO */ + +static int import_pair_into_psa(const mbedtls_pk_context *pk, + const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *key_id) +{ + switch (mbedtls_pk_get_type(pk)) { +#if defined(MBEDTLS_RSA_C) + case MBEDTLS_PK_RSA: + { + if (psa_get_key_type(attributes) != PSA_KEY_TYPE_RSA_KEY_PAIR) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + unsigned char key_buffer[ + PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)]; + unsigned char *const key_end = key_buffer + sizeof(key_buffer); + unsigned char *key_data = key_end; + int ret = mbedtls_rsa_write_key(mbedtls_pk_rsa(*pk), + key_buffer, &key_data); + if (ret < 0) { + return ret; + } + size_t key_length = key_end - key_data; + ret = PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes, + key_data, key_length, + key_id)); + mbedtls_platform_zeroize(key_data, key_length); + return ret; + } +#endif /* MBEDTLS_RSA_C */ + +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + { + /* We need to check the curve family, otherwise the import could + * succeed with nonsensical data. + * We don't check the bit-size: it's optional in attributes, + * and if it's specified, psa_import_key() will know from the key + * data length and will check that the bit-size matches. */ + psa_key_type_t to_type = psa_get_key_type(attributes); +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + psa_ecc_family_t from_family = pk->ec_family; +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + /* We're only reading the key, but mbedtls_ecp_write_key() + * is missing a const annotation on its key parameter, so + * we need the non-const accessor here. */ + mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); + size_t from_bits = 0; + psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id, + &from_bits); +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ + if (to_type != PSA_KEY_TYPE_ECC_KEY_PAIR(from_family)) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + if (mbedtls_svc_key_id_is_null(pk->priv_id)) { + /* We have a public key and want a key pair. */ + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + return copy_into_psa(pk->priv_id, attributes, key_id); +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + if (ec->d.n == 0) { + /* Private key not set. Assume the input is a public key only. + * (The other possibility is that it's an incomplete object + * where the group is set but neither the public key nor + * the private key. This is not possible through ecp.h + * functions, so we don't bother reporting a more suitable + * error in that case.) */ + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + unsigned char key_buffer[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; + int ret = mbedtls_ecp_write_key(ec, + key_buffer, sizeof(key_buffer)); + if (ret < 0) { + return ret; + } + size_t key_length = PSA_BITS_TO_BYTES(ec->grp.nbits); + unsigned char *key_data = key_buffer + sizeof(key_buffer) - key_length; + ret = PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes, + key_data, key_length, + key_id)); + mbedtls_platform_zeroize(key_data, key_length); + return ret; +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ + } +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + case MBEDTLS_PK_OPAQUE: + return copy_into_psa(pk->priv_id, attributes, key_id); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + default: + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } +} + +static int import_public_into_psa(const mbedtls_pk_context *pk, + const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *key_id) +{ + psa_key_type_t psa_type = psa_get_key_type(attributes); + +#if defined(MBEDTLS_RSA_C) || \ + (defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA)) || \ + defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char key_buffer[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; +#endif + unsigned char *key_data = NULL; + size_t key_length = 0; + + switch (mbedtls_pk_get_type(pk)) { +#if defined(MBEDTLS_RSA_C) + case MBEDTLS_PK_RSA: + { + if (psa_type != PSA_KEY_TYPE_RSA_PUBLIC_KEY) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + unsigned char *const key_end = key_buffer + sizeof(key_buffer); + key_data = key_end; + int ret = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*pk), + key_buffer, &key_data); + if (ret < 0) { + return ret; + } + key_length = (size_t) ret; + break; + } +#endif /*MBEDTLS_RSA_C */ + +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + { + /* We need to check the curve family, otherwise the import could + * succeed with nonsensical data. + * We don't check the bit-size: it's optional in attributes, + * and if it's specified, psa_import_key() will know from the key + * data length and will check that the bit-size matches. */ +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + if (psa_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family)) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + key_data = (unsigned char *) pk->pub_raw; + key_length = pk->pub_raw_len; +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk); + size_t from_bits = 0; + psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id, + &from_bits); + psa_key_type_t to_type = psa_get_key_type(attributes); + if (to_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(from_family)) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + int ret = mbedtls_ecp_write_public_key( + ec, MBEDTLS_ECP_PF_UNCOMPRESSED, + &key_length, key_buffer, sizeof(key_buffer)); + if (ret < 0) { + return ret; + } + key_data = key_buffer; +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ + break; + } +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + case MBEDTLS_PK_OPAQUE: + { + psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = + psa_get_key_attributes(pk->priv_id, &old_attributes); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + psa_key_type_t old_type = psa_get_key_type(&old_attributes); + psa_reset_key_attributes(&old_attributes); + if (psa_type != PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(old_type)) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + status = psa_export_public_key(pk->priv_id, + key_buffer, sizeof(key_buffer), + &key_length); + if (status != PSA_SUCCESS) { + return PSA_PK_TO_MBEDTLS_ERR(status); + } + key_data = key_buffer; + break; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + default: + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + + return PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes, + key_data, key_length, + key_id)); +} + +int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk, + const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *key_id) +{ + /* Set the output immediately so that it won't contain garbage even + * if we error out before calling psa_import_key(). */ + *key_id = MBEDTLS_SVC_KEY_ID_INIT; + +#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) + if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA_ALT) { + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; + } +#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ + + int want_public = PSA_KEY_TYPE_IS_PUBLIC_KEY(psa_get_key_type(attributes)); + if (want_public) { + return import_public_into_psa(pk, attributes, key_id); + } else { + return import_pair_into_psa(pk, attributes, key_id); + } +} #endif /* MBEDTLS_PSA_CRYPTO_C */ /* diff --git a/library/pk_internal.h b/library/pk_internal.h index da6c7f1..f5924ad 100644 --- a/library/pk_internal.h +++ b/library/pk_internal.h @@ -17,7 +17,7 @@ #include "mbedtls/ecp.h" #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #include "psa/crypto.h" #include "psa_util_internal.h" @@ -28,7 +28,7 @@ #define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ psa_to_pk_ecdsa_errors, \ psa_pk_status_to_mbedtls) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ /* Headers/footers for PEM files */ #define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----" diff --git a/library/psa_util.c b/library/psa_util.c index fd119bf..125b173 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -164,6 +164,8 @@ int psa_pk_status_to_mbedtls(psa_status_t status) return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; case PSA_ERROR_INVALID_ARGUMENT: return MBEDTLS_ERR_PK_INVALID_ALG; + case PSA_ERROR_NOT_PERMITTED: + return MBEDTLS_ERR_PK_TYPE_MISMATCH; case PSA_ERROR_INSUFFICIENT_MEMORY: return MBEDTLS_ERR_PK_ALLOC_FAILED; case PSA_ERROR_BAD_STATE: diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 3414958..e310a59 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -1004,8 +1004,23 @@ PSA attributes for pk: opaque RSA pair, SIGN|DECRYPT & SIGN_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT +# For a PK_OPAQUE key with a key pair type output, +# mbedtls_pk_import_into_psa() requires the key to be copyable or exportable. +# Try all combinations of COPY/not, EXPORT/not. PSA attributes for pk: opaque RSA pair, SIGN|... & SIGN_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT + +PSA attributes for pk: opaque RSA pair, SIGN|EXPORT|... & SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT + +PSA attributes for pk: opaque RSA pair, SIGN|COPY|... & SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT + +PSA attributes for pk: opaque RSA pair, SIGN|COPY|EXPORT... & SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_HASH (bad policy) @@ -1109,3 +1124,173 @@ pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):2 PSA attributes for pk: opaque ECC pair->public, ENCRYPT & ENCRYPT (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0 + +PSA import into PSA: RSA pair to ECC (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_import_into_psa_fail:MBEDTLS_PK_RSA:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: RSA public to RSA pair (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_import_into_psa_fail:MBEDTLS_PK_RSA:0:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +PSA import into PSA: ECKEY pair to RSA (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH pair to RSA (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA pair to RSA (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY public to pair (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH public to pair (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA public to pair (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: opaque RSA, COPY (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +PSA import into PSA: opaque RSA, EXPORT (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +PSA import into PSA: opaque RSA, no COPY/EXPORT (bad) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH + +# Detail that isn't precisely documented: since this copies the key, +# the new key has the intersection of the usage flags. +PSA import into PSA: opaque RSA, COPY|EXPORT, different usage (restricted) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +# Detail that isn't precisely documented: since this copies the key, +# the new key has the intersection of the usage flags. +PSA import into PSA: opaque RSA, COPY, different usage (restricted) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +# Detail that isn't precisely documented: since this exports the key, +# the new key has all the requested usage flags. +PSA import into PSA: opaque RSA, EXPORT, different usage (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +PSA import into PSA: opaque RSA, COPY|EXPORT, different algorithm (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0 + +PSA import into PSA: opaque RSA, COPY, different algorithm (bad) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: opaque RSA, EXPORT, different algorithm (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0 + +PSA import into PSA: opaque RSA, implicit bits (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +PSA import into PSA: opaque RSA, different bits (bad) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: opaque RSA, different type (bad) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: opaque RSA to public (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +PSA import into PSA: opaque RSA to public, implicit bits (ok) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 + +# MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation +# of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably +# be more appropriate. +PSA import into PSA: opaque RSA to public, different bits (bad) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_INVALID_ALG + +PSA import into PSA: opaque ECC, COPY (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +PSA import into PSA: opaque ECC, EXPORT (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +PSA import into PSA: opaque ECC, no COPY/EXPORT (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH + +# Detail that isn't precisely documented: since this copies the key, +# the new key has the intersection of the usage flags. +PSA import into PSA: opaque ECC, COPY|EXPORT, different usage (restricted) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +# Detail that isn't precisely documented: since this copies the key, +# the new key has the intersection of the usage flags. +PSA import into PSA: opaque ECC, COPY, different usage (restricted) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +# Detail that isn't precisely documented: since this exports the key, +# the new key has all the requested usage flags. +PSA import into PSA: opaque ECC, EXPORT, different usage (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +PSA import into PSA: opaque ECC, COPY|EXPORT, different algorithm (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 + +PSA import into PSA: opaque ECC, COPY, different algorithm (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: opaque ECC, EXPORT, different algorithm (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 + +PSA import into PSA: opaque ECC, implicit bits (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +PSA import into PSA: opaque ECC, different bits (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: opaque ECC, different type (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: opaque ECC to public (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +PSA import into PSA: opaque ECC to public, implicit bits (ok) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 + +# MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation +# of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably +# be more appropriate. +PSA import into PSA: opaque ECC to public, different bits (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_INVALID_ALG diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 9c088e1..b9841a9 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -131,14 +131,31 @@ static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); psa_set_key_bits(&key_attr, curve_bits); - psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT | - PSA_KEY_USAGE_SIGN_HASH | - PSA_KEY_USAGE_SIGN_MESSAGE); + psa_key_usage_t usage = PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; + psa_algorithm_t sign_alg = 0; + psa_algorithm_t derive_alg = 0; + if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECDSA) { + usage |= PSA_KEY_USAGE_DERIVE; + derive_alg = PSA_ALG_ECDH; + } + if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECKEY_DH && + curve != PSA_ECC_FAMILY_MONTGOMERY) { + usage |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE; #if defined(MBEDTLS_ECDSA_DETERMINISTIC) - psa_set_key_algorithm(&key_attr, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)); + sign_alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH); #else - psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)); + sign_alg = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH); #endif + } + if (derive_alg != 0) { + psa_set_key_algorithm(&key_attr, derive_alg); + if (sign_alg != 0) { + psa_set_key_enrollment_algorithm(&key_attr, sign_alg); + } + } else { + psa_set_key_algorithm(&key_attr, sign_alg); + } + psa_set_key_usage_flags(&key_attr, usage); status = psa_generate_key(&key_attr, &pk->priv_id); if (status != PSA_SUCCESS) { @@ -1458,6 +1475,9 @@ void pk_rsa_alt() PSA_KEY_USAGE_ENCRYPT, &attributes), MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE); + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + TEST_EQUAL(mbedtls_pk_import_into_psa(&alt, &attributes, &key_id), + MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE); #endif /* MBEDTLS_PSA_CRYPTO_C */ /* Test signature */ @@ -1776,6 +1796,7 @@ void pk_get_psa_attributes(int pk_type, int from_pair, mbedtls_pk_init(&pk); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_usage_t usage = usage_arg; + mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; PSA_INIT(); @@ -1816,9 +1837,12 @@ void pk_get_psa_attributes(int pk_type, int from_pair, TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0); + exit: mbedtls_pk_free(&pk); psa_reset_key_attributes(&attributes); + psa_destroy_key(new_key_id); PSA_DONE(); } /* END_CASE */ @@ -1832,6 +1856,7 @@ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, mbedtls_pk_init(&pk); psa_key_usage_t usage = usage_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; PSA_INIT(); @@ -1857,9 +1882,12 @@ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0); + exit: mbedtls_pk_free(&pk); psa_reset_key_attributes(&attributes); + psa_destroy_key(new_key_id); PSA_DONE(); } /* END_CASE */ @@ -1900,13 +1928,14 @@ void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg, mbedtls_pk_context pk; mbedtls_pk_init(&pk); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + mbedtls_svc_key_id_t old_key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t from_type = from_type_arg; size_t bits = from_bits_arg; psa_key_usage_t from_usage = from_usage_arg; psa_algorithm_t alg = from_alg_arg; psa_key_usage_t usage = usage_arg; psa_key_usage_t expected_usage = expected_usage_arg; + mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; PSA_INIT(); @@ -1916,8 +1945,8 @@ void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg, psa_set_key_algorithm(&attributes, alg); psa_set_key_enrollment_algorithm(&attributes, 42); //TODO: test with persistent key - PSA_ASSERT(psa_generate_key(&attributes, &key_id)); - TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); + PSA_ASSERT(psa_generate_key(&attributes, &old_key_id)); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, old_key_id), 0); psa_key_type_t expected_psa_type = to_pair ? from_type : PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(from_type); @@ -1934,12 +1963,114 @@ void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg, TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); TEST_EQUAL(psa_get_key_algorithm(&attributes), alg); TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); + + int expected_import_ret = 0; + if (to_pair && + !(from_usage & (PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT))) { + expected_import_ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), + expected_import_ret); } exit: mbedtls_pk_free(&pk); + psa_destroy_key(old_key_id); + psa_destroy_key(new_key_id); + psa_reset_key_attributes(&attributes); + PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ +void pk_import_into_psa_fail(int pk_type, int from_pair, + int type_arg, + int expected_ret) +{ + mbedtls_pk_context pk; + mbedtls_pk_init(&pk); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_type_t type = type_arg; + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(0, 42); + + PSA_INIT(); + + psa_key_type_t expected_psa_type; + TEST_EQUAL(pk_setup_for_type(pk_type, from_pair, + &pk, &expected_psa_type), 0); + + psa_set_key_type(&attributes, type); + + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), + expected_ret); + TEST_ASSERT(mbedtls_svc_key_id_equal(key_id, MBEDTLS_SVC_KEY_ID_INIT)); + +exit: psa_destroy_key(key_id); + mbedtls_pk_free(&pk); psa_reset_key_attributes(&attributes); PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ +void pk_import_into_psa_opaque(int from_type, int from_bits, + int from_usage, int from_alg, + int to_type, int to_bits, + int to_usage, int to_alg, + int expected_ret) +{ + mbedtls_pk_context pk; + mbedtls_pk_init(&pk); + psa_key_attributes_t from_attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t from_key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t to_attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t to_key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t actual_attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_INIT(); + + psa_set_key_type(&from_attributes, from_type); + psa_set_key_bits(&from_attributes, from_bits); + psa_set_key_usage_flags(&from_attributes, from_usage); + psa_set_key_algorithm(&from_attributes, from_alg); + PSA_ASSERT(psa_generate_key(&from_attributes, &from_key_id)); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, from_key_id), 0); + + psa_set_key_type(&to_attributes, to_type); + psa_set_key_bits(&to_attributes, to_bits); + psa_set_key_usage_flags(&to_attributes, to_usage); + psa_set_key_algorithm(&to_attributes, to_alg); + + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &to_attributes, &to_key_id), + expected_ret); + + if (expected_ret == 0) { + PSA_ASSERT(psa_get_key_attributes(to_key_id, &actual_attributes)); + TEST_EQUAL(to_type, psa_get_key_type(&actual_attributes)); + if (to_bits != 0) { + TEST_EQUAL(to_bits, psa_get_key_bits(&actual_attributes)); + } + TEST_EQUAL(to_alg, psa_get_key_algorithm(&actual_attributes)); + psa_key_usage_t expected_usage = to_usage; + if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { + expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; + } + if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { + expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; + } + TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&actual_attributes)); + } else { + TEST_ASSERT(mbedtls_svc_key_id_equal(to_key_id, MBEDTLS_SVC_KEY_ID_INIT)); + } + +exit: + mbedtls_pk_free(&pk); + psa_destroy_key(from_key_id); + psa_destroy_key(to_key_id); + psa_reset_key_attributes(&from_attributes); + psa_reset_key_attributes(&to_attributes); + psa_reset_key_attributes(&actual_attributes); + PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From 10e9c412c05b7d0a49f31e720eb73942de0e83ee Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 9 Feb 2024 19:29:08 +0100 Subject: mbedtls_pk_import_into_psa: negative tests for different ECC curve Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 44 +++++++++++++++++++++++++++++++++++++ tests/suites/test_suite_pk.function | 20 +++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index e310a59..9086508 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -1145,6 +1145,42 @@ PSA import into PSA: ECDSA pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH +PSA import into PSA: ECKEY pair to different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH pair to different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA pair to different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY pair to public, different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH pair to public, different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA pair to public, different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY public to different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH public to different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA public to different curve (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH + PSA import into PSA: ECKEY public to pair (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH @@ -1280,6 +1316,10 @@ PSA import into PSA: opaque ECC, different type (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH +PSA import into PSA: opaque ECC, different family (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH + PSA import into PSA: opaque ECC to public (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 @@ -1294,3 +1334,7 @@ pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAM PSA import into PSA: opaque ECC to public, different bits (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_INVALID_ALG + +PSA import into PSA: opaque ECC to public, different family (bad) +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index b9841a9..8e51aaa 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -114,6 +114,26 @@ #define MBEDTLS_TEST_ECP_DP_ONE_CURVE 0 #endif +/* Pick a second curve, for tests that need two supported curves of the + * same size. For simplicity, we only handle a subset of configurations, + * and both curves will support both ECDH and ECDSA. */ +#if defined(PSA_WANT_ECC_SECP_R1_192) && defined(PSA_WANT_ECC_SECP_K1_192) +/* Identical redefinition of the ONE macros, to confirm that they have + * the values we expect here. */ +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_K1_256) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES +#else +/* Always define the macros so that we can use them in test data. */ +#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY 0 +#endif + #endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */ #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) -- cgit v1.1 From 157679c0d5a4f8de312ef88f6191807461b5d4bb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 9 Feb 2024 19:29:44 +0100 Subject: mbedtls_pk_import_into_psa: positive tests with pkparse output Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pkparse.function | 168 ++++++++++++++++++------------- 1 file changed, 100 insertions(+), 68 deletions(-) diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index 14afef6..6c904a3 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -6,10 +6,82 @@ #include "mbedtls/psa_util.h" #include "pk_internal.h" +#if defined(MBEDTLS_PSA_CRYPTO_C) +#include "test/psa_exercise_key.h" +#endif + #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) #define HAVE_mbedtls_pk_parse_key_pkcs8_encrypted_der #endif +#if defined(MBEDTLS_PSA_CRYPTO_C) +static int test_psa_bridge(const mbedtls_pk_context *ctx, + psa_key_usage_t usage_flag) +{ + switch (usage_flag) { + case PSA_KEY_USAGE_SIGN_HASH: + mbedtls_test_set_step(0); + break; + case PSA_KEY_USAGE_SIGN_MESSAGE: + mbedtls_test_set_step(1); + break; + case PSA_KEY_USAGE_DECRYPT: + mbedtls_test_set_step(2); + break; + case PSA_KEY_USAGE_DERIVE: + mbedtls_test_set_step(3); + break; + case PSA_KEY_USAGE_VERIFY_HASH: + mbedtls_test_set_step(4); + break; + case PSA_KEY_USAGE_VERIFY_MESSAGE: + mbedtls_test_set_step(5); + break; + case PSA_KEY_USAGE_ENCRYPT: + mbedtls_test_set_step(6); + break; + } + + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t psa_key = MBEDTLS_SVC_KEY_ID_INIT; + int ok = 0; + + TEST_EQUAL(mbedtls_pk_get_psa_attributes(ctx, usage_flag, &attributes), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(ctx, &attributes, &psa_key), 0); + psa_algorithm_t exercise_usage = psa_get_key_usage_flags(&attributes); + psa_algorithm_t exercise_alg = psa_get_key_algorithm(&attributes); + TEST_ASSERT(mbedtls_test_psa_exercise_key(psa_key, + exercise_usage, exercise_alg)); + + mbedtls_test_set_step((unsigned long) -1); + ok = 1; + +exit: + psa_destroy_key(psa_key); + psa_reset_key_attributes(&attributes); + return ok; +} + +/* Whether a pk key can do ECDSA. Opaque keys are not supported since this + * test suite does not create opaque keys. */ +static int pk_can_ecdsa(const mbedtls_pk_context *ctx) +{ + /* Check whether we have an EC key. Unfortunately this also accepts + * keys on Montgomery curves, which can only do ECDH, so we'll have + * to dig further. */ + if (!mbedtls_pk_can_do(ctx, MBEDTLS_PK_ECDSA)) { + return 0; + } +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + return ctx->ec_family != PSA_ECC_FAMILY_MONTGOMERY; +#elif defined(MBEDTLS_ECDSA_C) + return mbedtls_ecdsa_can_do(mbedtls_pk_ec_ro(*ctx)->grp.id); +#else + return 0; +#endif +} +#endif /* MBEDTLS_PSA_CRYPTO_C */ + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -43,36 +115,19 @@ void pk_parse_keyfile_rsa(char *key_file, char *password, int result) TEST_EQUAL(mbedtls_rsa_check_privkey(rsa), 0); #if defined(MBEDTLS_PSA_CRYPTO_C) - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_SIGN_HASH, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_SIGN_MESSAGE, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_DECRYPT, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_HASH, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_MESSAGE, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_ENCRYPT, - &attributes), 0); + PSA_INIT(); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_HASH)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_MESSAGE)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_DECRYPT)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_ENCRYPT)); #endif } exit: mbedtls_pk_free(&ctx); - MD_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ @@ -97,24 +152,16 @@ void pk_parse_public_keyfile_rsa(char *key_file, int result) TEST_EQUAL(mbedtls_rsa_check_pubkey(rsa), 0); #if defined(MBEDTLS_PSA_CRYPTO_C) - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_ENCRYPT, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_HASH, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_MESSAGE, - &attributes), 0); + PSA_INIT(); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_ENCRYPT)); #endif } exit: mbedtls_pk_free(&ctx); - MD_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ @@ -144,20 +191,17 @@ void pk_parse_public_keyfile_ec(char *key_file, int result) #endif #if defined(MBEDTLS_PSA_CRYPTO_C) - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_HASH, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_MESSAGE, - &attributes), 0); + PSA_INIT(); + if (pk_can_ecdsa(&ctx)) { + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE)); + } #endif } exit: mbedtls_pk_free(&ctx); - MD_OR_USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ @@ -185,32 +229,20 @@ void pk_parse_keyfile_ec(char *key_file, char *password, int result) #endif #if defined(MBEDTLS_PSA_CRYPTO_C) - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_SIGN_HASH, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_SIGN_MESSAGE, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_DERIVE, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_HASH, - &attributes), 0); - psa_reset_key_attributes(&attributes); - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx, - PSA_KEY_USAGE_VERIFY_MESSAGE, - &attributes), 0); + PSA_INIT(); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_DERIVE)); + if (pk_can_ecdsa(&ctx)) { + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_HASH)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_MESSAGE)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH)); + TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE)); + } #endif } exit: mbedtls_pk_free(&ctx); - MD_OR_USE_PSA_DONE(); + PSA_DONE(); } /* END_CASE */ -- cgit v1.1 From 35cb3198324854226928e63ca261f58db1512e3a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 14:16:05 +0100 Subject: depends.py: set unique configuration names in outcome file Set unique configuration names in the outcome file. This was lost in the rewrite from depends-*.pl to depends.py. Fix #7290 Signed-off-by: Gilles Peskine --- tests/scripts/depends.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 1a84531..1990cd2 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -199,7 +199,10 @@ and subsequent commands are tests that cannot run if the build failed).''' success = True for command in self.commands: log_command(command) - ret = subprocess.call(command) + env = os.environ.copy() + if 'MBEDTLS_TEST_CONFIGURATION' in env: + env['MBEDTLS_TEST_CONFIGURATION'] += '-' + self.name + ret = subprocess.call(command, env=env) if ret != 0: if command[0] not in ['make', options.make_command]: log_line('*** [{}] Error {}'.format(' '.join(command), ret)) -- cgit v1.1 From 74860ddec2486ea63316d77cd4a3f3146c127bda Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 14:25:18 +0100 Subject: Don't define pk_sign_verify in configurations where it's unused MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In some configurations (e.g. ECDH but no ECDSA or RSA), the PK module is useful but cannot perform any signatures. Then modern GCC complains: ``` ../source/tests/suites/test_suite_pk.function: In function ‘test_pk_sign_verify’: ../source/tests/suites/test_suite_pk.function:1136:12: error: array subscript 0 is outside array bounds of ‘unsigned char[0]’ [-Werror=array-bounds] ../source/tests/suites/test_suite_pk.function:1094:19: note: while referencing sig’ 
 ``` This fixes test-ref-configs.pl with a modern GCC (specifically with config-thread.h). Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 8e51aaa..5d0ee1a 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -25,6 +25,13 @@ #define RSA_KEY_SIZE MBEDTLS_RSA_GEN_KEY_MIN_BITS #define RSA_KEY_LEN (MBEDTLS_RSA_GEN_KEY_MIN_BITS/8) +#if defined(MBEDTLS_RSA_C) || \ + defined(MBEDTLS_PK_RSA_ALT_SUPPORT) || \ + defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_USE_PSA_CRYPTO) +#define PK_CAN_SIGN_SOME +#endif + /* MBEDTLS_TEST_PK_PSA_SIGN is enabled when: * - The build has PK_[PARSE/WRITE]_C for RSA or ECDSA signature. * - The build has built-in ECC and ECDSA signature. @@ -1082,7 +1089,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256 */ +/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:PK_CAN_SIGN_SOME */ void pk_sign_verify(int type, int curve_or_keybits, int sign_ret, int verify_ret) { mbedtls_pk_context pk; -- cgit v1.1 From 1d33876d3733064a5b8b31c392d8ab5df435e781 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 14:18:26 +0100 Subject: Fix some preprocessor guards Fix the build in some configurations. Signed-off-by: Gilles Peskine --- library/pk.c | 3 +-- tests/suites/test_suite_pk.function | 18 ++++++++++-------- tests/suites/test_suite_pkparse.function | 6 ++++-- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/library/pk.c b/library/pk.c index f623af9..28663a8 100644 --- a/library/pk.c +++ b/library/pk.c @@ -784,8 +784,7 @@ static int import_public_into_psa(const mbedtls_pk_context *pk, size_t from_bits = 0; psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id, &from_bits); - psa_key_type_t to_type = psa_get_key_type(attributes); - if (to_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(from_family)) { + if (psa_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(from_family)) { return MBEDTLS_ERR_PK_TYPE_MISMATCH; } int ret = mbedtls_ecp_write_public_key( diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 5d0ee1a..7671364 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -114,11 +114,6 @@ #if defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY) #define MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -#else -/* Always define the macros so that we can use them in test data. */ -#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY 0 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 0 -#define MBEDTLS_TEST_ECP_DP_ONE_CURVE 0 #endif /* Pick a second curve, for tests that need two supported curves of the @@ -136,13 +131,20 @@ #define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 #define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 #define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -#else -/* Always define the macros so that we can use them in test data. */ -#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY 0 #endif #endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */ +/* Always define the macros so that we can use them in test data. */ +#if !defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY 0 +#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 0 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE 0 +#endif +#if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY) +#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY 0 +#endif + #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) { diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index 6c904a3..3227ce9 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -14,7 +14,7 @@ #define HAVE_mbedtls_pk_parse_key_pkcs8_encrypted_der #endif -#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_FS_IO) static int test_psa_bridge(const mbedtls_pk_context *ctx, psa_key_usage_t usage_flag) { @@ -62,6 +62,7 @@ exit: return ok; } +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) /* Whether a pk key can do ECDSA. Opaque keys are not supported since this * test suite does not create opaque keys. */ static int pk_can_ecdsa(const mbedtls_pk_context *ctx) @@ -80,7 +81,8 @@ static int pk_can_ecdsa(const mbedtls_pk_context *ctx) return 0; #endif } -#endif /* MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ +#endif /* MBEDTLS_PSA_CRYPTO_C && && MBEDTLS_FS_IO */ /* END_HEADER */ -- cgit v1.1 From 34955677e5bee237b94ef0b5fe8e6df53dbc53db Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 14:19:24 +0100 Subject: Don't exercise if the algorithm is not supported Parsing a key and importing it into PSA may result in a policy that specifies an algorithm that is not included in the build. This happens if the key type is supported, but not the algorithm, e.g. in a build with MBEDTLS_ECP_C but not MBEDTLS_ECDSA_C. Signed-off-by: Gilles Peskine --- tests/include/test/psa_exercise_key.h | 16 ++++++++++++ tests/src/psa_exercise_key.c | 45 ++++++++++++++++++++++++++++++++ tests/suites/test_suite_pkparse.function | 8 ++++-- 3 files changed, 67 insertions(+), 2 deletions(-) diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h index a658d17..82ef2ad 100644 --- a/tests/include/test/psa_exercise_key.h +++ b/tests/include/test/psa_exercise_key.h @@ -221,4 +221,20 @@ int mbedtls_test_psa_exercise_key(mbedtls_svc_key_id_t key, psa_key_usage_t mbedtls_test_psa_usage_to_exercise(psa_key_type_t type, psa_algorithm_t alg); +/** Whether the specified algorithm can be exercised. + * + * \note This function is solely based on the algorithm and does not + * consider potential issues with the compatibility of a key. + * The idea is that you already have a key, so you know that the + * key type is supported, and you want to exercise the key but + * only if the algorithm given in its policy is enabled in the + * compile-time configuration. + * + * \note This function currently only supports signature algorithms + * (including wildcards). + * TODO: a more general mechanism, which should be automatically + * generated and possibly available as a library function? + */ +int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg); + #endif /* PSA_EXERCISE_KEY_H */ diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 618b83f..3fcf77d 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -1009,4 +1009,49 @@ psa_key_usage_t mbedtls_test_psa_usage_to_exercise(psa_key_type_t type, } +int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg) +{ + /* Reject algorithms that we know are not supported. Default to + * attempting exercise, so that if an algorithm is missing from this + * function, the result will be a test failure and not silently + * omitting exercise. */ +#if !defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) + if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) { + return 0; + } +#endif +#if !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) + if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) { + return 0; + } +#endif +#if !defined(PSA_WANT_ALG_RSA_PSS) + if (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg)) { + return 0; + } +#endif +#if !defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) + if (PSA_ALG_IS_RSA_PSS_ANY_SALT(alg)) { + return 0; + } +#endif +#if !defined(PSA_WANT_ALG_ECDSA) + if (PSA_ALG_IS_ECDSA(alg)) { + return 0; + } +#endif +#if !defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) + if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) { + return 0; + } +#endif +#if !defined(PSA_WANT_ALG_ECDH) + if (PSA_ALG_IS_ECDH(alg)) { + return 0; + } +#endif + (void) alg; + return 1; +} + #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index 3227ce9..add225d 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -48,10 +48,14 @@ static int test_psa_bridge(const mbedtls_pk_context *ctx, TEST_EQUAL(mbedtls_pk_get_psa_attributes(ctx, usage_flag, &attributes), 0); TEST_EQUAL(mbedtls_pk_import_into_psa(ctx, &attributes, &psa_key), 0); + psa_algorithm_t exercise_usage = psa_get_key_usage_flags(&attributes); psa_algorithm_t exercise_alg = psa_get_key_algorithm(&attributes); - TEST_ASSERT(mbedtls_test_psa_exercise_key(psa_key, - exercise_usage, exercise_alg)); + if (mbedtls_test_can_exercise_psa_algorithm(exercise_alg)) { + TEST_ASSERT(mbedtls_test_psa_exercise_key(psa_key, + exercise_usage, + exercise_alg)); + } mbedtls_test_set_step((unsigned long) -1); ok = 1; -- cgit v1.1 From 465e4ed56b8de28d2fee48408f6538fd33de8b00 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 19:54:53 +0100 Subject: Prioritize SHA2 over MD5 for KNOWN_SUPPORTED_HASH_ALG This fixes the ability to exercise keys in configurations where MD5 is supported for direct use, but not inside some accelerated algorithms. This is the case in `all.sh test_psa_crypto_config_accel_ecc_ecp_light_only` and some other accelerated-ECC components of `all.sh`, where the driver is built without MD5 support but built-in MD5 remains enabled. This is only a hack, not a theoretically correct fix, but a correct fix is out of scope of my current work. Signed-off-by: Gilles Peskine --- tests/include/test/psa_exercise_key.h | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h index 82ef2ad..7d51a4c 100644 --- a/tests/include/test/psa_exercise_key.h +++ b/tests/include/test/psa_exercise_key.h @@ -20,15 +20,7 @@ * * This is used in some smoke tests. */ -#if defined(PSA_WANT_ALG_MD5) -#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_MD5 -/* PSA_WANT_ALG_RIPEMD160 omitted. This is necessary for the sake of - * exercise_signature_key() because Mbed TLS doesn't support RIPEMD160 - * in RSA PKCS#1v1.5 signatures. A RIPEMD160-only configuration would be - * implausible anyway. */ -#elif defined(PSA_WANT_ALG_SHA_1) -#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_1 -#elif defined(PSA_WANT_ALG_SHA_256) +#if defined(PSA_WANT_ALG_SHA_256) #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_256 #elif defined(PSA_WANT_ALG_SHA_384) #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_384 @@ -36,6 +28,14 @@ #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_512 #elif defined(PSA_WANT_ALG_SHA3_256) #define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA3_256 +#elif defined(PSA_WANT_ALG_SHA_1) +#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_1 +#elif defined(PSA_WANT_ALG_MD5) +#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_MD5 +/* PSA_WANT_ALG_RIPEMD160 omitted. This is necessary for the sake of + * exercise_signature_key() because Mbed TLS doesn't support RIPEMD160 + * in RSA PKCS#1v1.5 signatures. A RIPEMD160-only configuration would be + * implausible anyway. */ #else #undef KNOWN_SUPPORTED_HASH_ALG #endif -- cgit v1.1 From 7238efd13689316d8fc3ef772333a5b0a438d227 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Piotr=20Bzdr=C4=99ga?= Date: Mon, 12 Feb 2024 21:06:54 +0100 Subject: changelog for bugfix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Piotr Bzdręga --- ChangeLog.d/gen-key-segfault.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/gen-key-segfault.txt diff --git a/ChangeLog.d/gen-key-segfault.txt b/ChangeLog.d/gen-key-segfault.txt new file mode 100644 index 0000000..7f8c39b --- /dev/null +++ b/ChangeLog.d/gen-key-segfault.txt @@ -0,0 +1,3 @@ +Bugfix + * Avoid segmentation fault caused by releasing not initialized + entropy resource in gen_key example. Fixes #8809 \ No newline at end of file -- cgit v1.1 From aa7416594884af048ec77d12f42efaba9c4ff7a5 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 13 Feb 2024 13:40:26 +0000 Subject: Fix IAR cast warning Signed-off-by: Dave Rodgman --- library/pk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pk.c b/library/pk.c index 1b481e1..076d3a8 100644 --- a/library/pk.c +++ b/library/pk.c @@ -385,7 +385,7 @@ static psa_algorithm_t psa_algorithm_for_rsa(const mbedtls_rsa_context *rsa, { if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) { if (want_crypt) { - mbedtls_md_type_t md_type = mbedtls_rsa_get_md_alg(rsa); + mbedtls_md_type_t md_type = (mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa); return PSA_ALG_RSA_OAEP(mbedtls_md_psa_alg_from_type(md_type)); } else { return PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH); -- cgit v1.1 From b4cb8bef42c1751a35b839e721aa3c6a2f3dba56 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 24 Nov 2023 17:08:54 +0000 Subject: Fix remaining warnings from -Wshorten-64-to-32 Signed-off-by: Dave Rodgman --- library/aesce.c | 2 +- library/lms.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index eaaa5b5..6a9e0a1 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -334,7 +334,7 @@ static void aesce_setkey_enc(unsigned char *rk, * - Section 5, Nr = Nk + 6 * - Section 5.2, the length of round keys is Nb*(Nr+1) */ - const uint32_t key_len_in_words = key_bit_length / 32; /* Nk */ + const size_t key_len_in_words = key_bit_length / 32; /* Nk */ const size_t round_key_len_in_words = 4; /* Nb */ const size_t rounds_needed = key_len_in_words + 6; /* Nr */ const size_t round_keys_len_in_words = diff --git a/library/lms.c b/library/lms.c index 08fe753..8d3cae0 100644 --- a/library/lms.c +++ b/library/lms.c @@ -65,7 +65,8 @@ static int local_err_translation(psa_status_t status) #define H_TREE_HEIGHT_MAX 10 #define MERKLE_TREE_NODE_AM(type) ((size_t) 1 << (MBEDTLS_LMS_H_TREE_HEIGHT(type) + 1u)) #define MERKLE_TREE_LEAF_NODE_AM(type) ((size_t) 1 << MBEDTLS_LMS_H_TREE_HEIGHT(type)) -#define MERKLE_TREE_INTERNAL_NODE_AM(type) ((size_t) 1 << MBEDTLS_LMS_H_TREE_HEIGHT(type)) +#define MERKLE_TREE_INTERNAL_NODE_AM(type) ((unsigned int) \ + (1u << MBEDTLS_LMS_H_TREE_HEIGHT(type))) #define D_CONST_LEN (2) static const unsigned char D_LEAF_CONSTANT_BYTES[D_CONST_LEN] = { 0x82, 0x82 }; -- cgit v1.1 From 971820330867c5e8181100641e4dac584bfa98be Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 13 Feb 2024 13:27:06 +0000 Subject: Fix deadlock with test failures Calling mbedtls_test_fail() attempts to lock the test data mutex. Unfortunately we were calling this from places where we already held this mutex, and this mutex is not recursive, so this deadlocks. Split out mbedtls_test_fail() into mbedtls_test_fail_internal() in order to address this. Signed-off-by: Paul Elliott --- tests/src/helpers.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index da0b54a..b9233be 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -341,11 +341,10 @@ int mbedtls_test_ascii2uc(const char c, unsigned char *uc) return 0; } -void mbedtls_test_fail(const char *test, int line_no, const char *filename) +static void mbedtls_test_fail_internal(const char *test, int line_no, const char *filename) { -#ifdef MBEDTLS_THREADING_C - mbedtls_mutex_lock(&mbedtls_test_info_mutex); -#endif /* MBEDTLS_THREADING_C */ + /* Internal function only - mbedtls_test_info_mutex should be held prior + * to calling this function. */ /* Don't use accessor, we already hold mutex. */ if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) { @@ -353,6 +352,15 @@ void mbedtls_test_fail(const char *test, int line_no, const char *filename) * overwrite any previous information about the failure. */ mbedtls_test_set_result(MBEDTLS_TEST_RESULT_FAILED, test, line_no, filename); } +} + +void mbedtls_test_fail(const char *test, int line_no, const char *filename) +{ +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + mbedtls_test_fail_internal(test, line_no, filename); #ifdef MBEDTLS_THREADING_C mbedtls_mutex_unlock(&mbedtls_test_info_mutex); @@ -412,7 +420,7 @@ int mbedtls_test_equal(const char *test, int line_no, const char *filename, * overwrite any previous information about the failure. */ char buf[MBEDTLS_TEST_LINE_LENGTH]; - mbedtls_test_fail(test, line_no, filename); + mbedtls_test_fail_internal(test, line_no, filename); (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %lld", value1, (long long) value1); @@ -450,7 +458,7 @@ int mbedtls_test_le_u(const char *test, int line_no, const char *filename, * overwrite any previous information about the failure. */ char buf[MBEDTLS_TEST_LINE_LENGTH]; - mbedtls_test_fail(test, line_no, filename); + mbedtls_test_fail_internal(test, line_no, filename); (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %llu", value1, value1); @@ -488,7 +496,7 @@ int mbedtls_test_le_s(const char *test, int line_no, const char *filename, * overwrite any previous information about the failure. */ char buf[MBEDTLS_TEST_LINE_LENGTH]; - mbedtls_test_fail(test, line_no, filename); + mbedtls_test_fail_internal(test, line_no, filename); (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %lld", (unsigned long long) value1, value1); -- cgit v1.1 From fff51ceccdb8b80553ce3d38e266c21e24872e9c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 13 Feb 2024 15:32:29 +0000 Subject: Update ChangeLog.d/pkg-config-files-addition.txt Fix syntax errors in Changelog (and tidy up punctuation) Signed-off-by: Dave Rodgman --- ChangeLog.d/pkg-config-files-addition.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog.d/pkg-config-files-addition.txt b/ChangeLog.d/pkg-config-files-addition.txt index e39f62e..e459470 100644 --- a/ChangeLog.d/pkg-config-files-addition.txt +++ b/ChangeLog.d/pkg-config-files-addition.txt @@ -1,2 +1,4 @@ Features - * Add pc files for pkg-config. eg.) pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) + * Add pc files for pkg-config, e.g.: + pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) + -- cgit v1.1 From e0a6f7d32007836ba25af15f279b277a6f5915df Mon Sep 17 00:00:00 2001 From: PiotrBzdrega Date: Tue, 13 Feb 2024 17:08:40 +0100 Subject: fill out missing dot in changelog Signed-off-by: PiotrBzdrega --- ChangeLog.d/gen-key-segfault.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/gen-key-segfault.txt b/ChangeLog.d/gen-key-segfault.txt index 7f8c39b..4fb2d1f 100644 --- a/ChangeLog.d/gen-key-segfault.txt +++ b/ChangeLog.d/gen-key-segfault.txt @@ -1,3 +1,3 @@ Bugfix * Avoid segmentation fault caused by releasing not initialized - entropy resource in gen_key example. Fixes #8809 \ No newline at end of file + entropy resource in gen_key example. Fixes #8809. \ No newline at end of file -- cgit v1.1 From f8b983c855a3b0620839085cd7c7a33416aaa091 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 13 Feb 2024 18:14:58 +0100 Subject: Pack the iota round constants This saves ~160 bytes of code size, at the cost of a bit of localized complexity in the code. The impact on performance is measurable but small (<5% observed on x86_64) and can go either way (there's a calculation vs memory bandwidth compromise). Signed-off-by: Gilles Peskine --- library/sha3.c | 41 +++++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 8 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 5df08f9..27d495f 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -26,14 +26,35 @@ #define XOR_BYTE 0x6 -static const uint64_t rc[24] = { - 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000, - 0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009, - 0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a, - 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003, - 0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a, - 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008, +/* Precomputed masks for the iota transform. + * + * Each round uses a 64-bit mask value. In each mask values, only + * bits whose position is of the form 2^k-1 can be set, thus only + * 7 of 64 bits of the mask need to be known for each mask value. + * + * We use a compressed encoding of the mask where bits 63, 31 and 15 + * are moved to bits 4-6. This allows us to make each mask value + * 1 byte rather than 8 bytes, saving 7*24 = 168 bytes of data (with + * perhaps a little variation due to alignment). Decompressing this + * requires a little code, but much less than the savings on the table. + * + * The impact on performance depends on the platform and compiler. + * There's a bit more computation, but less memory bandwidth. A quick + * benchmark on x86_64 shows a 7% speed improvement with GCC and a + * 5% speed penalty with Clang, compared to the naive uint64_t[24] table. + * YMMV. + */ +/* Helper macro to set the values of the higher bits in unused low positions */ +#define H(b63, b31, b15) (b63 << 6 | b31 << 5 | b15 << 4) +static const uint8_t iota_r_packed[24] = { + H(0, 0, 0) | 0x01, H(0, 0, 1) | 0x82, H(1, 0, 1) | 0x8a, H(1, 1, 1) | 0x00, + H(0, 0, 1) | 0x8b, H(0, 1, 0) | 0x01, H(1, 1, 1) | 0x81, H(1, 0, 1) | 0x09, + H(0, 0, 0) | 0x8a, H(0, 0, 0) | 0x88, H(0, 1, 1) | 0x09, H(0, 1, 0) | 0x0a, + H(0, 1, 1) | 0x8b, H(1, 0, 0) | 0x8b, H(1, 0, 1) | 0x89, H(1, 0, 1) | 0x03, + H(1, 0, 1) | 0x02, H(1, 0, 0) | 0x80, H(0, 0, 1) | 0x0a, H(1, 1, 0) | 0x0a, + H(1, 1, 1) | 0x81, H(1, 0, 1) | 0x80, H(0, 1, 0) | 0x01, H(1, 1, 1) | 0x08, }; +#undef H static const uint8_t rho[24] = { 1, 62, 28, 27, 36, 44, 6, 55, 20, @@ -132,7 +153,11 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) s[24] ^= (~lane[0]) & lane[1]; /* Iota */ - s[0] ^= rc[round]; + /* Decompress the round masks (see definition of rc) */ + s[0] ^= ((iota_r_packed[round] & 0x40ull) << 57 | + (iota_r_packed[round] & 0x20ull) << 26 | + (iota_r_packed[round] & 0x10ull) << 11 | + (iota_r_packed[round] & 0x8f)); } } -- cgit v1.1 From 255a0f591633531169242d58b0a1c7f95df4470b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 13 Feb 2024 17:55:18 +0000 Subject: Rotate right instead of left Signed-off-by: Dave Rodgman --- library/sha3.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 5df08f9..93c5b7e 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -36,9 +36,7 @@ static const uint64_t rc[24] = { }; static const uint8_t rho[24] = { - 1, 62, 28, 27, 36, 44, 6, 55, 20, - 3, 10, 43, 25, 39, 41, 45, 15, - 21, 8, 18, 2, 61, 56, 14 + 63, 2, 36, 37, 28, 20, 58, 9, 44, 61, 54, 21, 39, 25, 23, 19, 49, 43, 56, 46, 62, 3, 8, 50 }; static const uint8_t pi[24] = { @@ -46,7 +44,7 @@ static const uint8_t pi[24] = { 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1, }; -#define ROT64(x, y) (((x) << (y)) | ((x) >> (64U - (y)))) +#define ROTR64(x, y) (((x) << (64U - (y))) | ((x) >> (y))) // 64-bit rotate right #define ABSORB(ctx, idx, v) do { ctx->state[(idx) >> 3] ^= ((uint64_t) (v)) << (((idx) & 0x7) << 3); \ } while (0) #define SQUEEZE(ctx, idx) ((uint8_t) (ctx->state[(idx) >> 3] >> (((idx) & 0x7) << 3))) @@ -69,24 +67,24 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) lane[3] = s[3] ^ s[8] ^ s[13] ^ s[18] ^ s[23]; lane[4] = s[4] ^ s[9] ^ s[14] ^ s[19] ^ s[24]; - t = lane[4] ^ ROT64(lane[1], 1); + t = lane[4] ^ ROTR64(lane[1], 63); s[0] ^= t; s[5] ^= t; s[10] ^= t; s[15] ^= t; s[20] ^= t; - t = lane[0] ^ ROT64(lane[2], 1); + t = lane[0] ^ ROTR64(lane[2], 63); s[1] ^= t; s[6] ^= t; s[11] ^= t; s[16] ^= t; s[21] ^= t; - t = lane[1] ^ ROT64(lane[3], 1); + t = lane[1] ^ ROTR64(lane[3], 63); s[2] ^= t; s[7] ^= t; s[12] ^= t; s[17] ^= t; s[22] ^= t; - t = lane[2] ^ ROT64(lane[4], 1); + t = lane[2] ^ ROTR64(lane[4], 63); s[3] ^= t; s[8] ^= t; s[13] ^= t; s[18] ^= t; s[23] ^= t; - t = lane[3] ^ ROT64(lane[0], 1); + t = lane[3] ^ ROTR64(lane[0], 63); s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t; /* Rho */ for (i = 1; i < 25; i++) { - s[i] = ROT64(s[i], rho[i-1]); + s[i] = ROTR64(s[i], rho[i-1]); } /* Pi */ -- cgit v1.1 From d407e0df1bb74c1628834fc4ad43e56836b48d21 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 13 Feb 2024 18:27:55 +0000 Subject: Read rho table in 4-byte chunks Signed-off-by: Dave Rodgman --- library/sha3.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 93c5b7e..29908fb 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -35,8 +35,8 @@ static const uint64_t rc[24] = { 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008, }; -static const uint8_t rho[24] = { - 63, 2, 36, 37, 28, 20, 58, 9, 44, 61, 54, 21, 39, 25, 23, 19, 49, 43, 56, 46, 62, 3, 8, 50 +static const uint32_t rho[6] = { + 0x3f022425, 0x1c143a09, 0x2c3d3615, 0x27191713, 0x312b382e, 0x3e030832 }; static const uint8_t pi[24] = { @@ -83,8 +83,13 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t; /* Rho */ - for (i = 1; i < 25; i++) { - s[i] = ROTR64(s[i], rho[i-1]); + for (i = 1; i < 25; i += 4) { + uint32_t r = rho[(i - 1) >> 2]; + for (int j = i; j < i + 4; j++) { + uint8_t r8 = r >> 24; + r <<= 8; + s[j] = ROTR64(s[j], r8); + } } /* Pi */ -- cgit v1.1 From cfb126f1baa05c204e7cc5f378f9fdf2c295711b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 13 Feb 2024 18:35:41 +0000 Subject: Read pi table in 4-byte chunks Signed-off-by: Dave Rodgman --- library/sha3.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 29908fb..9b22cfa 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -39,9 +39,8 @@ static const uint32_t rho[6] = { 0x3f022425, 0x1c143a09, 0x2c3d3615, 0x27191713, 0x312b382e, 0x3e030832 }; -static const uint8_t pi[24] = { - 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, - 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1, +static const uint32_t pi[6] = { + 0x0a070b11, 0x12030510, 0x08151804, 0x0f17130d, 0x0c02140e, 0x16090601 }; #define ROTR64(x, y) (((x) << (64U - (y))) | ((x) >> (y))) // 64-bit rotate right @@ -94,8 +93,13 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) /* Pi */ t = s[1]; - for (i = 0; i < 24; i++) { - SWAP(s[pi[i]], t); + for (i = 0; i < 24; i += 4) { + uint32_t p = pi[i >> 2]; + for (unsigned j = 0; j < 4; j++) { + uint8_t p8 = (uint8_t) (p >> 24); + p <<= 8; + SWAP(s[p8], t); + } } /* Chi */ -- cgit v1.1 From 418f85957930e0d4e48b93abe73f0f9097dce50f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 13 Feb 2024 19:22:28 +0000 Subject: fix cast warning Signed-off-by: Dave Rodgman --- library/sha3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/sha3.c b/library/sha3.c index 9b22cfa..6b14a84 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -85,7 +85,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) for (i = 1; i < 25; i += 4) { uint32_t r = rho[(i - 1) >> 2]; for (int j = i; j < i + 4; j++) { - uint8_t r8 = r >> 24; + uint8_t r8 = (uint8_t) (r >> 24); r <<= 8; s[j] = ROTR64(s[j], r8); } -- cgit v1.1 From dc6606b5e3ecc8ea14edadbbf47fb2da7b2bd88c Mon Sep 17 00:00:00 2001 From: PiotrBzdrega Date: Tue, 13 Feb 2024 22:17:08 +0100 Subject: newline at end of changelog file Signed-off-by: PiotrBzdrega --- ChangeLog.d/gen-key-segfault.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/gen-key-segfault.txt b/ChangeLog.d/gen-key-segfault.txt index 4fb2d1f..fefc702 100644 --- a/ChangeLog.d/gen-key-segfault.txt +++ b/ChangeLog.d/gen-key-segfault.txt @@ -1,3 +1,3 @@ Bugfix * Avoid segmentation fault caused by releasing not initialized - entropy resource in gen_key example. Fixes #8809. \ No newline at end of file + entropy resource in gen_key example. Fixes #8809. -- cgit v1.1 From 6fd6542e9cadd0f66042ea5c281c6189c2816dea Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 14 Feb 2024 01:20:33 +0000 Subject: Roll/unroll various bits Signed-off-by: Dave Rodgman --- library/sha3.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/library/sha3.c b/library/sha3.c index 6b14a84..99a8acb 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -10,6 +10,10 @@ * https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf */ +#undef MBEDTLS_SHA3_THETA_UNROLL +#define MBEDTLS_SHA3_RHO_UNROLL +#define MBEDTLS_SHA3_PI_UNROLL + #include "common.h" #if defined(MBEDTLS_SHA3_C) @@ -60,6 +64,15 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) uint64_t t; /* Theta */ +#if !defined(MBEDTLS_SHA3_THETA_UNROLL) + for (i = 0; i < 5; i++) { + lane[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20]; + } + for (i = 0; i < 5; i++) { + t = lane[(i + 4) % 5] ^ ROTR64(lane[(i + 1) % 5], 63); + s[i] ^= t; s[i + 5] ^= t; s[i + 10] ^= t; s[i + 15] ^= t; s[i + 20] ^= t; + } +#else lane[0] = s[0] ^ s[5] ^ s[10] ^ s[15] ^ s[20]; lane[1] = s[1] ^ s[6] ^ s[11] ^ s[16] ^ s[21]; lane[2] = s[2] ^ s[7] ^ s[12] ^ s[17] ^ s[22]; @@ -80,19 +93,28 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) t = lane[3] ^ ROTR64(lane[0], 63); s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t; +#endif /* Rho */ for (i = 1; i < 25; i += 4) { uint32_t r = rho[(i - 1) >> 2]; +#if !defined(MBEDTLS_SHA3_RHO_UNROLL) for (int j = i; j < i + 4; j++) { uint8_t r8 = (uint8_t) (r >> 24); r <<= 8; s[j] = ROTR64(s[j], r8); } +#else + s[i + 0] = ROTR64(s[i + 0], MBEDTLS_BYTE_3(r)); + s[i + 1] = ROTR64(s[i + 1], MBEDTLS_BYTE_2(r)); + s[i + 2] = ROTR64(s[i + 2], MBEDTLS_BYTE_1(r)); + s[i + 3] = ROTR64(s[i + 3], MBEDTLS_BYTE_0(r)); +#endif } /* Pi */ t = s[1]; +#if !defined(MBEDTLS_SHA3_PI_UNROLL) for (i = 0; i < 24; i += 4) { uint32_t p = pi[i >> 2]; for (unsigned j = 0; j < 4; j++) { @@ -101,6 +123,26 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) SWAP(s[p8], t); } } +#else + uint32_t p = pi[0]; + SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); + SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + p = pi[1]; + SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); + SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + p = pi[2]; + SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); + SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + p = pi[3]; + SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); + SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + p = pi[4]; + SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); + SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + p = pi[5]; + SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); + SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); +#endif /* Chi */ lane[0] = s[0]; lane[1] = s[1]; lane[2] = s[2]; lane[3] = s[3]; lane[4] = s[4]; -- cgit v1.1 From 095e1ac71c2703e285f199f5df8016160026449b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 12 Feb 2024 11:01:37 +0100 Subject: pem: check data padding in DES/AES decrypted buffers Signed-off-by: Valerio Setti --- library/pem.c | 49 +++++++++++++++++++++++++++++++----- tests/suites/test_suite_pkparse.data | 2 +- 2 files changed, 44 insertions(+), 7 deletions(-) diff --git a/library/pem.c b/library/pem.c index 7e7f86f..f090f49 100644 --- a/library/pem.c +++ b/library/pem.c @@ -241,6 +241,28 @@ exit: } #endif /* MBEDTLS_AES_C */ +#if defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) +static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len) +{ + size_t pad_len = input[input_len - 1]; + size_t i; + + if (pad_len > input_len) { + return MBEDTLS_ERR_PEM_BAD_INPUT_DATA; + } + + *data_len = input_len - pad_len; + + for (i = *data_len; i < input_len; i++) { + if (input[i] != pad_len) { + return MBEDTLS_ERR_PEM_BAD_INPUT_DATA; + } + } + + return 0; +} +#endif /* MBEDTLS_DES_C || MBEDTLS_AES_C */ + #endif /* PEM_RFC1421 */ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer, @@ -431,21 +453,36 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const return ret; } + /* Check PKCS padding and update data length based on padding info. + * This can be used to detect invalid padding data and password + * mismatches. */ + ret = pem_check_pkcs_padding(buf, len, &len); + if (ret != 0) { + mbedtls_free(buf); + return ret; + } + /* - * The result will be ASN.1 starting with a SEQUENCE tag. Parse it - * with ASN.1 functions in order to: - * - Have an heuristic guess about password mismatches. - * - Update len variable to the amount of valid data inside buf. + * In RFC1421 PEM is used as container for DER (ASN.1) content so we + * can use ASN.1 functions to parse the main SEQUENCE tag and to get its + * length. */ unsigned char *p = buf; - ret = mbedtls_asn1_get_tag(&p, buf + len, &len, + size_t sequence_len; + ret = mbedtls_asn1_get_tag(&p, buf + len, &sequence_len, MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED); if (ret != 0) { mbedtls_free(buf); return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret); } /* Add also the sequence block (tag + len) to the total amount of valid data. */ - len += (p - buf); + sequence_len += (p - buf); + + /* Ensure that the reported SEQUENCE length matches the data len (i.e. no + * trailing garbage data). */ + if (len != sequence_len) { + return MBEDTLS_ERR_PEM_BAD_INPUT_DATA; + } #else mbedtls_zeroize_and_free(buf, len); return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE; diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 5b2dbb9..7ee77da 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -8,7 +8,7 @@ pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLTest":0 Parse RSA Key #3 (Wrong password) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C -pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PEM_BAD_INPUT_DATA Parse RSA Key #4 (DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -- cgit v1.1 From c1b93751b3091d2d0b9f8b4a197792d692375c3e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 12 Feb 2024 11:03:16 +0100 Subject: test_suite_pem: add more test cases for encrypted PEM buffers Signed-off-by: Valerio Setti --- tests/suites/test_suite_pem.data | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index 32d3c27..df9663b 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -59,6 +59,18 @@ mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KE # The text "hello world" (which is clearly not a valid ASN.1 SEQUENCE) is encoded # with AES-128-CBC to prove that ASN.1 parsing after decoding fails. +# Since PBKDF1 isn't supported in OpenSSL, here's the steps: +# 1. generate the key (password="password"; IV=0x3132333435363738 in hex or "12345678" as string) +# echo -n "password12345678" | openssl md5 +# 2. encode data +# echo -n "hello world" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" PEM read (Invalid SEQUENCE encoded with AES-128-CBC) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,765FCB151B573FC9E5FB3A0E5A198785\n\nU2FsdGVkX1/+Vl2WMhEy3zcdg14R+flkg/pW4ei4d0I=\n-----END EC PRIVATE KEY-----":"pwdpwd":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:"" +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\nDfRGkwS+VjvR0IYsjZwW6Q==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:"" + +# Same as above, but with invalid padding data. +# Generated with: +# echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x01\x02\x03\x04\x05" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad +PEM read (Invalid padding data for AES-128-CBC) +depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n333hxynfxEdXrSHQfIabxQ==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" -- cgit v1.1 From 3a4f2040b3e68e6f592eb129e9f2b0deeb600d43 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 12 Feb 2024 11:05:15 +0100 Subject: test_suite_psa_crypto: fix some test descriptions Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index dc43599..38e4046 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -104,7 +104,7 @@ PSA import/export RSA keypair: export buffer too small depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:-1:PSA_ERROR_BUFFER_TOO_SMALL:1 -PSA import/export RSA keypair: trailing garbage ignored +PSA import/export RSA keypair: trailing garbage rejected depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT @@ -156,7 +156,7 @@ PSA import/export RSA keypair: export buffer too small, opaque depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:-1:PSA_ERROR_BUFFER_TOO_SMALL:1 -PSA import/export RSA keypair: trailing garbage ignored, opaque +PSA import/export RSA keypair: trailing garbage rejected, opaque depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT -- cgit v1.1 From d8840ec6e589b24b6c9b927a095ef11be460f843 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 12 Feb 2024 11:28:06 +0100 Subject: add changelog Signed-off-by: Valerio Setti --- ChangeLog.d/8799.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/8799.txt diff --git a/ChangeLog.d/8799.txt b/ChangeLog.d/8799.txt new file mode 100644 index 0000000..b44bb99 --- /dev/null +++ b/ChangeLog.d/8799.txt @@ -0,0 +1,4 @@ +Bugfix + * mbedtls_pem_read_buffer() now performs a check on the padding data of + decrypted keys and it rejects invalid ones. It also parses and validates + the main ASN.1 SEQUENCE header. -- cgit v1.1 From e273f7203dfa7d6533ed868a02a4a8ae73138a66 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 13 Feb 2024 18:22:26 +0100 Subject: tls13: client: Improve CCS handling Call unconditionally the CCS writing function when sending a CCS may be necessary in the course of an handshake. Enforce in the writing function and only in the writing function that only one CCS is sent. Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 18 ++++++------------ library/ssl_tls13_generic.c | 6 ++++++ library/ssl_tls13_server.c | 9 +++------ 3 files changed, 15 insertions(+), 18 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5d7a495..cedebad 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -3063,23 +3063,17 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) */ #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: - ret = 0; - if (ssl->handshake->ccs_count == 0) { - ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); - if (ret != 0) { - break; - } + ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); + if (ret != 0) { + break; } mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); break; case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: - ret = 0; - if (ssl->handshake->ccs_count == 0) { - ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); - if (ret != 0) { - break; - } + ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); + if (ret != 0) { + break; } mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); break; diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 386a754..c6bb770 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1379,6 +1379,12 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec")); + /* Only one CCS to send. */ + if (ssl->handshake->ccs_count > 0) { + ret = 0; + goto cleanup; + } + /* Write CCS message */ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body( ssl, ssl->out_msg, diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 05693f3..f9f3cc5 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3482,12 +3482,9 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) break; case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: - ret = 0; - if (ssl->handshake->ccs_count == 0) { - ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); - if (ret != 0) { - break; - } + ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); + if (ret != 0) { + break; } mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); break; -- cgit v1.1 From a111c0c894238cc134451f267016cc821f903cfd Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 14 Feb 2024 09:31:41 +0000 Subject: Improve docs; pacify check-names Signed-off-by: Dave Rodgman --- library/sha3.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 99a8acb..64a87a8 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -10,9 +10,20 @@ * https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf */ -#undef MBEDTLS_SHA3_THETA_UNROLL -#define MBEDTLS_SHA3_RHO_UNROLL -#define MBEDTLS_SHA3_PI_UNROLL +/* + * These macros select manually unrolled implementations of parts of the main permutation function. + * + * Unrolling has a major impact on both performance and code size. gcc performance benefits a lot + * from manually unrolling at higher optimisation levels. + * + * Rolling up the theta loop saves a lot of code-size at small performance cost. The code-size + * saving then enables us to unroll the other loops for a net code-size saving with a net + * performance win. + */ +#undef MBEDTLS_SHA3_THETA_UNROLL //no-check-names +#define MBEDTLS_SHA3_RHO_UNROLL //no-check-names +#define MBEDTLS_SHA3_PI_UNROLL //no-check-names + #include "common.h" -- cgit v1.1 From aaba623fb4cf9dc4d3c1080255aaad90142965a9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 14 Feb 2024 10:52:54 +0000 Subject: pacify check-names Signed-off-by: Dave Rodgman --- library/sha3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/sha3.c b/library/sha3.c index 64a87a8..9585d01 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -75,7 +75,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) uint64_t t; /* Theta */ -#if !defined(MBEDTLS_SHA3_THETA_UNROLL) +#if !defined(MBEDTLS_SHA3_THETA_UNROLL) //no-check-names for (i = 0; i < 5; i++) { lane[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20]; } -- cgit v1.1 From 865480279c6799e3eeca0ef6d2fd1e6a8ada1b3f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 14 Feb 2024 10:02:58 +0000 Subject: roll-up chi loop on clang Signed-off-by: Dave Rodgman --- library/sha3.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/library/sha3.c b/library/sha3.c index 9585d01..97d45d3 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -23,7 +23,7 @@ #undef MBEDTLS_SHA3_THETA_UNROLL //no-check-names #define MBEDTLS_SHA3_RHO_UNROLL //no-check-names #define MBEDTLS_SHA3_PI_UNROLL //no-check-names - +#undef MBEDTLS_SHA3_CHI_UNROLL //no-check-names #include "common.h" @@ -156,6 +156,17 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) #endif /* Chi */ +#if !defined(MBEDTLS_SHA3_CHI_UNROLL) && !defined(MBEDTLS_COMPILER_IS_GCC) + /* GCC doesn't perform well with the rolled-up version, especially at -O2. */ + for (i = 0; i <= 20; i += 5) { + lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; lane[3] = s[i + 3]; lane[4] = s[i + 4]; + s[i + 0] ^= (~lane[1]) & lane[2]; + s[i + 1] ^= (~lane[2]) & lane[3]; + s[i + 2] ^= (~lane[3]) & lane[4]; + s[i + 3] ^= (~lane[4]) & lane[0]; + s[i + 4] ^= (~lane[0]) & lane[1]; + } +#else lane[0] = s[0]; lane[1] = s[1]; lane[2] = s[2]; lane[3] = s[3]; lane[4] = s[4]; s[0] ^= (~lane[1]) & lane[2]; s[1] ^= (~lane[2]) & lane[3]; @@ -190,6 +201,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) s[22] ^= (~lane[3]) & lane[4]; s[23] ^= (~lane[4]) & lane[0]; s[24] ^= (~lane[0]) & lane[1]; +#endif /* Iota */ s[0] ^= rc[round]; -- cgit v1.1 From 1cf3585ee4fe188664de6b75d62b280b3d720072 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 14 Feb 2024 12:11:47 +0000 Subject: pacify check-names Signed-off-by: Dave Rodgman --- library/sha3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/sha3.c b/library/sha3.c index 97d45d3..5a854e4 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -156,7 +156,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) #endif /* Chi */ -#if !defined(MBEDTLS_SHA3_CHI_UNROLL) && !defined(MBEDTLS_COMPILER_IS_GCC) +#if !defined(MBEDTLS_SHA3_CHI_UNROLL) && !defined(MBEDTLS_COMPILER_IS_GCC) //no-check-names /* GCC doesn't perform well with the rolled-up version, especially at -O2. */ for (i = 0; i <= 20; i += 5) { lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; lane[3] = s[i + 3]; lane[4] = s[i + 4]; -- cgit v1.1 From 693fb4f0b2ccdde00ffdd7c1b5d2531b10ed79b9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 14 Feb 2024 13:46:30 +0000 Subject: roll up chi loop for gcc -Os Signed-off-by: Dave Rodgman --- library/sha3.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 5a854e4..935a666 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -10,6 +10,8 @@ * https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf */ +#include "common.h" + /* * These macros select manually unrolled implementations of parts of the main permutation function. * @@ -23,9 +25,13 @@ #undef MBEDTLS_SHA3_THETA_UNROLL //no-check-names #define MBEDTLS_SHA3_RHO_UNROLL //no-check-names #define MBEDTLS_SHA3_PI_UNROLL //no-check-names -#undef MBEDTLS_SHA3_CHI_UNROLL //no-check-names - -#include "common.h" +#if !defined(MBEDTLS_COMPILER_IS_GCC) || defined(__OPTIMIZE_SIZE__) +/* GCC doesn't perform well with the rolled-up version, especially at -O2, so only enable on gcc + * if optimising for size. Always enable for other compilers. */ +#undef MBEDTLS_SHA3_CHI_UNROLL //no-check-names +#else +#define MBEDTLS_SHA3_CHI_UNROLL //no-check-names +#endif #if defined(MBEDTLS_SHA3_C) @@ -156,8 +162,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) #endif /* Chi */ -#if !defined(MBEDTLS_SHA3_CHI_UNROLL) && !defined(MBEDTLS_COMPILER_IS_GCC) //no-check-names - /* GCC doesn't perform well with the rolled-up version, especially at -O2. */ +#if !defined(MBEDTLS_SHA3_CHI_UNROLL) //no-check-names for (i = 0; i <= 20; i += 5) { lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; lane[3] = s[i + 3]; lane[4] = s[i + 4]; s[i + 0] ^= (~lane[1]) & lane[2]; -- cgit v1.1 From 427a5a1915fba74849b071e7f41b8e660a0066ad Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 14 Feb 2024 13:57:53 +0000 Subject: Docs; minor tidy-up Signed-off-by: Dave Rodgman --- library/sha3.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 935a666..5ebe9fc 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -12,6 +12,8 @@ #include "common.h" +#if defined(MBEDTLS_SHA3_C) + /* * These macros select manually unrolled implementations of parts of the main permutation function. * @@ -21,6 +23,9 @@ * Rolling up the theta loop saves a lot of code-size at small performance cost. The code-size * saving then enables us to unroll the other loops for a net code-size saving with a net * performance win. + * + * Depending on your compiler and target, it may be beneficial to adjust these; the defaults here + * should give sensible trade-offs for gcc and clang. */ #undef MBEDTLS_SHA3_THETA_UNROLL //no-check-names #define MBEDTLS_SHA3_RHO_UNROLL //no-check-names @@ -33,8 +38,6 @@ #define MBEDTLS_SHA3_CHI_UNROLL //no-check-names #endif -#if defined(MBEDTLS_SHA3_C) - #include "mbedtls/sha3.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" @@ -164,7 +167,8 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) /* Chi */ #if !defined(MBEDTLS_SHA3_CHI_UNROLL) //no-check-names for (i = 0; i <= 20; i += 5) { - lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; lane[3] = s[i + 3]; lane[4] = s[i + 4]; + lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; + lane[3] = s[i + 3]; lane[4] = s[i + 4]; s[i + 0] ^= (~lane[1]) & lane[2]; s[i + 1] ^= (~lane[2]) & lane[3]; s[i + 2] ^= (~lane[3]) & lane[4]; -- cgit v1.1 From 024b395f85162594cc683b1e0d65ae77dfaaafac Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 23 Jan 2024 19:56:32 +0000 Subject: Make psa_reserve_free_key_slot thread safe Everything needs to be done under the mutex here, we operate directly on FULL/EMPTY slots, and we can't let key_slots_initialized change before we operate on slots. Refactor to use an exit label. Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index dc38662..07d7f35 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -160,9 +160,13 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, size_t slot_idx; psa_key_slot_t *selected_slot, *unused_persistent_key_slot; +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif if (!global_data.key_slots_initialized) { status = PSA_ERROR_BAD_STATE; - goto error; + goto exit; } selected_slot = unused_persistent_key_slot = NULL; @@ -194,7 +198,7 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, psa_register_read(selected_slot); status = psa_wipe_key_slot(selected_slot); if (status != PSA_SUCCESS) { - goto error; + goto exit; } } @@ -202,21 +206,27 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, status = psa_key_slot_state_transition(selected_slot, PSA_SLOT_EMPTY, PSA_SLOT_FILLING); if (status != PSA_SUCCESS) { - goto error; + goto exit; } *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + ((psa_key_id_t) (selected_slot - global_data.key_slots)); *p_slot = selected_slot; - return PSA_SUCCESS; + goto exit; } status = PSA_ERROR_INSUFFICIENT_MEMORY; -error: - *p_slot = NULL; - *volatile_key_id = 0; +exit: + if (status != PSA_SUCCESS) { + *p_slot = NULL; + *volatile_key_id = 0; + } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif return status; } -- cgit v1.1 From 91ffe5b87187e45a0d58cf0510d773ebe804508d Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 23 Jan 2024 20:05:42 +0000 Subject: Make psa_finish_key_creation thread safe Hold mutex for the entirety of the call. We are writing to storage and writing to the slot state here. If we didn't keep the mutex for the whole duration then we may end up with another thread seeing that a persistent key is in storage before our slot is set to FULL; this would be unlinearizable behaviour. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4a0666b..d53a09d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1799,6 +1799,11 @@ static psa_status_t psa_finish_key_creation( (void) slot; (void) driver; +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif + #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -1838,6 +1843,11 @@ static psa_status_t psa_finish_key_creation( status = psa_save_se_persistent_data(driver); if (status != PSA_SUCCESS) { psa_destroy_persistent_key(slot->attr.id); + +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif return status; } status = psa_crypto_stop_transaction(); @@ -1853,6 +1863,10 @@ static psa_status_t psa_finish_key_creation( } } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif return status; } -- cgit v1.1 From b71014406c090349e414dec586845c415ed71dd9 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 23 Jan 2024 20:09:49 +0000 Subject: Make psa_fail_key_creation thread safe Hold the mutex for the entirety of the call. We need the mutex for the wipe, also hold it for aborting driver transactions as this may have side effects. We can't use the macros here as this function returns void. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d53a09d..a0e58a2 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1891,6 +1891,10 @@ static void psa_fail_key_creation(psa_key_slot_t *slot, return; } +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex); +#endif + #if defined(MBEDTLS_PSA_CRYPTO_SE_C) /* TODO: If the key has already been created in the secure * element, and the failure happened later (when saving metadata @@ -1909,6 +1913,10 @@ static void psa_fail_key_creation(psa_key_slot_t *slot, #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ psa_wipe_key_slot(slot); + +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex); +#endif } /** Validate optional attributes during key creation. -- cgit v1.1 From 3d8118d9dcae661fe2cc7d958d1a6ec8ee444c5c Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Jan 2024 16:58:47 +0000 Subject: Revert psa_reserve_free_key_slot changes, lock in start_key_creation instead This means we can hold the mutex around the call to reserve_free_key_slot in get_and_lock_key_slot, avoiding inefficient rework. (Changes to get_and_lock_key_slot are not in scope in this PR) Signed-off-by: Ryan Everett --- library/psa_crypto.c | 8 ++++++++ library/psa_crypto_slot_management.c | 24 +++++++----------------- library/psa_crypto_slot_management.h | 3 +++ 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a0e58a2..5300126 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1679,7 +1679,15 @@ static psa_status_t psa_start_key_creation( return status; } +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_lock( + &mbedtls_threading_key_slot_mutex)); +#endif status = psa_reserve_free_key_slot(&volatile_key_id, p_slot); +#if defined(MBEDTLS_THREADING_C) + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); +#endif if (status != PSA_SUCCESS) { return status; } diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 07d7f35..dc38662 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -160,13 +160,9 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, size_t slot_idx; psa_key_slot_t *selected_slot, *unused_persistent_key_slot; -#if defined(MBEDTLS_THREADING_C) - PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock( - &mbedtls_threading_key_slot_mutex)); -#endif if (!global_data.key_slots_initialized) { status = PSA_ERROR_BAD_STATE; - goto exit; + goto error; } selected_slot = unused_persistent_key_slot = NULL; @@ -198,7 +194,7 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, psa_register_read(selected_slot); status = psa_wipe_key_slot(selected_slot); if (status != PSA_SUCCESS) { - goto exit; + goto error; } } @@ -206,27 +202,21 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, status = psa_key_slot_state_transition(selected_slot, PSA_SLOT_EMPTY, PSA_SLOT_FILLING); if (status != PSA_SUCCESS) { - goto exit; + goto error; } *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + ((psa_key_id_t) (selected_slot - global_data.key_slots)); *p_slot = selected_slot; - goto exit; + return PSA_SUCCESS; } status = PSA_ERROR_INSUFFICIENT_MEMORY; -exit: - if (status != PSA_SUCCESS) { - *p_slot = NULL; - *volatile_key_id = 0; - } +error: + *p_slot = NULL; + *volatile_key_id = 0; -#if defined(MBEDTLS_THREADING_C) - PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( - &mbedtls_threading_key_slot_mutex)); -#endif return status; } diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h index 18a9144..585de13 100644 --- a/library/psa_crypto_slot_management.h +++ b/library/psa_crypto_slot_management.h @@ -107,6 +107,9 @@ void psa_wipe_all_key_slots(void); * It is the responsibility of the caller to change the slot's state to * PSA_SLOT_EMPTY/FULL once key creation has finished. * + * If multi-threading is enabled, the caller must hold the + * global key slot mutex. + * * \param[out] volatile_key_id On success, volatile key identifier * associated to the returned slot. * \param[out] p_slot On success, a pointer to the slot. -- cgit v1.1 From 73feaf2682b63b7c405c0360c26f3e066c2f465a Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 11:36:41 +0000 Subject: Comment on locking strategy in psa_fail_key_creation Signed-off-by: Ryan Everett --- library/psa_crypto.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5300126..67f6eac 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1900,6 +1900,9 @@ static void psa_fail_key_creation(psa_key_slot_t *slot, } #if defined(MBEDTLS_THREADING_C) + /* If the lock operation fails we still wipe the slot. + * Operations will no longer work after a failed lock, + * but we still need to wipe the slot of confidential data. */ mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex); #endif -- cgit v1.1 From e66c841c7362ea0a549d7df383dc1e990b03677d Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 13 Feb 2024 15:33:26 +0000 Subject: Make internal test info accessor functions static. Signed-off-by: Paul Elliott --- tests/src/helpers.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index b9233be..b810253 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -50,7 +50,7 @@ mbedtls_test_result_t mbedtls_test_get_result(void) return result; } -void mbedtls_test_set_result(mbedtls_test_result_t result, const char *test, +static void mbedtls_test_set_result(mbedtls_test_result_t result, const char *test, int line_no, const char *filename) { /* Internal function only - mbedtls_test_info_mutex should be held prior @@ -144,7 +144,7 @@ unsigned long mbedtls_test_get_step(void) return step; } -void mbedtls_test_reset_step(void) +static void mbedtls_test_reset_step(void) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -178,7 +178,7 @@ void mbedtls_test_get_line1(char *line) #endif /* MBEDTLS_THREADING_C */ } -void mbedtls_test_set_line1(const char *line) +static void mbedtls_test_set_line1(const char *line) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -203,7 +203,7 @@ void mbedtls_test_get_line2(char *line) #endif /* MBEDTLS_THREADING_C */ } -void mbedtls_test_set_line2(const char *line) +static void mbedtls_test_set_line2(const char *line) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -255,7 +255,7 @@ unsigned mbedtls_test_get_case_uses_negative_0(void) return test_case_uses_negative_0; } -void mbedtls_test_set_case_uses_negative_0(unsigned uses) +static void mbedtls_test_set_case_uses_negative_0(unsigned uses) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ -- cgit v1.1 From b807cc6ebaea1d353bd877a4f7e110619477eab7 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 30 Nov 2023 17:16:20 +0800 Subject: Add checks for PK_[PARSE/WRITE]_C when PK_HAVE_ECC_KEYS is set When PK_HAVE_ECC_KEYS is set with PK_[PARSE/WRITE]_C, it needs OID_C to be enabled. This commit adds proper checks in check_config.h Signed-off-by: Yanray Wang --- include/mbedtls/check_config.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index a7a346f..af78087 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -444,6 +444,16 @@ #error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) && \ + !defined(MBEDTLS_OID_C) +#error "MBEDTLS_PK_PARSE_C and MBEDTLS_PK_HAVE_ECC_KEYS require MBEDTLS_OID_C" +#endif + +#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) && \ + !defined(MBEDTLS_OID_C) +#error "MBEDTLS_PK_WRITE_C and MBEDTLS_PK_HAVE_ECC_KEYS require MBEDTLS_OID_C" +#endif + #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C) #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites" #endif -- cgit v1.1 From e9954bb9d532acf18796f4babab391a1eb7a790e Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 30 Nov 2023 17:16:33 +0800 Subject: test_suite_pk.function: add correct dependency In valid_parameters_pkwrite, we first parse a public key then test with mbedtls_pk_write_xxx functions. So valid_parameters_pkwrite should depend on both MBEDTLS_PK_WRITE_C and MBEDTLS_PK_PARSE_C. Signed-off-by: Yanray Wang --- tests/suites/test_suite_pk.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 681de0f..ff843cb 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -681,7 +681,7 @@ void valid_parameters() } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C:MBEDTLS_PK_PARSE_C */ void valid_parameters_pkwrite(data_t *key_data) { mbedtls_pk_context pk; -- cgit v1.1 From 687bfcb54ca7cf59cc59dd2ad6b46e705e7b8826 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 1 Dec 2023 12:15:17 +0800 Subject: pk: remove duplicate define of MBEDTLS_PK_HAVE_ECC_KEYS In pk.h, MBEDTLS_PK_HAVE_ECC_KEYS is enabled if ECP_C is defined or USE_PSA_CRYPTO && PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY are defined. But this logic is duplicate with its definition in config_adjust_legacy_crypto.h. Signed-off-by: Yanray Wang --- include/mbedtls/pk.h | 7 ------- 1 file changed, 7 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 66f3901..919543c 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -181,13 +181,6 @@ typedef struct mbedtls_pk_rsassa_pss_options { #define MBEDTLS_PK_USE_PSA_EC_DATA #endif -/* Helper symbol to state that the PK module has support for EC keys. This - * can either be provided through the legacy ECP solution or through the - * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA. */ -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) || defined(MBEDTLS_ECP_C) -#define MBEDTLS_PK_HAVE_ECC_KEYS -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */ - /** * \brief Types for interfacing with the debug module */ -- cgit v1.1 From 5b118d4aed8b3e211c00d55c48298aea5f14c03f Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 5 Dec 2023 10:31:54 +0800 Subject: Check MBEDTLS_PK_{PARSE,WRITE}_C requires MBEDTLS_OID_C - check_config.h: add this dependency check - mbedtls_config.h: update corresponding requirement documentation Signed-off-by: Yanray Wang --- include/mbedtls/check_config.h | 16 ++++------------ include/mbedtls/mbedtls_config.h | 4 ++-- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index af78087..6aa87b8 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -436,24 +436,16 @@ #error "MBEDTLS_PK_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_PK_C) +#if defined(MBEDTLS_PK_PARSE_C) && \ + (!defined(MBEDTLS_PK_C) || !defined(MBEDTLS_OID_C)) #error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PK_WRITE_C) && !defined(MBEDTLS_PK_C) +#if defined(MBEDTLS_PK_WRITE_C) && \ + (!defined(MBEDTLS_PK_C) || !defined(MBEDTLS_OID_C)) #error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) && \ - !defined(MBEDTLS_OID_C) -#error "MBEDTLS_PK_PARSE_C and MBEDTLS_PK_HAVE_ECC_KEYS require MBEDTLS_OID_C" -#endif - -#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) && \ - !defined(MBEDTLS_OID_C) -#error "MBEDTLS_PK_WRITE_C and MBEDTLS_PK_HAVE_ECC_KEYS require MBEDTLS_OID_C" -#endif - #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C) #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 6a5828c..edf4a0b 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3059,7 +3059,7 @@ * Caller: library/x509_crt.c * library/x509_csr.c * - * Requires: MBEDTLS_PK_C + * Requires: MBEDTLS_PK_C, MBEDTLS_OID_C * * Uncomment to enable generic public key parse functions. */ @@ -3073,7 +3073,7 @@ * Module: library/pkwrite.c * Caller: library/x509write.c * - * Requires: MBEDTLS_PK_C + * Requires: MBEDTLS_PK_C, MBEDTLS_OID_C * * Uncomment to enable generic public key write functions. */ -- cgit v1.1 From 072a068f9f184a9b2ede7f4e940ca35e3b49ea3e Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 5 Dec 2023 10:53:04 +0800 Subject: check_config: combine check for MBEDTLS_PK_PARSE_C - check_config.h: combine separate check for MBEDTLS_PK_PARSE_C - mbedtls_config.h: update documentation for `Requires` Signed-off-by: Yanray Wang --- include/mbedtls/check_config.h | 8 +++----- include/mbedtls/mbedtls_config.h | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 6aa87b8..1ccd24e 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -207,10 +207,6 @@ #error "MBEDTLS_ECP_C defined (or a subset enabled), but not all prerequisites" #endif -#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C) -#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_ENTROPY_C) && \ !(defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA256)) #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites" @@ -437,7 +433,9 @@ #endif #if defined(MBEDTLS_PK_PARSE_C) && \ - (!defined(MBEDTLS_PK_C) || !defined(MBEDTLS_OID_C)) + (!defined(MBEDTLS_ASN1_PARSE_C) || \ + !defined(MBEDTLS_OID_C) || \ + !defined(MBEDTLS_PK_C)) #error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index edf4a0b..2cfb4fc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3059,7 +3059,7 @@ * Caller: library/x509_crt.c * library/x509_csr.c * - * Requires: MBEDTLS_PK_C, MBEDTLS_OID_C + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_C * * Uncomment to enable generic public key parse functions. */ -- cgit v1.1 From a8f8eb1e356564bd5aeb3b0c34795188105798f1 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 5 Dec 2023 11:00:33 +0800 Subject: check_config: add missing dependency check for MBEDTLS_PK_WRITE_C MBEDTLS_PK_WRITE_C requires MBEDTLS_ASN1_WRITE_C, but there is no corresponding check in check_config.h. In addition, corresponding documentation for `Requires` is updated in mbedtls_config.h. Signed-off-by: Yanray Wang --- include/mbedtls/check_config.h | 4 +++- include/mbedtls/mbedtls_config.h | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1ccd24e..576efea 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -440,7 +440,9 @@ #endif #if defined(MBEDTLS_PK_WRITE_C) && \ - (!defined(MBEDTLS_PK_C) || !defined(MBEDTLS_OID_C)) + (!defined(MBEDTLS_ASN1_WRITE_C) || \ + !defined(MBEDTLS_OID_C) || \ + !defined(MBEDTLS_PK_C)) #error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 2cfb4fc..254e75a 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3073,7 +3073,7 @@ * Module: library/pkwrite.c * Caller: library/x509write.c * - * Requires: MBEDTLS_PK_C, MBEDTLS_OID_C + * Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_OID_C, MBEDTLS_PK_C * * Uncomment to enable generic public key write functions. */ -- cgit v1.1 From 6d81cbc81f1c0d045c3c84e1a59b9be37d1273bc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 16:25:19 +0100 Subject: Document new functions psa_generate_key_ext, psa_key_derivation_output_key_ext Document proposed additions to the PSA API: psa_generate_key_ext(), psa_key_derivation_output_key_ext(). For psa_generate_key_ext(), document the one use case we intend to implement immediately, which is generating an RSA key with a custom public exponent. Subsequent commits will implement the documented functionality. Signed-off-by: Gilles Peskine --- include/psa/crypto.h | 164 ++++++++++++++++++++++++++++++++++++++++++-- include/psa/crypto_struct.h | 23 +++++++ include/psa/crypto_types.h | 24 +++++++ 3 files changed, 204 insertions(+), 7 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index fe10ee0..d6ad969 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -119,8 +119,9 @@ static psa_key_attributes_t psa_key_attributes_init(void); * value in the structure. * The persistent key will be written to storage when the attribute * structure is passed to a key creation function such as - * psa_import_key(), psa_generate_key(), - * psa_key_derivation_output_key() or psa_copy_key(). + * psa_import_key(), psa_generate_key(), psa_generate_key_ext(), + * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext() + * or psa_copy_key(). * * This function may be declared as `static` (i.e. without external * linkage). This function may be provided as a function-like macro, @@ -163,8 +164,9 @@ static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes, * value in the structure. * The persistent key will be written to storage when the attribute * structure is passed to a key creation function such as - * psa_import_key(), psa_generate_key(), - * psa_key_derivation_output_key() or psa_copy_key(). + * psa_import_key(), psa_generate_key(), psa_generate_key_ext(), + * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext() + * or psa_copy_key(). * * This function may be declared as `static` (i.e. without external * linkage). This function may be provided as a function-like macro, @@ -3226,7 +3228,8 @@ static psa_key_derivation_operation_t psa_key_derivation_operation_init(void); * psa_key_derivation_set_capacity(). You may do this before, in the middle * of or after providing inputs. For some algorithms, this step is mandatory * because the output depends on the maximum capacity. - * -# To derive a key, call psa_key_derivation_output_key(). + * -# To derive a key, call psa_key_derivation_output_key() or + * psa_key_derivation_output_key_ext(). * To derive a byte string for a different purpose, call * psa_key_derivation_output_bytes(). * Successive calls to these functions use successive output bytes @@ -3449,7 +3452,8 @@ psa_status_t psa_key_derivation_input_integer( * \note Once all inputs steps are completed, the operations will allow: * - psa_key_derivation_output_bytes() if each input was either a direct input * or a key with #PSA_KEY_USAGE_DERIVE set; - * - psa_key_derivation_output_key() if the input for step + * - psa_key_derivation_output_key() or psa_key_derivation_output_key_ext() + * if the input for step * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was * either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; @@ -3697,6 +3701,12 @@ psa_status_t psa_key_derivation_output_bytes( * Future versions of this specification may include additional restrictions * on the derived key based on the attributes and strength of the secret key. * + * \note This function is equivalent to calling + * psa_key_derivation_output_key_ext() + * with the method #PSA_KEY_GENERATION_METHOD_INIT and + * `method_length == sizeof(psa_key_generation_method_t)` + * (i.e. `method->flags == 0` and `method->data` is empty). + * * \param[in] attributes The attributes for the new key. * If the key type to be created is * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in @@ -3750,6 +3760,83 @@ psa_status_t psa_key_derivation_output_key( psa_key_derivation_operation_t *operation, mbedtls_svc_key_id_t *key); +/** Derive a key from an ongoing key derivation operation with a custom method. + * + * See the description of psa_key_derivation_out_key() for the operation of + * this function with the default method. + * Mbed TLS currently does not currently support any non-default methods. + * + * \note This function is experimental and may change in future minor + * versions of Mbed TLS. + * + * \param[in] attributes The attributes for the new key. + * If the key type to be created is + * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + * the policy must be the same as in the current + * operation. + * \param[in,out] operation The key derivation operation object to read from. + * \param[in] method Customization parameters for the key generation. + * When this is #PSA_KEY_GENERATION_METHOD_INIT + * with \p method_length = + * `sizeof(psa_key_generation_method_t)`, + * this function is equivalent to + * psa_key_derivation_output_key(). + * Mbed TLS currently only supports the default + * method, i.e. #PSA_KEY_GENERATION_METHOD_INIT, + * for all key types. + * \param method_length Length of \p method in bytes. + * This must be + * `sizeof(psa_key_generation_method_t) + n` + * where `n` is the size of `method->data` in bytes. + * \param[out] key On success, an identifier for the newly created + * key. For persistent keys, this is the key + * identifier defined in \p attributes. + * \c 0 on failure. + * + * \retval #PSA_SUCCESS + * Success. + * If the key is persistent, the key material and the key's metadata + * have been saved to persistent storage. + * \retval #PSA_ERROR_ALREADY_EXISTS + * This is an attempt to create a persistent key, and there is + * already a persistent key with the given identifier. + * \retval #PSA_ERROR_INSUFFICIENT_DATA + * There was not enough data to create the desired key. + * Note that in this case, no output is written to the output buffer. + * The operation's capacity is set to 0, thus subsequent calls to + * this function will not succeed, even with a smaller output buffer. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The key type or key size is not supported, either by the + * implementation in general or in this particular location. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The provided key attributes are not valid for the operation. + * \retval #PSA_ERROR_NOT_PERMITTED + * The #PSA_KEY_DERIVATION_INPUT_SECRET or + * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + * key; or one of the inputs was a key whose policy didn't allow + * #PSA_KEY_USAGE_DERIVE. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active and completed + * all required input steps), or the library has not been previously + * initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_key_derivation_output_key_ext( + const psa_key_attributes_t *attributes, + psa_key_derivation_operation_t *operation, + const psa_key_generation_method_t *method, + size_t method_length, + mbedtls_svc_key_id_t *key); + /** Compare output data from a key derivation operation to an expected value. * * This function calculates output bytes from a key derivation algorithm and @@ -3835,7 +3922,8 @@ psa_status_t psa_key_derivation_verify_bytes( * and the permitted algorithm must match the * operation. The value of this key was likely * computed by a previous call to - * psa_key_derivation_output_key(). + * psa_key_derivation_output_key() or + * psa_key_derivation_output_key_ext(). * * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE @@ -4003,6 +4091,11 @@ psa_status_t psa_generate_random(uint8_t *output, * between 2^{n-1} and 2^n where n is the bit size specified in the * attributes. * + * \note This function is equivalent to calling psa_generate_key_ext() + * with the method #PSA_KEY_GENERATION_METHOD_INIT and + * `method_length == sizeof(psa_key_generation_method_t)` + * (i.e. `method->flags == 0` and `method->data` is empty). + * * \param[in] attributes The attributes for the new key. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key @@ -4035,6 +4128,63 @@ psa_status_t psa_generate_random(uint8_t *output, psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key); +/** + * \brief Generate a key or key pair using a custom method. + * + * See the description of psa_generate_key() for the operation of this + * function with the default method. In addition, this function supports + * the following non-default methods, described in more detail in the + * documentation of ::psa_key_generation_method_t: + * + * - RSA keys: generation with a custom public exponent. + * + * \note This function is experimental and may change in future minor + * versions of Mbed TLS. + * + * \param[in] attributes The attributes for the new key. + * \param[in] method Customization parameters for the key generation. + * When this is #PSA_KEY_GENERATION_METHOD_INIT + * with \p method_length = + * `sizeof(psa_key_generation_method_t)`, + * this function is equivalent to + * psa_key_derivation_output_key(). + * \param method_length Length of \p method in bytes. + * This must be + * `sizeof(psa_key_generation_method_t) + n` + * where `n` is the size of `method->data` in bytes. + * \param[out] key On success, an identifier for the newly created + * key. For persistent keys, this is the key + * identifier defined in \p attributes. + * \c 0 on failure. + * + * \retval #PSA_SUCCESS + * Success. + * If the key is persistent, the key material and the key's metadata + * have been saved to persistent storage. + * \retval #PSA_ERROR_ALREADY_EXISTS + * This is an attempt to create a persistent key, and there is + * already a persistent key with the given identifier. + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, + const psa_key_generation_method_t *method, + size_t method_length, + mbedtls_svc_key_id_t *key); + /**@}*/ /** \defgroup interruptible_hash Interruptible sign/verify hash diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 34d072b..b5e942e 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -223,6 +223,29 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init( return v; } +struct psa_key_generation_method_s { + /* Future versions may add other fields in this structure. */ + uint32_t flags; + uint8_t data[]; +}; + +/** The default method for key generation or key derivation. + * + * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext() + * with `method=PSA_KEY_GENERATION_METHOD_INIT` and + * `method_length=sizeof(psa_key_generation_method_t)` is equivalent to + * calling psa_generate_key() or psa_key_derivation_output_key() + * respectively. + */ +#define PSA_KEY_GENERATION_METHOD_INIT { 0 } + +static inline struct psa_key_generation_method_s psa_key_generation_method_init( + void) +{ + const struct psa_key_generation_method_s v = PSA_KEY_GENERATION_METHOD_INIT; + return v; +} + struct psa_key_policy_s { psa_key_usage_t MBEDTLS_PRIVATE(usage); psa_algorithm_t MBEDTLS_PRIVATE(alg); diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index e2ebd8a..35a3bdb 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -455,6 +455,30 @@ typedef uint64_t psa_key_slot_number_t; */ typedef uint16_t psa_key_derivation_step_t; +/** \brief Custom method for key generation or key derivation. + * + * This is a structure type with at least the following fields: + * + * - \c flags: an unsigned integer type. 0 for the default method. + * - \c data: a flexible array of bytes. + * + * The interpretation of this structure depend on the type of the + * created key. + * + * - #PSA_KEY_TYPE_RSA_KEY_PAIR: + * - \c flags: must be 0. + * - \c data: the public exponent, in little-endian order. + * This must be an odd integer and must not be 1. + * Implementations must support 65535, should support 3 and may + * support other values. + * When not using a driver, Mbed TLS supports values up to \c INT_MAX. + * If this is empty or if the custom method is omitted altogether, + * the default value 65537 is used. + * - Other key types: reserved for future use. \c flags must be 0. + * + */ +typedef struct psa_key_generation_method_s psa_key_generation_method_t; + /**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ -- cgit v1.1 From 1d25a0a810313b1002e80cc27e1a5834664fbdd1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 16:40:04 +0100 Subject: Refactoring: extract rsa_test_e Signed-off-by: Gilles Peskine --- tests/suites/test_suite_psa_crypto.function | 86 ++++++++++++++++------------- 1 file changed, 49 insertions(+), 37 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 95e7a2d..f88121f 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1255,6 +1255,54 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, } #endif /* MBEDTLS_ECP_RESTARTABLE */ +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) +static int rsa_test_e(mbedtls_svc_key_id_t key, + size_t bits, + const data_t *e_arg) +{ + uint8_t *exported = NULL; + size_t exported_size = + PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits); + size_t exported_length = SIZE_MAX; + int ok = 0; + + TEST_CALLOC(exported, exported_size); + PSA_ASSERT(psa_export_public_key(key, + exported, exported_size, + &exported_length)); + uint8_t *p = exported; + uint8_t *end = exported + exported_length; + size_t len; + /* RSAPublicKey ::= SEQUENCE { + * modulus INTEGER, -- n + * publicExponent INTEGER } -- e + */ + TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_SEQUENCE | + MBEDTLS_ASN1_CONSTRUCTED)); + TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1)); + TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_INTEGER)); + if (len >= 1 && p[0] == 0) { + ++p; + --len; + } + if (e_arg->len == 0) { + TEST_EQUAL(len, 3); + TEST_EQUAL(p[0], 1); + TEST_EQUAL(p[1], 0); + TEST_EQUAL(p[2], 1); + } else { + TEST_MEMORY_COMPARE(p, len, e_arg->x, e_arg->len); + } + ok = 1; + +exit: + mbedtls_free(exported); + return ok; +} +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -9699,10 +9747,6 @@ void generate_key_rsa(int bits_arg, psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_SIGN_RAW; psa_status_t expected_status = expected_status_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - uint8_t *exported = NULL; - size_t exported_size = - PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits); - size_t exported_length = SIZE_MAX; uint8_t *e_read_buffer = NULL; int is_default_public_exponent = 0; size_t e_read_size = PSA_KEY_DOMAIN_PARAMETERS_SIZE(type, bits); @@ -9715,7 +9759,6 @@ void generate_key_rsa(int bits_arg, e_read_size = 0; } TEST_CALLOC(e_read_buffer, e_read_size); - TEST_CALLOC(exported, exported_size); PSA_ASSERT(psa_crypto_init()); @@ -9759,37 +9802,7 @@ void generate_key_rsa(int bits_arg, goto exit; } - /* Export the key and check the public exponent. */ - PSA_ASSERT(psa_export_public_key(key, - exported, exported_size, - &exported_length)); - { - uint8_t *p = exported; - uint8_t *end = exported + exported_length; - size_t len; - /* RSAPublicKey ::= SEQUENCE { - * modulus INTEGER, -- n - * publicExponent INTEGER } -- e - */ - TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_SEQUENCE | - MBEDTLS_ASN1_CONSTRUCTED)); - TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1)); - TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_INTEGER)); - if (len >= 1 && p[0] == 0) { - ++p; - --len; - } - if (e_arg->len == 0) { - TEST_EQUAL(len, 3); - TEST_EQUAL(p[0], 1); - TEST_EQUAL(p[1], 0); - TEST_EQUAL(p[2], 1); - } else { - TEST_MEMORY_COMPARE(p, len, e_arg->x, e_arg->len); - } - } + TEST_ASSERT(rsa_test_e(key, bits, e_arg)); exit: /* @@ -9801,7 +9814,6 @@ exit: psa_destroy_key(key); PSA_DONE(); mbedtls_free(e_read_buffer); - mbedtls_free(exported); } /* END_CASE */ -- cgit v1.1 From f0765fa06a093df0a931974faccbff3582941541 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 16:46:16 +0100 Subject: Implement psa_generate_key_ext, psa_key_derivation_output_key_ext Implement and unit-test the new functions psa_generate_key_ext() and psa_key_derivation_output_key_ext(), only for the default method. Signed-off-by: Gilles Peskine --- library/psa_crypto.c | 62 +++++++++- tests/suites/test_suite_psa_crypto.data | 48 ++++++++ tests/suites/test_suite_psa_crypto.function | 179 ++++++++++++++++++++++++++++ 3 files changed, 284 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4a0666b..6263be9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6023,9 +6023,27 @@ exit: return status; } -psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t *attributes, - psa_key_derivation_operation_t *operation, - mbedtls_svc_key_id_t *key) +static const psa_key_generation_method_t default_method = PSA_KEY_GENERATION_METHOD_INIT; + +static int psa_key_generation_method_is_default( + const psa_key_generation_method_t *method, + size_t method_length) +{ + if (method_length != sizeof(*method)) { + return 0; + } + if (method->flags != 0) { + return 0; + } + return 1; +} + +psa_status_t psa_key_derivation_output_key_ext( + const psa_key_attributes_t *attributes, + psa_key_derivation_operation_t *operation, + const psa_key_generation_method_t *method, + size_t method_length, + mbedtls_svc_key_id_t *key) { psa_status_t status; psa_key_slot_t *slot = NULL; @@ -6039,6 +6057,13 @@ psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t *attribute return PSA_ERROR_INVALID_ARGUMENT; } + if (method_length < sizeof(*method)) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (!psa_key_generation_method_is_default(method, method_length)) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -6070,6 +6095,16 @@ psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t *attribute return status; } +psa_status_t psa_key_derivation_output_key( + const psa_key_attributes_t *attributes, + psa_key_derivation_operation_t *operation, + mbedtls_svc_key_id_t *key) +{ + return psa_key_derivation_output_key_ext( + attributes, operation, + &default_method, sizeof(default_method), + key); +} /****************************************************************/ @@ -7523,8 +7558,10 @@ psa_status_t psa_generate_key_internal( return PSA_SUCCESS; } -psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, - mbedtls_svc_key_id_t *key) +psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, + const psa_key_generation_method_t *method, + size_t method_length, + mbedtls_svc_key_id_t *key) { psa_status_t status; psa_key_slot_t *slot = NULL; @@ -7544,6 +7581,13 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, return PSA_ERROR_INVALID_ARGUMENT; } + if (method_length < sizeof(*method)) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (!psa_key_generation_method_is_default(method, method_length)) { + return PSA_ERROR_INVALID_ARGUMENT; + } + status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes, &slot, &driver); if (status != PSA_SUCCESS) { @@ -7598,6 +7642,14 @@ exit: return status; } +psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t *key) +{ + return psa_generate_key_ext(attributes, + &default_method, sizeof(default_method), + key); +} + /****************************************************************/ /* Module setup */ /****************************************************************/ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 34af94a..bc6ca1b 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6870,6 +6870,26 @@ PSA key derivation: PBKDF2-AES-CMAC-PRF-128-> AES-256 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH derive_key_type:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"706173737764":"01":"73616c74":PSA_KEY_TYPE_AES:256:"28e288c6345bb5ecf7ca70274208a3ba0f1148b5868537d5e09d3ee6813b1f52" +PSA key derivation: default method -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" + +PSA key derivation: null method -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT:"" + +PSA key derivation: method too short by 1 -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:-1:"":PSA_ERROR_INVALID_ARGUMENT:"" + +PSA key derivation: method.flags=1 -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:"" + +PSA key derivation: method.data non-empty -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:"" + PSA key derivation: invalid type (0) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_NOT_SUPPORTED:0 @@ -7461,6 +7481,34 @@ PSA generate key: FFDH, 1024 bits, invalid bits depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0 +PSA generate key ext: RSA, null method +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: RSA, method too short by 1 +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:-1:"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: RSA, method.flags=1 +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:1:"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: ECC, null method +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH +generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: ECC, flags=0 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH +generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS + +PSA generate key ext: ECC, flags=1 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH +generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: ECC, method.data non-empty +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH +generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT + +Key generation method initializers +key_generation_method_init: + PSA import persistent key: raw data, 8 bits depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C persistent_key_load_key_from_storage:"2a":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:IMPORT_KEY diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index f88121f..05b49bd 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1303,6 +1303,27 @@ exit: } #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ +static int setup_key_generation_method(psa_key_generation_method_t **method, + size_t *method_length, + int64_t flags_arg, + const data_t *method_data) +{ + if (flags_arg >= 0) { + *method_length = sizeof(**method) + method_data->len; + *method = mbedtls_calloc(1, *method_length); + TEST_ASSERT(*method != NULL); + (*method)->flags = (uint32_t) flags_arg; + memcpy((*method)->data, method_data->x, method_data->len); + } else if (sizeof(**method) + flags_arg > 0) { + *method_length = sizeof(**method) + flags_arg; + *method = mbedtls_calloc(1, *method_length); + TEST_ASSERT(*method != NULL); + } + return 1; +exit: + return 0; +} + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -9303,6 +9324,81 @@ exit: /* END_CASE */ /* BEGIN_CASE */ +void derive_key_ext(int alg_arg, + data_t *key_data, + data_t *input1, + data_t *input2, + int key_type_arg, int bits_arg, + int64_t flags_arg, /*negative for truncated method*/ + data_t *method_data, + psa_status_t expected_status, + data_t *expected_export) +{ + mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; + mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; + const psa_algorithm_t alg = alg_arg; + const psa_key_type_t key_type = key_type_arg; + const size_t bits = bits_arg; + psa_key_generation_method_t *method = NULL; + size_t method_length = 0; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; + const size_t export_buffer_size = + PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); + uint8_t *export_buffer = NULL; + psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; + size_t export_length; + + TEST_CALLOC(export_buffer, export_buffer_size); + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&base_attributes, alg); + psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); + PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, + &base_key)); + + if (mbedtls_test_psa_setup_key_derivation_wrap( + &operation, base_key, alg, + input1->x, input1->len, + input2->x, input2->len, + PSA_KEY_DERIVATION_UNLIMITED_CAPACITY) == 0) { + goto exit; + } + + psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); + psa_set_key_algorithm(&derived_attributes, 0); + psa_set_key_type(&derived_attributes, key_type); + psa_set_key_bits(&derived_attributes, bits); + if (!setup_key_generation_method(&method, &method_length, + flags_arg, method_data)) { + goto exit; + } + + TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation, + method, method_length, + &derived_key), + expected_status); + + if (expected_status == PSA_SUCCESS) { + PSA_ASSERT(psa_export_key(derived_key, + export_buffer, export_buffer_size, + &export_length)); + TEST_MEMORY_COMPARE(export_buffer, export_length, + expected_export->x, expected_export->len); + } + +exit: + mbedtls_free(export_buffer); + mbedtls_free(method); + psa_key_derivation_abort(&operation); + psa_destroy_key(base_key); + psa_destroy_key(derived_key); + PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE */ void derive_key(int alg_arg, data_t *key_data, data_t *input1, data_t *input2, int type_arg, int bits_arg, @@ -9817,6 +9913,89 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void generate_key_ext(int type_arg, + int bits_arg, + int usage_arg, + int alg_arg, + int64_t flags_arg, /*negative for truncated method*/ + data_t *method_data, + int expected_status_arg) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t type = type_arg; + psa_key_usage_t usage = usage_arg; + size_t bits = bits_arg; + psa_algorithm_t alg = alg_arg; + psa_status_t expected_status = expected_status_arg; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_generation_method_t *method = NULL; + size_t method_length = 0; + psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, usage); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, type); + psa_set_key_bits(&attributes, bits); + + if (!setup_key_generation_method(&method, &method_length, + flags_arg, method_data)) { + goto exit; + } + + /* Generate a key */ + psa_status_t status = psa_generate_key_ext(&attributes, + method, method_length, + &key); + + TEST_EQUAL(status, expected_status); + if (expected_status != PSA_SUCCESS) { + goto exit; + } + + /* Test the key information */ + PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); + TEST_EQUAL(psa_get_key_type(&got_attributes), type); + TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); + + /* Do something with the key according to its type and permitted usage. */ + if (!mbedtls_test_psa_exercise_key(key, usage, alg)) { + goto exit; + } + +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&got_attributes); + mbedtls_free(method); + psa_destroy_key(key); + PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void key_generation_method_init() +{ + psa_key_generation_method_t func = psa_key_generation_method_init(); + psa_key_generation_method_t init = PSA_KEY_GENERATION_METHOD_INIT; + psa_key_generation_method_t zero; + memset(&zero, 0, sizeof(zero)); + + /* In order for sizeof(psa_key_generation_method_t) to mean + * empty data, there must not be any padding in the structure: + * the size of the structure must be the offset of the data field. */ + TEST_EQUAL(sizeof(zero), offsetof(psa_key_generation_method_t, data)); + + TEST_EQUAL(func.flags, 0); + TEST_EQUAL(init.flags, 0); + TEST_EQUAL(zero.flags, 0); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ void persistent_key_load_key_from_storage(data_t *data, int type_arg, int bits_arg, -- cgit v1.1 From 1ba40585f9446372f69f19693c20f593283930af Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 13 Feb 2024 12:36:13 +0000 Subject: Use mpi_core_exp_mod in bignum. The two algorithms are not equivalent. The original bignum exponentiation was a sliding window algorithm. The one in mpi_core_exp_mod uses a fixed window approach. This change is intentional. We don't want to maintain two algorithms and decided to keep the fixed window algorithm. Signed-off-by: Janos Follath --- library/bignum.c | 267 +++++++++---------------------------------------------- 1 file changed, 40 insertions(+), 227 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index d3d72ab..3926da4 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1683,13 +1683,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi *prec_RR) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t window_bitsize; - size_t i, j, nblimbs; - size_t bufsize, nbits; - size_t exponent_bits_in_window = 0; - mbedtls_mpi_uint ei, mm, state; - mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos; - int neg; + mbedtls_mpi RR, T, E_core; if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -1704,89 +1698,15 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } - /* - * Init temps and window size - */ - mpi_montg_init(&mm, N); - mbedtls_mpi_init(&RR); mbedtls_mpi_init(&T); - mbedtls_mpi_init(&Apos); - mbedtls_mpi_init(&WW); - memset(W, 0, sizeof(W)); - - i = mbedtls_mpi_bitlen(E); - - window_bitsize = (i > 671) ? 6 : (i > 239) ? 5 : - (i > 79) ? 4 : (i > 23) ? 3 : 1; - -#if (MBEDTLS_MPI_WINDOW_SIZE < 6) - if (window_bitsize > MBEDTLS_MPI_WINDOW_SIZE) { - window_bitsize = MBEDTLS_MPI_WINDOW_SIZE; - } -#endif - - const size_t w_table_used_size = (size_t) 1 << window_bitsize; - - /* - * This function is not constant-trace: its memory accesses depend on the - * exponent value. To defend against timing attacks, callers (such as RSA - * and DHM) should use exponent blinding. However this is not enough if the - * adversary can find the exponent in a single trace, so this function - * takes extra precautions against adversaries who can observe memory - * access patterns. - * - * This function performs a series of multiplications by table elements and - * squarings, and we want the prevent the adversary from finding out which - * table element was used, and from distinguishing between multiplications - * and squarings. Firstly, when multiplying by an element of the window - * W[i], we do a constant-trace table lookup to obfuscate i. This leaves - * squarings as having a different memory access patterns from other - * multiplications. So secondly, we put the accumulator in the table as - * well, and also do a constant-trace table lookup to multiply by the - * accumulator which is W[x_index]. - * - * This way, all multiplications take the form of a lookup-and-multiply. - * The number of lookup-and-multiply operations inside each iteration of - * the main loop still depends on the bits of the exponent, but since the - * other operations in the loop don't have an easily recognizable memory - * trace, an adversary is unlikely to be able to observe the exact - * patterns. - * - * An adversary may still be able to recover the exponent if they can - * observe both memory accesses and branches. However, branch prediction - * exploitation typically requires many traces of execution over the same - * data, which is defeated by randomized blinding. - */ - const size_t x_index = 0; - mbedtls_mpi_init(&W[x_index]); - - j = N->n + 1; - /* All W[i] including the accumulator must have at least N->n limbs for - * the mpi_montmul() and mpi_montred() calls later. Here we ensure that - * W[1] and the accumulator W[x_index] are large enough. later we'll grow - * other W[i] to the same length. They must not be shrunk midway through - * this function! - */ - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j)); - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j)); - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, j * 2)); - - /* - * Compensate for negative A (and correct at the end) - */ - neg = (A->s == -1); - if (neg) { - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Apos, A)); - Apos.s = 1; - A = &Apos; - } + mbedtls_mpi_init(&RR); + mbedtls_mpi_init(&T); + mbedtls_mpi_init(&E_core); /* * If 1st call, pre-compute R^2 mod N */ if (prec_RR == NULL || prec_RR->p == NULL) { - MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&RR, 1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&RR, N->n * 2 * biL)); - MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&RR, &RR, N)); + MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N)); if (prec_RR != NULL) { memcpy(prec_RR, &RR, sizeof(mbedtls_mpi)); @@ -1796,175 +1716,68 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, } /* - * W[1] = A * R^2 * R^-1 mod N = A * R mod N + * Ensure that the exponent that we are passing to the core is not NULL. */ - if (mbedtls_mpi_cmp_mpi(A, N) >= 0) { - MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&W[1], A, N)); - /* This should be a no-op because W[1] is already that large before - * mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow - * in mpi_montmul() below, so let's make sure. */ - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], N->n + 1)); + if (E->n == 0) { + mbedtls_mpi_lset(&E_core, 0); } else { - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A)); + memcpy(&E_core, E, sizeof(mbedtls_mpi)); } - /* Note that this is safe because W[1] always has at least N->n limbs - * (it grew above and was preserved by mbedtls_mpi_copy()). */ - mpi_montmul(&W[1], &RR, N, mm, &T); - /* - * W[x_index] = R^2 * R^-1 mod N = R mod N + * To preserve constness we need to make a copy of A. Using X for this to + * save memory. */ - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[x_index], &RR)); - mpi_montred(&W[x_index], N, mm, &T); - - - if (window_bitsize > 1) { - /* - * W[i] = W[1] ^ i - * - * The first bit of the sliding window is always 1 and therefore we - * only need to store the second half of the table. - * - * (There are two special elements in the table: W[0] for the - * accumulator/result and W[1] for A in Montgomery form. Both of these - * are already set at this point.) - */ - j = w_table_used_size / 2; - - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[j], N->n + 1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1])); - - for (i = 0; i < window_bitsize - 1; i++) { - mpi_montmul(&W[j], &W[j], N, mm, &T); - } - - /* - * W[i] = W[i - 1] * W[1] - */ - for (i = j + 1; i < w_table_used_size; i++) { - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1)); - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1])); - - mpi_montmul(&W[i], &W[1], N, mm, &T); - } - } - - nblimbs = E->n; - bufsize = 0; - nbits = 0; - state = 0; - - while (1) { - if (bufsize == 0) { - if (nblimbs == 0) { - break; - } - - nblimbs--; - - bufsize = sizeof(mbedtls_mpi_uint) << 3; - } - - bufsize--; - - ei = (E->p[nblimbs] >> bufsize) & 1; - - /* - * skip leading 0s - */ - if (ei == 0 && state == 0) { - continue; - } - - if (ei == 0 && state == 1) { - /* - * out of window, square W[x_index] - */ - MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index)); - mpi_montmul(&W[x_index], &WW, N, mm, &T); - continue; - } - - /* - * add ei to current window - */ - state = 2; - - nbits++; - exponent_bits_in_window |= (ei << (window_bitsize - nbits)); - - if (nbits == window_bitsize) { - /* - * W[x_index] = W[x_index]^window_bitsize R^-1 mod N - */ - for (i = 0; i < window_bitsize; i++) { - MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, - x_index)); - mpi_montmul(&W[x_index], &WW, N, mm, &T); - } - - /* - * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N - */ - MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, - exponent_bits_in_window)); - mpi_montmul(&W[x_index], &WW, N, mm, &T); - - state--; - nbits = 0; - exponent_bits_in_window = 0; - } - } + MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A)); /* - * process the remaining bits + * Compensate for negative A (and correct at the end). */ - for (i = 0; i < nbits; i++) { - MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index)); - mpi_montmul(&W[x_index], &WW, N, mm, &T); - - exponent_bits_in_window <<= 1; + X->s = 1; - if ((exponent_bits_in_window & ((size_t) 1 << window_bitsize)) != 0) { - MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, 1)); - mpi_montmul(&W[x_index], &WW, N, mm, &T); - } + /* + * Make sure that A has exactly as many limbs as N. + */ + if (mbedtls_mpi_cmp_mpi(X, N) >= 0) { + MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N)); } + MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n)); /* - * W[x_index] = A^E * R * R^-1 mod N = A^E mod N + * Allocate working memory for mbedtls_mpi_core_exp_mod() */ - mpi_montred(&W[x_index], N, mm, &T); + MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, + mbedtls_mpi_core_exp_mod_working_limbs(N->n, E_core.n))); - if (neg && E->n != 0 && (E->p[0] & 1) != 0) { - W[x_index].s = -1; - MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&W[x_index], N, &W[x_index])); - } + /* + * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod(). + */ + mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); + mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T.p); + mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E_core.p, E_core.n, RR.p, + T.p); + mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T.p); /* - * Load the result in the output variable. + * Correct for negative A. */ - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &W[x_index])); + if (A->s == -1 && (E_core.p[0] & 1) != 0) { + X->s = -1; + MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X)); + } cleanup: - /* The first bit of the sliding window is always 1 and therefore the first - * half of the table was unused. */ - for (i = w_table_used_size/2; i < w_table_used_size; i++) { - mbedtls_mpi_free(&W[i]); - } - - mbedtls_mpi_free(&W[x_index]); - mbedtls_mpi_free(&W[1]); mbedtls_mpi_free(&T); - mbedtls_mpi_free(&Apos); - mbedtls_mpi_free(&WW); if (prec_RR == NULL || prec_RR->p == NULL) { mbedtls_mpi_free(&RR); } + if (E->n == 0) { + mbedtls_mpi_free(&E_core); + } + return ret; } -- cgit v1.1 From 4b5edfa0bbdaa2524767e43c6a1976e6b54df0a6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 13 Feb 2024 14:15:45 +0000 Subject: Bignum: remove unused functions Signed-off-by: Janos Follath --- library/bignum.c | 77 -------------------------------------------------------- 1 file changed, 77 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 3926da4..9b8591b 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1598,83 +1598,6 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_s return 0; } -static void mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N) -{ - *mm = mbedtls_mpi_core_montmul_init(N->p); -} - -/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36) - * - * \param[in,out] A One of the numbers to multiply. - * It must have at least as many limbs as N - * (A->n >= N->n), and any limbs beyond n are ignored. - * On successful completion, A contains the result of - * the multiplication A * B * R^-1 mod N where - * R = (2^ciL)^n. - * \param[in] B One of the numbers to multiply. - * It must be nonzero and must not have more limbs than N - * (B->n <= N->n). - * \param[in] N The modulus. \p N must be odd. - * \param mm The value calculated by `mpi_montg_init(&mm, N)`. - * This is -N^-1 mod 2^ciL. - * \param[in,out] T A bignum for temporary storage. - * It must be at least twice the limb size of N plus 1 - * (T->n >= 2 * N->n + 1). - * Its initial content is unused and - * its final content is indeterminate. - * It does not get reallocated. - */ -static void mpi_montmul(mbedtls_mpi *A, const mbedtls_mpi *B, - const mbedtls_mpi *N, mbedtls_mpi_uint mm, - mbedtls_mpi *T) -{ - mbedtls_mpi_core_montmul(A->p, A->p, B->p, B->n, N->p, N->n, mm, T->p); -} - -/* - * Montgomery reduction: A = A * R^-1 mod N - * - * See mpi_montmul() regarding constraints and guarantees on the parameters. - */ -static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N, - mbedtls_mpi_uint mm, mbedtls_mpi *T) -{ - mbedtls_mpi_uint z = 1; - mbedtls_mpi U; - U.n = 1; - U.s = 1; - U.p = &z; - - mpi_montmul(A, &U, N, mm, T); -} - -/** - * Select an MPI from a table without leaking the index. - * - * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it - * reads the entire table in order to avoid leaking the value of idx to an - * attacker able to observe memory access patterns. - * - * \param[out] R Where to write the selected MPI. - * \param[in] T The table to read from. - * \param[in] T_size The number of elements in the table. - * \param[in] idx The index of the element to select; - * this must satisfy 0 <= idx < T_size. - * - * \return \c 0 on success, or a negative error code. - */ -static int mpi_select(mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - for (size_t i = 0; i < T_size; i++) { - MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(R, &T[i], - (unsigned char) mbedtls_ct_uint_eq(i, idx))); - } -cleanup: - return ret; -} - /* * Sliding-window exponentiation: X = A^E mod N (HAC 14.85) */ -- cgit v1.1 From 1609d57d532b9f4b51424e3882cfa8271418c074 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 14 Feb 2024 14:58:39 +0000 Subject: Increase default exponentiation window size The default window size as default is set to the value that believed to give the best performance. Since the algorithm changed, the fastest window size has changed as well. Signed-off-by: Janos Follath --- include/mbedtls/bignum.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 931e06d..8752072 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -59,7 +59,7 @@ * * Reduction in size, reduces speed. */ -#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */ +#define MBEDTLS_MPI_WINDOW_SIZE 3 /**< Maximum window size used. */ #endif /* !MBEDTLS_MPI_WINDOW_SIZE */ #if !defined(MBEDTLS_MPI_MAX_SIZE) -- cgit v1.1 From f0543becf97d0dbab86745a574b2e38b401dcc5a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 14 Feb 2024 15:12:16 +0000 Subject: Add Changelog Signed-off-by: Janos Follath --- ChangeLog.d/use_exp_mod_core.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/use_exp_mod_core.txt diff --git a/ChangeLog.d/use_exp_mod_core.txt b/ChangeLog.d/use_exp_mod_core.txt new file mode 100644 index 0000000..e145335 --- /dev/null +++ b/ChangeLog.d/use_exp_mod_core.txt @@ -0,0 +1,6 @@ +Changes + * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 2 to 3. + The correlation between this define and RSA decryption performance has + changed lately due to security hardening. + To fix the performance degradation when using default values the + window was increased from 2 to 3. -- cgit v1.1 From 7a18f9645c94cfffcf78e06b2631daa88c4546ba Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 12 Feb 2024 16:48:11 +0100 Subject: psa_generate_key_ext: RSA: support custom public exponent Signed-off-by: Gilles Peskine --- ChangeLog.d/psa_generate_key_ext.txt | 3 + library/psa_crypto.c | 30 ++++++++- library/psa_crypto_core.h | 6 ++ .../psa_crypto_driver_wrappers.h.jinja | 7 ++- tests/suites/test_suite_psa_crypto.data | 73 +++++++++++++++++++--- tests/suites/test_suite_psa_crypto.function | 14 ++++- 6 files changed, 119 insertions(+), 14 deletions(-) create mode 100644 ChangeLog.d/psa_generate_key_ext.txt diff --git a/ChangeLog.d/psa_generate_key_ext.txt b/ChangeLog.d/psa_generate_key_ext.txt new file mode 100644 index 0000000..8340f01 --- /dev/null +++ b/ChangeLog.d/psa_generate_key_ext.txt @@ -0,0 +1,3 @@ +Features + * The new function psa_generate_key_ext() allows generating an RSA + key pair with a custom public exponent. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 6263be9..98823de 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7501,11 +7501,16 @@ static psa_status_t psa_validate_key_type_and_size_for_key_generation( psa_status_t psa_generate_key_internal( const psa_key_attributes_t *attributes, + const psa_key_generation_method_t *method, size_t method_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_type_t type = attributes->core.type; + /* Only used for RSA */ + (void) method; + (void) method_length; + if ((attributes->domain_parameters == NULL) && (attributes->domain_parameters_size != 0)) { return PSA_ERROR_INVALID_ARGUMENT; @@ -7526,7 +7531,17 @@ psa_status_t psa_generate_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - return mbedtls_psa_rsa_generate_key(attributes, + /* Hack: if the method specifies a non-default e, pass it + * via the domain parameters. TODO: refactor this code so + * that mbedtls_psa_rsa_generate_key() gets e via a new + * parameter instead. */ + psa_key_attributes_t override_attributes = *attributes; + if (method_length > sizeof(*method)) { + override_attributes.domain_parameters_size = + method_length - offsetof(psa_key_generation_method_t, data); + override_attributes.domain_parameters = (uint8_t *) &method->data; + } + return mbedtls_psa_rsa_generate_key(&override_attributes, key_buffer, key_buffer_size, key_buffer_length); @@ -7584,6 +7599,14 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, if (method_length < sizeof(*method)) { return PSA_ERROR_INVALID_ARGUMENT; } + +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) + if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) { + if (method->flags != 0) { + return PSA_ERROR_INVALID_ARGUMENT; + } + } else +#endif if (!psa_key_generation_method_is_default(method, method_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7625,8 +7648,9 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, } status = psa_driver_wrapper_generate_key(attributes, - slot->key.data, slot->key.bytes, &slot->key.bytes); - + method, method_length, + slot->key.data, slot->key.bytes, + &slot->key.bytes); if (status != PSA_SUCCESS) { psa_remove_key_data_from_memory(slot); } diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index dc376d7..99aea9d 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -403,6 +403,10 @@ psa_status_t psa_export_public_key_internal( * entry point. * * \param[in] attributes The attributes for the key to generate. + * \param[in] method The generation method from + * psa_generate_key_ext(). + * This can be \c NULL if \p method_length is 0. + * \param method_length The size of \p method in bytes. * \param[out] key_buffer Buffer where the key data is to be written. * \param[in] key_buffer_size Size of \p key_buffer in bytes. * \param[out] key_buffer_length On success, the number of bytes written in @@ -417,6 +421,8 @@ psa_status_t psa_export_public_key_internal( * The size of \p key_buffer is too small. */ psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes, + const psa_key_generation_method_t *method, + size_t method_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja index 924b08c..e6d827b 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja @@ -731,12 +731,16 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( static inline psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, + const psa_key_generation_method_t *method, size_t method_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime); + /* TODO: if method is non-default, we need a driver that supports + * passing a method. */ + /* Try dynamically-registered SE interface first */ #if defined(MBEDTLS_PSA_CRYPTO_SE_C) const psa_drv_se_t *drv; @@ -793,7 +797,8 @@ static inline psa_status_t psa_driver_wrapper_generate_key( /* Software fallback */ status = psa_generate_key_internal( - attributes, key_buffer, key_buffer_size, key_buffer_length ); + attributes, method, method_length, + key_buffer, key_buffer_size, key_buffer_length ); break; /* Add cases for opaque driver here */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index bc6ca1b..2d0cf2c 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -7439,22 +7439,22 @@ PSA generate key: ECC, Curve448, good depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_448 generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0 -PSA generate key: RSA, default e +PSA generate key: RSA, domain parameters: default e generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"":PSA_SUCCESS -PSA generate key: RSA, e=3 +PSA generate key: RSA, domain parameters: e=3 generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"03":PSA_SUCCESS -PSA generate key: RSA, e=65537 +PSA generate key: RSA, domain parameters: e=65537 generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"010001":PSA_SUCCESS -PSA generate key: RSA, e=513 +PSA generate key: RSA, domain parameters: e=513 generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"0201":PSA_SUCCESS -PSA generate key: RSA, e=1 +PSA generate key: RSA, domain parameters: e=1 generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT -PSA generate key: RSA, e=2 +PSA generate key: RSA, domain parameters: e=2 generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"02":PSA_ERROR_INVALID_ARGUMENT PSA generate key: FFDH, 2048 bits, good @@ -7482,13 +7482,68 @@ depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0 PSA generate key ext: RSA, null method -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT PSA generate key ext: RSA, method too short by 1 -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:-1:"":PSA_ERROR_INVALID_ARGUMENT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:-1:"":PSA_ERROR_INVALID_ARGUMENT PSA generate key ext: RSA, method.flags=1 -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:1:"":PSA_ERROR_INVALID_ARGUMENT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: RSA, empty e +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS + +PSA generate key ext: RSA, e=3 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS + +PSA generate key ext: RSA, e=3 with leading zeros +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS + +# TODO: currently errors with NOT_SUPPORTED because e is converted to an int +# and the conversion errors out if there are too many digits without checking +# for leading zeros. This is a very minor bug. Re-enable this test when this +# bug is fixed. +#PSA generate key ext: RSA, e=3 with many leading zeros +#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +#generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS + +PSA generate key ext: RSA, e=513 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS + +PSA generate key ext: RSA, e=65537 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS + +PSA generate key ext: RSA, e=2^31-1 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS + +PSA generate key ext: RSA, e=2^31+3 (too large for built-in RSA) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED + +PSA generate key ext: RSA, e=2^64+3 (too large for built-in RSA) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED + +PSA generate key ext: RSA, e=1 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: RSA, e=0 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key ext: RSA, e=2 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT PSA generate key ext: ECC, null method depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 05b49bd..34baa1b 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1293,7 +1293,13 @@ static int rsa_test_e(mbedtls_svc_key_id_t key, TEST_EQUAL(p[1], 0); TEST_EQUAL(p[2], 1); } else { - TEST_MEMORY_COMPARE(p, len, e_arg->x, e_arg->len); + const uint8_t *expected = e_arg->x; + size_t expected_len = e_arg->len; + while (expected_len > 0 && *expected == 0) { + ++expected; + --expected_len; + } + TEST_MEMORY_COMPARE(p, len, expected, expected_len); } ok = 1; @@ -9960,6 +9966,12 @@ void generate_key_ext(int type_arg, TEST_EQUAL(psa_get_key_type(&got_attributes), type); TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) + if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { + TEST_ASSERT(rsa_test_e(key, bits, method_data)); + } +#endif + /* Do something with the key according to its type and permitted usage. */ if (!mbedtls_test_psa_exercise_key(key, usage, alg)) { goto exit; -- cgit v1.1 From c81393b2ed29f95648ee77698490a597a1362ca6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 14 Feb 2024 20:51:28 +0100 Subject: generate/derive key ext: pass method_data_length rather than method_length Instead of passing the size of the whole structure, just pass the data length and let the implementation worry about adding the size of the structure. The intent with passing the structure size was to allow the client code in a client-server implementation to know nothing about the structure and just copy the bytes to the server. But that was not really a useful consideration since the application has to know the structure layout, so it has to be available in the client implementation's headers. Passing the method data length makes life simpler for everyone by not having to worry about possible padding at the end of the structure, and removes a potential error condition (method_length < sizeof(psa_key_generation_method_t)). Signed-off-by: Gilles Peskine --- include/psa/crypto.h | 28 +++++------- include/psa/crypto_struct.h | 2 +- library/psa_crypto.c | 41 +++++++---------- library/psa_crypto_core.h | 5 +-- .../psa_crypto_driver_wrappers.h.jinja | 4 +- tests/suites/test_suite_psa_crypto.data | 20 --------- tests/suites/test_suite_psa_crypto.function | 51 +++++++++++----------- 7 files changed, 56 insertions(+), 95 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index d6ad969..da1418f 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3704,8 +3704,7 @@ psa_status_t psa_key_derivation_output_bytes( * \note This function is equivalent to calling * psa_key_derivation_output_key_ext() * with the method #PSA_KEY_GENERATION_METHOD_INIT and - * `method_length == sizeof(psa_key_generation_method_t)` - * (i.e. `method->flags == 0` and `method->data` is empty). + * `method_data_length == 0` (i.e. `method->data` is empty). * * \param[in] attributes The attributes for the new key. * If the key type to be created is @@ -3777,17 +3776,14 @@ psa_status_t psa_key_derivation_output_key( * \param[in,out] operation The key derivation operation object to read from. * \param[in] method Customization parameters for the key generation. * When this is #PSA_KEY_GENERATION_METHOD_INIT - * with \p method_length = - * `sizeof(psa_key_generation_method_t)`, + * with \p method_data_length = 0, * this function is equivalent to * psa_key_derivation_output_key(). * Mbed TLS currently only supports the default * method, i.e. #PSA_KEY_GENERATION_METHOD_INIT, * for all key types. - * \param method_length Length of \p method in bytes. - * This must be - * `sizeof(psa_key_generation_method_t) + n` - * where `n` is the size of `method->data` in bytes. + * \param method_data_length + * Length of `method.data` in bytes. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key * identifier defined in \p attributes. @@ -3834,7 +3830,7 @@ psa_status_t psa_key_derivation_output_key_ext( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, const psa_key_generation_method_t *method, - size_t method_length, + size_t method_data_length, mbedtls_svc_key_id_t *key); /** Compare output data from a key derivation operation to an expected value. @@ -4093,8 +4089,7 @@ psa_status_t psa_generate_random(uint8_t *output, * * \note This function is equivalent to calling psa_generate_key_ext() * with the method #PSA_KEY_GENERATION_METHOD_INIT and - * `method_length == sizeof(psa_key_generation_method_t)` - * (i.e. `method->flags == 0` and `method->data` is empty). + * `method_data_length == 0` (i.e. `method->data` is empty). * * \param[in] attributes The attributes for the new key. * \param[out] key On success, an identifier for the newly created @@ -4144,14 +4139,11 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * \param[in] attributes The attributes for the new key. * \param[in] method Customization parameters for the key generation. * When this is #PSA_KEY_GENERATION_METHOD_INIT - * with \p method_length = - * `sizeof(psa_key_generation_method_t)`, + * with \p method_data_length = 0, * this function is equivalent to * psa_key_derivation_output_key(). - * \param method_length Length of \p method in bytes. - * This must be - * `sizeof(psa_key_generation_method_t) + n` - * where `n` is the size of `method->data` in bytes. + * \param method_data_length + * Length of `method.data` in bytes. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key * identifier defined in \p attributes. @@ -4182,7 +4174,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, */ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, const psa_key_generation_method_t *method, - size_t method_length, + size_t method_data_length, mbedtls_svc_key_id_t *key); /**@}*/ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index b5e942e..248caa2 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -233,7 +233,7 @@ struct psa_key_generation_method_s { * * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext() * with `method=PSA_KEY_GENERATION_METHOD_INIT` and - * `method_length=sizeof(psa_key_generation_method_t)` is equivalent to + * `method_data_length == 0` is equivalent to * calling psa_generate_key() or psa_key_derivation_output_key() * respectively. */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 98823de..3c328c4 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6027,12 +6027,12 @@ static const psa_key_generation_method_t default_method = PSA_KEY_GENERATION_MET static int psa_key_generation_method_is_default( const psa_key_generation_method_t *method, - size_t method_length) + size_t method_data_length) { - if (method_length != sizeof(*method)) { + if (method->flags != 0) { return 0; } - if (method->flags != 0) { + if (method_data_length != 0) { return 0; } return 1; @@ -6042,7 +6042,7 @@ psa_status_t psa_key_derivation_output_key_ext( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, const psa_key_generation_method_t *method, - size_t method_length, + size_t method_data_length, mbedtls_svc_key_id_t *key) { psa_status_t status; @@ -6057,10 +6057,7 @@ psa_status_t psa_key_derivation_output_key_ext( return PSA_ERROR_INVALID_ARGUMENT; } - if (method_length < sizeof(*method)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - if (!psa_key_generation_method_is_default(method, method_length)) { + if (!psa_key_generation_method_is_default(method, method_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -6100,10 +6097,9 @@ psa_status_t psa_key_derivation_output_key( psa_key_derivation_operation_t *operation, mbedtls_svc_key_id_t *key) { - return psa_key_derivation_output_key_ext( - attributes, operation, - &default_method, sizeof(default_method), - key); + return psa_key_derivation_output_key_ext(attributes, operation, + &default_method, 0, + key); } @@ -7501,7 +7497,7 @@ static psa_status_t psa_validate_key_type_and_size_for_key_generation( psa_status_t psa_generate_key_internal( const psa_key_attributes_t *attributes, - const psa_key_generation_method_t *method, size_t method_length, + const psa_key_generation_method_t *method, size_t method_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -7509,7 +7505,7 @@ psa_status_t psa_generate_key_internal( /* Only used for RSA */ (void) method; - (void) method_length; + (void) method_data_length; if ((attributes->domain_parameters == NULL) && (attributes->domain_parameters_size != 0)) { @@ -7536,9 +7532,8 @@ psa_status_t psa_generate_key_internal( * that mbedtls_psa_rsa_generate_key() gets e via a new * parameter instead. */ psa_key_attributes_t override_attributes = *attributes; - if (method_length > sizeof(*method)) { - override_attributes.domain_parameters_size = - method_length - offsetof(psa_key_generation_method_t, data); + if (method_data_length != 0) { + override_attributes.domain_parameters_size = method_data_length; override_attributes.domain_parameters = (uint8_t *) &method->data; } return mbedtls_psa_rsa_generate_key(&override_attributes, @@ -7575,7 +7570,7 @@ psa_status_t psa_generate_key_internal( psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, const psa_key_generation_method_t *method, - size_t method_length, + size_t method_data_length, mbedtls_svc_key_id_t *key) { psa_status_t status; @@ -7596,10 +7591,6 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, return PSA_ERROR_INVALID_ARGUMENT; } - if (method_length < sizeof(*method)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) { if (method->flags != 0) { @@ -7607,7 +7598,7 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, } } else #endif - if (!psa_key_generation_method_is_default(method, method_length)) { + if (!psa_key_generation_method_is_default(method, method_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7648,7 +7639,7 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, } status = psa_driver_wrapper_generate_key(attributes, - method, method_length, + method, method_data_length, slot->key.data, slot->key.bytes, &slot->key.bytes); if (status != PSA_SUCCESS) { @@ -7670,7 +7661,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key) { return psa_generate_key_ext(attributes, - &default_method, sizeof(default_method), + &default_method, 0, key); } diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 99aea9d..3a9b02d 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -405,8 +405,7 @@ psa_status_t psa_export_public_key_internal( * \param[in] attributes The attributes for the key to generate. * \param[in] method The generation method from * psa_generate_key_ext(). - * This can be \c NULL if \p method_length is 0. - * \param method_length The size of \p method in bytes. + * \param method_data_length The size of `method.data` in bytes. * \param[out] key_buffer Buffer where the key data is to be written. * \param[in] key_buffer_size Size of \p key_buffer in bytes. * \param[out] key_buffer_length On success, the number of bytes written in @@ -422,7 +421,7 @@ psa_status_t psa_export_public_key_internal( */ psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes, const psa_key_generation_method_t *method, - size_t method_length, + size_t method_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja index e6d827b..b1a952b 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja @@ -731,7 +731,7 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( static inline psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, - const psa_key_generation_method_t *method, size_t method_length, + const psa_key_generation_method_t *method, size_t method_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -797,7 +797,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( /* Software fallback */ status = psa_generate_key_internal( - attributes, method, method_length, + attributes, method, method_data_length, key_buffer, key_buffer_size, key_buffer_length ); break; diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 2d0cf2c..1a0f08b 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6874,14 +6874,6 @@ PSA key derivation: default method -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" -PSA key derivation: null method -> AES-128 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT:"" - -PSA key derivation: method too short by 1 -> AES-128 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:-1:"":PSA_ERROR_INVALID_ARGUMENT:"" - PSA key derivation: method.flags=1 -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:"" @@ -7481,14 +7473,6 @@ PSA generate key: FFDH, 1024 bits, invalid bits depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0 -PSA generate key ext: RSA, null method -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT - -PSA generate key ext: RSA, method too short by 1 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:-1:"":PSA_ERROR_INVALID_ARGUMENT - PSA generate key ext: RSA, method.flags=1 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT @@ -7545,10 +7529,6 @@ PSA generate key ext: RSA, e=2 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT -PSA generate key ext: ECC, null method -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH -generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:-offsetof(psa_key_generation_method_t, data):"":PSA_ERROR_INVALID_ARGUMENT - PSA generate key ext: ECC, flags=0 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 34baa1b..e946f4e 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1310,21 +1310,25 @@ exit: #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ static int setup_key_generation_method(psa_key_generation_method_t **method, - size_t *method_length, - int64_t flags_arg, + size_t *method_data_length, + int flags_arg, const data_t *method_data) { - if (flags_arg >= 0) { - *method_length = sizeof(**method) + method_data->len; - *method = mbedtls_calloc(1, *method_length); - TEST_ASSERT(*method != NULL); - (*method)->flags = (uint32_t) flags_arg; - memcpy((*method)->data, method_data->x, method_data->len); - } else if (sizeof(**method) + flags_arg > 0) { - *method_length = sizeof(**method) + flags_arg; - *method = mbedtls_calloc(1, *method_length); - TEST_ASSERT(*method != NULL); - } + *method_data_length = method_data->len; + /* If there are N bytes of padding at the end of + * psa_key_generation_method_t, then it's enough to allocate + * MIN(sizeof(psa_key_generation_method_t), + * offsetof(psa_key_generation_method_t, data) + method_data_length). + * + * For simplicity, here, we allocate up to N more bytes than necessary. + * In practice, the current layout of psa_key_generation_method_t + * makes padding extremely unlikely, so we don't worry about testing + * that the library code doesn't try to access these extra N bytes. + */ + *method = mbedtls_calloc(1, sizeof(**method) + *method_data_length); + TEST_ASSERT(*method != NULL); + (*method)->flags = (uint32_t) flags_arg; + memcpy((*method)->data, method_data->x, method_data->len); return 1; exit: return 0; @@ -9335,7 +9339,7 @@ void derive_key_ext(int alg_arg, data_t *input1, data_t *input2, int key_type_arg, int bits_arg, - int64_t flags_arg, /*negative for truncated method*/ + int flags_arg, data_t *method_data, psa_status_t expected_status, data_t *expected_export) @@ -9346,7 +9350,7 @@ void derive_key_ext(int alg_arg, const psa_key_type_t key_type = key_type_arg; const size_t bits = bits_arg; psa_key_generation_method_t *method = NULL; - size_t method_length = 0; + size_t method_data_length = 0; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; const size_t export_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); @@ -9376,13 +9380,13 @@ void derive_key_ext(int alg_arg, psa_set_key_algorithm(&derived_attributes, 0); psa_set_key_type(&derived_attributes, key_type); psa_set_key_bits(&derived_attributes, bits); - if (!setup_key_generation_method(&method, &method_length, + if (!setup_key_generation_method(&method, &method_data_length, flags_arg, method_data)) { goto exit; } TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation, - method, method_length, + method, method_data_length, &derived_key), expected_status); @@ -9924,7 +9928,7 @@ void generate_key_ext(int type_arg, int bits_arg, int usage_arg, int alg_arg, - int64_t flags_arg, /*negative for truncated method*/ + int flags_arg, data_t *method_data, int expected_status_arg) { @@ -9936,7 +9940,7 @@ void generate_key_ext(int type_arg, psa_status_t expected_status = expected_status_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_generation_method_t *method = NULL; - size_t method_length = 0; + size_t method_data_length = 0; psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; PSA_ASSERT(psa_crypto_init()); @@ -9946,14 +9950,14 @@ void generate_key_ext(int type_arg, psa_set_key_type(&attributes, type); psa_set_key_bits(&attributes, bits); - if (!setup_key_generation_method(&method, &method_length, + if (!setup_key_generation_method(&method, &method_data_length, flags_arg, method_data)) { goto exit; } /* Generate a key */ psa_status_t status = psa_generate_key_ext(&attributes, - method, method_length, + method, method_data_length, &key); TEST_EQUAL(status, expected_status); @@ -9997,11 +10001,6 @@ void key_generation_method_init() psa_key_generation_method_t zero; memset(&zero, 0, sizeof(zero)); - /* In order for sizeof(psa_key_generation_method_t) to mean - * empty data, there must not be any padding in the structure: - * the size of the structure must be the offset of the data field. */ - TEST_EQUAL(sizeof(zero), offsetof(psa_key_generation_method_t, data)); - TEST_EQUAL(func.flags, 0); TEST_EQUAL(init.flags, 0); TEST_EQUAL(zero.flags, 0); -- cgit v1.1 From 69f11c8dfb9c5338fd05e5c1f2d872f295cce9ea Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 14 Feb 2024 23:07:33 +0100 Subject: generate key ext: skip driver invocation with non-default method In the driver wrapper for psa_generate_key() and psa_generate_key_ext(): * Invoke the built-in code if using a non-default method, even if there might be an accelerator. This is ok because we only support non-default methods for RSA and we don't support driver-only RSA, therefore a non-default method will always have built-in code behind it. * Return NOT_SUPPORTED if trying to use a non-default method with an opaque driver. Signed-off-by: Gilles Peskine --- library/psa_crypto.c | 2 +- library/psa_crypto_core.h | 12 ++++++++++++ .../psa_crypto_driver_wrappers.h.jinja | 20 ++++++++++++++++---- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3c328c4..d84d101 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6025,7 +6025,7 @@ exit: static const psa_key_generation_method_t default_method = PSA_KEY_GENERATION_METHOD_INIT; -static int psa_key_generation_method_is_default( +int psa_key_generation_method_is_default( const psa_key_generation_method_t *method, size_t method_data_length) { diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 3a9b02d..965db94 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -396,6 +396,18 @@ psa_status_t psa_export_public_key_internal( const uint8_t *key_buffer, size_t key_buffer_size, uint8_t *data, size_t data_size, size_t *data_length); +/** Whether a key generation method is the default. + * + * Calls to a key generation driver with a non-default method + * require a driver supporting custom methods. + * + * \param[in] method The key generation method to check. + * \param method_data_length Size of `method.data` in bytes. + */ +int psa_key_generation_method_is_default( + const psa_key_generation_method_t *method, + size_t method_data_length); + /** * \brief Generate a key. * diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja index b1a952b..10843c3 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja @@ -738,8 +738,18 @@ static inline psa_status_t psa_driver_wrapper_generate_key( psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime); - /* TODO: if method is non-default, we need a driver that supports - * passing a method. */ +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) + int is_default_method = + psa_key_generation_method_is_default(method, method_data_length); + if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_method ) + { + /* We don't support passing a custom method to drivers yet. */ + return PSA_ERROR_NOT_SUPPORTED; + } +#else + int is_default_method = 1; + (void) is_default_method; +#endif /* Try dynamically-registered SE interface first */ #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -766,8 +776,10 @@ static inline psa_status_t psa_driver_wrapper_generate_key( { case PSA_KEY_LOCATION_LOCAL_STORAGE: #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) - /* Transparent drivers are limited to generating asymmetric keys */ - if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) ) + /* Transparent drivers are limited to generating asymmetric keys. */ + /* We don't support passing a custom method to drivers yet. */ + if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) && + is_default_method ) { /* Cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_DRIVER_TEST) -- cgit v1.1 From 63072b1f94f6251b37684a3052ab4bcae4ddc03f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 11:48:58 +0100 Subject: Only test custom-e RSA key generation when built in Custom-e RSA key generation is not yet supported in the test driver, and we don't support fallback from the test driver to the built-in implementation (even though we're testing with MBEDTLS_RSA_C). So for the time being, only run psa_generate_key_ext test cases for RSA with a custom public exponent when using the built-in implementation. Add a test case to validate that psa_generate_key_ext test cases for RSA with a custom public exponent returns NOT_SUPPORTED (rather than silently doing the wrong thing) when not using built-in RSA (which is subtly different from when having accelerated RSA: if both are enabled, which we currently don't do in all.sh, then this should be supported and this is validated by the test cases above). This wart will be resolved when we add support for drivers with a generate_key_ext entry point. Signed-off-by: Gilles Peskine --- tests/scripts/analyze_outcomes.py | 5 +++++ tests/suites/test_suite_psa_crypto.data | 31 ++++++++++++++++++++----------- 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 11e4836..20e2ab7 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -570,6 +570,11 @@ KNOWN_TASKS = { re.compile(r'mbedtls_ct_zeroize_if .*'), re.compile(r'mbedtls_ct_memmove_left .*') ], + 'test_suite_psa_crypto': [ + # We don't support generate_key_ext entry points + # in drivers yet. + re.compile(r'PSA generate key ext: RSA, e=.*'), + ], } } }, diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 1a0f08b..e29e466 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -7482,11 +7482,11 @@ depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRY generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS PSA generate key ext: RSA, e=3 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS PSA generate key ext: RSA, e=3 with leading zeros -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS # TODO: currently errors with NOT_SUPPORTED because e is converted to an int @@ -7494,41 +7494,50 @@ generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS: # for leading zeros. This is a very minor bug. Re-enable this test when this # bug is fixed. #PSA generate key ext: RSA, e=3 with many leading zeros -#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT #generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS PSA generate key ext: RSA, e=513 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS PSA generate key ext: RSA, e=65537 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS PSA generate key ext: RSA, e=2^31-1 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS PSA generate key ext: RSA, e=2^31+3 (too large for built-in RSA) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED PSA generate key ext: RSA, e=2^64+3 (too large for built-in RSA) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED PSA generate key ext: RSA, e=1 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT PSA generate key ext: RSA, e=0 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT PSA generate key ext: RSA, e=2 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT +# Check that with a driver, we reject a custom e as unsupported, +# as opposed to silently using the default e. +# When we add proper driver support, remove this test case and remove +# the dependency on MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE from +# the positive/invalid_argument test cases. +PSA generate key ext: RSA, e=3 with driver and no fallback (not yet supported) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED + PSA generate key ext: ECC, flags=0 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS -- cgit v1.1 From cbd2cbb408426187b817526e8aa9fc9fdaaaf99a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 13:12:44 +0100 Subject: Rename identifier for consistency Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 34 +++++++++++++++++----------------- tests/suites/test_suite_pk.function | 32 ++++++++++++++++---------------- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 9086508..0e944db 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -1264,77 +1264,77 @@ pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS PSA import into PSA: opaque ECC, COPY (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, EXPORT (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, no COPY/EXPORT (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH # Detail that isn't precisely documented: since this copies the key, # the new key has the intersection of the usage flags. PSA import into PSA: opaque ECC, COPY|EXPORT, different usage (restricted) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 # Detail that isn't precisely documented: since this copies the key, # the new key has the intersection of the usage flags. PSA import into PSA: opaque ECC, COPY, different usage (restricted) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 # Detail that isn't precisely documented: since this exports the key, # the new key has all the requested usage flags. PSA import into PSA: opaque ECC, EXPORT, different usage (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, COPY|EXPORT, different algorithm (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 PSA import into PSA: opaque ECC, COPY, different algorithm (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC, EXPORT, different algorithm (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 PSA import into PSA: opaque ECC, implicit bits (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, different bits (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC, different type (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC, different family (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC to public (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC to public, implicit bits (ok) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 # MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation # of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably # be more appropriate. PSA import into PSA: opaque ECC to public, different bits (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_INVALID_ALG +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: opaque ECC to public, different family (bad) depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA -pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 7671364..3ce7d26 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -60,55 +60,55 @@ * be ECDSA-capable, and likewise for ECDH. */ #if defined(PSA_WANT_ECC_SECP_R1_192) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192R1 #elif defined(PSA_WANT_ECC_SECP_R1_224) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 224 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224R1 #elif defined(PSA_WANT_ECC_SECP_R1_256) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256R1 #elif defined(PSA_WANT_ECC_SECP_R1_384) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 384 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 384 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP384R1 #elif defined(PSA_WANT_ECC_SECP_R1_521) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 521 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 521 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP521R1 #elif defined(PSA_WANT_ECC_SECP_K1_192) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192K1 #elif defined(PSA_WANT_ECC_SECP_K1_224) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 224 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224K1 #elif defined(PSA_WANT_ECC_SECP_K1_256) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256K1 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP256R1 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 384 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 384 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP384R1 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 512 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 512 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP512R1 #elif defined(PSA_WANT_ECC_MONTGOMERY_255) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 255 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 255 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE25519 #elif defined(PSA_WANT_ECC_MONTGOMERY_448) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 448 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 448 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE448 #endif /* curve selection */ @@ -124,12 +124,12 @@ * the values we expect here. */ #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 #define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 #define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES #elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_K1_256) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 #define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 #define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES #endif @@ -138,7 +138,7 @@ /* Always define the macros so that we can use them in test data. */ #if !defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY 0 -#define MBEDTLS_PSA_ECC_ONE_CURVE_BITS 0 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 0 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE 0 #endif #if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY) -- cgit v1.1 From f50cd59b51fd57d5e095134b6c715bcad0b2628a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 13:13:26 +0100 Subject: Fix encrypt/decrypt confusion The values are the same for all supported mechanisms (RSA-based), so no semantic change. Signed-off-by: Gilles Peskine --- tests/src/psa_exercise_key.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 3fcf77d..80419d1 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -364,9 +364,9 @@ static int exercise_asymmetric_encryption_key(mbedtls_svc_key_id_t key, psa_key_usage_t usage, psa_algorithm_t alg) { - unsigned char plaintext[PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE] = + unsigned char plaintext[PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE] = "Hello, world..."; - unsigned char ciphertext[PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE] = + unsigned char ciphertext[PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE] = "(wabblewebblewibblewobblewubble)"; size_t ciphertext_length = sizeof(ciphertext); size_t plaintext_length = 16; -- cgit v1.1 From 0fa6b362574ac657de16443d70d0a638106f6ef1 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 15 Feb 2024 12:27:03 +0000 Subject: Always display make/cmake invocation command Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 14 ++++++++++---- tests/scripts/quiet/make | 14 ++++++++++---- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index ea1474f..2e95c6b 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -18,14 +18,20 @@ TOOL=$(basename "$0") # Locate original tool ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) +if [[ ! " $@ " =~ " --version " ]]; then + # Display the command being invoked - if it succeeds, this is all that will + # be displayed. Don't do this for invocations with --version, because + # this output is often parsed by scripts, so we don't want to modify it. + echo -n "${TOOL} " + printf '%q ' "$@" + echo +fi + if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then + # Run original command with no output supression ${ORIGINAL_TOOL} "$@" EXIT_STATUS=$? else - # Display the command being invoked - if it succeeds, this is all that will - # be displayed. - echo "${TOOL} $@" - # Run original command and capture output & exit status TMPFILE=$(mktemp /tmp/quiet-${TOOL}.XXXXXX) ${ORIGINAL_TOOL} "$@" > ${TMPFILE} 2>&1 diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index 633758a..0c48696 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -18,14 +18,20 @@ TOOL=$(basename "$0") # Locate original tool ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) +if [[ ! " $@ " =~ " --version " ]]; then + # Display the command being invoked - if it succeeds, this is all that will + # be displayed. Don't do this for invocations with --version, because + # this output is often parsed by scripts, so we don't want to modify it. + echo -n "${TOOL} " + printf '%q ' "$@" + echo +fi + if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then + # Run original command with no output supression ${ORIGINAL_TOOL} "$@" EXIT_STATUS=$? else - # Display the command being invoked - if it succeeds, this is all that will - # be displayed. - echo "${TOOL} $@" - # Run original command and capture output & exit status TMPFILE=$(mktemp /tmp/quiet-${TOOL}.XXXXXX) ${ORIGINAL_TOOL} "$@" > ${TMPFILE} 2>&1 -- cgit v1.1 From 68a287dc7aed81216c47e0992926f56c112d3cea Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 13:30:55 +0100 Subject: Use named constants FROM_PAIR/FROM_PUBLIC for readability Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 184 ++++++++++++++++++------------------ tests/suites/test_suite_pk.function | 6 ++ 2 files changed, 98 insertions(+), 92 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 0e944db..df665d0 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -682,311 +682,311 @@ depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512 PSA attributes for pk: NONE (bad) -pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA +pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA # There is a (negative) test for pk_type=MBEDTLS_PK_RSA_ALT in pk_rsa_alt(). # Bad usage due to not specifying sign/crypt/derive. PSA attributes for pk: RSA usage=0 (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:0:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH # Bad usage due to not specifying sign/crypt/derive. PSA attributes for pk: RSA usage=EXPORT (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=DECRYPT|EXPORT (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH # Bad usage due to specifying more than one of sign/crypt/derive. PSA attributes for pk: RSA usage=DECRYPT|SIGN_MESSAGE (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=SIGN_MESSAGE|SIGN_HASH (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=SIGN_MESSAGE|VERIFY_MESSAGE (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair DECRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 pair DECRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 pair DECRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 pair->public ENCRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 pair->public ENCRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 pair->public ENCRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 public ENCRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 public ENCRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 public ENCRYPT depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 public DECRYPT (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair SIGN_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair SIGN_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair SIGN_HASH depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair SIGN_HASH depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair->public VERIFY_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair->public VERIFY_HASH depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_HASH depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public VERIFY_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 public VERIFY_MESSAGE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public VERIFY_HASH depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 public VERIFY_HASH depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 -pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) +pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public SIGN_MESSAGE (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 public SIGN_HASH (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair DERIVE (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 public DERIVE (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 -pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DECRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair DECRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair DECRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DECRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public DECRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public DECRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair ENCRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair ENCRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA pair ENCRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public ENCRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public ENCRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public ENCRYPT (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DERIVE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECKEY_DH pair DERIVE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH +pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH PSA attributes for pk: ECDSA pair DERIVE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public DERIVE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public DERIVE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public DERIVE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair SIGN_MESSAGE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_MESSAGE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair SIGN_HASH depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair SIGN_HASH depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY pair->public VERIFY_HASH depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA pair->public VERIFY_HASH depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public VERIFY_MESSAGE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA public VERIFY_MESSAGE depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public VERIFY_HASH depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECDSA public VERIFY_HASH depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) +pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH) PSA attributes for pk: ECKEY public SIGN_MESSAGE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public SIGN_MESSAGE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY public SIGN_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECDSA public SIGN_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair SIGN_MESSAGE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair SIGN_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair VERIFY_MESSAGE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH pair VERIFY_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public SIGN_MESSAGE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public SIGN_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public VERIFY_MESSAGE (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY_DH public VERIFY_HASH (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE (bad policy) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME @@ -1127,71 +1127,71 @@ pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):2 PSA import into PSA: RSA pair to ECC (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_import_into_psa_fail:MBEDTLS_PK_RSA:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: RSA public to RSA pair (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_import_into_psa_fail:MBEDTLS_PK_RSA:0:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_RSA_BAD_INPUT_DATA +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_RSA_BAD_INPUT_DATA PSA import into PSA: ECKEY pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to public, different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to public, different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to public, different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY public to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH public to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA public to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY public to pair (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH public to pair (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA public to pair (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque RSA, COPY (ok) depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 3ce7d26..52d0f68 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -313,6 +313,12 @@ size_t mbedtls_rsa_key_len_func(void *ctx) } #endif /* MBEDTLS_RSA_C */ +typedef enum { + /* The values are compatible with thinking of "from pair" as a boolean. */ + FROM_PUBLIC = 0, + FROM_PAIR = 1 +} from_pair_t; + #if defined(MBEDTLS_PSA_CRYPTO_C) static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, mbedtls_pk_context *pk, psa_key_type_t *psa_type) -- cgit v1.1 From 264e21011acbf06701c1e5da17b3fdbf3c8589ad Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 15 Feb 2024 12:28:56 +0000 Subject: Rename internal test info data accessors Rename internal test info data accessors by adding _internal to mark them as obviously internal. Add to the intial comment block to further explain the mutex locking policy. Signed-off-by: Paul Elliott --- tests/src/helpers.c | 50 ++++++++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 20 deletions(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index b810253..9053aac 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -31,7 +31,17 @@ mbedtls_threading_mutex_t mbedtls_test_info_mutex; #endif /* MBEDTLS_THREADING_C */ /*----------------------------------------------------------------------------*/ -/* Mbedtls Test Info accessors */ +/* Mbedtls Test Info accessors + * + * NOTE - there are two types of accessors here; the _internal functions, which + * are expected to be used from this module *only*. These do not attempt to lock + * the mbedtls_test_info_mutex, as they are designed to be called from within + * public functions which do lock the mutex first (if mutexes are enabled). + * The main reason for this is the need to set some sets of test data + * atomically, without releasing the mutex inbetween to prevent race conditions + * resulting in mixed test info. The other public accessors have prototypes in + * the header and have to lock the mutex for safety as we obviously cannot + * control where they are called from. */ mbedtls_test_result_t mbedtls_test_get_result(void) { @@ -50,8 +60,8 @@ mbedtls_test_result_t mbedtls_test_get_result(void) return result; } -static void mbedtls_test_set_result(mbedtls_test_result_t result, const char *test, - int line_no, const char *filename) +static void mbedtls_test_set_result_internal(mbedtls_test_result_t result, const char *test, + int line_no, const char *filename) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -144,7 +154,7 @@ unsigned long mbedtls_test_get_step(void) return step; } -static void mbedtls_test_reset_step(void) +static void mbedtls_test_reset_step_internal(void) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -178,7 +188,7 @@ void mbedtls_test_get_line1(char *line) #endif /* MBEDTLS_THREADING_C */ } -static void mbedtls_test_set_line1(const char *line) +static void mbedtls_test_set_line1_internal(const char *line) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -203,7 +213,7 @@ void mbedtls_test_get_line2(char *line) #endif /* MBEDTLS_THREADING_C */ } -static void mbedtls_test_set_line2(const char *line) +static void mbedtls_test_set_line2_internal(const char *line) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -255,7 +265,7 @@ unsigned mbedtls_test_get_case_uses_negative_0(void) return test_case_uses_negative_0; } -static void mbedtls_test_set_case_uses_negative_0(unsigned uses) +static void mbedtls_test_set_case_uses_negative_0_internal(unsigned uses) { /* Internal function only - mbedtls_test_info_mutex should be held prior * to calling this function. */ @@ -350,7 +360,7 @@ static void mbedtls_test_fail_internal(const char *test, int line_no, const char if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) { /* If we have already recorded the test as having failed then don't * overwrite any previous information about the failure. */ - mbedtls_test_set_result(MBEDTLS_TEST_RESULT_FAILED, test, line_no, filename); + mbedtls_test_set_result_internal(MBEDTLS_TEST_RESULT_FAILED, test, line_no, filename); } } @@ -373,7 +383,7 @@ void mbedtls_test_skip(const char *test, int line_no, const char *filename) mbedtls_mutex_lock(&mbedtls_test_info_mutex); #endif /* MBEDTLS_THREADING_C */ - mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SKIPPED, test, line_no, filename); + mbedtls_test_set_result_internal(MBEDTLS_TEST_RESULT_SKIPPED, test, line_no, filename); #ifdef MBEDTLS_THREADING_C mbedtls_mutex_unlock(&mbedtls_test_info_mutex); @@ -386,13 +396,13 @@ void mbedtls_test_info_reset(void) mbedtls_mutex_lock(&mbedtls_test_info_mutex); #endif /* MBEDTLS_THREADING_C */ - mbedtls_test_set_result(MBEDTLS_TEST_RESULT_SUCCESS, 0, 0, 0); - mbedtls_test_reset_step(); - mbedtls_test_set_line1(NULL); - mbedtls_test_set_line2(NULL); + mbedtls_test_set_result_internal(MBEDTLS_TEST_RESULT_SUCCESS, 0, 0, 0); + mbedtls_test_reset_step_internal(); + mbedtls_test_set_line1_internal(NULL); + mbedtls_test_set_line2_internal(NULL); #if defined(MBEDTLS_BIGNUM_C) - mbedtls_test_set_case_uses_negative_0(0); + mbedtls_test_set_case_uses_negative_0_internal(0); #endif #ifdef MBEDTLS_THREADING_C @@ -424,11 +434,11 @@ int mbedtls_test_equal(const char *test, int line_no, const char *filename, (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %lld", value1, (long long) value1); - mbedtls_test_set_line1(buf); + mbedtls_test_set_line1_internal(buf); (void) mbedtls_snprintf(buf, sizeof(buf), "rhs = 0x%016llx = %lld", value2, (long long) value2); - mbedtls_test_set_line2(buf); + mbedtls_test_set_line2_internal(buf); } #ifdef MBEDTLS_THREADING_C @@ -462,11 +472,11 @@ int mbedtls_test_le_u(const char *test, int line_no, const char *filename, (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %llu", value1, value1); - mbedtls_test_set_line1(buf); + mbedtls_test_set_line1_internal(buf); (void) mbedtls_snprintf(buf, sizeof(buf), "rhs = 0x%016llx = %llu", value2, value2); - mbedtls_test_set_line2(buf); + mbedtls_test_set_line2_internal(buf); } #ifdef MBEDTLS_THREADING_C @@ -500,11 +510,11 @@ int mbedtls_test_le_s(const char *test, int line_no, const char *filename, (void) mbedtls_snprintf(buf, sizeof(buf), "lhs = 0x%016llx = %lld", (unsigned long long) value1, value1); - mbedtls_test_set_line1(buf); + mbedtls_test_set_line1_internal(buf); (void) mbedtls_snprintf(buf, sizeof(buf), "rhs = 0x%016llx = %lld", (unsigned long long) value2, value2); - mbedtls_test_set_line2(buf); + mbedtls_test_set_line2_internal(buf); } #ifdef MBEDTLS_THREADING_C -- cgit v1.1 From 114ed5ef1ee57f881d208f3f69772225c54a6f4b Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 13 Feb 2024 15:35:14 +0000 Subject: Fix missing mutex lock for mutex usage error Although this can only be read in a situation where threads should have already stopped, best to fix this as its public. Signed-off-by: Paul Elliott --- tests/src/helpers.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 9053aac..8e1d564 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -229,7 +229,19 @@ static void mbedtls_test_set_line2_internal(const char *line) #if defined(MBEDTLS_TEST_MUTEX_USAGE) const char *mbedtls_test_get_mutex_usage_error(void) { - return mbedtls_test_info.mutex_usage_error; + const char *usage_error; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_lock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + usage_error = mbedtls_test_info.mutex_usage_error; + +#ifdef MBEDTLS_THREADING_C + mbedtls_mutex_unlock(&mbedtls_test_info_mutex); +#endif /* MBEDTLS_THREADING_C */ + + return usage_error; } void mbedtls_test_set_mutex_usage_error(const char *msg) -- cgit v1.1 From ba536dc1dbd74d9d8870a4f874bf82e92859559e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 13 Feb 2024 15:36:47 +0000 Subject: Lock test mutex before doing mutex usage check Although this again should only happen post all threads stopping, guard this just in case things change. Signed-off-by: Paul Elliott --- tests/src/threading_helpers.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c index ff0c712..5eac029 100644 --- a/tests/src/threading_helpers.c +++ b/tests/src/threading_helpers.c @@ -317,22 +317,26 @@ void mbedtls_test_mutex_usage_init(void) void mbedtls_test_mutex_usage_check(void) { - if (live_mutexes != 0) { - /* A positive number (more init than free) means that a mutex resource - * is leaking (on platforms where a mutex consumes more than the - * mbedtls_threading_mutex_t object itself). The rare case of a - * negative number means a missing init somewhere. */ - mbedtls_fprintf(stdout, "[mutex: %d leaked] ", live_mutexes); - live_mutexes = 0; - mbedtls_test_set_mutex_usage_error("missing free"); - } - if (mbedtls_test_get_mutex_usage_error() != NULL && - mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_FAILED) { - /* Functionally, the test passed. But there was a mutex usage error, - * so mark the test as failed after all. */ - mbedtls_test_fail("Mutex usage error", __LINE__, __FILE__); + if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) { + if (live_mutexes != 0) { + /* A positive number (more init than free) means that a mutex resource + * is leaking (on platforms where a mutex consumes more than the + * mbedtls_threading_mutex_t object itself). The rare case of a + * negative number means a missing init somewhere. */ + mbedtls_fprintf(stdout, "[mutex: %d leaked] ", live_mutexes); + live_mutexes = 0; + mbedtls_test_set_mutex_usage_error("missing free"); + } + if (mbedtls_test_get_mutex_usage_error() != NULL && + mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_FAILED) { + /* Functionally, the test passed. But there was a mutex usage error, + * so mark the test as failed after all. */ + mbedtls_test_fail("Mutex usage error", __LINE__, __FILE__); + } + mbedtls_test_set_mutex_usage_error(NULL); + + mutex_functions.unlock(&mbedtls_test_mutex_mutex); } - mbedtls_test_set_mutex_usage_error(NULL); } void mbedtls_test_mutex_usage_end(void) -- cgit v1.1 From 90dbba5385f7e0eafa23648fd7aed2de9b524c4f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 15 Feb 2024 14:39:48 +0000 Subject: Improve output from make/cmake wrapper Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 25 ++++++++++++++++++++++--- tests/scripts/quiet/make | 25 ++++++++++++++++++++++--- 2 files changed, 44 insertions(+), 6 deletions(-) diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index 2e95c6b..e3114a8 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -18,13 +18,32 @@ TOOL=$(basename "$0") # Locate original tool ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) +quote_args() { + # similar to printf '%q' "$@" + # but produce more human-readable results for common/simple cases like "a b" + local args=("$@") + s="" + for a in "${args[@]}"; do + simple_pattern='^[[:alnum:] _=+-]*$' + if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then + # a has spaces, but no other special characters that need escaping + # (quoting after removing spaces yields no backslashes) + # simplify quoted form to "$a" - e.g. yield "a b c" instead of a\ b\ c + q="\"$a\"" + else + # get bash to do the quoting + q=$(printf '%q' "$a") + fi + s="$s $q" + done + echo $s +} + if [[ ! " $@ " =~ " --version " ]]; then # Display the command being invoked - if it succeeds, this is all that will # be displayed. Don't do this for invocations with --version, because # this output is often parsed by scripts, so we don't want to modify it. - echo -n "${TOOL} " - printf '%q ' "$@" - echo + echo "${TOOL} $(quote_args "$@")" fi if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index 0c48696..257703e 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -18,13 +18,32 @@ TOOL=$(basename "$0") # Locate original tool ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) +quote_args() { + # similar to printf '%q' "$@" + # but produce more human-readable results for common/simple cases like "a b" + local args=("$@") + s="" + for a in "${args[@]}"; do + simple_pattern='^[[:alnum:] _=+-]*$' + if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then + # a has spaces, but no other special characters that need escaping + # (quoting after removing spaces yields no backslashes) + # simplify quoted form to "$a" - e.g. yield "a b c" instead of a\ b\ c + q="\"$a\"" + else + # get bash to do the quoting + q=$(printf '%q' "$a") + fi + s="$s $q" + done + echo $s +} + if [[ ! " $@ " =~ " --version " ]]; then # Display the command being invoked - if it succeeds, this is all that will # be displayed. Don't do this for invocations with --version, because # this output is often parsed by scripts, so we don't want to modify it. - echo -n "${TOOL} " - printf '%q ' "$@" - echo + echo "${TOOL} $(quote_args "$@")" fi if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then -- cgit v1.1 From 93ecbef6a89464e62c3225f423667e9541a48f22 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 14 Feb 2024 11:44:48 +0100 Subject: pk_wrap: set proper PSA algin rsa wrappers based on padding mode set in RSA context Signed-off-by: Valerio Setti --- library/pk_wrap.c | 50 ++++++++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 20 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 69e1baf..b472cfb 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -74,8 +74,7 @@ static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, int key_len; unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES]; unsigned char *p = buf + sizeof(buf); - psa_algorithm_t psa_alg_md = - PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg)); + psa_algorithm_t psa_alg_md; size_t rsa_len = mbedtls_rsa_get_len(rsa); #if SIZE_MAX > UINT_MAX @@ -84,6 +83,12 @@ static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, } #endif + if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) { + psa_alg_md = PSA_ALG_RSA_PSS(mbedtls_md_psa_alg_from_type(md_alg)); + } else { + psa_alg_md = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg)); + } + if (sig_len < rsa_len) { return MBEDTLS_ERR_RSA_VERIFY_FAILED; } @@ -235,10 +240,14 @@ static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, if (psa_md_alg == 0) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } + psa_algorithm_t psa_alg; + if (mbedtls_rsa_get_padding_mode(mbedtls_pk_rsa(*pk)) == MBEDTLS_RSA_PKCS_V21) { + psa_alg = PSA_ALG_RSA_PSS(psa_md_alg); + } else { + psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg); + } - return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PKCS1V15_SIGN( - psa_md_alg), - pk->pk_ctx, hash, hash_len, + return mbedtls_pk_psa_rsa_sign_ext(psa_alg, pk->pk_ctx, hash, hash_len, sig, sig_size, sig_len); } #else /* MBEDTLS_USE_PSA_CRYPTO */ @@ -276,6 +285,7 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_algorithm_t psa_md_alg, decrypt_alg; psa_status_t status; int key_len; unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; @@ -284,12 +294,6 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, ((void) f_rng); ((void) p_rng); -#if !defined(MBEDTLS_RSA_ALT) - if (rsa->padding != MBEDTLS_RSA_PKCS_V15) { - return MBEDTLS_ERR_RSA_INVALID_PADDING; - } -#endif /* !MBEDTLS_RSA_ALT */ - if (ilen != mbedtls_rsa_get_len(rsa)) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } @@ -301,7 +305,13 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); - psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT); + if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) { + psa_md_alg = mbedtls_md_psa_alg_from_type(mbedtls_rsa_get_md_alg(rsa)); + decrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg); + } else { + decrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT; + } + psa_set_key_algorithm(&attributes, decrypt_alg); status = psa_import_key(&attributes, buf + sizeof(buf) - key_len, key_len, @@ -311,7 +321,7 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, goto cleanup; } - status = psa_asymmetric_decrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT, + status = psa_asymmetric_decrypt(key_id, decrypt_alg, input, ilen, NULL, 0, output, osize, olen); @@ -358,6 +368,7 @@ static int rsa_encrypt_wrap(mbedtls_pk_context *pk, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_algorithm_t psa_md_alg; psa_status_t status; int key_len; unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES]; @@ -366,12 +377,6 @@ static int rsa_encrypt_wrap(mbedtls_pk_context *pk, ((void) f_rng); ((void) p_rng); -#if !defined(MBEDTLS_RSA_ALT) - if (rsa->padding != MBEDTLS_RSA_PKCS_V15) { - return MBEDTLS_ERR_RSA_INVALID_PADDING; - } -#endif - if (mbedtls_rsa_get_len(rsa) > osize) { return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; } @@ -382,7 +387,12 @@ static int rsa_encrypt_wrap(mbedtls_pk_context *pk, } psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); - psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT); + if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) { + psa_md_alg = mbedtls_md_psa_alg_from_type(mbedtls_rsa_get_md_alg(rsa)); + psa_set_key_algorithm(&attributes, PSA_ALG_RSA_OAEP(psa_md_alg)); + } else { + psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT); + } psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY); status = psa_import_key(&attributes, -- cgit v1.1 From 1110698ed9b59bf3ff3e0c5da3c189262f626b37 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 15 Feb 2024 16:04:36 +0000 Subject: Improve quote_args output readability Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 8 +++++--- tests/scripts/quiet/make | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index e3114a8..a79d757 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -24,12 +24,14 @@ quote_args() { local args=("$@") s="" for a in "${args[@]}"; do - simple_pattern='^[[:alnum:] _=+-]*$' + simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-]*)$' if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then # a has spaces, but no other special characters that need escaping # (quoting after removing spaces yields no backslashes) - # simplify quoted form to "$a" - e.g. yield "a b c" instead of a\ b\ c - q="\"$a\"" + # simplify quoted form - e.g.: + # a b -> "a b" + # CFLAGS=a b -> CFLAGS="a b" + q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" else # get bash to do the quoting q=$(printf '%q' "$a") diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index 257703e..9722029 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -24,12 +24,14 @@ quote_args() { local args=("$@") s="" for a in "${args[@]}"; do - simple_pattern='^[[:alnum:] _=+-]*$' + simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-]*)$' if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then # a has spaces, but no other special characters that need escaping # (quoting after removing spaces yields no backslashes) - # simplify quoted form to "$a" - e.g. yield "a b c" instead of a\ b\ c - q="\"$a\"" + # simplify quoted form - e.g.: + # a b -> "a b" + # CFLAGS=a b -> CFLAGS="a b" + q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" else # get bash to do the quoting q=$(printf '%q' "$a") -- cgit v1.1 From d6fc3501c07f3c0f1704eed372fb09806266ca9b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 13:53:03 +0100 Subject: Test mbedtls_pk_import_into_psa with different bits This was only tested with opaque keys. Since the code paths are different depending on the PK type, we also need to test RSA and ECKEY. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.data | 85 +++++++++++++++++++++++++++++-------- tests/suites/test_suite_pk.function | 24 ++++++++++- 2 files changed, 91 insertions(+), 18 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index df665d0..503d0bc 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -1127,71 +1127,122 @@ pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):2 PSA import into PSA: RSA pair to ECC (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: RSA public to RSA pair (bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_RSA_BAD_INPUT_DATA +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +# MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation +# of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably +# be more appropriate. (Applies to all the RSA "different bits" test cases.) +PSA import into PSA: RSA pair to different bits (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:MBEDTLS_ERR_PK_INVALID_ALG + +PSA import into PSA: RSA public to different bits (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:MBEDTLS_ERR_PK_INVALID_ALG + +PSA import into PSA: RSA private to public, different bits (bad) +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: ECKEY pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY pair to public, different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH pair to public, different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA pair to public, different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY public to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH public to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA public to different curve (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY pair to different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH pair to different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA pair to different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY public to different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH public to different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA public to different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY private to public, different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECKEY_DH private to public, different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH + +PSA import into PSA: ECDSA private to public, different bits (bad) +depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY public to pair (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECKEY_DH public to pair (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE -pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: ECDSA public to pair (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME -pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque RSA, COPY (ok) depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 52d0f68..4ea7a70 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -133,6 +133,23 @@ #define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES #endif +/* Pick a second bit-size, for tests that need two supported curves of the + * same family. For simplicity, we only handle a subset of configurations, + * and both curves will support both ECDH and ECDSA. */ +#if defined(PSA_WANT_ECC_SECP_R1_192) && defined(PSA_WANT_ECC_SECP_R1_256) +/* Identical redefinition of the ONE macros, to confirm that they have + * the values we expect here. */ +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 256 +#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_R1_384) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 384 +#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS +#endif + #endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */ /* Always define the macros so that we can use them in test data. */ @@ -144,6 +161,9 @@ #if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY) #define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY 0 #endif +#if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS) +#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 0 +#endif #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) @@ -2019,13 +2039,14 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ void pk_import_into_psa_fail(int pk_type, int from_pair, - int type_arg, + int type_arg, int bits_arg, int expected_ret) { mbedtls_pk_context pk; mbedtls_pk_init(&pk); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_type_t type = type_arg; + size_t bits = bits_arg; mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(0, 42); PSA_INIT(); @@ -2035,6 +2056,7 @@ void pk_import_into_psa_fail(int pk_type, int from_pair, &pk, &expected_psa_type), 0); psa_set_key_type(&attributes, type); + psa_set_key_bits(&attributes, bits); TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), expected_ret); -- cgit v1.1 From 4da1f01f8853b79af861624e384bd08e48945020 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 15:32:12 +0100 Subject: Fix copypasta Signed-off-by: Gilles Peskine --- include/psa/crypto_values.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index f311acb..1d678db 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -413,7 +413,7 @@ ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) /** The public key type corresponding to a key pair type. * - * You may also pass a key pair type as \p type, it will be left unchanged. + * You may also pass a public key type as \p type, it will be left unchanged. * * \param type A public key type or key pair type. * -- cgit v1.1 From 5fbd27055d15c8ac234a229389ff4e31977487a0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 14 Feb 2024 10:03:36 +0100 Subject: tls13: Use a flag not a counter for CCS and HRR handling Signed-off-by: Ronald Cron --- library/ssl_misc.h | 17 +++++++++++------ library/ssl_tls13_client.c | 8 ++++---- library/ssl_tls13_generic.c | 4 ++-- library/ssl_tls13_server.c | 6 +++--- tests/suites/test_suite_ssl.function | 10 +++++----- 5 files changed, 25 insertions(+), 20 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 942d4ad..30113d3 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -730,16 +730,21 @@ struct mbedtls_ssl_handshake_params { #if defined(MBEDTLS_SSL_PROTO_TLS1_3) uint8_t key_exchange_mode; /*!< Selected key exchange mode */ - /** Number of HelloRetryRequest messages received/sent from/to the server. */ - uint8_t hello_retry_request_count; + /** + * Flag indicating if, in the course of the current handshake, an + * HelloRetryRequest message has been sent by the server or received by + * the client (<> 0) or not (0). + */ + uint8_t hello_retry_request_flag; #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) /** - * Number of dummy change_cipher_spec (CCS) record sent. Used to send only - * one CCS per handshake without having to complicate the handshake state - * transitions. + * Flag indicating if, in the course of the current handshake, a dummy + * change_cipher_spec (CCS) record has already been sent. Used to send only + * one CCS per handshake while not complicating the handshake state + * transitions for that purpose. */ - uint8_t ccs_count; + uint8_t ccs_sent; #endif #if defined(MBEDTLS_SSL_SRV_C) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index cedebad..a055d4d 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1180,7 +1180,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->handshake->hello_retry_request_count == 0) { + if (!ssl->handshake->hello_retry_request_flag) { if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) && ssl_tls13_early_data_has_valid_ticket(ssl) && ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) { @@ -1497,7 +1497,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl, * to a HelloRetryRequest), it MUST abort the handshake with an * "unexpected_message" alert. */ - if (handshake->hello_retry_request_count > 0) { + if (handshake->hello_retry_request_flag) { MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received")); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, @@ -1519,7 +1519,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } - handshake->hello_retry_request_count++; + handshake->hello_retry_request_flag = 1; break; } @@ -1674,7 +1674,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl, * proposed in the HRR, we abort the handshake and send an * "illegal_parameter" alert. */ - else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) && + else if ((!is_hrr) && handshake->hello_retry_request_flag && (cipher_suite != ssl->session_negotiate->ciphersuite)) { fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index c6bb770..3e6d8d0 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1380,7 +1380,7 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec")); /* Only one CCS to send. */ - if (ssl->handshake->ccs_count > 0) { + if (ssl->handshake->ccs_sent) { ret = 0; goto cleanup; } @@ -1396,7 +1396,7 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl) /* Dispatch message */ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0)); - ssl->handshake->ccs_count++; + ssl->handshake->ccs_sent = 1; cleanup: diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index f9f3cc5..b9f8870 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1535,7 +1535,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, const unsigned char *extension_data_end; uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH; - if (ssl->handshake->hello_retry_request_count > 0) { + if (ssl->handshake->hello_retry_request_flag) { /* Do not accept early data extension in 2nd ClientHello */ allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA); } @@ -2431,7 +2431,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (ssl->handshake->hello_retry_request_count > 0) { + if (ssl->handshake->hello_retry_request_flag) { MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs")); MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); @@ -2478,7 +2478,7 @@ static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len, msg_len)); - ssl->handshake->hello_retry_request_count++; + ssl->handshake->hello_retry_request_flag = 1; #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) /* The server sends a dummy change_cipher_spec record immediately diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d6a0d74..35eef69 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3903,7 +3903,7 @@ void tls13_cli_early_data_status(int scenario) break; case TEST_EARLY_DATA_HRR: - if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + if (!client_ep.ssl.handshake->hello_retry_request_flag) { TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN); } else { @@ -3928,7 +3928,7 @@ void tls13_cli_early_data_status(int scenario) break; case TEST_EARLY_DATA_HRR: - if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + if (!client_ep.ssl.handshake->hello_retry_request_flag) { TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE); } else { @@ -4089,7 +4089,7 @@ void tls13_cli_early_data_status(int scenario) } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER); #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) - TEST_EQUAL(client_ep.ssl.handshake->ccs_count, 1); + TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1); #endif exit: @@ -4248,7 +4248,7 @@ void tls13_write_early_data(int scenario) break; case TEST_EARLY_DATA_HRR: - if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + if (!client_ep.ssl.handshake->hello_retry_request_flag) { TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); } else { @@ -4270,7 +4270,7 @@ void tls13_write_early_data(int scenario) break; case TEST_EARLY_DATA_HRR: - if (client_ep.ssl.handshake->hello_retry_request_count == 0) { + if (!client_ep.ssl.handshake->hello_retry_request_flag) { TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); } else { -- cgit v1.1 From 84dfbf488acca39c08e9e74ee029b47678800646 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 14 Feb 2024 10:38:09 +0100 Subject: tls13: client: Add comment about early data in 2nd ClientHello Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index a055d4d..215c647 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1180,6 +1180,14 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_SSL_EARLY_DATA) + /* In the first ClientHello, write the early data indication extension if + * necessary and update the early data status. + * If an HRR has been received and thus we are currently writing the + * second ClientHello, the second ClientHello must not contain an early + * data extension and the early data status must stay as it is: + * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT or + * MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED. + */ if (!ssl->handshake->hello_retry_request_flag) { if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) && ssl_tls13_early_data_has_valid_ticket(ssl) && -- cgit v1.1 From b9a9b1f5a5a08d5ad9f4f72a80bc4087c1003f1e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 14 Feb 2024 11:28:05 +0100 Subject: tls13: Fix/Improve comments Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 30 +++++++++++++++--------------- library/ssl_misc.h | 28 ++++++++++++++-------------- tests/include/test/ssl_helpers.h | 4 +--- 3 files changed, 30 insertions(+), 32 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 9583a15..7299bbb 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1657,31 +1657,31 @@ struct mbedtls_ssl_context { #endif /* MBEDTLS_SSL_RENEGOTIATION */ /** - * Maximum TLS version to be negotiated, then negotiated TLS version. + * Maximum TLS version to be negotiated, then negotiated TLS version. * - * It is initialized as the configured maximum TLS version to be - * negotiated by mbedtls_ssl_setup(). + * It is initialized as the configured maximum TLS version to be + * negotiated by mbedtls_ssl_setup(). * - * When renegotiating or resuming a session, it is overwritten in the - * ClientHello writing preparation stage with the previously negotiated - * TLS version. + * When renegotiating or resuming a session, it is overwritten in the + * ClientHello writing preparation stage with the previously negotiated + * TLS version. * - * On client side, it is updated to the TLS version selected by the server - * for the handshake when the ServerHello is received. + * On client side, it is updated to the TLS version selected by the server + * for the handshake when the ServerHello is received. * - * On server side, it is updated to the TLS version the server selects for - * the handshake when the ClientHello is received. + * On server side, it is updated to the TLS version the server selects for + * the handshake when the ClientHello is received. */ mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version); #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) /** - * Status of the negotiation of the use of early data. - * See the documentation of mbedtls_ssl_get_early_data_status() for more - * information. + * Status of the negotiation of the use of early data. + * See the documentation of mbedtls_ssl_get_early_data_status() for more + * information. * - * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT when the context is - * reset. + * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN when the context is + * reset. */ int MBEDTLS_PRIVATE(early_data_status); #endif diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 30113d3..bccfbb2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -665,21 +665,21 @@ struct mbedtls_ssl_handshake_params { #if defined(MBEDTLS_SSL_CLI_C) /** Minimum TLS version to be negotiated. * - * It is set up in the ClientHello writing preparation stage and used - * throughout the ClientHello writing. Not relevant anymore as soon as - * the protocol version has been negotiated thus as soon as the - * ServerHello is received. - * For a fresh handshake not linked to any previous handshake, it is - * equal to the configured minimum minor version to be negotiated. When - * renegotiating or resuming a session, it is equal to the previously - * negotiated minor version. + * It is set up in the ClientHello writing preparation stage and used + * throughout the ClientHello writing. Not relevant anymore as soon as + * the protocol version has been negotiated thus as soon as the + * ServerHello is received. + * For a fresh handshake not linked to any previous handshake, it is + * equal to the configured minimum minor version to be negotiated. When + * renegotiating or resuming a session, it is equal to the previously + * negotiated minor version. * - * There is no maximum TLS version field in this handshake context. - * From the start of the handshake, we need to define a current protocol - * version for the record layer which we define as the maximum TLS - * version to be negotiated. The `tls_version` field of the SSL context is - * used to store this maximum value until it contains the actual - * negotiated value. + * There is no maximum TLS version field in this handshake context. + * From the start of the handshake, we need to define a current protocol + * version for the record layer which we define as the maximum TLS + * version to be negotiated. The `tls_version` field of the SSL context is + * used to store this maximum value until it contains the actual + * negotiated value. */ mbedtls_ssl_protocol_version min_tls_version; #endif diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 3506609..29f3b7c 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -607,9 +607,7 @@ int mbedtls_test_get_tls13_ticket( mbedtls_test_handshake_test_options *client_options, mbedtls_test_handshake_test_options *server_options, mbedtls_ssl_session *session); -#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SRV_C && - MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS && - MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +#endif #define ECJPAKE_TEST_PWD "bla" -- cgit v1.1 From d6d32b9210153862daf54f259c1eea62a65f36e5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 14 Feb 2024 12:01:50 +0100 Subject: tls13: Improve declaration and doc of early data status Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 59 ++++++++++++++++++++++++++++++++++++--------- library/ssl_debug_helpers.h | 4 +++ library/ssl_misc.h | 32 ------------------------ 3 files changed, 52 insertions(+), 43 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7299bbb..6727419 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -734,6 +734,51 @@ typedef enum { } mbedtls_ssl_states; +/* + * Early data status, client side only. + */ + +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) +typedef enum { +/* + * The client has not sent the first ClientHello yet, it is unknown if the + * client will send an early data indication extension or not. + */ + MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN, + +/* + * See documentation of mbedtls_ssl_get_early_data_status(). + */ + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT, + MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED, + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED, + +/* + * The client has sent an early data indication extension in its first + * ClientHello, it has not received the response (ServerHello or + * HelloRetryRequest) from the server yet. The transform to protect early data + * is not set and early data cannot be sent yet. + */ + MBEDTLS_SSL_EARLY_DATA_STATUS_SENT, + +/* + * The client has sent an early data indication extension in its first + * ClientHello, it has not received the response (ServerHello or + * HelloRetryRequest) from the server yet. The transform to protect early data + * has been set and early data can be written now. + */ + MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE, + +/* + * The client has sent an early data indication extension in its first + * ClientHello, the server has accepted them and the client has received the + * server Finished message. It cannot send early data to the server anymore. + */ + MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED, +} mbedtls_ssl_early_data_status; + +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ + /** * \brief Callback type: send data on the network. * @@ -1676,14 +1721,10 @@ struct mbedtls_ssl_context { #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) /** - * Status of the negotiation of the use of early data. - * See the documentation of mbedtls_ssl_get_early_data_status() for more - * information. - * - * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN when the context is - * reset. + * Status of the negotiation of the use of early data. Reset to + * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN when the context is reset. */ - int MBEDTLS_PRIVATE(early_data_status); + mbedtls_ssl_early_data_status MBEDTLS_PRIVATE(early_data_status); #endif unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */ @@ -5106,10 +5147,6 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); #if defined(MBEDTLS_SSL_EARLY_DATA) -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 2 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 3 - #if defined(MBEDTLS_SSL_SRV_C) /** * \brief Read at most 'len' bytes of early data diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 2b0e737..a8e3140 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -21,6 +21,10 @@ const char *mbedtls_ssl_states_str(mbedtls_ssl_states in); +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) +const char *mbedtls_ssl_early_data_status_str(mbedtls_ssl_early_data_status in); +#endif + const char *mbedtls_ssl_protocol_version_str(mbedtls_ssl_protocol_version in); const char *mbedtls_tls_prf_types_str(mbedtls_tls_prf_types in); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index bccfbb2..d8844fc 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2150,38 +2150,6 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, size_t *out_len); - -#if defined(MBEDTLS_SSL_CLI_C) -/* - * The client has not sent the first ClientHello yet, it is unknown if the - * client will send an early data indication extension or not. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 - -/* - * The client has sent an early data indication extension in its first - * ClientHello, it has not received the response (ServerHello or - * HelloRetryRequest) from the server yet. The transform to protect early data - * is not set and early data cannot be sent yet. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_SENT 4 - -/* - * The client has sent an early data indication extension in its first - * ClientHello, it has not received the response (ServerHello or - * HelloRetryRequest) from the server yet. The transform to protect early data - * has been set and early data can be written now. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE 5 - -/* - * The client has sent an early data indication extension in its first - * ClientHello, the server has accepted them and the client has received the - * server Finished message. It cannot send early data to the server anymore. - */ -#define MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED 6 -#endif /* MBEDTLS_SSL_CLI_C */ - #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -- cgit v1.1 From 24da9917a6f57713be8e930a4d21a618c7fed733 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 15 Feb 2024 16:13:44 +0100 Subject: tests: ssl: early data: Add systematic default case in scenario switches In TLS 1.3 early data tests, to reduce the risk of not updating a switch over possible scenarios when adding a new scenario, add systematically a default case that fails the test. Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 53 ++++++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 35eef69..eb5fc12 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3772,6 +3772,9 @@ void tls13_early_data(int scenario) TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); TEST_EQUAL(server_pattern.counter, 1); break; + + default: + TEST_FAIL("Unknown scenario."); } TEST_EQUAL(mbedtls_test_move_handshake_to_state( @@ -3911,6 +3914,9 @@ void tls13_cli_early_data_status(int scenario) MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); } break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -3936,6 +3942,9 @@ void tls13_cli_early_data_status(int scenario) MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); } break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -3956,6 +3965,9 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -3976,6 +3988,9 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4002,6 +4017,9 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4022,12 +4040,14 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; + + default: + TEST_FAIL("Unknown scenario."); } break; #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: - TEST_ASSERT(scenario != TEST_EARLY_DATA_NO_INDICATION_SENT); switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ @@ -4035,6 +4055,9 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_SENT); break; + + default: + TEST_FAIL("Unexpected or unknown scenario."); } break; @@ -4045,7 +4068,6 @@ void tls13_cli_early_data_status(int scenario) break; case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: - TEST_ASSERT(scenario != TEST_EARLY_DATA_ACCEPTED); switch (scenario) { case TEST_EARLY_DATA_NO_INDICATION_SENT: TEST_EQUAL(client_ep.ssl.early_data_status, @@ -4057,6 +4079,9 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; + + default: + TEST_FAIL("Unexpected or unknown scenario."); } break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ @@ -4080,6 +4105,9 @@ void tls13_cli_early_data_status(int scenario) TEST_EQUAL(client_ep.ssl.early_data_status, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4236,6 +4264,7 @@ void tls13_write_early_data(int scenario) if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) { TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, client_state); + goto reset; } switch (client_state) { @@ -4258,6 +4287,9 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_HELLO); } break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4279,6 +4311,9 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); } break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4294,6 +4329,9 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4313,6 +4351,9 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); break; + + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4331,6 +4372,8 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, early_data_len); TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); break; + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4341,7 +4384,6 @@ void tls13_write_early_data(int scenario) break; case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: - TEST_ASSERT(scenario != TEST_EARLY_DATA_ACCEPTED); switch (scenario) { case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ case TEST_EARLY_DATA_HRR: @@ -4350,6 +4392,8 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); break; + default: + TEST_FAIL("Unexpected or unknown scenario."); } break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ @@ -4366,6 +4410,8 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, client_state); break; + default: + TEST_FAIL("Unknown scenario."); } break; @@ -4373,6 +4419,7 @@ void tls13_write_early_data(int scenario) TEST_FAIL("Unexpected state."); } +reset: mbedtls_test_mock_socket_close(&(client_ep.socket)); mbedtls_test_mock_socket_close(&(server_ep.socket)); -- cgit v1.1 From 6fe8a06f7eae94789d6de9813b1c9cfd0792a8eb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 17:21:17 +0100 Subject: New test helper: mbedtls_test_key_consistency_psa_pk Test that a PK key and a PSA key are consistent, i.e. that they have the same type (or are a key pair and the corresponding public key) and that they have the same public key. Signed-off-by: Gilles Peskine --- tests/include/test/psa_exercise_key.h | 21 +++++++ tests/src/psa_exercise_key.c | 103 ++++++++++++++++++++++++++++++++++ 2 files changed, 124 insertions(+) diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h index 7d51a4c..44f5c08 100644 --- a/tests/include/test/psa_exercise_key.h +++ b/tests/include/test/psa_exercise_key.h @@ -14,6 +14,10 @@ #include +#if defined(MBEDTLS_PK_C) +#include +#endif + /** \def KNOWN_SUPPORTED_HASH_ALG * * A hash algorithm that is known to be supported. @@ -237,4 +241,21 @@ psa_key_usage_t mbedtls_test_psa_usage_to_exercise(psa_key_type_t type, */ int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg); +#if defined(MBEDTLS_PK_C) +/** PK-PSA key consistency test. + * + * This function tests that the pk context and the PSA key are + * consistent. At a minimum: + * + * - The two objects must contain keys of the same type, + * or a key pair and a public key of the matching type. + * - The two objects must have the same public key. + * + * \retval 0 The key failed the consistency tests. + * \retval 1 The key passed the consistency tests. + */ +int mbedtls_test_key_consistency_psa_pk(mbedtls_svc_key_id_t psa_key, + const mbedtls_pk_context *pk); +#endif /* MBEDTLS_PK_C */ + #endif /* PSA_EXERCISE_KEY_H */ diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 80419d1..7b81052 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -20,6 +20,16 @@ #include #include +#if defined(MBEDTLS_PK_C) +#include +#endif +#if defined(MBEDTLS_ECP_C) +#include +#endif +#if defined(MBEDTLS_RSA_C) +#include +#endif + #if defined(MBEDTLS_PSA_CRYPTO_SE_C) static int lifetime_is_dynamic_secure_element(psa_key_lifetime_t lifetime) { @@ -1054,4 +1064,97 @@ int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg) return 1; } +#if defined(MBEDTLS_PK_C) +int mbedtls_test_key_consistency_psa_pk(mbedtls_svc_key_id_t psa_key, + const mbedtls_pk_context *pk) +{ + psa_key_attributes_t psa_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_attributes_t pk_attributes = PSA_KEY_ATTRIBUTES_INIT; + int ok = 0; + + PSA_ASSERT(psa_get_key_attributes(psa_key, &psa_attributes)); + psa_key_type_t psa_type = psa_get_key_type(&psa_attributes); + mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk); + + TEST_ASSERT(PSA_KEY_TYPE_IS_PUBLIC_KEY(psa_type) || + PSA_KEY_TYPE_IS_KEY_PAIR(psa_type)); + TEST_EQUAL(psa_get_key_bits(&psa_attributes), mbedtls_pk_get_bitlen(pk)); + + uint8_t pk_public_buffer[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; + const uint8_t *pk_public = NULL; + size_t pk_public_length = 0; + + switch (pk_type) { +#if defined(MBEDTLS_RSA_C) + case MBEDTLS_PK_RSA: + TEST_ASSERT(PSA_KEY_TYPE_IS_RSA(psa_type)); + const mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); + uint8_t *const end = pk_public_buffer + sizeof(pk_public_buffer); + uint8_t *cursor = end; + TEST_LE_U(1, mbedtls_rsa_write_pubkey(rsa, + pk_public_buffer, &cursor)); + pk_public = cursor; + pk_public_length = end - pk_public; + break; +#endif + +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(psa_type)); + TEST_EQUAL(PSA_KEY_TYPE_ECC_GET_FAMILY(psa_type), pk->ec_family); + pk_public = pk->pub_raw; + pk_public_length = pk->pub_raw_len; + break; +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ + +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA) + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(psa_get_key_type(&psa_attributes))); + const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk); + TEST_EQUAL(mbedtls_ecp_write_public_key( + ec, MBEDTLS_ECP_PF_UNCOMPRESSED, &pk_public_length, + pk_public_buffer, sizeof(pk_public_buffer)), 0); + pk_public = pk_public_buffer; + break; +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_PK_USE_PSA_EC_DATA */ + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + case MBEDTLS_PK_OPAQUE: + PSA_ASSERT(psa_get_key_attributes(pk->priv_id, &pk_attributes)); + psa_key_type_t pk_psa_type = psa_get_key_type(&pk_attributes); + TEST_EQUAL(PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(psa_type), + PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(pk_psa_type)); + PSA_ASSERT(psa_export_public_key(psa_key, + pk_public_buffer, + sizeof(pk_public_buffer), + &pk_public_length)); + pk_public = pk_public_buffer; + break; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + default: + TEST_FAIL("pk type not supported"); + } + + uint8_t psa_public[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; + size_t psa_public_length = 0; + PSA_ASSERT(psa_export_public_key(psa_key, + psa_public, sizeof(psa_public), + &psa_public_length)); + TEST_MEMORY_COMPARE(pk_public, pk_public_length, + psa_public, psa_public_length); + + ok = 1; + +exit: + psa_reset_key_attributes(&psa_attributes); + psa_reset_key_attributes(&pk_attributes); + return ok; +} +#endif /* MBEDTLS_PK_C */ + #endif /* MBEDTLS_PSA_CRYPTO_C */ -- cgit v1.1 From 2ec141a429635e2a764be7393a57e1ebf00b0545 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 17:22:37 +0100 Subject: After pk_import_into_psa, test that the keys match We were testing the internal consistency of the resulting key, and that the resulting key had the right metadata, but we were not testing that the PSA key had the expected key material. Comparing the public keys fixes that. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 16 ++++++++++++++++ tests/suites/test_suite_pkparse.function | 3 +++ 2 files changed, 19 insertions(+) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 4ea7a70..39e3846 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -19,6 +19,8 @@ #include "psa/crypto.h" #include "mbedtls/psa_util.h" +#include + /* Used for properly sizing the key buffer in pk_genkey_ec() */ #include "psa_util_internal.h" @@ -1893,6 +1895,9 @@ void pk_get_psa_attributes(int pk_type, int from_pair, TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0); + if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) { + goto exit; + } exit: mbedtls_pk_free(&pk); @@ -1938,6 +1943,9 @@ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0); + if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) { + goto exit; + } exit: mbedtls_pk_free(&pk); @@ -2026,6 +2034,11 @@ void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg, } TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), expected_import_ret); + if (expected_import_ret == 0) { + if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) { + goto exit; + } + } } exit: @@ -2117,6 +2130,9 @@ void pk_import_into_psa_opaque(int from_type, int from_bits, expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; } TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&actual_attributes)); + if (!mbedtls_test_key_consistency_psa_pk(to_key_id, &pk)) { + goto exit; + } } else { TEST_ASSERT(mbedtls_svc_key_id_equal(to_key_id, MBEDTLS_SVC_KEY_ID_INIT)); } diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index add225d..f275c32 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -48,6 +48,9 @@ static int test_psa_bridge(const mbedtls_pk_context *ctx, TEST_EQUAL(mbedtls_pk_get_psa_attributes(ctx, usage_flag, &attributes), 0); TEST_EQUAL(mbedtls_pk_import_into_psa(ctx, &attributes, &psa_key), 0); + if (!mbedtls_test_key_consistency_psa_pk(psa_key, ctx)) { + goto exit; + } psa_algorithm_t exercise_usage = psa_get_key_usage_flags(&attributes); psa_algorithm_t exercise_alg = psa_get_key_algorithm(&attributes); -- cgit v1.1 From 83b8baf8995d8a874dba3b623c486196ad068609 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Feb 2024 17:26:07 +0100 Subject: mbedtls_pk_import_into_psa: fix Montgomery keys in the legacy case Fix the workaround for the weirdness of mbedtls_ecp_write_key(), which assumed a Weierstrass key. This fixes the Montgomery private key parse tests in test_suite_pkparse. Signed-off-by: Gilles Peskine --- library/pk.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/library/pk.c b/library/pk.c index 28663a8..c05ea5d 100644 --- a/library/pk.c +++ b/library/pk.c @@ -704,17 +704,19 @@ static int import_pair_into_psa(const mbedtls_pk_context *pk, return MBEDTLS_ERR_PK_TYPE_MISMATCH; } unsigned char key_buffer[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; - int ret = mbedtls_ecp_write_key(ec, - key_buffer, sizeof(key_buffer)); + /* Make sure to pass the exact key length to + * mbedtls_ecp_write_key(), because it writes Montgomery keys + * at the start of the buffer but Weierstrass keys at the + * end of the buffer. */ + size_t key_length = PSA_BITS_TO_BYTES(ec->grp.nbits); + int ret = mbedtls_ecp_write_key(ec, key_buffer, key_length); if (ret < 0) { return ret; } - size_t key_length = PSA_BITS_TO_BYTES(ec->grp.nbits); - unsigned char *key_data = key_buffer + sizeof(key_buffer) - key_length; ret = PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes, - key_data, key_length, + key_buffer, key_length, key_id)); - mbedtls_platform_zeroize(key_data, key_length); + mbedtls_platform_zeroize(key_buffer, key_length); return ret; #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ } -- cgit v1.1 From 0f286d5453488acbc0ae2191ea80f1156eabbbb4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 16 Feb 2024 14:30:58 +0100 Subject: pem: reject empty PEM contents Signed-off-by: Valerio Setti --- library/pem.c | 5 +++++ tests/suites/test_suite_pem.data | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/library/pem.c b/library/pem.c index f090f49..a111970 100644 --- a/library/pem.c +++ b/library/pem.c @@ -244,6 +244,7 @@ exit: #if defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len) { + /* input_len > 0 is guaranteed by mbedtls_pem_read_buffer(). */ size_t pad_len = input[input_len - 1]; size_t i; @@ -412,6 +413,10 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret); } + if (len == 0) { + return MBEDTLS_ERR_PEM_BAD_INPUT_DATA; + } + if ((buf = mbedtls_calloc(1, len)) == NULL) { return MBEDTLS_ERR_PEM_ALLOC_FAILED; } diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index df9663b..a900a33 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -22,6 +22,10 @@ mbedtls_pem_write_buffer_lengths PEM read (unencrypted, valid) mbedtls_pem_read_buffer:"^":"$":"^\nTWJlZCBUTFM=\n$":"":0:"4d62656420544c53" +PEM read (unencrypted, empty content) +depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\n\n-----END EC PRIVATE KEY-----":"":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" + PEM read (DES-EDE3-CBC + invalid iv) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_DES_C mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV:"" -- cgit v1.1 From 46ee81d2593f456afa1f387d7af139fae1515ae0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 13 Feb 2024 20:05:29 +0100 Subject: test_suite_pk: add test cases for RSA keys (sign/verify & crypt/decrypt) Signed-off-by: Gilles Peskine Signed-off-by: Valerio Setti --- tests/suites/test_suite_pk.data | 86 +++++++++++++++++++++++++++++-------- tests/suites/test_suite_pk.function | 71 ++++++++++++++++++++++++------ 2 files changed, 124 insertions(+), 33 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 35f02cb..9c0bb23 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -326,13 +326,33 @@ PK can do ext: MBEDTLS_PK_RSA, check RSA_PSS(SHA256) depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 -RSA verify test vector #1 (good) +RSA verify test vector: PKCS1v1.5 (explicit), SHA1, good depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15 -pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":0 +pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":0 -RSA verify test vector #2 (bad) +RSA verify test vector: PKCS1v1.5 (default), SHA1, good depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15 -pk_rsa_verify_test_vec:"9f294f0c7b32da6221a3ef83654322038e8968fa":MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"3203b7647fb7e345aa457681e5131777f1adc371f2fba8534928c4e52ef6206a856425d6269352ecbf64db2f6ad82397768cafdd8cd272e512d617ad67992226da6bc291c31404c17fd4b7e2beb20eff284a44f4d7af47fd6629e2c95809fa7f2241a04f70ac70d3271bb13258af1ed5c5988c95df7fa26603515791075feccd":MBEDTLS_ERR_RSA_VERIFY_FAILED +pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":-1:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":0 + +RSA verify test vector: PKCS1v1.5, SHA1, wrong signature +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15 +pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b8":MBEDTLS_ERR_RSA_VERIFY_FAILED + +RSA verify test vector: PSS, SHA1, good +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V21 +pk_rsa_verify_test_vec:"37b66ae0445843353d47ecb0b4fd14c110e62d6a":MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:1024:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":"010001":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":0 + +RSA verify test vector: PSS, SHA1, wrong signature +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V21 +pk_rsa_verify_test_vec:"37b66ae0445843353d47ecb0b4fd14c110e62d6a":MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:1024:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":"010001":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747f":MBEDTLS_ERR_RSA_VERIFY_FAILED + +RSA verify test vector: PSS, SHA1, signature is PKCS1v1.5 +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V21 +pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":MBEDTLS_ERR_RSA_VERIFY_FAILED + +RSA verify test vector: PKCS1v1.5, SHA1, signature is PSS +depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15 +pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":MBEDTLS_ERR_RSA_VERIFY_FAILED ECDSA verify test vector #1 (good) depends_on:MBEDTLS_ECP_HAVE_SECP192R1 @@ -384,51 +404,79 @@ pk_ec_test_vec:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"0437cc56d976091e5a723e ECDSA sign-verify: SECP192R1 depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP192R1 -pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:0:0 +pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:0:0:0:0 ECDSA sign-verify: SECP256R1 depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1 -pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:0:0 +pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:0:0:0:0 ECDSA sign-verify: SECP384R1 depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP384R1 -pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:0:0 +pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:0:0:0:0 ECDSA sign-verify: SECP521R1 depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP521R1 -pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:0:0 +pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:0:0:0:0 ECDSA sign-verify: BP256R1 depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_BP256R1 -pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP256R1:0:0 +pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP256R1:0:0:0:0 ECDSA sign-verify: BP512R1 depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_BP512R1 -pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP512R1:0:0 +pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP512R1:0:0:0:0 EC(DSA) sign-verify: SECP192R1 depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP192R1 -pk_sign_verify:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP192R1:0:0 +pk_sign_verify:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP192R1:0:0:0:0 EC_DH (no) sign-verify: SECP192R1 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 -pk_sign_verify:MBEDTLS_PK_ECKEY_DH:MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ERR_PK_TYPE_MISMATCH:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_sign_verify:MBEDTLS_PK_ECKEY_DH:MBEDTLS_ECP_DP_SECP192R1:0:0:MBEDTLS_ERR_PK_TYPE_MISMATCH:MBEDTLS_ERR_PK_TYPE_MISMATCH -RSA sign-verify -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512 -pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:0 +RSA sign-verify, PKCS1v1.5, SHA1 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA1 +pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:0:0 + +RSA sign-verify, PKCS1v2.1, SHA1 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA1 +pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:0:0 + +RSA sign-verify, PKCS1v1.5, SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA256 +pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:0:0 + +RSA sign-verify, PKCS1v2.1, SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA256 +pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA256:0:0 RSA encrypt-decrypt test depends_on:MBEDTLS_PKCS1_V15 pk_rsa_encrypt_decrypt_test:"4E636AF98E40F3ADCFCCB698F4E80B9F":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":0 -RSA decrypt test vector #1 +RSA decrypt test vector - PKCS1v1.5 +depends_on:MBEDTLS_PKCS1_V15 +pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":0 + +RSA decrypt test vector - PKCS1v1.5, corrupted encrypted data depends_on:MBEDTLS_PKCS1_V15 -pk_rsa_decrypt_test_vec:"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":"4E636AF98E40F3ADCFCCB698F4E80B9F":0 +pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43d":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING + +RSA decrypt test vector - PKCS1v2.1 +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1 +pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":1024:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":0 -RSA decrypt test vector #2 +RSA decrypt test vector - PKCS1v2.1, corrupted encrypted data +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1 +pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0956":1024:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING + +RSA decrypt test vector - PKCS1v1.5, but data is PKCS1v2.1 encrypted depends_on:MBEDTLS_PKCS1_V15 -pk_rsa_decrypt_test_vec:"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404feb284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_INVALID_PADDING +pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0956":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING + +RSA decrypt test vector - PKCS1v2.1, but data is PKCS1v1.5 encrypted +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1 +pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":1024:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING RSA Opaque decrypt test vector #1 depends_on:MBEDTLS_PKCS1_V15 diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index ff843cb..946c52f 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -800,9 +800,9 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ -void pk_rsa_verify_test_vec(data_t *message_str, int digest, int mod, - char *input_N, char *input_E, - data_t *result_str, int result) +void pk_rsa_verify_test_vec(data_t *message_str, int padding, int digest, + int mod, char *input_N, char *input_E, + data_t *result_str, int expected_result) { mbedtls_rsa_context *rsa; mbedtls_pk_context pk; @@ -817,28 +817,54 @@ void pk_rsa_verify_test_vec(data_t *message_str, int digest, int mod, #endif mbedtls_pk_init(&pk); - USE_PSA_INIT(); + MD_OR_USE_PSA_INIT(); TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); rsa = mbedtls_pk_rsa(pk); rsa->len = (mod + 7) / 8; + if (padding >= 0) { + TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_NONE), 0); + } + TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); - TEST_ASSERT(mbedtls_pk_verify(&pk, digest, message_str->x, 0, - result_str->x, mbedtls_pk_get_len(&pk)) == result); + int actual_result; + actual_result = mbedtls_pk_verify(&pk, digest, message_str->x, 0, + result_str->x, mbedtls_pk_get_len(&pk)); +#if !defined(MBEDTLS_USE_PSA_CRYPTO) + if (actual_result == MBEDTLS_ERR_RSA_INVALID_PADDING && + expected_result == MBEDTLS_ERR_RSA_VERIFY_FAILED) { + /* Tolerate INVALID_PADDING error for an invalid signature with + * the legacy API (but not with PSA). */ + } else +#endif + { + TEST_EQUAL(actual_result, expected_result); + } - TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, digest, message_str->x, 0, - result_str->x, mbedtls_pk_get_len( - &pk), rs_ctx) == result); + actual_result = mbedtls_pk_verify_restartable(&pk, digest, message_str->x, 0, + result_str->x, + mbedtls_pk_get_len(&pk), + rs_ctx); +#if !defined(MBEDTLS_USE_PSA_CRYPTO) + if (actual_result == MBEDTLS_ERR_RSA_INVALID_PADDING && + expected_result == MBEDTLS_ERR_RSA_VERIFY_FAILED) { + /* Tolerate INVALID_PADDING error for an invalid signature with + * the legacy API (but not with PSA). */ + } else +#endif + { + TEST_EQUAL(actual_result, expected_result); + } exit: #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) mbedtls_pk_restart_free(rs_ctx); #endif mbedtls_pk_free(&pk); - USE_PSA_DONE(); + MD_OR_USE_PSA_DONE(); } /* END_CASE */ @@ -1027,7 +1053,8 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256 */ -void pk_sign_verify(int type, int curve_or_keybits, int sign_ret, int verify_ret) +void pk_sign_verify(int type, int curve_or_keybits, int rsa_padding, int rsa_md_alg, + int sign_ret, int verify_ret) { mbedtls_pk_context pk; size_t sig_len; @@ -1055,6 +1082,17 @@ void pk_sign_verify(int type, int curve_or_keybits, int sign_ret, int verify_ret TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); TEST_ASSERT(pk_genkey(&pk, curve_or_keybits) == 0); +#if defined(MBEDTLS_RSA_C) + if (type == MBEDTLS_PK_RSA) { + /* Just pick SHA1 here as hashing algorithm as we're more interested + * in checking the compatibility between */ + TEST_ASSERT(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, rsa_md_alg) == 0); + } +#else + (void) rsa_padding; + (void) rsa_md_alg; +#endif /* MBEDTLS_RSA_C */ + TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, MBEDTLS_MD_SHA256, hash, hash_len, sig, sizeof(sig), &sig_len, @@ -1194,7 +1232,7 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ -void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, +void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, int padding, int md_alg, char *input_P, char *input_Q, char *input_N, char *input_E, data_t *clear, int ret) @@ -1209,7 +1247,7 @@ void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, mbedtls_pk_init(&pk); mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); - USE_PSA_INIT(); + MD_OR_USE_PSA_INIT(); memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); @@ -1231,6 +1269,11 @@ void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); TEST_EQUAL(mbedtls_pk_get_len(&pk), (mod + 7) / 8); + /* set padding mode */ + if (padding >= 0) { + TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding, md_alg), 0); + } + /* decryption test */ memset(output, 0, sizeof(output)); olen = 0; @@ -1246,7 +1289,7 @@ exit: mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E); mbedtls_pk_free(&pk); - USE_PSA_DONE(); + MD_OR_USE_PSA_DONE(); } /* END_CASE */ -- cgit v1.1 From 90ea4fd201568470044197b2463338c5f32a993b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 15 Feb 2024 15:42:24 +0100 Subject: pk: fix documentation for sign/verify and encrypt/decrypt Remove exception warnings about PKCS1v1.5, since now both padding formats are treated properly no matter if USE_PSA_CRYPTO is defined or not. Signed-off-by: Valerio Setti --- include/mbedtls/pk.h | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 919543c..c37121f 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -616,10 +616,6 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, * #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid * signature in \p sig but its length is less than \p sig_len, * or a specific error code. - * - * \note For RSA keys, the default padding type is PKCS#1 v1.5. - * Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... ) - * to verify RSASSA_PSS signatures. */ int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, @@ -708,10 +704,6 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options, * * \return 0 on success, or a specific error code. * - * \note For RSA keys, the default padding type is PKCS#1 v1.5. - * There is no interface in the PK module to make RSASSA-PSS - * signatures yet. - * * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. * For ECDSA, md_alg may never be MBEDTLS_MD_NONE. */ @@ -806,8 +798,6 @@ int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx, * \param f_rng RNG function, must not be \c NULL. * \param p_rng RNG parameter * - * \note For RSA keys, the default padding type is PKCS#1 v1.5. - * * \return 0 on success, or a specific error code. */ int mbedtls_pk_decrypt(mbedtls_pk_context *ctx, @@ -829,8 +819,6 @@ int mbedtls_pk_decrypt(mbedtls_pk_context *ctx, * * \note \p f_rng is used for padding generation. * - * \note For RSA keys, the default padding type is PKCS#1 v1.5. - * * \return 0 on success, or a specific error code. */ int mbedtls_pk_encrypt(mbedtls_pk_context *ctx, -- cgit v1.1 From 8aff4ef274688be38423820091895a2f30187f28 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 16 Feb 2024 14:31:51 +0100 Subject: test_suite_pem: add more test cases for invalid padding data Signed-off-by: Valerio Setti --- library/pem.c | 2 +- tests/suites/test_suite_pem.data | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/library/pem.c b/library/pem.c index a111970..3f01d3b 100644 --- a/library/pem.c +++ b/library/pem.c @@ -463,7 +463,7 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const * mismatches. */ ret = pem_check_pkcs_padding(buf, len, &len); if (ret != 0) { - mbedtls_free(buf); + mbedtls_zeroize_and_free(buf, len); return ret; } diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index a900a33..e3bb7e4 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -78,3 +78,17 @@ mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KE PEM read (Invalid padding data for AES-128-CBC) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n333hxynfxEdXrSHQfIabxQ==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" + +# Padding data (0x11) is larger than AES block size (16). +# Generated with: +# echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x11\x11\x11\x11\x11" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad +PEM read (AES-128-CBC, padding data is larger than AES block length) +depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n5wA/XVXHuMsQAAOGFQmK0g==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" + +# Padding data (0x9) is larger than AES block size (8). +# Generated with: +# echo -n -e "\x68\x65\x6c\x6c\x6f\x09\x09\x09" | openssl des-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad +PEM read (DES-CBC, padding data is larger than DES block length) +depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,3132333435363738\n\n6a+B2WineBM=\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" -- cgit v1.1 From 4cc6522a85473e6ae49e1558988cde408739305e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 16 Feb 2024 14:40:42 +0100 Subject: pem: do not parse ASN1 data after decryption (removes ASN1 dependency) Now that we have padding verification after decryption and since this can be used to validate the password as well there is no need to parse ASN1 content any more, so we can simplify/remove that dependency. Signed-off-by: Valerio Setti --- ChangeLog.d/8799.txt | 3 +-- include/mbedtls/asn1.h | 5 ++--- library/asn1parse.c | 5 ++--- library/pem.c | 23 ----------------------- tests/suites/test_suite_pem.data | 13 +++---------- tests/suites/test_suite_pem.function | 1 - 6 files changed, 8 insertions(+), 42 deletions(-) diff --git a/ChangeLog.d/8799.txt b/ChangeLog.d/8799.txt index b44bb99..50e7c11 100644 --- a/ChangeLog.d/8799.txt +++ b/ChangeLog.d/8799.txt @@ -1,4 +1,3 @@ Bugfix * mbedtls_pem_read_buffer() now performs a check on the padding data of - decrypted keys and it rejects invalid ones. It also parses and validates - the main ASN.1 SEQUENCE header. + decrypted keys and it rejects invalid ones. diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index d8ee469..ff019f4 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -198,7 +198,7 @@ typedef struct mbedtls_asn1_named_data { mbedtls_asn1_named_data; #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ - defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) || defined(MBEDTLS_PEM_PARSE_C) + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) /** * \brief Get the length of an ASN.1 element. * Updates the pointer to immediately behind the length. @@ -245,8 +245,7 @@ int mbedtls_asn1_get_len(unsigned char **p, int mbedtls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len, int tag); -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || - MBEDTLS_PSA_UTIL_HAVE_ECDSA || MBEDTLS_PEM_PARSE_C */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_PARSE_C) /** diff --git a/library/asn1parse.c b/library/asn1parse.c index 644b43b..e33fdf7 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -8,7 +8,7 @@ #include "common.h" #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ - defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) || defined(MBEDTLS_PEM_PARSE_C) + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) #include "mbedtls/asn1.h" #include "mbedtls/platform_util.h" @@ -74,8 +74,7 @@ int mbedtls_asn1_get_tag(unsigned char **p, return mbedtls_asn1_get_len(p, end, len); } -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || - MBEDTLS_PSA_UTIL_HAVE_ECDSA || MBEDTLS_PEM_PARSE_C */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_PARSE_C) int mbedtls_asn1_get_bool(unsigned char **p, diff --git a/library/pem.c b/library/pem.c index 3f01d3b..48180ee 100644 --- a/library/pem.c +++ b/library/pem.c @@ -17,7 +17,6 @@ #include "mbedtls/cipher.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#include "mbedtls/asn1.h" #include @@ -466,28 +465,6 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const mbedtls_zeroize_and_free(buf, len); return ret; } - - /* - * In RFC1421 PEM is used as container for DER (ASN.1) content so we - * can use ASN.1 functions to parse the main SEQUENCE tag and to get its - * length. - */ - unsigned char *p = buf; - size_t sequence_len; - ret = mbedtls_asn1_get_tag(&p, buf + len, &sequence_len, - MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED); - if (ret != 0) { - mbedtls_free(buf); - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret); - } - /* Add also the sequence block (tag + len) to the total amount of valid data. */ - sequence_len += (p - buf); - - /* Ensure that the reported SEQUENCE length matches the data len (i.e. no - * trailing garbage data). */ - if (len != sequence_len) { - return MBEDTLS_ERR_PEM_BAD_INPUT_DATA; - } #else mbedtls_zeroize_and_free(buf, len); return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE; diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index e3bb7e4..6f8af6c 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -61,21 +61,14 @@ PEM read (valid EC key encoded with AES-128-CBC) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,151F851B6A7F3FBDAA5B7173117D0127\n\nLw+0OM+0Bwcl+ls/vxQbLrVshGc7bsNPvvtj2sJeMFFEq3V1mj/IO++0KK/CDhMH\nh6CZPsmgVOeM5uFpqYaq0fJbUduN2eDMWszWRm0SFkY=\n-----END EC PRIVATE KEY-----":"pwdpwd":0:"3041020101040f00d8023c809afd45e426d1a4dbe0ffa00706052b81040004a1220320000400da1ecfa53d528237625e119e2e0500d2eb671724f16deb6a63749516b7" -# The text "hello world" (which is clearly not a valid ASN.1 SEQUENCE) is encoded -# with AES-128-CBC to prove that ASN.1 parsing after decoding fails. +# The text "hello world" together with some invalid padding data is encoded +# with AES-128-CBC in order to test padding validation. # Since PBKDF1 isn't supported in OpenSSL, here's the steps: # 1. generate the key (password="password"; IV=0x3132333435363738 in hex or "12345678" as string) # echo -n "password12345678" | openssl md5 # 2. encode data -# echo -n "hello world" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -PEM read (Invalid SEQUENCE encoded with AES-128-CBC) -depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\nDfRGkwS+VjvR0IYsjZwW6Q==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:"" - -# Same as above, but with invalid padding data. -# Generated with: # echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x01\x02\x03\x04\x05" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad -PEM read (Invalid padding data for AES-128-CBC) +PEM read (AES-128-CBC, invalid padding data) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n333hxynfxEdXrSHQfIabxQ==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function index 2acc16e..413dc55 100644 --- a/tests/suites/test_suite_pem.function +++ b/tests/suites/test_suite_pem.function @@ -3,7 +3,6 @@ #include "mbedtls/pem.h" #include "mbedtls/des.h" #include "mbedtls/aes.h" -#include "mbedtls/asn1.h" /* END_HEADER */ /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */ -- cgit v1.1 From eba4ca19c6494c2ca81e577696b64e93c158b80a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 19 Feb 2024 07:42:18 +0100 Subject: test_suite_pem: solve driver test disparities Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 3 +-- tests/suites/test_suite_pem.data | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 6503f9a..2da16b9 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -571,8 +571,7 @@ KNOWN_TASKS = { 'test_suite_pem': [ # Following tests require AES_C, but this is diabled in the # accelerated component. - 'PEM read (AES-128-CBC + invalid iv)', - 'PEM read (malformed PEM AES-128-CBC)', + re.compile('PEM read .*AES.*'), 'PEM read (unknown encryption algorithm)', ], 'test_suite_error': [ diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index 6f8af6c..53b8494 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -23,7 +23,6 @@ PEM read (unencrypted, valid) mbedtls_pem_read_buffer:"^":"$":"^\nTWJlZCBUTFM=\n$":"":0:"4d62656420544c53" PEM read (unencrypted, empty content) -depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\n\n-----END EC PRIVATE KEY-----":"":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" PEM read (DES-EDE3-CBC + invalid iv) -- cgit v1.1 From c9faea0f70f5810dff223ecc341493ec40b37a08 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Feb 2024 10:49:18 +0000 Subject: Bignum: Remove/update obsolete comments - We have moved to fixed window exponentiation and the algorithm used is properly documented and referenced in core already, no need for duplication. - A comment on mbedtls_mpi_copy states that mbedtls_mpi_exp_mod relies on it not to shrink X. This is not the case anymore, however we should probably still state that some functions might rely on this property as we don't know it for sure and it is safer to keep it that way. Signed-off-by: Janos Follath --- library/bignum.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 9b8591b..8a00ff5 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -288,8 +288,7 @@ static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs) * This function is not constant-time. Leading zeros in Y may be removed. * * Ensure that X does not shrink. This is not guaranteed by the public API, - * but some code in the bignum module relies on this property, for example - * in mbedtls_mpi_exp_mod(). + * but some code in the bignum module might still rely on this property. */ int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y) { @@ -1598,9 +1597,6 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_s return 0; } -/* - * Sliding-window exponentiation: X = A^E mod N (HAC 14.85) - */ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *prec_RR) -- cgit v1.1 From 701ae1d3d9571d6a28dc65c2a566a7c7abdc6951 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Feb 2024 10:56:54 +0000 Subject: Exp mod: move declarations before use Signed-off-by: Janos Follath --- library/bignum.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/bignum.c b/library/bignum.c index 8a00ff5..674aab7 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1602,7 +1602,6 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi *prec_RR) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_mpi RR, T, E_core; if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) { return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -1617,8 +1616,11 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } + mbedtls_mpi RR; mbedtls_mpi_init(&RR); + mbedtls_mpi T; mbedtls_mpi_init(&T); + mbedtls_mpi E_core; mbedtls_mpi_init(&E_core); /* -- cgit v1.1 From 576087d8366f05e5ceb91e7185049cc5355871fd Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Feb 2024 11:05:01 +0000 Subject: Exp mod: use assignment instead memcpy memcpy() has the advantage of making the reader stop and arguably signal that the shallow copy here is intentional. But that hinges on having the right amount of & and the right size. An assignment is clearer and less risky. Signed-off-by: Janos Follath --- library/bignum.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 674aab7..42b735f 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1630,10 +1630,10 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N)); if (prec_RR != NULL) { - memcpy(prec_RR, &RR, sizeof(mbedtls_mpi)); + *prec_RR = RR; } } else { - memcpy(&RR, prec_RR, sizeof(mbedtls_mpi)); + RR = *prec_RR; } /* @@ -1642,7 +1642,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, if (E->n == 0) { mbedtls_mpi_lset(&E_core, 0); } else { - memcpy(&E_core, E, sizeof(mbedtls_mpi)); + E_core = *E; } /* -- cgit v1.1 From 762f9f9cbb345fe3cfe8d412a876856e2e97785d Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 19 Feb 2024 11:07:50 +0000 Subject: Restore X509 functions erroneously made private Restore the following functions to public headers: * mbedtls_x509_dn_get_next() * mbedtls_x509_serial_gets() * mbedtls_x509_time_cmp() * mbedtls_x509_time_gmtime() * mbedtls_x509_time_is_past() * mbedtls_x509_time_is_future() * mbedtls_x509_parse_subject_alt_name() * mbedtls_x509_free_subject_alt_name() Signed-off-by: David Horstmann --- include/mbedtls/x509.h | 127 ++++++++++++++++++++++++++++++++++++++++++++++++ library/x509_internal.h | 127 ------------------------------------------------ 2 files changed, 127 insertions(+), 127 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index be63612..1dde7af 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -325,6 +325,133 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn); int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name); /** + * \brief Return the next relative DN in an X509 name. + * + * \note Intended use is to compare function result to dn->next + * in order to detect boundaries of multi-valued RDNs. + * + * \param dn Current node in the X509 name + * + * \return Pointer to the first attribute-value pair of the + * next RDN in sequence, or NULL if end is reached. + */ +static inline mbedtls_x509_name *mbedtls_x509_dn_get_next( + mbedtls_x509_name *dn) +{ + while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) { + dn = dn->next; + } + return dn->next; +} + +/** + * \brief Store the certificate serial in printable form into buf; + * no more than size characters will be written. + * + * \param buf Buffer to write to + * \param size Maximum size of buffer + * \param serial The X509 serial to represent + * + * \return The length of the string written (not including the + * terminated nul byte), or a negative error code. + */ +int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial); + +/** + * \brief Compare pair of mbedtls_x509_time. + * + * \param t1 mbedtls_x509_time to compare + * \param t2 mbedtls_x509_time to compare + * + * \return < 0 if t1 is before t2 + * 0 if t1 equals t2 + * > 0 if t1 is after t2 + */ +int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2); + +#if defined(MBEDTLS_HAVE_TIME_DATE) +/** + * \brief Fill mbedtls_x509_time with provided mbedtls_time_t. + * + * \param tt mbedtls_time_t to convert + * \param now mbedtls_x509_time to fill with converted mbedtls_time_t + * + * \return \c 0 on success + * \return A non-zero return value on failure. + */ +int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now); +#endif /* MBEDTLS_HAVE_TIME_DATE */ + +/** + * \brief Check a given mbedtls_x509_time against the system time + * and tell if it's in the past. + * + * \note Intended usage is "if( is_past( valid_to ) ) ERROR". + * Hence the return value of 1 if on internal errors. + * + * \param to mbedtls_x509_time to check + * + * \return 1 if the given time is in the past or an error occurred, + * 0 otherwise. + */ +int mbedtls_x509_time_is_past(const mbedtls_x509_time *to); + +/** + * \brief Check a given mbedtls_x509_time against the system time + * and tell if it's in the future. + * + * \note Intended usage is "if( is_future( valid_from ) ) ERROR". + * Hence the return value of 1 if on internal errors. + * + * \param from mbedtls_x509_time to check + * + * \return 1 if the given time is in the future or an error occurred, + * 0 otherwise. + */ +int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); + +/** + * \brief This function parses an item in the SubjectAlternativeNames + * extension. Please note that this function might allocate + * additional memory for a subject alternative name, thus + * mbedtls_x509_free_subject_alt_name has to be called + * to dispose of this additional memory afterwards. + * + * \param san_buf The buffer holding the raw data item of the subject + * alternative name. + * \param san The target structure to populate with the parsed presentation + * of the subject alternative name encoded in \p san_buf. + * + * \note Supported GeneralName types, as defined in RFC 5280: + * "rfc822Name", "dnsName", "directoryName", + * "uniformResourceIdentifier" and "hardware_module_name" + * of type "otherName", as defined in RFC 4108. + * + * \note This function should be called on a single raw data of + * subject alternative name. For example, after successful + * certificate parsing, one must iterate on every item in the + * \c crt->subject_alt_names sequence, and pass it to + * this function. + * + * \warning The target structure contains pointers to the raw data of the + * parsed certificate, and its lifetime is restricted by the + * lifetime of the certificate. + * + * \return \c 0 on success + * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported + * SAN type. + * \return Another negative value for any other failure. + */ +int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, + mbedtls_x509_subject_alternative_name *san); +/** + * \brief Unallocate all data related to subject alternative name + * + * \param san SAN structure - extra memory owned by this structure will be freed + */ +void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san); + +/** * \brief This function parses a CN string as an IP address. * * \param cn The CN string to parse. CN string MUST be null-terminated. diff --git a/library/x509_internal.h b/library/x509_internal.h index 15e097a..8a2d2ed 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -21,133 +21,6 @@ #include "mbedtls/rsa.h" #endif -/** - * \brief Return the next relative DN in an X509 name. - * - * \note Intended use is to compare function result to dn->next - * in order to detect boundaries of multi-valued RDNs. - * - * \param dn Current node in the X509 name - * - * \return Pointer to the first attribute-value pair of the - * next RDN in sequence, or NULL if end is reached. - */ -static inline mbedtls_x509_name *mbedtls_x509_dn_get_next( - mbedtls_x509_name *dn) -{ - while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) { - dn = dn->next; - } - return dn->next; -} - -/** - * \brief Store the certificate serial in printable form into buf; - * no more than size characters will be written. - * - * \param buf Buffer to write to - * \param size Maximum size of buffer - * \param serial The X509 serial to represent - * - * \return The length of the string written (not including the - * terminated nul byte), or a negative error code. - */ -int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial); - -/** - * \brief Compare pair of mbedtls_x509_time. - * - * \param t1 mbedtls_x509_time to compare - * \param t2 mbedtls_x509_time to compare - * - * \return < 0 if t1 is before t2 - * 0 if t1 equals t2 - * > 0 if t1 is after t2 - */ -int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2); - -#if defined(MBEDTLS_HAVE_TIME_DATE) -/** - * \brief Fill mbedtls_x509_time with provided mbedtls_time_t. - * - * \param tt mbedtls_time_t to convert - * \param now mbedtls_x509_time to fill with converted mbedtls_time_t - * - * \return \c 0 on success - * \return A non-zero return value on failure. - */ -int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now); -#endif /* MBEDTLS_HAVE_TIME_DATE */ - -/** - * \brief Check a given mbedtls_x509_time against the system time - * and tell if it's in the past. - * - * \note Intended usage is "if( is_past( valid_to ) ) ERROR". - * Hence the return value of 1 if on internal errors. - * - * \param to mbedtls_x509_time to check - * - * \return 1 if the given time is in the past or an error occurred, - * 0 otherwise. - */ -int mbedtls_x509_time_is_past(const mbedtls_x509_time *to); - -/** - * \brief Check a given mbedtls_x509_time against the system time - * and tell if it's in the future. - * - * \note Intended usage is "if( is_future( valid_from ) ) ERROR". - * Hence the return value of 1 if on internal errors. - * - * \param from mbedtls_x509_time to check - * - * \return 1 if the given time is in the future or an error occurred, - * 0 otherwise. - */ -int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); - -/** - * \brief This function parses an item in the SubjectAlternativeNames - * extension. Please note that this function might allocate - * additional memory for a subject alternative name, thus - * mbedtls_x509_free_subject_alt_name has to be called - * to dispose of this additional memory afterwards. - * - * \param san_buf The buffer holding the raw data item of the subject - * alternative name. - * \param san The target structure to populate with the parsed presentation - * of the subject alternative name encoded in \p san_buf. - * - * \note Supported GeneralName types, as defined in RFC 5280: - * "rfc822Name", "dnsName", "directoryName", - * "uniformResourceIdentifier" and "hardware_module_name" - * of type "otherName", as defined in RFC 4108. - * - * \note This function should be called on a single raw data of - * subject alternative name. For example, after successful - * certificate parsing, one must iterate on every item in the - * \c crt->subject_alt_names sequence, and pass it to - * this function. - * - * \warning The target structure contains pointers to the raw data of the - * parsed certificate, and its lifetime is restricted by the - * lifetime of the certificate. - * - * \return \c 0 on success - * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported - * SAN type. - * \return Another negative value for any other failure. - */ -int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, - mbedtls_x509_subject_alternative_name *san); -/** - * \brief Unallocate all data related to subject alternative name - * - * \param san SAN structure - extra memory owned by this structure will be freed - */ -void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san); - int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur); int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end, -- cgit v1.1 From 583f047c9fb95448b10c7a4593bd2ac17e99bee5 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Feb 2024 11:16:44 +0000 Subject: Exp mod: simplify 0 exponent handling Removing E_core and returning early achieves the same and is simpler (easier to read and maintain). Signed-off-by: Janos Follath --- library/bignum.c | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 42b735f..0f63c31 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1616,12 +1616,18 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } + /* + * Ensure that the exponent that we are passing to the core is not NULL. + */ + if (E->n == 0) { + ret = mbedtls_mpi_lset(X, 1); + return ret; + } + mbedtls_mpi RR; mbedtls_mpi_init(&RR); mbedtls_mpi T; mbedtls_mpi_init(&T); - mbedtls_mpi E_core; - mbedtls_mpi_init(&E_core); /* * If 1st call, pre-compute R^2 mod N @@ -1637,15 +1643,6 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, } /* - * Ensure that the exponent that we are passing to the core is not NULL. - */ - if (E->n == 0) { - mbedtls_mpi_lset(&E_core, 0); - } else { - E_core = *E; - } - - /* * To preserve constness we need to make a copy of A. Using X for this to * save memory. */ @@ -1668,21 +1665,21 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, * Allocate working memory for mbedtls_mpi_core_exp_mod() */ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, - mbedtls_mpi_core_exp_mod_working_limbs(N->n, E_core.n))); + mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n))); /* * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod(). */ mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T.p); - mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E_core.p, E_core.n, RR.p, + mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T.p); mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T.p); /* * Correct for negative A. */ - if (A->s == -1 && (E_core.p[0] & 1) != 0) { + if (A->s == -1 && (E->p[0] & 1) != 0) { X->s = -1; MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X)); } @@ -1695,10 +1692,6 @@ cleanup: mbedtls_mpi_free(&RR); } - if (E->n == 0) { - mbedtls_mpi_free(&E_core); - } - return ret; } -- cgit v1.1 From 8de8cc0bd831b9bc0400d262adb0a7f7a3ba86a9 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 19 Feb 2024 11:21:37 +0000 Subject: Add ChangeLog entry for restoring X509 functions Signed-off-by: David Horstmann --- ChangeLog.d/restore-x509-functions-to-public.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/restore-x509-functions-to-public.txt diff --git a/ChangeLog.d/restore-x509-functions-to-public.txt b/ChangeLog.d/restore-x509-functions-to-public.txt new file mode 100644 index 0000000..fef0764 --- /dev/null +++ b/ChangeLog.d/restore-x509-functions-to-public.txt @@ -0,0 +1,6 @@ +Bugfix + * Restore X509 functions erroneously removed from the public interface: + mbedtls_x509_dn_get_next(), mbedtls_x509_serial_gets(), + mbedtls_x509_time_cmp(), mbedtls_x509_time_gmtime(), + mbedtls_x509_time_is_past(), mbedtls_x509_time_is_future() + mbedtls_x509_parse_subject_alt_name(), mbedtls_x509_free_subject_alt_name() -- cgit v1.1 From 467a5499a5466fc304c1ff3b5d0fff470f16fb4b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Feb 2024 11:27:38 +0000 Subject: Exp mod: clarify preprocessing Signed-off-by: Janos Follath --- library/bignum.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/library/bignum.c b/library/bignum.c index 0f63c31..4cebd95 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1654,7 +1654,14 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, X->s = 1; /* - * Make sure that A has exactly as many limbs as N. + * Make sure that X is in a form that is safe for consumption by + * the core functions. + * + * - The core functions will not touch the limbs of X above N->n. The + * result will be correct if those limbs are 0, which the mod call + * ensures. + * - Also, X must have at least as many limbs as N for the calls to the + * core functions. */ if (mbedtls_mpi_cmp_mpi(X, N) >= 0) { MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N)); -- cgit v1.1 From 518b5b60c658f91e0605af5c5dfef2836bbf9d0c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Feb 2024 11:29:34 +0000 Subject: Improve style Signed-off-by: Janos Follath --- library/bignum.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 4cebd95..5ddcf72 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1671,8 +1671,8 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, /* * Allocate working memory for mbedtls_mpi_core_exp_mod() */ - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, - mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n))); + size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n); + MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, T_limbs)); /* * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod(). -- cgit v1.1 From 5bb04e03ac82909d4ab90855597d0fe12aac0544 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 13:24:41 +0100 Subject: mbedtls_ecp_write_key: no FEATURE_UNAVAILABLE error When exporting a key, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE should not happen. This error indicates that the curve is not supported, but that would prevent the creation of the key. Signed-off-by: Gilles Peskine --- include/mbedtls/ecp.h | 2 -- library/ecp.c | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 76aef32..3d14f36 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1339,8 +1339,6 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * \return \c 0 on success. * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key representation is larger than the available space in \p buf. - * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for - * the group is not implemented. * \return Another negative error code on different kinds of failure. */ int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, diff --git a/library/ecp.c b/library/ecp.c index 758d54b..66b3dc1 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -3305,7 +3305,7 @@ cleanup: int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, unsigned char *buf, size_t buflen) { - int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) { -- cgit v1.1 From a395bdd06601da6853b5c50afd3eb1c738aa15f8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 13:30:31 +0100 Subject: mbedtls_ecp_write_key: document and test larger output buffer Signed-off-by: Gilles Peskine --- include/mbedtls/ecp.h | 21 ++++++++++-- tests/suites/test_suite_ecp.data | 64 ++++++++++++++++++++++++++++++++++++ tests/suites/test_suite_ecp.function | 47 ++++++++++++++++++++++++++ 3 files changed, 130 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 3d14f36..54f2961 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1330,11 +1330,28 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, /** * \brief This function exports an elliptic curve private key. * + * \note Note that although this function accepts an output + * buffer that is larger than the key, most key import + * interfaces require the output to be trimmed to the + * key's nominal length. It is generally simplest to + * pass the key's nominal length as \c buflen, after + * checking that the output buffer is large enough. + * See the description of the \p buflen parameter for + * how to calculate the nominal length. + * * \param key The private key. * \param buf The output buffer for containing the binary representation - * of the key. (Big endian integer for Weierstrass curves, byte - * string for Montgomery curves.) + * of the key. + * For Weierstrass curves, this is the big-endian + * representation, padded with null bytes at the beginning + * to reach \p buflen bytes. + * For Montgomery curves, this is the standard byte string + * representation (which is little-endian), padded with + * null bytes at the end to reach \p buflen bytes. * \param buflen The total length of the buffer in bytes. + * The length of the output is always + * (`grp->nbits` + 7) / 8 bytes + * where `grp->nbits` is the private key size in bits. * * \return \c 0 on success. * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 01fdc47..ac57a68 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -736,6 +736,70 @@ ECP read key #24 (Curve25519 RFC, OK) depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":0:1 +ECP write key: secp256r1, nominal +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":32:0 + +ECP write key: secp256r1, output longer by 1 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":33:0 + +ECP write key: secp256r1, output longer by 32 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":64:0 + +ECP write key: secp256r1, output longer by 33 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":65:0 + +ECP write key: secp384r1, nominal +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":48:0 + +ECP write key: secp384r1, output longer by 1 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":49:0 + +ECP write key: secp384r1, output longer by 48 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":96:0 + +ECP write key: secp384r1, output longer by 49 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":97:0 + +ECP write key: Curve25519, nominal +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":32:0 + +ECP write key: Curve25519, output longer by 1 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":33:0 + +ECP write key: Curve25519, output longer by 32 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":64:0 + +ECP write key: Curve25519, output longer by 33 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":65:0 + +ECP write key: Curve448, nominal +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":56:0 + +ECP write key: Curve448, output longer by 1 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":57:0 + +ECP write key: Curve448, output longer by 32 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":112:0 + +ECP write key: Curve448, output longer by 33 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":113:0 + ECP mod p192 small (more than 192 bits, less limbs than 2 * 192 bits) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_NIST_OPTIM ecp_fast_mod:MBEDTLS_ECP_DP_SECP192R1:"0100000000000103010000000000010201000000000001010100000000000100" diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 295fe7f..80fff20 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1236,6 +1236,53 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void ecp_write_key(int grp_id, data_t *in_key, + int exported_size, int expected_ret) +{ + mbedtls_ecp_keypair key; + mbedtls_ecp_keypair_init(&key); + unsigned char *exported = NULL; + + TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len), 0); + + TEST_CALLOC(exported, exported_size); + TEST_EQUAL(mbedtls_ecp_write_key(&key, exported, exported_size), + expected_ret); + + if (expected_ret == 0) { + size_t length = (key.grp.nbits + 7) / 8; + TEST_LE_U(length, exported_size); + + const unsigned char *key_start = NULL; + const unsigned char *zeros_start = NULL; + switch (mbedtls_ecp_get_type(&key.grp)) { + case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: + key_start = exported + exported_size - length; + zeros_start = exported; + break; + case MBEDTLS_ECP_TYPE_MONTGOMERY: + key_start = exported; + zeros_start = exported + length; + break; + default: + TEST_FAIL("Unknown ECP curve type"); + break; + } + TEST_MEMORY_COMPARE(in_key->x, in_key->len, + key_start, length); + for (size_t i = 0; i < exported_size - length; i++) { + mbedtls_test_set_step(i); + TEST_EQUAL(zeros_start[i], 0); + } + } + +exit: + mbedtls_ecp_keypair_free(&key); + mbedtls_free(exported); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED:MBEDTLS_ECP_LIGHT */ void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected) { -- cgit v1.1 From 1c7ff7ea5371835da8d0473f31557610ee1773cd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 13:49:45 +0100 Subject: mbedtls_ecp_write_key: document and test smaller output buffer Document and test the current behavior, even if it is weird: * For Weierstrass keys, the error is MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, not MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL. * For Weierstrass keys, a smaller output buffer is ok if the output fits. Signed-off-by: Gilles Peskine --- include/mbedtls/ecp.h | 15 ++++-- tests/suites/test_suite_ecp.data | 88 ++++++++++++++++++++++++++++++++++++ tests/suites/test_suite_ecp.function | 27 ++++++++--- 3 files changed, 118 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 54f2961..e3bde01 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1331,8 +1331,8 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * \brief This function exports an elliptic curve private key. * * \note Note that although this function accepts an output - * buffer that is larger than the key, most key import - * interfaces require the output to be trimmed to the + * buffer that is smaller or larger than the key, most key + * import interfaces require the output to have exactly * key's nominal length. It is generally simplest to * pass the key's nominal length as \c buflen, after * checking that the output buffer is large enough. @@ -1349,13 +1349,18 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * representation (which is little-endian), padded with * null bytes at the end to reach \p buflen bytes. * \param buflen The total length of the buffer in bytes. - * The length of the output is always + * The length of the output is * (`grp->nbits` + 7) / 8 bytes * where `grp->nbits` is the private key size in bits. + * For Weierstrass keys, if the output buffer is smaller, + * leading zeros are trimmed to fit if possible. For + * Montgomery keys, the output buffer must always be large + * enough for the nominal length. * * \return \c 0 on success. - * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key - representation is larger than the available space in \p buf. + * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or + * #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key + * representation is larger than the available space in \p buf. * \return Another negative error code on different kinds of failure. */ int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index ac57a68..1dd963a 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -752,6 +752,42 @@ ECP write key: secp256r1, output longer by 33 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":65:0 +ECP write key: secp256r1, output short by 1 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":31:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL + +ECP write key: secp256r1, output_size=1 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":1:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL + +ECP write key: secp256r1, output_size=0 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL + +ECP write key: secp256r1, top byte = 0, output_size=32 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":32:0 + +ECP write key: secp256r1, top byte = 0, output_size=31 (fits) +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":31:0 + +ECP write key: secp256r1, top byte = 0, output_size=30 (too small) +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":30:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL + +ECP write key: secp256r1, mostly-0 key, output_size=32 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":32:0 + +ECP write key: secp256r1, mostly-0 key, output_size=31 (fits) +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":31:0 + +ECP write key: secp256r1, mostly-0 key, output_size=1 (fits) +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":1:0 + ECP write key: secp384r1, nominal depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":48:0 @@ -768,6 +804,18 @@ ECP write key: secp384r1, output longer by 49 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":97:0 +ECP write key: secp384r1, output short by 1 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":47:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL + +ECP write key: secp384r1, output_size=1 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":1:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL + +ECP write key: secp384r1, output_size=0 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL + ECP write key: Curve25519, nominal depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":32:0 @@ -784,6 +832,26 @@ ECP write key: Curve25519, output longer by 33 depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":65:0 +ECP write key: Curve25519, output short by 1 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key: Curve25519, output_size=1 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":1:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key: Curve25519, output_size=0 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key: Curve25519, mostly-0 key, output_size=32 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":32:0 + +ECP write key: Curve25519, mostly-0 key, output_size=31 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + ECP write key: Curve448, nominal depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":56:0 @@ -800,6 +868,26 @@ ECP write key: Curve448, output longer by 33 depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":113:0 +ECP write key: Curve448, output short by 1 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key: Curve448, output_size=1 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":1:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key: Curve448, output_size=0 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key: Curve448, mostly-0 key, output_size=56 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":56:0 + +ECP write key: Curve448, mostly-0 key, output_size=55 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + ECP mod p192 small (more than 192 bits, less limbs than 2 * 192 bits) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_NIST_OPTIM ecp_fast_mod:MBEDTLS_ECP_DP_SECP192R1:"0100000000000103010000000000010201000000000001010100000000000100" diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 80fff20..9cf0ce1 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1252,16 +1252,18 @@ void ecp_write_key(int grp_id, data_t *in_key, if (expected_ret == 0) { size_t length = (key.grp.nbits + 7) / 8; - TEST_LE_U(length, exported_size); - const unsigned char *key_start = NULL; const unsigned char *zeros_start = NULL; switch (mbedtls_ecp_get_type(&key.grp)) { case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: + if ((size_t) exported_size < length) { + length = exported_size; + } key_start = exported + exported_size - length; zeros_start = exported; break; case MBEDTLS_ECP_TYPE_MONTGOMERY: + TEST_LE_U(length, exported_size); key_start = exported; zeros_start = exported + length; break; @@ -1269,11 +1271,22 @@ void ecp_write_key(int grp_id, data_t *in_key, TEST_FAIL("Unknown ECP curve type"); break; } - TEST_MEMORY_COMPARE(in_key->x, in_key->len, - key_start, length); - for (size_t i = 0; i < exported_size - length; i++) { - mbedtls_test_set_step(i); - TEST_EQUAL(zeros_start[i], 0); + + if (length < in_key->len) { + /* Shorter output (only possible with Weierstrass keys) */ + for (size_t i = 0; i < in_key->len - length; i++) { + mbedtls_test_set_step(i); + TEST_EQUAL(in_key->x[i], 0); + } + TEST_MEMORY_COMPARE(in_key->x + in_key->len - length, length, + key_start, length); + } else { + TEST_MEMORY_COMPARE(in_key->x, in_key->len, + key_start, length); + for (size_t i = 0; i < exported_size - length; i++) { + mbedtls_test_set_step(i); + TEST_EQUAL(zeros_start[i], 0); + } } } -- cgit v1.1 From 7511d4aed79b58b8d211c2bd31b8014a7380d1bf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 13:56:39 +0100 Subject: ECP write/export key: document that these functions don't detect unset data Fixes #8803. Signed-off-by: Gilles Peskine --- include/mbedtls/ecp.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index e3bde01..0201963 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1339,6 +1339,10 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * See the description of the \p buflen parameter for * how to calculate the nominal length. * + * \note If the private key was not set in \p key, + * the output is unspecified. Future versions + * may return an error in that case. + * * \param key The private key. * \param buf The output buffer for containing the binary representation * of the key. @@ -1369,6 +1373,10 @@ int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, /** * \brief This function exports an elliptic curve public key. * + * \note If the public key was not set in \p key, + * the output is unspecified. Future versions + * may return an error in that case. + * * \param key The public key. * \param format The point format. This must be either * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED. @@ -1451,6 +1459,10 @@ mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id( * Each of the output parameters can be a null pointer * if you do not need that parameter. * + * \note If the private key or the public key was not set in \p key, + * the corresponding output is unspecified. Future versions + * may return an error in that case. + * * \param key The key pair to export from. * \param grp Slot for exported ECP group. * It must either be null or point to an initialized ECP group. -- cgit v1.1 From e10674d54758008fa20c19019511ac04da3abb06 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 19 Feb 2024 14:52:24 +0100 Subject: test_suite_pem: fix comment in test case Signed-off-by: Valerio Setti --- tests/suites/test_suite_pem.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index 53b8494..b5bcb40 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -78,7 +78,7 @@ PEM read (AES-128-CBC, padding data is larger than AES block length) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n5wA/XVXHuMsQAAOGFQmK0g==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" -# Padding data (0x9) is larger than AES block size (8). +# Padding data (0x9) is larger than DES block size (8). # Generated with: # echo -n -e "\x68\x65\x6c\x6c\x6f\x09\x09\x09" | openssl des-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad PEM read (DES-CBC, padding data is larger than DES block length) -- cgit v1.1 From e88a1c5b85163f21d12bda2a6ed64e56bc4cf87c Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 19 Feb 2024 15:08:49 +0100 Subject: pem: fix return values in pem_check_pkcs_padding() Return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH instead of MBEDTLS_ERR_PEM_BAD_INPUT_DATA in case of errors. This commit also fix related failures in test pkparse and pem test suites. Signed-off-by: Valerio Setti --- library/pem.c | 4 ++-- tests/suites/test_suite_pem.data | 6 +++--- tests/suites/test_suite_pkparse.data | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/pem.c b/library/pem.c index 48180ee..1b1edc0 100644 --- a/library/pem.c +++ b/library/pem.c @@ -248,14 +248,14 @@ static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t size_t i; if (pad_len > input_len) { - return MBEDTLS_ERR_PEM_BAD_INPUT_DATA; + return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH; } *data_len = input_len - pad_len; for (i = *data_len; i < input_len; i++) { if (input[i] != pad_len) { - return MBEDTLS_ERR_PEM_BAD_INPUT_DATA; + return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH; } } diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index b5bcb40..007ba10 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data @@ -69,18 +69,18 @@ mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KE # echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x01\x02\x03\x04\x05" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad PEM read (AES-128-CBC, invalid padding data) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n333hxynfxEdXrSHQfIabxQ==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n333hxynfxEdXrSHQfIabxQ==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_PASSWORD_MISMATCH:"" # Padding data (0x11) is larger than AES block size (16). # Generated with: # echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x11\x11\x11\x11\x11" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad PEM read (AES-128-CBC, padding data is larger than AES block length) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n5wA/XVXHuMsQAAOGFQmK0g==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n5wA/XVXHuMsQAAOGFQmK0g==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_PASSWORD_MISMATCH:"" # Padding data (0x9) is larger than DES block size (8). # Generated with: # echo -n -e "\x68\x65\x6c\x6c\x6f\x09\x09\x09" | openssl des-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad PEM read (DES-CBC, padding data is larger than DES block length) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC -mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,3132333435363738\n\n6a+B2WineBM=\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:"" +mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,3132333435363738\n\n6a+B2WineBM=\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_PASSWORD_MISMATCH:"" diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 7ee77da..762fd52 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data @@ -8,7 +8,7 @@ pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLTest":0 Parse RSA Key #3 (Wrong password) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C -pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PEM_BAD_INPUT_DATA +pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #4 (DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -- cgit v1.1 From f966a978067e8358ed9a6ce8404f09fc67579be1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 19 Feb 2024 15:30:27 +0100 Subject: test_suite_pk: remove leftover comment Signed-off-by: Valerio Setti --- tests/suites/test_suite_pk.function | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 946c52f..1aca4bd 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1084,8 +1084,6 @@ void pk_sign_verify(int type, int curve_or_keybits, int rsa_padding, int rsa_md_ #if defined(MBEDTLS_RSA_C) if (type == MBEDTLS_PK_RSA) { - /* Just pick SHA1 here as hashing algorithm as we're more interested - * in checking the compatibility between */ TEST_ASSERT(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, rsa_md_alg) == 0); } #else -- cgit v1.1 From 85e568c76d620347cea08ee345011553bd7550b1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 19 Feb 2024 15:45:00 +0100 Subject: pk: fix documentation for RSA sign/verify and encrypt/decrypt Signed-off-by: Valerio Setti --- include/mbedtls/pk.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index c37121f..df11de6 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -612,6 +612,13 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, * \param sig Signature to verify * \param sig_len Signature length * + * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + * either PKCS#1 v1.5 or PSS (accepting any salt length), + * depending on the padding mode in the underlying RSA context. + * For a pk object constructed by parsing, this is PKCS#1 v1.5 + * by default. Use mbedtls_pk_verify_ext() to explicitly select + * a different algorithm. + * * \return 0 on success (signature is valid), * #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid * signature in \p sig but its length is less than \p sig_len, @@ -702,6 +709,14 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options, * \param f_rng RNG function, must not be \c NULL. * \param p_rng RNG parameter * + * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + * either PKCS#1 v1.5 or PSS (using the largest possible salt + * length up to the hash length), depending on the padding mode + * in the underlying RSA context. For a pk object constructed + * by parsing, this is PKCS#1 v1.5 by default. Use + * mbedtls_pk_verify_ext() to explicitly select a different + * algorithm. + * * \return 0 on success, or a specific error code. * * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. @@ -798,6 +813,11 @@ int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx, * \param f_rng RNG function, must not be \c NULL. * \param p_rng RNG parameter * + * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + * either PKCS#1 v1.5 or OAEP, depending on the padding mode in + * the underlying RSA context. For a pk object constructed by + * parsing, this is PKCS#1 v1.5 by default. + * * \return 0 on success, or a specific error code. */ int mbedtls_pk_decrypt(mbedtls_pk_context *ctx, @@ -817,6 +837,11 @@ int mbedtls_pk_decrypt(mbedtls_pk_context *ctx, * \param f_rng RNG function, must not be \c NULL. * \param p_rng RNG parameter * + * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is + * either PKCS#1 v1.5 or OAEP, depending on the padding mode in + * the underlying RSA context. For a pk object constructed by + * parsing, this is PKCS#1 v1.5 by default. + * * \note \p f_rng is used for padding generation. * * \return 0 on success, or a specific error code. -- cgit v1.1 From 80bc5d6aad7b3ed071af6987b254562030c0cb2c Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 19 Feb 2024 16:13:47 +0100 Subject: test_suite_pk: fix data in some RSA related test cases Signed-off-by: Valerio Setti --- tests/suites/test_suite_pk.data | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 9c0bb23..11dc319 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -352,7 +352,7 @@ pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PK RSA verify test vector: PKCS1v1.5, SHA1, signature is PSS depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15 -pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":MBEDTLS_ERR_RSA_VERIFY_FAILED +pk_rsa_verify_test_vec:"37b66ae0445843353d47ecb0b4fd14c110e62d6a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":"010001":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":MBEDTLS_ERR_RSA_VERIFY_FAILED ECDSA verify test vector #1 (good) depends_on:MBEDTLS_ECP_HAVE_SECP192R1 @@ -456,11 +456,11 @@ pk_rsa_encrypt_decrypt_test:"4E636AF98E40F3ADCFCCB698F4E80B9F":2048:"e79a373182b RSA decrypt test vector - PKCS1v1.5 depends_on:MBEDTLS_PKCS1_V15 -pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":0 +pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_NONE:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":0 RSA decrypt test vector - PKCS1v1.5, corrupted encrypted data depends_on:MBEDTLS_PKCS1_V15 -pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43d":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING +pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43d":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_NONE:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING RSA decrypt test vector - PKCS1v2.1 depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1 @@ -472,7 +472,7 @@ pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30 RSA decrypt test vector - PKCS1v1.5, but data is PKCS1v2.1 encrypted depends_on:MBEDTLS_PKCS1_V15 -pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0956":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING +pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_NONE:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING RSA decrypt test vector - PKCS1v2.1, but data is PKCS1v1.5 encrypted depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1 -- cgit v1.1 From 02f30230c4fb8fe8bf4d75e4146620a5bea914a9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 20 Feb 2024 10:22:36 +0100 Subject: pem: zeroize the entire buffer in case of errors in mbedtls_pem_read_buffer() Signed-off-by: Valerio Setti --- library/pem.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/pem.c b/library/pem.c index 1b1edc0..0fee5df 100644 --- a/library/pem.c +++ b/library/pem.c @@ -453,18 +453,20 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const #endif /* MBEDTLS_AES_C */ if (ret != 0) { - mbedtls_free(buf); + mbedtls_zeroize_and_free(buf, len); return ret; } /* Check PKCS padding and update data length based on padding info. * This can be used to detect invalid padding data and password * mismatches. */ - ret = pem_check_pkcs_padding(buf, len, &len); + size_t unpadded_len; + ret = pem_check_pkcs_padding(buf, len, &unpadded_len); if (ret != 0) { mbedtls_zeroize_and_free(buf, len); return ret; } + len = unpadded_len; #else mbedtls_zeroize_and_free(buf, len); return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE; -- cgit v1.1 From 7e1596d24cffb8f0675e6be5cf6d6510b09142dd Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 20 Feb 2024 10:23:49 +0100 Subject: rsa: remove leftovers from mbedtls_rsa_parse_[pub]key() Signed-off-by: Valerio Setti --- library/rsa.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 2c33869..da32659 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -112,8 +112,6 @@ int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, si return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - end = p + len; - if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { return ret; } @@ -248,8 +246,6 @@ int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } - end = p + len; - /* Import N */ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { return ret; -- cgit v1.1 From 56457b9eacb0ab9fe1bf80995b909388bcf52e88 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 20 Feb 2024 10:47:47 +0100 Subject: add changelog Signed-off-by: Valerio Setti --- ChangeLog.d/8824.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/8824.txt diff --git a/ChangeLog.d/8824.txt b/ChangeLog.d/8824.txt new file mode 100644 index 0000000..fb34c01 --- /dev/null +++ b/ChangeLog.d/8824.txt @@ -0,0 +1,6 @@ +Bugfix + * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() or + mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in + the RSA context. Before they always used PKCS#1 v1.5 even when the RSA + context was configured for PKCS#1 v2.1 (PSS/OAEP). Fixes #8824. + -- cgit v1.1 From 3e6ac1b5d1f19c6448d934198960c24b2d7ba523 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 20 Feb 2024 11:28:00 +0100 Subject: fix changelog Signed-off-by: Valerio Setti --- ChangeLog.d/8824.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/8824.txt b/ChangeLog.d/8824.txt index fb34c01..abc305f 100644 --- a/ChangeLog.d/8824.txt +++ b/ChangeLog.d/8824.txt @@ -1,6 +1,7 @@ Bugfix - * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() or + * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in - the RSA context. Before they always used PKCS#1 v1.5 even when the RSA - context was configured for PKCS#1 v2.1 (PSS/OAEP). Fixes #8824. + the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled, they always + used PKCS#1 v1.5 even when the RSA context was configured for PKCS#1 v2.1 + (PSS/OAEP). Fixes #8824. -- cgit v1.1 From dc5597b3dd9487cf41429292bfd7ab7391c88e61 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 20 Feb 2024 11:42:18 +0100 Subject: Fix copypasta Signed-off-by: Gilles Peskine --- include/psa/crypto.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index da1418f..0878836 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3774,7 +3774,7 @@ psa_status_t psa_key_derivation_output_key( * the policy must be the same as in the current * operation. * \param[in,out] operation The key derivation operation object to read from. - * \param[in] method Customization parameters for the key generation. + * \param[in] method Customization parameters for the key derivation. * When this is #PSA_KEY_GENERATION_METHOD_INIT * with \p method_data_length = 0, * this function is equivalent to @@ -4141,7 +4141,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * When this is #PSA_KEY_GENERATION_METHOD_INIT * with \p method_data_length = 0, * this function is equivalent to - * psa_key_derivation_output_key(). + * psa_key_generation_output_key(). * \param method_data_length * Length of `method.data` in bytes. * \param[out] key On success, an identifier for the newly created -- cgit v1.1 From e7a7013910067fcf7a32a036991a67b66c2dbe6a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 20 Feb 2024 11:49:54 +0100 Subject: Remove initialization function for variable-length struct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Assigning the return value of a function that returns a struct with a flexible array member does not fill the flexible array member, which leaves a gap in the initialization that could be surprising to programmers. Also, this is a borderline case in ABI design which could cause interoperability problems. So remove this function. This gets rid of an annoying note from GCC about ABI compatibility on (at least) x86_64. ``` In file included from include/psa/crypto.h:4820, from :1: include/psa/crypto_struct.h: In function ‘psa_key_generation_method_init’: include/psa/crypto_struct.h:244:1: note: the ABI of passing struct with a flexible array member has changed in GCC 4.4 244 | { | ^ ``` Signed-off-by: Gilles Peskine --- include/psa/crypto_struct.h | 7 ------- tests/suites/test_suite_psa_crypto.function | 2 -- 2 files changed, 9 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 248caa2..f41bc83 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -239,13 +239,6 @@ struct psa_key_generation_method_s { */ #define PSA_KEY_GENERATION_METHOD_INIT { 0 } -static inline struct psa_key_generation_method_s psa_key_generation_method_init( - void) -{ - const struct psa_key_generation_method_s v = PSA_KEY_GENERATION_METHOD_INIT; - return v; -} - struct psa_key_policy_s { psa_key_usage_t MBEDTLS_PRIVATE(usage); psa_algorithm_t MBEDTLS_PRIVATE(alg); diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index e946f4e..6cd1e93 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -9996,12 +9996,10 @@ exit: /* BEGIN_CASE */ void key_generation_method_init() { - psa_key_generation_method_t func = psa_key_generation_method_init(); psa_key_generation_method_t init = PSA_KEY_GENERATION_METHOD_INIT; psa_key_generation_method_t zero; memset(&zero, 0, sizeof(zero)); - TEST_EQUAL(func.flags, 0); TEST_EQUAL(init.flags, 0); TEST_EQUAL(zero.flags, 0); } -- cgit v1.1 From 0512d178e01430ceeb97902a9f219e6575f672ee Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 20 Feb 2024 14:30:46 +0000 Subject: Exp mod: Make sure RR has enough limbs When generated by exp_mod, RR has enough limbs to be passed as a parameter to core functions. If it is received from the caller, it might be of any length. Signed-off-by: Janos Follath --- library/bignum.c | 1 + tests/suites/test_suite_bignum.function | 31 +++++++++++++++++++++++++++++++ tests/suites/test_suite_bignum.misc.data | 6 ++++++ 3 files changed, 38 insertions(+) diff --git a/library/bignum.c b/library/bignum.c index 5ddcf72..0b8fec3 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1639,6 +1639,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, *prec_RR = RR; } } else { + MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n)); RR = *prec_RR; } diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 50be2d2..61df16e 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -966,6 +966,37 @@ exit: /* END_CASE */ /* BEGIN_CASE */ +void mpi_exp_mod_min_RR(char *input_A, char *input_E, + char *input_N, char *input_X, + int exp_result) +{ + mbedtls_mpi A, E, N, RR, Z, X; + int res; + mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); + mbedtls_mpi_init(&RR); mbedtls_mpi_init(&Z); mbedtls_mpi_init(&X); + + TEST_ASSERT(mbedtls_test_read_mpi(&A, input_A) == 0); + TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); + TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); + TEST_ASSERT(mbedtls_test_read_mpi(&X, input_X) == 0); + + TEST_ASSERT(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N) == 0); + TEST_ASSERT(mbedtls_mpi_shrink(&RR, 0) == 0); + + res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR); + TEST_ASSERT(res == exp_result); + if (res == 0) { + TEST_ASSERT(sign_is_valid(&Z)); + TEST_ASSERT(mbedtls_mpi_cmp_mpi(&Z, &X) == 0); + } + +exit: + mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); + mbedtls_mpi_free(&RR); mbedtls_mpi_free(&Z); mbedtls_mpi_free(&X); +} +/* END_CASE */ + +/* BEGIN_CASE */ void mpi_exp_mod(char *input_A, char *input_E, char *input_N, char *input_X, int exp_result) diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index c53e42a..8f5218c 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data @@ -1391,6 +1391,12 @@ Test mbedtls_mpi_exp_mod (Negative base) [#2] depends_on:MPI_MAX_BITS_LARGER_THAN_792 mpi_exp_mod:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0 +Test mbedtls_mpi_exp_mod (N.n=3, RR.n=1 on 32 bit) +mpi_exp_mod_min_RR:"10":"2":"10000000100000001":"100":0 + +Test mbedtls_mpi_exp_mod (N.n=3, RR.n=1 on 64 bit) +mpi_exp_mod_min_RR:"10":"2":"100000000000000010000000000000001":"100":0 + Base test GCD #1 mpi_gcd:"2b5":"261":"15" -- cgit v1.1 From 092ce51c470fabe0c1895048b61ad713fe342ad7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 20 Feb 2024 12:31:24 +0100 Subject: Rename "key generation method" to "key production parameters" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit "Key generation method" was misleading since it also applies to key derivation. Change "key generation" to "key production", which we aren't using yet and has roughly the right intuition. Change "method" to "parameters" which there seems to be a slight preference for. Discussion thread: https://github.com/Mbed-TLS/mbedtls/pull/8815#discussion_r1486524295 Identifiers renamed: psa_key_generation_method_t → psa_key_production_parameters_t psa_key_generation_method_s → psa_key_production_parameters_s PSA_KEY_GENERATION_METHOD_INIT → PSA_KEY_PRODUCTION_PARAMETERS_INIT method → params method_data_length → params_data_length default_method → default_production_parameters psa_key_generation_method_is_default → psa_key_production_parameters_are_default setup_key_generation_method → setup_key_production_parameters key_generation_method_init → key_production_parameters_init Signed-off-by: Gilles Peskine --- include/psa/crypto.h | 54 ++++++++++--------- include/psa/crypto_struct.h | 10 ++-- include/psa/crypto_types.h | 2 +- library/psa_crypto.c | 45 ++++++++-------- library/psa_crypto_core.h | 24 ++++----- .../psa_crypto_driver_wrappers.h.jinja | 22 ++++---- tests/suites/test_suite_psa_crypto.data | 4 +- tests/suites/test_suite_psa_crypto.function | 61 +++++++++++----------- 8 files changed, 113 insertions(+), 109 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 0878836..18c783c 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3703,8 +3703,8 @@ psa_status_t psa_key_derivation_output_bytes( * * \note This function is equivalent to calling * psa_key_derivation_output_key_ext() - * with the method #PSA_KEY_GENERATION_METHOD_INIT and - * `method_data_length == 0` (i.e. `method->data` is empty). + * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT + * and `params_data_length == 0` (i.e. `params->data` is empty). * * \param[in] attributes The attributes for the new key. * If the key type to be created is @@ -3759,11 +3759,13 @@ psa_status_t psa_key_derivation_output_key( psa_key_derivation_operation_t *operation, mbedtls_svc_key_id_t *key); -/** Derive a key from an ongoing key derivation operation with a custom method. +/** Derive a key from an ongoing key derivation operation with custom + * production parameters. * * See the description of psa_key_derivation_out_key() for the operation of - * this function with the default method. - * Mbed TLS currently does not currently support any non-default methods. + * this function with the default production parameters. + * Mbed TLS currently does not currently support any non-default production + * parameters. * * \note This function is experimental and may change in future minor * versions of Mbed TLS. @@ -3774,16 +3776,16 @@ psa_status_t psa_key_derivation_output_key( * the policy must be the same as in the current * operation. * \param[in,out] operation The key derivation operation object to read from. - * \param[in] method Customization parameters for the key derivation. - * When this is #PSA_KEY_GENERATION_METHOD_INIT - * with \p method_data_length = 0, + * \param[in] params Customization parameters for the key derivation. + * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + * with \p params_data_length = 0, * this function is equivalent to * psa_key_derivation_output_key(). * Mbed TLS currently only supports the default - * method, i.e. #PSA_KEY_GENERATION_METHOD_INIT, + * method, i.e. #PSA_KEY_PRODUCTION_PARAMETERS_INIT, * for all key types. - * \param method_data_length - * Length of `method.data` in bytes. + * \param params_data_length + * Length of `params->data` in bytes. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key * identifier defined in \p attributes. @@ -3829,8 +3831,8 @@ psa_status_t psa_key_derivation_output_key( psa_status_t psa_key_derivation_output_key_ext( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, - const psa_key_generation_method_t *method, - size_t method_data_length, + const psa_key_production_parameters_t *params, + size_t params_data_length, mbedtls_svc_key_id_t *key); /** Compare output data from a key derivation operation to an expected value. @@ -4088,8 +4090,8 @@ psa_status_t psa_generate_random(uint8_t *output, * attributes. * * \note This function is equivalent to calling psa_generate_key_ext() - * with the method #PSA_KEY_GENERATION_METHOD_INIT and - * `method_data_length == 0` (i.e. `method->data` is empty). + * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT + * and `params_data_length == 0` (i.e. `params->data` is empty). * * \param[in] attributes The attributes for the new key. * \param[out] key On success, an identifier for the newly created @@ -4124,12 +4126,12 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key); /** - * \brief Generate a key or key pair using a custom method. + * \brief Generate a key or key pair using custom production parameters. * * See the description of psa_generate_key() for the operation of this - * function with the default method. In addition, this function supports - * the following non-default methods, described in more detail in the - * documentation of ::psa_key_generation_method_t: + * function with the default production parameters. In addition, this function + * supports the following production customizations, described in more detail + * in the documentation of ::psa_key_production_parameters_t: * * - RSA keys: generation with a custom public exponent. * @@ -4137,13 +4139,13 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * versions of Mbed TLS. * * \param[in] attributes The attributes for the new key. - * \param[in] method Customization parameters for the key generation. - * When this is #PSA_KEY_GENERATION_METHOD_INIT - * with \p method_data_length = 0, + * \param[in] params Customization parameters for the key generation. + * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT + * with \p params_data_length = 0, * this function is equivalent to * psa_key_generation_output_key(). - * \param method_data_length - * Length of `method.data` in bytes. + * \param params_data_length + * Length of `params->data` in bytes. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key * identifier defined in \p attributes. @@ -4173,8 +4175,8 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * results in this error code. */ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, - const psa_key_generation_method_t *method, - size_t method_data_length, + const psa_key_production_parameters_t *params, + size_t params_data_length, mbedtls_svc_key_id_t *key); /**@}*/ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index f41bc83..e2068e8 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -223,21 +223,21 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init( return v; } -struct psa_key_generation_method_s { +struct psa_key_production_parameters_s { /* Future versions may add other fields in this structure. */ uint32_t flags; uint8_t data[]; }; -/** The default method for key generation or key derivation. +/** The default production parameters for key generation or key derivation. * * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext() - * with `method=PSA_KEY_GENERATION_METHOD_INIT` and - * `method_data_length == 0` is equivalent to + * with `params=PSA_KEY_PRODUCTION_PARAMETERS_INIT` and + * `params_data_length == 0` is equivalent to * calling psa_generate_key() or psa_key_derivation_output_key() * respectively. */ -#define PSA_KEY_GENERATION_METHOD_INIT { 0 } +#define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 } struct psa_key_policy_s { psa_key_usage_t MBEDTLS_PRIVATE(usage); diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 35a3bdb..c509807 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -477,7 +477,7 @@ typedef uint16_t psa_key_derivation_step_t; * - Other key types: reserved for future use. \c flags must be 0. * */ -typedef struct psa_key_generation_method_s psa_key_generation_method_t; +typedef struct psa_key_production_parameters_s psa_key_production_parameters_t; /**@}*/ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d84d101..4df3dc5 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6023,16 +6023,17 @@ exit: return status; } -static const psa_key_generation_method_t default_method = PSA_KEY_GENERATION_METHOD_INIT; +static const psa_key_production_parameters_t default_production_parameters = + PSA_KEY_PRODUCTION_PARAMETERS_INIT; -int psa_key_generation_method_is_default( - const psa_key_generation_method_t *method, - size_t method_data_length) +int psa_key_production_parameters_are_default( + const psa_key_production_parameters_t *params, + size_t params_data_length) { - if (method->flags != 0) { + if (params->flags != 0) { return 0; } - if (method_data_length != 0) { + if (params_data_length != 0) { return 0; } return 1; @@ -6041,8 +6042,8 @@ int psa_key_generation_method_is_default( psa_status_t psa_key_derivation_output_key_ext( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, - const psa_key_generation_method_t *method, - size_t method_data_length, + const psa_key_production_parameters_t *params, + size_t params_data_length, mbedtls_svc_key_id_t *key) { psa_status_t status; @@ -6057,7 +6058,7 @@ psa_status_t psa_key_derivation_output_key_ext( return PSA_ERROR_INVALID_ARGUMENT; } - if (!psa_key_generation_method_is_default(method, method_data_length)) { + if (!psa_key_production_parameters_are_default(params, params_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -6098,7 +6099,7 @@ psa_status_t psa_key_derivation_output_key( mbedtls_svc_key_id_t *key) { return psa_key_derivation_output_key_ext(attributes, operation, - &default_method, 0, + &default_production_parameters, 0, key); } @@ -7497,15 +7498,15 @@ static psa_status_t psa_validate_key_type_and_size_for_key_generation( psa_status_t psa_generate_key_internal( const psa_key_attributes_t *attributes, - const psa_key_generation_method_t *method, size_t method_data_length, + const psa_key_production_parameters_t *params, size_t params_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_type_t type = attributes->core.type; /* Only used for RSA */ - (void) method; - (void) method_data_length; + (void) params; + (void) params_data_length; if ((attributes->domain_parameters == NULL) && (attributes->domain_parameters_size != 0)) { @@ -7532,9 +7533,9 @@ psa_status_t psa_generate_key_internal( * that mbedtls_psa_rsa_generate_key() gets e via a new * parameter instead. */ psa_key_attributes_t override_attributes = *attributes; - if (method_data_length != 0) { - override_attributes.domain_parameters_size = method_data_length; - override_attributes.domain_parameters = (uint8_t *) &method->data; + if (params_data_length != 0) { + override_attributes.domain_parameters_size = params_data_length; + override_attributes.domain_parameters = (uint8_t *) ¶ms->data; } return mbedtls_psa_rsa_generate_key(&override_attributes, key_buffer, @@ -7569,8 +7570,8 @@ psa_status_t psa_generate_key_internal( } psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, - const psa_key_generation_method_t *method, - size_t method_data_length, + const psa_key_production_parameters_t *params, + size_t params_data_length, mbedtls_svc_key_id_t *key) { psa_status_t status; @@ -7593,12 +7594,12 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - if (method->flags != 0) { + if (params->flags != 0) { return PSA_ERROR_INVALID_ARGUMENT; } } else #endif - if (!psa_key_generation_method_is_default(method, method_data_length)) { + if (!psa_key_production_parameters_are_default(params, params_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7639,7 +7640,7 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, } status = psa_driver_wrapper_generate_key(attributes, - method, method_data_length, + params, params_data_length, slot->key.data, slot->key.bytes, &slot->key.bytes); if (status != PSA_SUCCESS) { @@ -7661,7 +7662,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key) { return psa_generate_key_ext(attributes, - &default_method, 0, + &default_production_parameters, 0, key); } diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 965db94..6db533c 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -396,17 +396,17 @@ psa_status_t psa_export_public_key_internal( const uint8_t *key_buffer, size_t key_buffer_size, uint8_t *data, size_t data_size, size_t *data_length); -/** Whether a key generation method is the default. +/** Whether a key production parameters structure is the default. * - * Calls to a key generation driver with a non-default method - * require a driver supporting custom methods. + * Calls to a key generation driver with non-default production parameters + * require a driver supporting custom production parameters. * - * \param[in] method The key generation method to check. - * \param method_data_length Size of `method.data` in bytes. + * \param[in] params The key production parameters to check. + * \param params_data_length Size of `params->data` in bytes. */ -int psa_key_generation_method_is_default( - const psa_key_generation_method_t *method, - size_t method_data_length); +int psa_key_production_parameters_are_default( + const psa_key_production_parameters_t *params, + size_t params_data_length); /** * \brief Generate a key. @@ -415,9 +415,9 @@ int psa_key_generation_method_is_default( * entry point. * * \param[in] attributes The attributes for the key to generate. - * \param[in] method The generation method from + * \param[in] params The production parameters from * psa_generate_key_ext(). - * \param method_data_length The size of `method.data` in bytes. + * \param params_data_length The size of `params->data` in bytes. * \param[out] key_buffer Buffer where the key data is to be written. * \param[in] key_buffer_size Size of \p key_buffer in bytes. * \param[out] key_buffer_length On success, the number of bytes written in @@ -432,8 +432,8 @@ int psa_key_generation_method_is_default( * The size of \p key_buffer is too small. */ psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes, - const psa_key_generation_method_t *method, - size_t method_data_length, + const psa_key_production_parameters_t *params, + size_t params_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja index 10843c3..4f9764d 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja @@ -731,7 +731,7 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( static inline psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, - const psa_key_generation_method_t *method, size_t method_data_length, + const psa_key_production_parameters_t *params, size_t params_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -739,16 +739,17 @@ static inline psa_status_t psa_driver_wrapper_generate_key( PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime); #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) - int is_default_method = - psa_key_generation_method_is_default(method, method_data_length); - if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_method ) + int is_default_production = + psa_key_production_parameters_are_default(params, params_data_length); + if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production ) { - /* We don't support passing a custom method to drivers yet. */ + /* We don't support passing custom production parameters + * to drivers yet. */ return PSA_ERROR_NOT_SUPPORTED; } #else - int is_default_method = 1; - (void) is_default_method; + int is_default_production = 1; + (void) is_default_production; #endif /* Try dynamically-registered SE interface first */ @@ -777,9 +778,10 @@ static inline psa_status_t psa_driver_wrapper_generate_key( case PSA_KEY_LOCATION_LOCAL_STORAGE: #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) /* Transparent drivers are limited to generating asymmetric keys. */ - /* We don't support passing a custom method to drivers yet. */ + /* We don't support passing custom production parameters + * to drivers yet. */ if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) && - is_default_method ) + is_default_production ) { /* Cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_DRIVER_TEST) @@ -809,7 +811,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( /* Software fallback */ status = psa_generate_key_internal( - attributes, method, method_data_length, + attributes, params, params_data_length, key_buffer, key_buffer_size, key_buffer_length ); break; diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index e29e466..8139469 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -7550,8 +7550,8 @@ PSA generate key ext: ECC, method.data non-empty depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT -Key generation method initializers -key_generation_method_init: +Key production parameters initializers +key_production_parameters_init: PSA import persistent key: raw data, 8 bits depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 6cd1e93..b40b5f8 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1309,26 +1309,25 @@ exit: } #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ -static int setup_key_generation_method(psa_key_generation_method_t **method, - size_t *method_data_length, - int flags_arg, - const data_t *method_data) +static int setup_key_production_parameters( + psa_key_production_parameters_t **params, size_t *params_data_length, + int flags_arg, const data_t *params_data) { - *method_data_length = method_data->len; + *params_data_length = params_data->len; /* If there are N bytes of padding at the end of - * psa_key_generation_method_t, then it's enough to allocate - * MIN(sizeof(psa_key_generation_method_t), - * offsetof(psa_key_generation_method_t, data) + method_data_length). + * psa_key_production_parameters_t, then it's enough to allocate + * MIN(sizeof(psa_key_production_parameters_t), + * offsetof(psa_key_production_parameters_t, data) + params_data_length). * * For simplicity, here, we allocate up to N more bytes than necessary. - * In practice, the current layout of psa_key_generation_method_t + * In practice, the current layout of psa_key_production_parameters_t * makes padding extremely unlikely, so we don't worry about testing * that the library code doesn't try to access these extra N bytes. */ - *method = mbedtls_calloc(1, sizeof(**method) + *method_data_length); - TEST_ASSERT(*method != NULL); - (*method)->flags = (uint32_t) flags_arg; - memcpy((*method)->data, method_data->x, method_data->len); + *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length); + TEST_ASSERT(*params != NULL); + (*params)->flags = (uint32_t) flags_arg; + memcpy((*params)->data, params_data->x, params_data->len); return 1; exit: return 0; @@ -9340,7 +9339,7 @@ void derive_key_ext(int alg_arg, data_t *input2, int key_type_arg, int bits_arg, int flags_arg, - data_t *method_data, + data_t *params_data, psa_status_t expected_status, data_t *expected_export) { @@ -9349,8 +9348,8 @@ void derive_key_ext(int alg_arg, const psa_algorithm_t alg = alg_arg; const psa_key_type_t key_type = key_type_arg; const size_t bits = bits_arg; - psa_key_generation_method_t *method = NULL; - size_t method_data_length = 0; + psa_key_production_parameters_t *params = NULL; + size_t params_data_length = 0; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; const size_t export_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); @@ -9380,13 +9379,13 @@ void derive_key_ext(int alg_arg, psa_set_key_algorithm(&derived_attributes, 0); psa_set_key_type(&derived_attributes, key_type); psa_set_key_bits(&derived_attributes, bits); - if (!setup_key_generation_method(&method, &method_data_length, - flags_arg, method_data)) { + if (!setup_key_production_parameters(¶ms, ¶ms_data_length, + flags_arg, params_data)) { goto exit; } TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation, - method, method_data_length, + params, params_data_length, &derived_key), expected_status); @@ -9400,7 +9399,7 @@ void derive_key_ext(int alg_arg, exit: mbedtls_free(export_buffer); - mbedtls_free(method); + mbedtls_free(params); psa_key_derivation_abort(&operation); psa_destroy_key(base_key); psa_destroy_key(derived_key); @@ -9929,7 +9928,7 @@ void generate_key_ext(int type_arg, int usage_arg, int alg_arg, int flags_arg, - data_t *method_data, + data_t *params_data, int expected_status_arg) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; @@ -9939,8 +9938,8 @@ void generate_key_ext(int type_arg, psa_algorithm_t alg = alg_arg; psa_status_t expected_status = expected_status_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_generation_method_t *method = NULL; - size_t method_data_length = 0; + psa_key_production_parameters_t *params = NULL; + size_t params_data_length = 0; psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; PSA_ASSERT(psa_crypto_init()); @@ -9950,14 +9949,14 @@ void generate_key_ext(int type_arg, psa_set_key_type(&attributes, type); psa_set_key_bits(&attributes, bits); - if (!setup_key_generation_method(&method, &method_data_length, - flags_arg, method_data)) { + if (!setup_key_production_parameters(¶ms, ¶ms_data_length, + flags_arg, params_data)) { goto exit; } /* Generate a key */ psa_status_t status = psa_generate_key_ext(&attributes, - method, method_data_length, + params, params_data_length, &key); TEST_EQUAL(status, expected_status); @@ -9972,7 +9971,7 @@ void generate_key_ext(int type_arg, #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - TEST_ASSERT(rsa_test_e(key, bits, method_data)); + TEST_ASSERT(rsa_test_e(key, bits, params_data)); } #endif @@ -9987,17 +9986,17 @@ exit: * thus reset them as required. */ psa_reset_key_attributes(&got_attributes); - mbedtls_free(method); + mbedtls_free(params); psa_destroy_key(key); PSA_DONE(); } /* END_CASE */ /* BEGIN_CASE */ -void key_generation_method_init() +void key_production_parameters_init() { - psa_key_generation_method_t init = PSA_KEY_GENERATION_METHOD_INIT; - psa_key_generation_method_t zero; + psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT; + psa_key_production_parameters_t zero; memset(&zero, 0, sizeof(zero)); TEST_EQUAL(init.flags, 0); -- cgit v1.1 From aab7f7f517c01e8d21ff0fb72fdd10378f5a0073 Mon Sep 17 00:00:00 2001 From: Bill Roberts Date: Tue, 20 Feb 2024 08:16:57 -0600 Subject: project: set version Set the version of the project within the project() declaration so other cmake scripts can use PROJECT_VERSION. Signed-off-by: Bill Roberts --- CMakeLists.txt | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5585c78..179c3f6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -34,9 +34,15 @@ cmake_policy(SET CMP0011 NEW) cmake_policy(SET CMP0012 NEW) if(TEST_CPP) - project("Mbed TLS" LANGUAGES C CXX) + project("Mbed TLS" + LANGUAGES C CXX + VERSION 3.5.2 + ) else() - project("Mbed TLS" LANGUAGES C) + project("Mbed TLS" + LANGUAGES C + VERSION 3.5.2 + ) endif() include(GNUInstallDirs) -- cgit v1.1 From 23605d19d9849c394dd4fe95cf0f84d94081651e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 20 Feb 2024 17:10:56 +0100 Subject: More renaming: method -> production parameters Signed-off-by: Gilles Peskine --- include/psa/crypto.h | 3 ++- include/psa/crypto_types.h | 8 ++++---- tests/suites/test_suite_psa_crypto.data | 10 +++++----- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 18c783c..e54af34 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3782,7 +3782,8 @@ psa_status_t psa_key_derivation_output_key( * this function is equivalent to * psa_key_derivation_output_key(). * Mbed TLS currently only supports the default - * method, i.e. #PSA_KEY_PRODUCTION_PARAMETERS_INIT, + * production parameters, i.e. + * #PSA_KEY_PRODUCTION_PARAMETERS_INIT, * for all key types. * \param params_data_length * Length of `params->data` in bytes. diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index c509807..31ea686 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -455,11 +455,11 @@ typedef uint64_t psa_key_slot_number_t; */ typedef uint16_t psa_key_derivation_step_t; -/** \brief Custom method for key generation or key derivation. +/** \brief Custom parameters for key generation or key derivation. * * This is a structure type with at least the following fields: * - * - \c flags: an unsigned integer type. 0 for the default method. + * - \c flags: an unsigned integer type. 0 for the default production parameters. * - \c data: a flexible array of bytes. * * The interpretation of this structure depend on the type of the @@ -472,8 +472,8 @@ typedef uint16_t psa_key_derivation_step_t; * Implementations must support 65535, should support 3 and may * support other values. * When not using a driver, Mbed TLS supports values up to \c INT_MAX. - * If this is empty or if the custom method is omitted altogether, - * the default value 65537 is used. + * If this is empty or if the custom production parameters are omitted + * altogether, the default value 65537 is used. * - Other key types: reserved for future use. \c flags must be 0. * */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 8139469..e9570b1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6870,15 +6870,15 @@ PSA key derivation: PBKDF2-AES-CMAC-PRF-128-> AES-256 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH derive_key_type:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"706173737764":"01":"73616c74":PSA_KEY_TYPE_AES:256:"28e288c6345bb5ecf7ca70274208a3ba0f1148b5868537d5e09d3ee6813b1f52" -PSA key derivation: default method -> AES-128 +PSA key derivation: default params -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" -PSA key derivation: method.flags=1 -> AES-128 +PSA key derivation: params.flags=1 -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:"" -PSA key derivation: method.data non-empty -> AES-128 +PSA key derivation: params.data non-empty -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:"" @@ -7473,7 +7473,7 @@ PSA generate key: FFDH, 1024 bits, invalid bits depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0 -PSA generate key ext: RSA, method.flags=1 +PSA generate key ext: RSA, params.flags=1 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT @@ -7546,7 +7546,7 @@ PSA generate key ext: ECC, flags=1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT -PSA generate key ext: ECC, method.data non-empty +PSA generate key ext: ECC, params.data non-empty depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT -- cgit v1.1 From 93cea578b9a44740d11a3571ecc736f14746c4a0 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 20 Feb 2024 18:01:29 +0000 Subject: Clarify which unregister operation needs to be used Signed-off-by: Ryan Everett --- library/psa_crypto.c | 18 ++++++++++++++---- library/psa_crypto_core.h | 4 +++- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 43b597c..07edd0a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -909,8 +909,13 @@ static psa_status_t psa_restrict_key_policy( * into a key slot if not already done. * * On success, the returned key slot has been registered for reading. - * It is the responsibility of the caller to call psa_unregister_read(slot) - * when they have finished reading the contents of the slot. + * It is the responsibility of the caller to then unregister + * once they have finished reading the contents of the slot. + * The caller unregisters by calling psa_unregister_read() or + * psa_unregister_read_under_mutex(). psa_unregister_read() must be called + * if and only if the caller already holds the global key slot mutex + * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates + * the unregister with mutex lock and unlock operations. */ static psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key, @@ -970,8 +975,13 @@ error: * for a cryptographic operation. * * On success, the returned key slot has been registered for reading. - * It is the responsibility of the caller to call psa_unregister_read(slot) - * when they have finished reading the contents of the slot. + * It is the responsibility of the caller to then unregister + * once they have finished reading the contents of the slot. + * The caller unregisters by calling psa_unregister_read() or + * psa_unregister_read_under_mutex(). psa_unregister_read() must be called + * if and only if the caller already holds the global key slot mutex + * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates + * psa_unregister_read() with mutex lock and unlock operations. */ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( mbedtls_svc_key_id_t key, diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index dc376d7..0d7322c 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -89,7 +89,9 @@ typedef struct { * A function must call psa_register_read(slot) before reading the current * contents of the slot for an operation. * They then must call psa_unregister_read(slot) once they have finished - * reading the current contents of the slot. + * reading the current contents of the slot. If the key slot mutex is not + * held (when mutexes are enabled), this call must be done via a call to + * psa_unregister_read_under_mutex(slot). * A function must call psa_key_slot_has_readers(slot) to check if * the slot is in use for reading. * -- cgit v1.1 From 424c2655b98ab00fa35aa4a25fe553d24a17e638 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 21 Feb 2024 09:26:36 +0000 Subject: Exp mod: tidy up temporary storage allocation Signed-off-by: Janos Follath --- library/bignum.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 0b8fec3..7681982 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1624,10 +1624,17 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, return ret; } + /* + * Allocate working memory for mbedtls_mpi_core_exp_mod() + */ + size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n); + mbedtls_mpi_uint *T = (mbedtls_mpi_uint*) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint)); + if (T == NULL) { + return MBEDTLS_ERR_MPI_ALLOC_FAILED; + } + mbedtls_mpi RR; mbedtls_mpi_init(&RR); - mbedtls_mpi T; - mbedtls_mpi_init(&T); /* * If 1st call, pre-compute R^2 mod N @@ -1670,19 +1677,13 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n)); /* - * Allocate working memory for mbedtls_mpi_core_exp_mod() - */ - size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n); - MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, T_limbs)); - - /* * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod(). */ mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); - mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T.p); + mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T); mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, - T.p); - mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T.p); + T); + mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T); /* * Correct for negative A. @@ -1694,7 +1695,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, cleanup: - mbedtls_mpi_free(&T); + mbedtls_mpi_zeroize_and_free(T, T_limbs); if (prec_RR == NULL || prec_RR->p == NULL) { mbedtls_mpi_free(&RR); -- cgit v1.1 From 946491360b7d67dfe69021980300d50329a90070 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 21 Feb 2024 10:31:39 +0000 Subject: Unrestore mbedtls_x509_string_to_names() This function should be internal, being exposed only via functions like mbedtls_x509write_crt_set_subject_name(). Signed-off-by: David Horstmann --- include/mbedtls/x509.h | 2 -- library/x509_internal.h | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 1dde7af..7158555 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -322,8 +322,6 @@ mbedtls_x509_san_list; */ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn); -int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name); - /** * \brief Return the next relative DN in an X509 name. * diff --git a/library/x509_internal.h b/library/x509_internal.h index 8a2d2ed..09b6fc5 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -21,6 +21,7 @@ #include "mbedtls/rsa.h" #endif +int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name); int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur); int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end, -- cgit v1.1 From 8ed3c60504145fb01fd32f4ffb93467f1207a27f Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 21 Feb 2024 10:36:54 +0000 Subject: Remove unnecessary ChangeLog entry This bug was never present in a release, so no ChangeLog entry is needed. Signed-off-by: David Horstmann --- ChangeLog.d/restore-x509-functions-to-public.txt | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 ChangeLog.d/restore-x509-functions-to-public.txt diff --git a/ChangeLog.d/restore-x509-functions-to-public.txt b/ChangeLog.d/restore-x509-functions-to-public.txt deleted file mode 100644 index fef0764..0000000 --- a/ChangeLog.d/restore-x509-functions-to-public.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * Restore X509 functions erroneously removed from the public interface: - mbedtls_x509_dn_get_next(), mbedtls_x509_serial_gets(), - mbedtls_x509_time_cmp(), mbedtls_x509_time_gmtime(), - mbedtls_x509_time_is_past(), mbedtls_x509_time_is_future() - mbedtls_x509_parse_subject_alt_name(), mbedtls_x509_free_subject_alt_name() -- cgit v1.1 From aec1a868fe783a85cd057b78163bd0b1e143f0c6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 21 Feb 2024 11:24:20 +0000 Subject: Use mbedtls_ct_condition_t in mpi_core_check_zero Signed-off-by: Janos Follath --- library/bignum_core.c | 6 +++--- library/bignum_core.h | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index dfed60d..f66739d 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -856,8 +856,8 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, return c; } -mbedtls_mpi_uint mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, - size_t limbs) +mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, + size_t limbs) { mbedtls_mpi_uint bits = 0; @@ -865,7 +865,7 @@ mbedtls_mpi_uint mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, bits |= A[i]; } - return bits; + return mbedtls_ct_bool(bits); } void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X, diff --git a/library/bignum_core.h b/library/bignum_core.h index b56be0a..92c8d47 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h @@ -662,11 +662,11 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, * \param[in] A The MPI to test. * \param limbs Number of limbs in \p A. * - * \return 0 if `A == 0` - * non-0 (may be any value) if `A != 0`. + * \return MBEDTLS_CT_FALSE if `A == 0` + * MBEDTLS_CT_TRUE if `A != 0`. */ -mbedtls_mpi_uint mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, - size_t limbs); +mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, + size_t limbs); /** * \brief Returns the number of limbs of working memory required for -- cgit v1.1 From 86258f51b5bcbe4e2f8cbad6ef3c2e162f0d619b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 21 Feb 2024 11:25:41 +0000 Subject: Exp mod: handle negative zero Signed-off-by: Janos Follath --- library/bignum.c | 4 +++- tests/suites/test_suite_bignum.misc.data | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/library/bignum.c b/library/bignum.c index 7681982..08b8b34 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1689,7 +1689,9 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, * Correct for negative A. */ if (A->s == -1 && (E->p[0] & 1) != 0) { - X->s = -1; + mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n); + X->s = mbedtls_ct_uint_if(is_x_non_zero, -1, 1); + MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X)); } diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 8f5218c..a953153 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data @@ -1362,6 +1362,9 @@ mpi_exp_mod:"04":"00":"09":"1":0 Test mbedtls_mpi_exp_mod: 10 ^ 0 (1 limb) mod 9 mpi_exp_mod:"0a":"00":"09":"1":0 +Test mbedtls_mpi_exp_mod: -3 ^ 3 mod 27 +mpi_exp_mod:"-3":"3":"1b":"1b":0 + Test mbedtls_mpi_exp_mod: MAX_SIZE exponent mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:10:"":0 -- cgit v1.1 From 6bd5cae3e690054b3d5c8ae65841d01698ea9ecf Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 21 Feb 2024 11:27:31 +0000 Subject: Fix MBEDTLS_MPI_WINDOW_SIZE documentation Signed-off-by: Janos Follath --- include/mbedtls/bignum.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 8752072..71d7b97 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -51,11 +51,11 @@ #if !defined(MBEDTLS_MPI_WINDOW_SIZE) /* - * Maximum window size used for modular exponentiation. Default: 2 + * Maximum window size used for modular exponentiation. Default: 3 * Minimum value: 1. Maximum value: 6. * * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used - * for the sliding window calculation. (So 64 by default) + * for the sliding window calculation. (So 8 by default) * * Reduction in size, reduces speed. */ -- cgit v1.1 From 0902572aa4f977a0ca067a3e2a149ada2b84520b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 21 Feb 2024 11:50:25 +0000 Subject: Fix style Signed-off-by: Janos Follath --- library/bignum.c | 2 +- tests/suites/test_suite_bignum.function | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 08b8b34..0e3eb4b 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1628,7 +1628,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, * Allocate working memory for mbedtls_mpi_core_exp_mod() */ size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n); - mbedtls_mpi_uint *T = (mbedtls_mpi_uint*) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint)); + mbedtls_mpi_uint *T = (mbedtls_mpi_uint *) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint)); if (T == NULL) { return MBEDTLS_ERR_MPI_ALLOC_FAILED; } diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 61df16e..47a6c98 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -967,8 +967,8 @@ exit: /* BEGIN_CASE */ void mpi_exp_mod_min_RR(char *input_A, char *input_E, - char *input_N, char *input_X, - int exp_result) + char *input_N, char *input_X, + int exp_result) { mbedtls_mpi A, E, N, RR, Z, X; int res; -- cgit v1.1 From 49221900b0c8edd214902014281203f297290fbb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 13:39:14 +0100 Subject: tls13: write_early_data: Add endpoint check Return in error of the API is not called from a client endpoint. Signed-off-by: Ronald Cron --- library/ssl_msg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index f3bb323..68f5cf1 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -6072,6 +6072,10 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + if (conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + if ((!mbedtls_ssl_conf_is_tls13_enabled(conf)) || (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) || (conf->early_data_enabled != MBEDTLS_SSL_EARLY_DATA_ENABLED)) { -- cgit v1.1 From d4069247b828fee6423a28811e41e14ad223f768 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 13:45:52 +0100 Subject: Improve comments/documentation Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 32 +++++++++++++++++++++++++++++--- library/ssl_msg.c | 19 ++++++++++++++----- tests/suites/test_suite_ssl.function | 7 +++++-- 3 files changed, 48 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6727419..83d2ab8 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5199,17 +5199,43 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, * \brief Try to write exactly 'len' application data bytes while * performing the handshake (early data). * + * \warning Early data is defined in the TLS 1.3 specification, RFC 8446. + * IMPORTANT NOTE from section 2.3 of the specification: + * + * The security properties for 0-RTT data are weaker than + * those for other kinds of TLS data. Specifically: + * - This data is not forward secret, as it is encrypted + * solely under keys derived using the offered PSK. + * - There are no guarantees of non-replay between connections. + * Protection against replay for ordinary TLS 1.3 1-RTT data + * is provided via the server's Random value, but 0-RTT data + * does not depend on the ServerHello and therefore has + * weaker guarantees. This is especially relevant if the + * data is authenticated either with TLS client + * authentication or inside the application protocol. The + * same warnings apply to any use of the + * early_exporter_master_secret. + * * \note This function behaves mainly as mbedtls_ssl_write(). The * specification of mbedtls_ssl_write() relevant to TLS 1.3 * (thus not the parts specific to (D)TLS1.2) applies to this - * function and the present documentation is restricted to the - * differences with mbedtls_ssl_write(). + * function and the present documentation is mainly restricted + * to the differences with mbedtls_ssl_write(). One noticeable + * difference though is that mbedtls_ssl_write() aims to + * complete the handshake before to write application data + * while mbedtls_ssl_write_early() aims to drive the handshake + * just past the point where it is not possible to send early + * data anymore. * * \param ssl SSL context * \param buf buffer holding the data * \param len how many bytes must be written * - * \return One additional specific return value: + * \return The (non-negative) number of bytes actually written if + * successful (may be less than \p len). + * + * \return One additional specific error code compared to + * mbedtls_ssl_write(): * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA. * * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA is returned when it diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 68f5cf1..2a6d434 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -6087,14 +6087,17 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, } /* - * If we are at the beginning of the handshake, advance the handshake just + * If we are at the beginning of the handshake, the early data status being + * equal to MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN or + * MBEDTLS_SSL_EARLY_DATA_STATUS_SENT advance the handshake just * enough to be able to send early data if possible. That way, we can * guarantee that when starting the handshake with this function we will - * send at least one record of early data. - * Otherwise, resume the handshake and if the handshake sequence stops - * waiting for some message from the server, send early data if we can. + * send at least one record of early data. Note that when the status is + * MBEDTLS_SSL_EARLY_DATA_STATUS_SENT and not yet + * MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE, we cannot send early data yet + * as the early data outbound transform has not been set as we may have to + * first send a dummy CCS in clear. */ - if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN) || (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_SENT)) { while ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN) || @@ -6112,6 +6115,12 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, } } } else { + /* + * If we are past the point where we can send early data, return + * immediatly. Otherwise, progress the handshake as much as possible to + * not delay it too much. If we reach a point where we can still send + * early data, then we will send some. + */ if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE) && (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) { return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA; diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index eb5fc12..f6319ee 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4217,8 +4217,11 @@ void tls13_write_early_data(int scenario) TEST_EQUAL(ret, 0); /* - * Run handshakes and test the writing of early data in each possible - * state. + * Run handshakes going one state further in the handshake sequence at each + * loop up to the point where we reach the MBEDTLS_SSL_HANDSHAKE_OVER + * state. For each reached handshake state, check the result of the call + * to mbedtls_ssl_write_early_data() and then restart the handshake from + * scratch (see reset label). */ previous_client_state = MBEDTLS_SSL_HELLO_REQUEST; client_state = MBEDTLS_SSL_HELLO_REQUEST; -- cgit v1.1 From b4fd47e8976585dc948e84135685a225f31c9925 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 14:37:25 +0100 Subject: ssl_client2: Default to library default for early data enablement Signed-off-by: Ronald Cron --- programs/ssl/ssl_client2.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 0723be8..bcf44b7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -52,7 +52,7 @@ int main(void) #define DFL_KEY_OPAQUE 0 #define DFL_KEY_PWD "" #define DFL_PSK "" -#define DFL_EARLY_DATA MBEDTLS_SSL_EARLY_DATA_DISABLED +#define DFL_EARLY_DATA -1 #define DFL_PSK_OPAQUE 0 #define DFL_PSK_IDENTITY "Client_identity" #define DFL_ECJPAKE_PW NULL @@ -347,7 +347,7 @@ int main(void) #if defined(MBEDTLS_SSL_EARLY_DATA) #define USAGE_EARLY_DATA \ - " early_data=%%d default: 0 (disabled)\n" \ + " early_data=%%d default: library default\n" \ " options: 0 (disabled), 1 (enabled)\n" #else #define USAGE_EARLY_DATA "" @@ -2026,7 +2026,9 @@ usage: } #if defined(MBEDTLS_SSL_EARLY_DATA) - mbedtls_ssl_conf_early_data(&conf, opt.early_data); + if (opt.early_data != DFL_EARLY_DATA) { + mbedtls_ssl_conf_early_data(&conf, opt.early_data); + } #endif /* MBEDTLS_SSL_EARLY_DATA */ if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) { @@ -3041,7 +3043,7 @@ reconnect: } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (opt.early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED) { + if (ssl.conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) { frags = 0; written = 0; do { -- cgit v1.1 From 0aead12706a1d340c014bfd1edc93b1aa0746638 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 14:46:56 +0100 Subject: ssl_client2: Improve loop writing early data Signed-off-by: Ronald Cron --- programs/ssl/ssl_client2.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index bcf44b7..0597298 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -3050,7 +3050,7 @@ reconnect: while ((ret = mbedtls_ssl_write_early_data(&ssl, buf + written, len - written)) < 0) { if (ret == MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA) { - break; + goto end_of_early_data; } if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && @@ -3069,15 +3069,14 @@ reconnect: #endif } } - if (ret == MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA) { - break; - } frags++; written += ret; } while (written < len); } +end_of_early_data: + buf[written] = '\0'; mbedtls_printf( " %" MBEDTLS_PRINTF_SIZET " bytes of early data written in %" MBEDTLS_PRINTF_SIZET " fragments\n\n%s\n", -- cgit v1.1 From bf5e909467269d54e3fe21fb989b487409a9c5d4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 15:31:36 +0100 Subject: tests: write early data: Check we can complete handshake after writing Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index f6319ee..b9d8c61 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4147,7 +4147,8 @@ void tls13_write_early_data(int scenario) const char *early_data_string = "This is early data."; const unsigned char *early_data = (const unsigned char *) early_data_string; size_t early_data_len = strlen(early_data_string); - int write_early_data_ret; + int write_early_data_ret, read_early_data_ret; + unsigned char read_buf[64]; mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); @@ -4220,8 +4221,9 @@ void tls13_write_early_data(int scenario) * Run handshakes going one state further in the handshake sequence at each * loop up to the point where we reach the MBEDTLS_SSL_HANDSHAKE_OVER * state. For each reached handshake state, check the result of the call - * to mbedtls_ssl_write_early_data() and then restart the handshake from - * scratch (see reset label). + * to mbedtls_ssl_write_early_data(), make sure we can complete the + * handshake successfully and then reset the connection to restart the + * handshake from scratch. */ previous_client_state = MBEDTLS_SSL_HELLO_REQUEST; client_state = MBEDTLS_SSL_HELLO_REQUEST; @@ -4267,7 +4269,7 @@ void tls13_write_early_data(int scenario) if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) { TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); TEST_EQUAL(client_ep.ssl.state, client_state); - goto reset; + goto complete_handshake; } switch (client_state) { @@ -4422,7 +4424,25 @@ void tls13_write_early_data(int scenario) TEST_FAIL("Unexpected state."); } -reset: +complete_handshake: + do { + ret = mbedtls_test_move_handshake_to_state( + &(server_ep.ssl), &(client_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER); + + if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) { + read_early_data_ret = mbedtls_ssl_read_early_data( + &(server_ep.ssl), read_buf, sizeof(read_buf)); + + TEST_EQUAL(read_early_data_ret, early_data_len); + } + } while (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); + + TEST_EQUAL(ret, 0); + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_HANDSHAKE_OVER), 0); + mbedtls_test_mock_socket_close(&(client_ep.socket)); mbedtls_test_mock_socket_close(&(server_ep.socket)); -- cgit v1.1 From 00046007023ffc2a4f05186c25620b8cc2a0599a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 16:00:12 +0100 Subject: tests: write early data: Inverse loop over state logic Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 89 +++++++++++++++++++----------------- 1 file changed, 46 insertions(+), 43 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index b9d8c61..bcc0b1f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4143,12 +4143,7 @@ void tls13_write_early_data(int scenario) MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; - int client_state, previous_client_state, beyond_first_hello = 0; - const char *early_data_string = "This is early data."; - const unsigned char *early_data = (const unsigned char *) early_data_string; - size_t early_data_len = strlen(early_data_string); - int write_early_data_ret, read_early_data_ret; - unsigned char read_buf[64]; + int beyond_first_hello = 0; mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); @@ -4225,43 +4220,15 @@ void tls13_write_early_data(int scenario) * handshake successfully and then reset the connection to restart the * handshake from scratch. */ - previous_client_state = MBEDTLS_SSL_HELLO_REQUEST; - client_state = MBEDTLS_SSL_HELLO_REQUEST; - - while (client_state != MBEDTLS_SSL_HANDSHAKE_OVER) { - /* In case of HRR scenario, once we have been through it, move over - * the first ClientHello and ServerHello otherwise we just keep playing - * this first part of the handshake with HRR. - */ - if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) { - TEST_ASSERT(mbedtls_test_move_handshake_to_state( - &(client_ep.ssl), &(server_ep.ssl), - MBEDTLS_SSL_SERVER_HELLO) == 0); - TEST_ASSERT(mbedtls_test_move_handshake_to_state( - &(client_ep.ssl), &(server_ep.ssl), - MBEDTLS_SSL_CLIENT_HELLO) == 0); - } - - TEST_EQUAL(mbedtls_test_move_handshake_to_state( - &(client_ep.ssl), &(server_ep.ssl), - previous_client_state), 0); - - /* Progress the handshake from at least one state */ - while (client_ep.ssl.state == previous_client_state) { - ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); - TEST_ASSERT((ret == 0) || - (ret == MBEDTLS_ERR_SSL_WANT_READ) || - (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); - if (client_ep.ssl.state != previous_client_state) { - break; - } - ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); - TEST_ASSERT((ret == 0) || - (ret == MBEDTLS_ERR_SSL_WANT_READ) || - (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); - } + do { + int client_state = client_ep.ssl.state; + int previous_client_state; + const char *early_data_string = "This is early data."; + const unsigned char *early_data = (const unsigned char *) early_data_string; + size_t early_data_len = strlen(early_data_string); + int write_early_data_ret, read_early_data_ret; + unsigned char read_buf[64]; - client_state = client_ep.ssl.state; write_early_data_ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), early_data, early_data_len); @@ -4273,6 +4240,7 @@ void tls13_write_early_data(int scenario) } switch (client_state) { + case MBEDTLS_SSL_HELLO_REQUEST: /* Intentional fallthrough */ case MBEDTLS_SSL_CLIENT_HELLO: switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ @@ -4460,7 +4428,42 @@ complete_handshake: TEST_EQUAL(ret, 0); previous_client_state = client_state; - } + if (previous_client_state == MBEDTLS_SSL_HANDSHAKE_OVER) { + break; + } + + /* In case of HRR scenario, once we have been through it, move over + * the first ClientHello and ServerHello otherwise we just keep playing + * this first part of the handshake with HRR. + */ + if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) { + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_SERVER_HELLO) == 0); + TEST_ASSERT(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_CLIENT_HELLO) == 0); + } + + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + previous_client_state), 0); + + /* Progress the handshake from at least one state */ + while (client_ep.ssl.state == previous_client_state) { + ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); + TEST_ASSERT((ret == 0) || + (ret == MBEDTLS_ERR_SSL_WANT_READ) || + (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); + if (client_ep.ssl.state != previous_client_state) { + break; + } + ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); + TEST_ASSERT((ret == 0) || + (ret == MBEDTLS_ERR_SSL_WANT_READ) || + (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); + } + } while (1); exit: mbedtls_test_ssl_endpoint_free(&client_ep, NULL); -- cgit v1.1 From e21c2d2ce18d46818c3a22d552e9190aaebdb954 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 16:37:16 +0100 Subject: tls13: cli: Add missing MBEDTLS_SSL_EARLY_DATA guards Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 215c647..635c703 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2280,6 +2280,7 @@ cleanup: } +#if defined(MBEDTLS_SSL_EARLY_DATA) /* * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA * @@ -2317,6 +2318,7 @@ cleanup: MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData")); return ret; } +#endif /* MBEDTLS_SSL_EARLY_DATA */ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* @@ -3040,9 +3042,11 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) ret = ssl_tls13_process_server_finished(ssl); break; +#if defined(MBEDTLS_SSL_EARLY_DATA) case MBEDTLS_SSL_END_OF_EARLY_DATA: ret = ssl_tls13_write_end_of_early_data(ssl); break; +#endif case MBEDTLS_SSL_CLIENT_CERTIFICATE: ret = ssl_tls13_write_client_certificate(ssl); -- cgit v1.1 From 9f2c3c09dfad7443e8c8bcae96b689d4fbb28a29 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 17:03:22 +0100 Subject: tls13: cli: Add mbedtls_ssl_get_early_data_status() API Add mbedtls_ssl_get_early_data_status() API and its testing. Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 25 +++++++++++++++++++++++++ tests/suites/test_suite_ssl.function | 24 ++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 635c703..5fbcf45 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2318,6 +2318,31 @@ cleanup: MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData")); return ret; } + +int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl) +{ + if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) || + (!mbedtls_ssl_is_handshake_over(ssl))) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + switch (ssl->early_data_status) { + case MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT: + return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; + break; + + case MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED: + return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + break; + + case MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED: + return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + break; + + default: + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } +} #endif /* MBEDTLS_SSL_EARLY_DATA */ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index bcc0b1f..3baa859 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3895,6 +3895,11 @@ void tls13_cli_early_data_status(int scenario) (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); } + if (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) { + TEST_EQUAL(mbedtls_ssl_get_early_data_status(&(client_ep.ssl)), + MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + } + switch (client_ep.ssl.state) { case MBEDTLS_SSL_CLIENT_HELLO: switch (scenario) { @@ -4116,6 +4121,25 @@ void tls13_cli_early_data_status(int scenario) } } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER); + ret = mbedtls_ssl_get_early_data_status(&(client_ep.ssl)); + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); + break; + + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + break; + + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: + TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); + break; + + default: + TEST_FAIL("Unknown scenario."); + } + #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1); #endif -- cgit v1.1 From 984352d6f1abc80d8a3f21b7462ff9a5892b275f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 10:50:12 +0100 Subject: Benchmark: remove the legacy-context ECDH block We have two blocks of code to benchmark ECDH. One uses the legacy context structure, which is only enabled when MBEDTLS_ECP_RESTARTABLE is enabled. That block doesn't convey any information that's specific to restartable ECC, it exists only for historical reasons (it came first). The other block uses only the implementation-agnostic API. Remove the block that uses the legacy context. It doesn't provide much extra information and most users won't even see it. Signed-off-by: Gilles Peskine --- programs/test/benchmark.c | 129 ---------------------------------------------- 1 file changed, 129 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 8fa5d62..152e073 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -1188,135 +1188,6 @@ int main(int argc, char *argv[]) } #endif -#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - if (todo.ecdh) { - mbedtls_ecdh_context ecdh; - mbedtls_mpi z; - const mbedtls_ecp_curve_info montgomery_curve_list[] = { -#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) - { MBEDTLS_ECP_DP_CURVE25519, 0, 0, "Curve25519" }, -#endif -#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) - { MBEDTLS_ECP_DP_CURVE448, 0, 0, "Curve448" }, -#endif - { MBEDTLS_ECP_DP_NONE, 0, 0, 0 } - }; - const mbedtls_ecp_curve_info *curve_info; - size_t olen; - const mbedtls_ecp_curve_info *selected_montgomery_curve_list = - montgomery_curve_list; - - if (curve_list == (const mbedtls_ecp_curve_info *) &single_curve) { - mbedtls_ecp_group grp; - - mbedtls_ecp_group_init(&grp); - if (mbedtls_ecp_group_load(&grp, curve_list->grp_id) != 0) { - mbedtls_exit(1); - } - if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) { - selected_montgomery_curve_list = single_curve; - } else { /* empty list */ - selected_montgomery_curve_list = single_curve + 1; - } - mbedtls_ecp_group_free(&grp); - } - - for (curve_info = curve_list; - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - if (!mbedtls_ecdh_can_do(curve_info->grp_id)) { - continue; - } - - mbedtls_ecdh_init(&ecdh); - - CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id)); - CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf), - myrand, NULL)); - CHECK_AND_CONTINUE(mbedtls_ecp_copy(&ecdh.Qp, &ecdh.Q)); - - mbedtls_snprintf(title, sizeof(title), "ECDHE-%s", - curve_info->name); - TIME_PUBLIC(title, "handshake", - CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf), - myrand, NULL)); - CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh, &olen, buf, sizeof(buf), - myrand, NULL))); - mbedtls_ecdh_free(&ecdh); - } - - /* Montgomery curves need to be handled separately */ - for (curve_info = selected_montgomery_curve_list; - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdh_init(&ecdh); - mbedtls_mpi_init(&z); - - CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id)); - CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Qp, myrand, NULL)); - - mbedtls_snprintf(title, sizeof(title), "ECDHE-%s", - curve_info->name); - TIME_PUBLIC(title, "handshake", - CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Q, - myrand, NULL)); - CHECK_AND_CONTINUE(mbedtls_ecdh_compute_shared(&ecdh.grp, &z, &ecdh.Qp, - &ecdh.d, - myrand, NULL))); - - mbedtls_ecdh_free(&ecdh); - mbedtls_mpi_free(&z); - } - - for (curve_info = curve_list; - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - if (!mbedtls_ecdh_can_do(curve_info->grp_id)) { - continue; - } - - mbedtls_ecdh_init(&ecdh); - - CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id)); - CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf), - myrand, NULL)); - CHECK_AND_CONTINUE(mbedtls_ecp_copy(&ecdh.Qp, &ecdh.Q)); - CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf), - myrand, NULL)); - - mbedtls_snprintf(title, sizeof(title), "ECDH-%s", - curve_info->name); - TIME_PUBLIC(title, "handshake", - CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh, &olen, buf, sizeof(buf), - myrand, NULL))); - mbedtls_ecdh_free(&ecdh); - } - - /* Montgomery curves need to be handled separately */ - for (curve_info = selected_montgomery_curve_list; - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdh_init(&ecdh); - mbedtls_mpi_init(&z); - - CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id)); - CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Qp, - myrand, NULL)); - CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Q, myrand, NULL)); - - mbedtls_snprintf(title, sizeof(title), "ECDH-%s", - curve_info->name); - TIME_PUBLIC(title, "handshake", - CHECK_AND_CONTINUE(mbedtls_ecdh_compute_shared(&ecdh.grp, &z, &ecdh.Qp, - &ecdh.d, - myrand, NULL))); - - mbedtls_ecdh_free(&ecdh); - mbedtls_mpi_free(&z); - } - } -#endif - #if defined(MBEDTLS_ECDH_C) if (todo.ecdh) { mbedtls_ecdh_context ecdh_srv, ecdh_cli; -- cgit v1.1 From 7a3059ac923b8054068eeacccc0cb1278d7578ac Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 10:53:31 +0100 Subject: Benchmark: not using private fields anymore Signed-off-by: Gilles Peskine --- programs/test/benchmark.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 152e073..0861d0f 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -5,8 +5,6 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include "mbedtls/build_info.h" #include "mbedtls/platform.h" -- cgit v1.1 From fb9857ff9eaa980411ac58831f42fd93b1471ecd Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 12:16:41 +0000 Subject: Make multi-part MAC operations thread-safe Within setup we create a copy of the key and put it in the operation field. After setup, we only ever use the new copy - and do not interact with any key slots. Therefore we need only register as a reader of the key during setup, then unregister after we stop accessing the key. Simultaneous API calls on the same operation object are not thread-safe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 6cd6557..f9b2fff 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2565,7 +2565,7 @@ exit: psa_mac_abort(operation); } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } -- cgit v1.1 From dcc03d552da30d1168562431f9d6abee31b80c87 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 15:44:13 +0000 Subject: Make restartable signature operations thread-safe We copy the key from a slot to the operation object in _start. _complete and _abort do not access any key slots, instead using the local copy. Concurrently using the same operation object is not thread-safe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f9b2fff..0a221d1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3371,7 +3371,7 @@ exit: psa_sign_hash_abort_internal(operation); } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); if (unlock_status != PSA_SUCCESS) { operation->error_occurred = 1; -- cgit v1.1 From 291267f4866c87e8e79e31453775cbebcb0f20c3 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 15:59:15 +0000 Subject: Make restartable signature verifications thread-safe We copy the key from a slot to the operation object in _start. _complete and _abort do not access any key slots, instead using the local copy. Concurrently using the same operation object is not thread-safe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 0a221d1..66af7cf 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3516,7 +3516,7 @@ psa_status_t psa_verify_hash_start( psa_verify_hash_abort_internal(operation); } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); if (unlock_status != PSA_SUCCESS) { operation->error_occurred = 1; -- cgit v1.1 From c0053cc4999a8265736ad5df24afd03ac13f042c Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 16:27:13 +0000 Subject: Make multi-part cipher operations thread-safe Within setup we create a copy of the key and put it in the operation field. After setup, we only ever use the new copy, and do not interact with any key slots. Therefore we need only register as a reader of the key during setup, then unregister after we stop accessing the key. Simultaneous API calls on the same operation object are not thread-safe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 66af7cf..c51bb8d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4088,7 +4088,7 @@ exit: psa_cipher_abort(operation); } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } -- cgit v1.1 From 5ac6fa7aaec44913d6cceaa99e8fcbf472ebf33d Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 17:11:36 +0000 Subject: Make multi-part key derivation operations thread-safe One can input a key using a key identifier through the two changed functions. Inputted keys are copied into the operation object. Any material inputted in byte form is separate to the key slot system. Outputting a key is threadsafe as per the key loading work. The verification API is yet to be implemented. Simultaneous API calls on the same operation object are not thread-safe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c51bb8d..b7c891e 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7061,7 +7061,7 @@ psa_status_t psa_key_derivation_input_key( slot->key.data, slot->key.bytes); - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -7218,7 +7218,7 @@ psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *op } } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } -- cgit v1.1 From bbedfcec2ea5877c3a333b8c2c09642bca1797d0 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 18:22:09 +0000 Subject: Make multi-part PAKE operations thread-safe The only interaction with key IDs here is in the changed function. Simultaneous API calls on the same operation object are not thread-safe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b7c891e..b16fac1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7953,7 +7953,7 @@ exit: if (status != PSA_SUCCESS) { psa_pake_abort(operation); } - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); return (status == PSA_SUCCESS) ? unlock_status : status; } -- cgit v1.1 From 9af70e51c13372161ab3b33d3dc290a3aaa2d6d0 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 14 Feb 2024 18:38:56 +0000 Subject: Make multi-part AEAD operations thread-safe The setup calls are the only calls to use a key ID. The key is then copied into the operation object, all future API calls use the copy instead of the key in the slot. Simultaneous API calls on the same operation object are not thread-safe. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b16fac1..87444e1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4687,7 +4687,7 @@ static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, operation->key_type = psa_get_key_type(&attributes); exit: - unlock_status = psa_unregister_read(slot); + unlock_status = psa_unregister_read_under_mutex(slot); if (status == PSA_SUCCESS) { status = unlock_status; -- cgit v1.1 From 86d288c0d4eb0eb1d0486a781a95eaea8f051ee7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 22 Feb 2024 11:28:29 +0100 Subject: tests: ssl: Rename tls13_early_data to tls13_read_early_data Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 12 ++++++------ tests/suites/test_suite_ssl.function | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index b30fc93..6cfda5d 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3274,14 +3274,14 @@ elliptic_curve_get_properties TLS 1.3 resume session with ticket tls13_resume_session_with_ticket -TLS 1.3 early data, early data accepted -tls13_early_data:TEST_EARLY_DATA_ACCEPTED +TLS 1.3 read early data, early data accepted +tls13_read_early_data:TEST_EARLY_DATA_ACCEPTED -TLS 1.3 early data, server rejects early data -tls13_early_data:TEST_EARLY_DATA_SERVER_REJECTS +TLS 1.3 read early data, server rejects early data +tls13_read_early_data:TEST_EARLY_DATA_SERVER_REJECTS -TLS 1.3 early data, discard after HRR -tls13_early_data:TEST_EARLY_DATA_HRR +TLS 1.3 read early data, discard after HRR +tls13_read_early_data:TEST_EARLY_DATA_HRR TLS 1.3 cli, early data status, early data accepted tls13_cli_early_data_status:TEST_EARLY_DATA_ACCEPTED diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 3baa859..78b0222 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3647,12 +3647,12 @@ exit: /* END_CASE */ /* - * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is + * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_read_early_data() below is * a temporary workaround to not run the test in Windows-2013 where there is * an issue with mbedtls_vsnprintf(). */ /* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ -void tls13_early_data(int scenario) +void tls13_read_early_data(int scenario) { int ret = -1; unsigned char buf[64]; -- cgit v1.1 From e110a4c9006c616e56684d2c6543808cc2aa748c Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 22 Feb 2024 10:43:03 +0000 Subject: Make psa_open_key threadsafe This is a simple case of register then unregister Signed-off-by: Ryan Everett --- library/psa_crypto_slot_management.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index f7b7fbe..b2a3c7e 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -542,7 +542,7 @@ psa_status_t psa_open_key(mbedtls_svc_key_id_t key, psa_key_handle_t *handle) *handle = key; - return psa_unregister_read(slot); + return psa_unregister_read_under_mutex(slot); #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ (void) key; -- cgit v1.1 From 110303fbe5c059d3c0a2d8580c5724959a0f069a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 22 Feb 2024 11:35:21 +0100 Subject: tests: read early data: Add no early data indication sent scenario Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 3 +++ tests/suites/test_suite_ssl.function | 21 +++++++++++++++------ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 6cfda5d..385682a 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3277,6 +3277,9 @@ tls13_resume_session_with_ticket TLS 1.3 read early data, early data accepted tls13_read_early_data:TEST_EARLY_DATA_ACCEPTED +TLS 1.3 read early data, no early data indication +tls13_read_early_data:TEST_EARLY_DATA_NO_INDICATION_SENT + TLS 1.3 read early data, server rejects early data tls13_read_early_data:TEST_EARLY_DATA_SERVER_REJECTS diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 78b0222..61f3833 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3699,6 +3699,10 @@ void tls13_read_early_data(int scenario) case TEST_EARLY_DATA_ACCEPTED: break; + case TEST_EARLY_DATA_NO_INDICATION_SENT: + client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + break; + case TEST_EARLY_DATA_SERVER_REJECTS: mbedtls_debug_set_threshold(3); server_pattern.pattern = @@ -3746,12 +3750,12 @@ void tls13_read_early_data(int scenario) &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_SERVER_HELLO), 0); - TEST_ASSERT(client_ep.ssl.early_data_status != - MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); - - ret = write_early_data(&(client_ep.ssl), (unsigned char *) early_data, - early_data_len); - TEST_EQUAL(ret, early_data_len); + if (client_ep.ssl.early_data_status != + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) { + ret = write_early_data(&(client_ep.ssl), (unsigned char *) early_data, + early_data_len); + TEST_EQUAL(ret, early_data_len); + } ret = mbedtls_test_move_handshake_to_state( &(server_ep.ssl), &(client_ep.ssl), @@ -3766,6 +3770,11 @@ void tls13_read_early_data(int scenario) TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); break; + case TEST_EARLY_DATA_NO_INDICATION_SENT: + TEST_EQUAL(ret, 0); + TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); + break; + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ case TEST_EARLY_DATA_HRR: TEST_EQUAL(ret, 0); -- cgit v1.1 From 7d158f41ca083ac76b151b9e6df610341f67ffc1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 22 Feb 2024 11:39:39 +0100 Subject: tests: read early data: Use write API to send early data Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 51 +++++------------------------------- 1 file changed, 6 insertions(+), 45 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 61f3833..9a95489 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -18,49 +18,6 @@ #define TEST_EARLY_DATA_SERVER_REJECTS 2 #define TEST_EARLY_DATA_HRR 3 -#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ - defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ - defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ - defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ - defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ - defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \ - defined(MBEDTLS_MD_CAN_SHA256) && \ - defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \ - defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS) -/* - * The implementation of the function should be based on - * mbedtls_ssl_write_early_data() eventually. The current version aims at - * removing the dependency on mbedtls_ssl_write_early_data() for the - * development and testing of reading early data. - */ -static int write_early_data(mbedtls_ssl_context *ssl, - unsigned char *buf, size_t len) -{ - int ret = mbedtls_ssl_get_max_out_record_payload(ssl); - - TEST_ASSERT(ret > 0); - TEST_ASSERT(len <= (size_t) ret); - - ret = mbedtls_ssl_flush_output(ssl); - TEST_EQUAL(ret, 0); - TEST_EQUAL(ssl->out_left, 0); - - ssl->out_msglen = len; - ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; - if (len > 0) { - memcpy(ssl->out_msg, buf, len); - } - - ret = mbedtls_ssl_write_record(ssl, 1); - TEST_EQUAL(ret, 0); - - ret = len; - -exit: - return ret; -} -#endif - /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -3750,11 +3707,15 @@ void tls13_read_early_data(int scenario) &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_SERVER_HELLO), 0); + ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), + (unsigned char *) early_data, + early_data_len); + if (client_ep.ssl.early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) { - ret = write_early_data(&(client_ep.ssl), (unsigned char *) early_data, - early_data_len); TEST_EQUAL(ret, early_data_len); + } else { + TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); } ret = mbedtls_test_move_handshake_to_state( -- cgit v1.1 From 8f1de7e029abba12d1ef7007dc603be0246bb2c0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 22 Feb 2024 12:02:39 +0100 Subject: tls13: Improve documentation Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 83d2ab8..4b2206d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5256,9 +5256,11 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, * already completed. * * It is not possible to write early data for the SSL context - * \p ssl but this does not preclude for using it with + * \p ssl and any subsequent call to this API will return this + * error code. But this does not preclude for using it with * mbedtls_ssl_write(), mbedtls_ssl_read() or - * mbedtls_ssl_handshake(). + * mbedtls_ssl_handshake() and the handshake can be + * completed by calling one of these APIs. * * \note This function may write early data only if the SSL context * has been configured for the handshake with a PSK for which -- cgit v1.1 From d5f68976e807611e1dc54f9f2e19b4aef9a995a1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 12:05:35 +0100 Subject: fuzz_pubkey, fuzz_privkey: no real need to access private fields Signed-off-by: Gilles Peskine --- programs/fuzz/fuzz_privkey.c | 4 +--- programs/fuzz/fuzz_pubkey.c | 12 ++++++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c index ce75624..7530964 100644 --- a/programs/fuzz/fuzz_privkey.c +++ b/programs/fuzz/fuzz_privkey.c @@ -1,5 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include #include #include @@ -73,7 +71,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY || mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY_DH) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk); - mbedtls_ecp_group_id grp_id = ecp->grp.id; + mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(ecp); const mbedtls_ecp_curve_info *curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id); diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c index 9203b4e..0b153b1 100644 --- a/programs/fuzz/fuzz_pubkey.c +++ b/programs/fuzz/fuzz_pubkey.c @@ -1,5 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include #include #include "mbedtls/pk.h" @@ -49,7 +47,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY || mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY_DH) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk); - mbedtls_ecp_group_id grp_id = ecp->grp.id; + mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(ecp); const mbedtls_ecp_curve_info *curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id); @@ -61,9 +59,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) /* It's a public key, so the private value should not have * been changed from its initialization to 0. */ - if (mbedtls_mpi_cmp_int(&ecp->d, 0) != 0) { + mbedtls_mpi d; + mbedtls_mpi_init(&d); + if (mbedtls_ecp_export(ecp, NULL, &d, NULL) != 0) { + abort(); + } + if (mbedtls_mpi_cmp_int(&d, 0) != 0) { abort(); } + mbedtls_mpi_free(&d); } else #endif { -- cgit v1.1 From abf0be392ab3ee13d51b3130907fdeec9930cbbf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 12:07:09 +0100 Subject: fuzz_dtlsserver: explicitly note the one access to a private field Signed-off-by: Gilles Peskine --- programs/fuzz/fuzz_dtlsserver.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 1632e9d..fd3e0aa 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -1,5 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include #include #include @@ -137,7 +135,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) ret = mbedtls_ssl_handshake(&ssl); if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) { - biomemfuzz.Offset = ssl.next_record_offset; + biomemfuzz.Offset = ssl.MBEDTLS_PRIVATE(next_record_offset); mbedtls_ssl_session_reset(&ssl); mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout); if (mbedtls_ssl_set_client_transport_id(&ssl, client_ip, sizeof(client_ip)) != 0) { -- cgit v1.1 From 72da8b35210342c547a484c8e76a8d33daa1ca6f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 12:07:29 +0100 Subject: Don't authorize private access to fields where not actually needed Signed-off-by: Gilles Peskine --- programs/fuzz/fuzz_client.c | 1 - programs/fuzz/fuzz_dtlsclient.c | 1 - programs/fuzz/fuzz_server.c | 1 - programs/fuzz/fuzz_x509crl.c | 1 - programs/fuzz/fuzz_x509crt.c | 1 - programs/fuzz/fuzz_x509csr.c | 1 - programs/ssl/ssl_test_lib.c | 1 - programs/test/metatest.c | 1 - programs/test/selftest.c | 2 -- programs/test/udp_proxy.c | 1 - 10 files changed, 11 deletions(-) diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index d4e1d74..21d03a3 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -1,4 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c index 3659026..53f3f78 100644 --- a/programs/fuzz/fuzz_dtlsclient.c +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -1,4 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include #include diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index e767859..0c88767 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -1,4 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index 313540d..89c3ff6 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -1,4 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include #include "mbedtls/x509_crl.h" diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c index 8442090..9f40cb6 100644 --- a/programs/fuzz/fuzz_x509crt.c +++ b/programs/fuzz/fuzz_x509crt.c @@ -1,4 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include #include "mbedtls/x509_crt.h" diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c index 395d3c2..e19005a 100644 --- a/programs/fuzz/fuzz_x509csr.c +++ b/programs/fuzz/fuzz_x509csr.c @@ -1,4 +1,3 @@ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include #include "mbedtls/x509_csr.h" diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index a65332a..d3ac526 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -8,7 +8,6 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "ssl_test_lib.h" diff --git a/programs/test/metatest.c b/programs/test/metatest.c index 8e798cd..5a45f71 100644 --- a/programs/test/metatest.c +++ b/programs/test/metatest.c @@ -26,7 +26,6 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include #include diff --git a/programs/test/selftest.c b/programs/test/selftest.c index e132e4c..043209b 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -5,8 +5,6 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include "mbedtls/build_info.h" #include "mbedtls/entropy.h" diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index c6b56ec..beaa8bd 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -11,7 +11,6 @@ * example of good general usage. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "mbedtls/build_info.h" -- cgit v1.1 From 74589ba31c7244c1586ac1146938fd7fd5e02815 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 12:12:01 +0100 Subject: ssl_context_info: explicitly note accesses to private fields Signed-off-by: Gilles Peskine --- programs/ssl/ssl_context_info.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c index c3ae942..1e3e269 100644 --- a/programs/ssl/ssl_context_info.c +++ b/programs/ssl/ssl_context_info.c @@ -5,7 +5,7 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS +//#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "mbedtls/build_info.h" #include "mbedtls/debug.h" @@ -551,23 +551,23 @@ void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len, const mbedtls_md_info_t *md_info; #endif - printf("\tciphersuite : %s\n", ciphersuite_info->name); - printf("\tcipher flags : 0x%02X\n", ciphersuite_info->flags); + printf("\tciphersuite : %s\n", mbedtls_ssl_ciphersuite_get_name(ciphersuite_info)); + printf("\tcipher flags : 0x%02X\n", ciphersuite_info->MBEDTLS_PRIVATE(flags)); #if defined(MBEDTLS_CIPHER_C) const mbedtls_cipher_info_t *cipher_info; - cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher); + cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->MBEDTLS_PRIVATE(cipher)); if (cipher_info == NULL) { printf_err("Cannot find cipher info\n"); } else { - printf("\tcipher : %s\n", cipher_info->name); + printf("\tcipher : %s\n", mbedtls_cipher_info_get_name(cipher_info)); } #else /* MBEDTLS_CIPHER_C */ - printf("\tcipher type : %d\n", ciphersuite_info->cipher); + printf("\tcipher type : %d\n", ciphersuite_info->MBEDTLS_PRIVATE(cipher)); #endif /* MBEDTLS_CIPHER_C */ #if defined(MBEDTLS_MD_C) - md_info = mbedtls_md_info_from_type(ciphersuite_info->mac); + md_info = mbedtls_md_info_from_type(ciphersuite_info->MBEDTLS_PRIVATE(mac)); if (md_info == NULL) { printf_err("Cannot find Message-Digest info\n"); } else { -- cgit v1.1 From f19989da313724e54a624c22846f18bb90cb4cba Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 22 Feb 2024 12:05:42 +0100 Subject: tls13: Improve sanity check in get_early_data_status Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5fbcf45..df0519a 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2321,7 +2321,7 @@ cleanup: int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl) { - if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) || + if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) || (!mbedtls_ssl_is_handshake_over(ssl))) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -- cgit v1.1 From dcb09ca6dfc90e7ac31855fe699eecba6586217d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 22 Feb 2024 12:12:45 +0100 Subject: tests: write early data: Improve get_early_data_status testing Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 9a95489..394fbbc 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4110,6 +4110,9 @@ void tls13_cli_early_data_status(int scenario) TEST_FAIL("Unknown scenario."); } + ret = mbedtls_ssl_get_early_data_status(&(server_ep.ssl)); + TEST_EQUAL(ret, MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1); #endif -- cgit v1.1 From dd9cbf99c237ba26b645ce379740206c82acd4df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 22 Feb 2024 12:14:28 +0100 Subject: Benchmark only one side of ECDH, both static and ephemeral MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Static ECDH is of interest to us as developers because it's a generic scalar multiplication (as opposed to using the standard base point) and it's useful to have that handy. For reference the other operations of interest to developers are: - multiplication of the conventional base point: ECDSA signing is almost exactly that (just a few field ops on top, notably 1 inversion); - linear combination: ECDSA verification is almost exactly that too. Including ephemeral as well, because it's hopefully what's of interest to most users. Compared to the previous version, include only one side of the operations. I don't think including both sides is of interest to anyone. Signed-off-by: Manuel PĂ©gouriĂ©-Gonnard --- programs/test/benchmark.c | 57 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 15 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 0861d0f..93c1729 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -1191,7 +1191,7 @@ int main(int argc, char *argv[]) mbedtls_ecdh_context ecdh_srv, ecdh_cli; unsigned char buf_srv[BUFSIZE], buf_cli[BUFSIZE]; const mbedtls_ecp_curve_info *curve_info; - size_t olen; + size_t params_len, publen, seclen; for (curve_info = curve_list; curve_info->grp_id != MBEDTLS_ECP_DP_NONE; @@ -1201,33 +1201,60 @@ int main(int argc, char *argv[]) } mbedtls_ecdh_init(&ecdh_srv); - mbedtls_ecdh_init(&ecdh_cli); + + CHECK_AND_CONTINUE(mbedtls_ecdh_setup(&ecdh_srv, curve_info->grp_id)); + CHECK_AND_CONTINUE(mbedtls_ecdh_make_params(&ecdh_srv, ¶ms_len, buf_srv, + sizeof(buf_srv), myrand, NULL)); mbedtls_snprintf(title, sizeof(title), "ECDHE-%s", curve_info->name); TIME_PUBLIC(title, - "full handshake", + "ephemeral handshake", const unsigned char *p_srv = buf_srv; - - CHECK_AND_CONTINUE(mbedtls_ecdh_setup(&ecdh_srv, curve_info->grp_id)); - CHECK_AND_CONTINUE(mbedtls_ecdh_make_params(&ecdh_srv, &olen, buf_srv, - sizeof(buf_srv), myrand, NULL)); + mbedtls_ecdh_init(&ecdh_cli); CHECK_AND_CONTINUE(mbedtls_ecdh_read_params(&ecdh_cli, &p_srv, - p_srv + olen)); - CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh_cli, &olen, buf_cli, + p_srv + params_len)); + CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh_cli, &publen, buf_cli, sizeof(buf_cli), myrand, NULL)); - CHECK_AND_CONTINUE(mbedtls_ecdh_read_public(&ecdh_srv, buf_cli, olen)); - CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_srv, &olen, buf_srv, - sizeof(buf_srv), myrand, NULL)); - - CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_cli, &olen, buf_cli, + CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_cli, &seclen, buf_cli, sizeof(buf_cli), myrand, NULL)); mbedtls_ecdh_free(&ecdh_cli); + ); - mbedtls_ecdh_free(&ecdh_srv); + mbedtls_ecdh_free(&ecdh_srv); + } + + for (curve_info = curve_list; + curve_info->grp_id != MBEDTLS_ECP_DP_NONE; + curve_info++) { + if (!mbedtls_ecdh_can_do(curve_info->grp_id)) { + continue; + } + + mbedtls_ecdh_init(&ecdh_srv); + mbedtls_ecdh_init(&ecdh_cli); + + CHECK_AND_CONTINUE(mbedtls_ecdh_setup(&ecdh_srv, curve_info->grp_id)); + CHECK_AND_CONTINUE(mbedtls_ecdh_make_params(&ecdh_srv, ¶ms_len, buf_srv, + sizeof(buf_srv), myrand, NULL)); + + const unsigned char *p_srv = buf_srv; + CHECK_AND_CONTINUE(mbedtls_ecdh_read_params(&ecdh_cli, &p_srv, + p_srv + params_len)); + CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh_cli, &publen, buf_cli, + sizeof(buf_cli), myrand, NULL)); + + + mbedtls_snprintf(title, sizeof(title), "ECDH-%s", curve_info->name); + TIME_PUBLIC(title, + "static handshake", + CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_cli, &seclen, buf_cli, + sizeof(buf_cli), myrand, NULL)); ); + mbedtls_ecdh_free(&ecdh_cli); + mbedtls_ecdh_free(&ecdh_srv); } } #endif -- cgit v1.1 From fdab78685245661d442df72b439d39daa908ef13 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 22 Feb 2024 15:19:13 +0000 Subject: Use TEST_EQUAL instead of TEST_ASSERT in new code Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum.function | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 47a6c98..e4d4af8 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -975,19 +975,19 @@ void mpi_exp_mod_min_RR(char *input_A, char *input_E, mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&RR); mbedtls_mpi_init(&Z); mbedtls_mpi_init(&X); - TEST_ASSERT(mbedtls_test_read_mpi(&A, input_A) == 0); - TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); - TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); - TEST_ASSERT(mbedtls_test_read_mpi(&X, input_X) == 0); + TEST_EQUAL(mbedtls_test_read_mpi(&A, input_A), 0); + TEST_EQUAL(mbedtls_test_read_mpi(&E, input_E), 0); + TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0); + TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0); - TEST_ASSERT(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N) == 0); - TEST_ASSERT(mbedtls_mpi_shrink(&RR, 0) == 0); + TEST_EQUAL(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N), 0); + TEST_EQUAL(mbedtls_mpi_shrink(&RR, 0), 0); res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR); - TEST_ASSERT(res == exp_result); + TEST_EQUAL(res, exp_result); if (res == 0) { - TEST_ASSERT(sign_is_valid(&Z)); - TEST_ASSERT(mbedtls_mpi_cmp_mpi(&Z, &X) == 0); + TEST_EQUAL(sign_is_valid(&Z), 1); + TEST_EQUAL(mbedtls_mpi_cmp_mpi(&Z, &X), 0); } exit: -- cgit v1.1 From 673461c389c8f54b4d127b1f7090b7e5da3f606e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Feb 2024 16:03:04 +0100 Subject: Improve validation in mpi_exp_mod_min_RR Check that the test case is hitting what it's supposed to hit, and that the library takes the expected defensive measure. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_bignum.function | 8 ++++++++ tests/suites/test_suite_bignum.misc.data | 2 ++ 2 files changed, 10 insertions(+) diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index e4d4af8..f3a64e1 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -982,8 +982,16 @@ void mpi_exp_mod_min_RR(char *input_A, char *input_E, TEST_EQUAL(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N), 0); TEST_EQUAL(mbedtls_mpi_shrink(&RR, 0), 0); + /* The objective of this test is to check that exp_mod defends + * against a smaller RR. */ + TEST_LE_U(RR.n, N.n - 1); res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR); + /* We know that exp_mod internally needs RR to be as large as N. + * Validate that it is the case now, otherwise there was probably + * a buffer overread. */ + TEST_EQUAL(RR.n, N.n); + TEST_EQUAL(res, exp_result); if (res == 0) { TEST_EQUAL(sign_is_valid(&Z), 1); diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index a953153..eb55dbe 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data @@ -1395,9 +1395,11 @@ depends_on:MPI_MAX_BITS_LARGER_THAN_792 mpi_exp_mod:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0 Test mbedtls_mpi_exp_mod (N.n=3, RR.n=1 on 32 bit) +depends_on:MBEDTLS_HAVE_INT32 mpi_exp_mod_min_RR:"10":"2":"10000000100000001":"100":0 Test mbedtls_mpi_exp_mod (N.n=3, RR.n=1 on 64 bit) +depends_on:MBEDTLS_HAVE_INT64 mpi_exp_mod_min_RR:"10":"2":"100000000000000010000000000000001":"100":0 Base test GCD #1 -- cgit v1.1 From bd0a683e78941696fa3939c1d21aafca4aca5008 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 22 Feb 2024 15:48:01 +0000 Subject: Improve changelog Signed-off-by: Janos Follath --- ChangeLog.d/use_exp_mod_core.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/use_exp_mod_core.txt b/ChangeLog.d/use_exp_mod_core.txt index e145335..8f7193a 100644 --- a/ChangeLog.d/use_exp_mod_core.txt +++ b/ChangeLog.d/use_exp_mod_core.txt @@ -1,6 +1,6 @@ Changes - * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 2 to 3. - The correlation between this define and RSA decryption performance has - changed lately due to security hardening. - To fix the performance degradation when using default values the - window was increased from 2 to 3. + * mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations, + have changed their speed/memory compromise as part of a proactive security + improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly + preserves the current speed, at the expense of increasing memory + consumption. -- cgit v1.1 From f6eb0b8ab0adecd02ad49d7e3d037d18335cd791 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 12:42:46 +0100 Subject: Changelog entry for benchmark improvement Signed-off-by: Gilles Peskine --- ChangeLog.d/benchmark-ecdh.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/benchmark-ecdh.txt diff --git a/ChangeLog.d/benchmark-ecdh.txt b/ChangeLog.d/benchmark-ecdh.txt new file mode 100644 index 0000000..ef243b8 --- /dev/null +++ b/ChangeLog.d/benchmark-ecdh.txt @@ -0,0 +1,3 @@ +Features + * The benchmark program now reports times for both ephemeral and static + ECDH in all ECDH configurations. -- cgit v1.1 From 7f72a06e02290ee3d81f972fb88d46db20658ea2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2024 18:41:25 +0100 Subject: Remove cruft Signed-off-by: Gilles Peskine --- programs/fuzz/fuzz_client.c | 1 - programs/fuzz/fuzz_dtlsclient.c | 1 - programs/fuzz/fuzz_server.c | 1 - programs/fuzz/fuzz_x509crl.c | 1 - programs/fuzz/fuzz_x509crt.c | 1 - programs/fuzz/fuzz_x509csr.c | 1 - programs/ssl/ssl_context_info.c | 2 -- 7 files changed, 8 deletions(-) diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index 21d03a3..07ca96e 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -1,4 +1,3 @@ - #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c index 53f3f78..6581dcb 100644 --- a/programs/fuzz/fuzz_dtlsclient.c +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -1,4 +1,3 @@ - #include #include #include diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 0c88767..64b35ed 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -1,4 +1,3 @@ - #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index 89c3ff6..151db92 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -1,4 +1,3 @@ - #include #include "mbedtls/x509_crl.h" diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c index 9f40cb6..3eee072 100644 --- a/programs/fuzz/fuzz_x509crt.c +++ b/programs/fuzz/fuzz_x509crt.c @@ -1,4 +1,3 @@ - #include #include "mbedtls/x509_crt.h" diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c index e19005a..7946e57 100644 --- a/programs/fuzz/fuzz_x509csr.c +++ b/programs/fuzz/fuzz_x509csr.c @@ -1,4 +1,3 @@ - #include #include "mbedtls/x509_csr.h" diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c index 1e3e269..ee2cdb7 100644 --- a/programs/ssl/ssl_context_info.c +++ b/programs/ssl/ssl_context_info.c @@ -5,8 +5,6 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -//#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include "mbedtls/build_info.h" #include "mbedtls/debug.h" #include "mbedtls/platform.h" -- cgit v1.1 From 9011dae0c18d6195b756d43b823265a9b0a685e4 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sat, 24 Feb 2024 10:57:22 +0000 Subject: Improve documentation / comments Signed-off-by: Paul Elliott --- tests/src/helpers.c | 17 ++++++++--------- tests/src/threading_helpers.c | 4 ++-- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index 8e1d564..2433422 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -33,15 +33,14 @@ mbedtls_threading_mutex_t mbedtls_test_info_mutex; /*----------------------------------------------------------------------------*/ /* Mbedtls Test Info accessors * - * NOTE - there are two types of accessors here; the _internal functions, which - * are expected to be used from this module *only*. These do not attempt to lock - * the mbedtls_test_info_mutex, as they are designed to be called from within - * public functions which do lock the mutex first (if mutexes are enabled). - * The main reason for this is the need to set some sets of test data - * atomically, without releasing the mutex inbetween to prevent race conditions - * resulting in mixed test info. The other public accessors have prototypes in - * the header and have to lock the mutex for safety as we obviously cannot - * control where they are called from. */ + * NOTE - there are two types of accessors here: public accessors and internal + * accessors. The public accessors have prototypes in helpers.h and lock + * mbedtls_test_info_mutex (if mutexes are enabled). The _internal accessors, + * which are expected to be used from this module *only*, do not lock the mutex. + * These are designed to be called from within public functions which already + * hold the mutex. The main reason for this difference is the need to set + * multiple test data values atomically (without releasing the mutex) to prevent + * race conditions. */ mbedtls_test_result_t mbedtls_test_get_result(void) { diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c index 5eac029..c1686c2 100644 --- a/tests/src/threading_helpers.c +++ b/tests/src/threading_helpers.c @@ -321,8 +321,8 @@ void mbedtls_test_mutex_usage_check(void) if (live_mutexes != 0) { /* A positive number (more init than free) means that a mutex resource * is leaking (on platforms where a mutex consumes more than the - * mbedtls_threading_mutex_t object itself). The rare case of a - * negative number means a missing init somewhere. */ + * mbedtls_threading_mutex_t object itself). The (hopefully) rare + * case of a negative number means a missing init somewhere. */ mbedtls_fprintf(stdout, "[mutex: %d leaked] ", live_mutexes); live_mutexes = 0; mbedtls_test_set_mutex_usage_error("missing free"); -- cgit v1.1 From 6a2c400b8c690e0e9db0ac784dac2ae03a6aa45d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 26 Feb 2024 08:34:06 +0100 Subject: typo Signed-off-by: Gilles Peskine --- include/psa/crypto.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index e54af34..73889e0 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4144,7 +4144,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT * with \p params_data_length = 0, * this function is equivalent to - * psa_key_generation_output_key(). + * psa_generate_key(). * \param params_data_length * Length of `params->data` in bytes. * \param[out] key On success, an identifier for the newly created -- cgit v1.1 From bb91bcda0e60f6c106323598e9477b60c6a96507 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 26 Feb 2024 08:41:33 +0100 Subject: psa: move mbedtls_psa_get_random() to psa_util.c Signed-off-by: Valerio Setti --- library/psa_crypto.c | 33 --------------------------------- library/psa_util.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 87444e1..3aed6e6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7394,39 +7394,6 @@ psa_status_t psa_generate_random(uint8_t *output, #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ } -/* Wrapper function allowing the classic API to use the PSA RNG. - * - * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls - * `psa_generate_random(...)`. The state parameter is ignored since the - * PSA API doesn't support passing an explicit state. - * - * In the non-external case, psa_generate_random() calls an - * `mbedtls_xxx_drbg_random` function which has exactly the same signature - * and semantics as mbedtls_psa_get_random(). As an optimization, - * instead of doing this back-and-forth between the PSA API and the - * classic API, psa_crypto_random_impl.h defines `mbedtls_psa_get_random` - * as a constant function pointer to `mbedtls_xxx_drbg_random`. - */ -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) -int mbedtls_psa_get_random(void *p_rng, - unsigned char *output, - size_t output_size) -{ - /* This function takes a pointer to the RNG state because that's what - * classic mbedtls functions using an RNG expect. The PSA RNG manages - * its own state internally and doesn't let the caller access that state. - * So we just ignore the state parameter, and in practice we'll pass - * NULL. */ - (void) p_rng; - psa_status_t status = psa_generate_random(output, output_size); - if (status == PSA_SUCCESS) { - return 0; - } else { - return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; - } -} -#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ - #if defined(MBEDTLS_PSA_INJECT_ENTROPY) psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, size_t seed_size) diff --git a/library/psa_util.c b/library/psa_util.c index 125b173..eda6ca8 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -338,6 +338,39 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, } #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ +/* Wrapper function allowing the classic API to use the PSA RNG. + * + * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls + * `psa_generate_random(...)`. The state parameter is ignored since the + * PSA API doesn't support passing an explicit state. + * + * In the non-external case, psa_generate_random() calls an + * `mbedtls_xxx_drbg_random` function which has exactly the same signature + * and semantics as mbedtls_psa_get_random(). As an optimization, + * instead of doing this back-and-forth between the PSA API and the + * classic API, psa_crypto_random_impl.h defines `mbedtls_psa_get_random` + * as a constant function pointer to `mbedtls_xxx_drbg_random`. + */ +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +int mbedtls_psa_get_random(void *p_rng, + unsigned char *output, + size_t output_size) +{ + /* This function takes a pointer to the RNG state because that's what + * classic mbedtls functions using an RNG expect. The PSA RNG manages + * its own state internally and doesn't let the caller access that state. + * So we just ignore the state parameter, and in practice we'll pass + * NULL. */ + (void) p_rng; + psa_status_t status = psa_generate_random(output, output_size); + if (status == PSA_SUCCESS) { + return 0; + } else { + return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; + } +} +#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ + #endif /* MBEDTLS_PSA_CRYPTO_C */ #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) -- cgit v1.1 From 4c32b69f3724b0bc5fc1dd1d7885a61d26022957 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 16 Feb 2024 00:11:09 +0100 Subject: Ignore domain parameters in RSA key generation Remove the ability to select a custom public exponent via domain parameters in RSA key generation. The only way to select a custom public exponent is now to pass custom production parameters to psa_generate_key_ext(). A subsequent commit will remove domain parameters altogether from the API, thus this commit does not bother to update the documentation. Signed-off-by: Gilles Peskine --- library/psa_crypto.c | 5 +- library/psa_crypto_rsa.c | 19 +++--- library/psa_crypto_rsa.h | 10 ++++ tests/src/drivers/test_driver_key_management.c | 5 +- tests/suites/test_suite_psa_crypto.data | 18 ------ tests/suites/test_suite_psa_crypto.function | 82 -------------------------- 6 files changed, 23 insertions(+), 116 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e9061f5..159b3c5 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7576,11 +7576,8 @@ psa_status_t psa_generate_key_internal( * that mbedtls_psa_rsa_generate_key() gets e via a new * parameter instead. */ psa_key_attributes_t override_attributes = *attributes; - if (params_data_length != 0) { - override_attributes.domain_parameters_size = params_data_length; - override_attributes.domain_parameters = (uint8_t *) ¶ms->data; - } return mbedtls_psa_rsa_generate_key(&override_attributes, + params, params_data_length, key_buffer, key_buffer_size, key_buffer_length); diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 4a574d1..472a0e8 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -223,11 +223,6 @@ static psa_status_t psa_rsa_read_exponent(const uint8_t *domain_parameters, size_t i; uint32_t acc = 0; - if (domain_parameters_size == 0) { - *exponent = 65537; - return PSA_SUCCESS; - } - /* Mbed TLS encodes the public exponent as an int. For simplicity, only * support values that fit in a 32-bit integer, which is larger than * int on just about every platform anyway. */ @@ -246,18 +241,20 @@ static psa_status_t psa_rsa_read_exponent(const uint8_t *domain_parameters, psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, + const psa_key_production_parameters_t *params, size_t params_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status; mbedtls_rsa_context rsa; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - int exponent; + int exponent = 65537; - status = psa_rsa_read_exponent(attributes->domain_parameters, - attributes->domain_parameters_size, - &exponent); - if (status != PSA_SUCCESS) { - return status; + if (params_data_length != 0) { + status = psa_rsa_read_exponent(params->data, params_data_length, + &exponent); + if (status != PSA_SUCCESS) { + return status; + } } mbedtls_rsa_init(&rsa); diff --git a/library/psa_crypto_rsa.h b/library/psa_crypto_rsa.h index e4c5caf..ffeef26 100644 --- a/library/psa_crypto_rsa.h +++ b/library/psa_crypto_rsa.h @@ -109,6 +109,15 @@ psa_status_t mbedtls_psa_rsa_export_public_key( * entry point. * * \param[in] attributes The attributes for the RSA key to generate. + * \param[in] params Production parameters for the key + * generation. This function only uses + * `params->data`, + * which contains the public exponent. + * This can be a null pointer if + * \c params_data_length is 0. + * \param params_data_length Length of `params->data` in bytes. + * This can be 0, in which case the + * public exponent will be 65537. * \param[out] key_buffer Buffer where the key data is to be written. * \param[in] key_buffer_size Size of \p key_buffer in bytes. * \param[out] key_buffer_length On success, the number of bytes written in @@ -123,6 +132,7 @@ psa_status_t mbedtls_psa_rsa_export_public_key( */ psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, + const psa_key_production_parameters_t *params, size_t params_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); /** Sign an already-calculated hash with an RSA private key. diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c index a3d532d..866b31e 100644 --- a/tests/src/drivers/test_driver_key_management.c +++ b/tests/src/drivers/test_driver_key_management.c @@ -225,10 +225,13 @@ psa_status_t mbedtls_test_transparent_generate_key( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) return libtestdriver1_mbedtls_psa_rsa_generate_key( (const libtestdriver1_psa_key_attributes_t *) attributes, + NULL, 0, /* We don't support custom e in the test driver yet */ key, key_size, key_length); #elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) return mbedtls_psa_rsa_generate_key( - attributes, key, key_size, key_length); + attributes, + NULL, 0, /* We don't support custom e in the test driver yet */ + key, key_size, key_length); #endif } else if (PSA_KEY_TYPE_IS_DH(psa_get_key_type(attributes)) && PSA_KEY_TYPE_IS_KEY_PAIR(psa_get_key_type(attributes))) { diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index e9b5717..c55af03 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -7431,24 +7431,6 @@ PSA generate key: ECC, Curve448, good depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_448 generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0 -PSA generate key: RSA, domain parameters: default e -generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"":PSA_SUCCESS - -PSA generate key: RSA, domain parameters: e=3 -generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"03":PSA_SUCCESS - -PSA generate key: RSA, domain parameters: e=65537 -generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"010001":PSA_SUCCESS - -PSA generate key: RSA, domain parameters: e=513 -generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"0201":PSA_SUCCESS - -PSA generate key: RSA, domain parameters: e=1 -generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT - -PSA generate key: RSA, domain parameters: e=2 -generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"02":PSA_ERROR_INVALID_ARGUMENT - PSA generate key: FFDH, 2048 bits, good depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_2048 generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index b40b5f8..09874a1 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -9840,88 +9840,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ -void generate_key_rsa(int bits_arg, - data_t *e_arg, - int expected_status_arg) -{ - mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR; - size_t bits = bits_arg; - psa_key_usage_t usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT; - psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_SIGN_RAW; - psa_status_t expected_status = expected_status_arg; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - uint8_t *e_read_buffer = NULL; - int is_default_public_exponent = 0; - size_t e_read_size = PSA_KEY_DOMAIN_PARAMETERS_SIZE(type, bits); - size_t e_read_length = SIZE_MAX; - - if (e_arg->len == 0 || - (e_arg->len == 3 && - e_arg->x[0] == 1 && e_arg->x[1] == 0 && e_arg->x[2] == 1)) { - is_default_public_exponent = 1; - e_read_size = 0; - } - TEST_CALLOC(e_read_buffer, e_read_size); - - PSA_ASSERT(psa_crypto_init()); - - psa_set_key_usage_flags(&attributes, usage); - psa_set_key_algorithm(&attributes, alg); - PSA_ASSERT(psa_set_key_domain_parameters(&attributes, type, - e_arg->x, e_arg->len)); - psa_set_key_bits(&attributes, bits); - - /* Generate a key */ - TEST_EQUAL(psa_generate_key(&attributes, &key), expected_status); - if (expected_status != PSA_SUCCESS) { - goto exit; - } - - /* Test the key information */ - PSA_ASSERT(psa_get_key_attributes(key, &attributes)); - TEST_EQUAL(psa_get_key_type(&attributes), type); - TEST_EQUAL(psa_get_key_bits(&attributes), bits); - psa_status_t status = psa_get_key_domain_parameters(&attributes, - e_read_buffer, e_read_size, - &e_read_length); - - -#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) - if (is_default_public_exponent) { - TEST_EQUAL(e_read_length, 0); - } else { - TEST_EQUAL(status, PSA_SUCCESS); - TEST_MEMORY_COMPARE(e_read_buffer, e_read_length, e_arg->x, e_arg->len); - } -#else - (void) is_default_public_exponent; - TEST_EQUAL(status, PSA_ERROR_NOT_SUPPORTED); -#endif - - /* Do something with the key according to its type and permitted usage. */ - if (!mbedtls_test_psa_exercise_key(key, usage, alg)) { - goto exit; - } - - TEST_ASSERT(rsa_test_e(key, bits, e_arg)); - -exit: - /* - * Key attributes may have been returned by psa_get_key_attributes() or - * set by psa_set_key_domain_parameters() thus reset them as required. - */ - psa_reset_key_attributes(&attributes); - - psa_destroy_key(key); - PSA_DONE(); - mbedtls_free(e_read_buffer); -} -/* END_CASE */ - /* BEGIN_CASE */ void generate_key_ext(int type_arg, int bits_arg, -- cgit v1.1 From bb6f3ff394597e9d86012d634bcbeee009f17720 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 16 Feb 2024 00:51:07 +0100 Subject: Rename variables Signed-off-by: Gilles Peskine --- library/psa_crypto_rsa.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 472a0e8..84a8667 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -216,8 +216,8 @@ psa_status_t mbedtls_psa_rsa_export_public_key( * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) -static psa_status_t psa_rsa_read_exponent(const uint8_t *domain_parameters, - size_t domain_parameters_size, +static psa_status_t psa_rsa_read_exponent(const uint8_t *e_bytes, + size_t e_length, int *exponent) { size_t i; @@ -226,11 +226,11 @@ static psa_status_t psa_rsa_read_exponent(const uint8_t *domain_parameters, /* Mbed TLS encodes the public exponent as an int. For simplicity, only * support values that fit in a 32-bit integer, which is larger than * int on just about every platform anyway. */ - if (domain_parameters_size > sizeof(acc)) { + if (e_length > sizeof(acc)) { return PSA_ERROR_NOT_SUPPORTED; } - for (i = 0; i < domain_parameters_size; i++) { - acc = (acc << 8) | domain_parameters[i]; + for (i = 0; i < e_length; i++) { + acc = (acc << 8) | e_bytes[i]; } if (acc > INT_MAX) { return PSA_ERROR_NOT_SUPPORTED; -- cgit v1.1 From ae5eb647055e0f65290549c41732c6ed0161f934 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 16 Feb 2024 00:41:14 +0100 Subject: Remove domain parameters from the public API Only leave deprecated, minimal non-linkable functions. Signed-off-by: Gilles Peskine --- ChangeLog.d/domain_parameters.txt | 9 +++ include/psa/crypto_compat.h | 77 +++++++++++++++++++++++ include/psa/crypto_extra.h | 129 -------------------------------------- include/psa/crypto_struct.h | 21 +------ library/psa_crypto_client.c | 49 --------------- 5 files changed, 87 insertions(+), 198 deletions(-) create mode 100644 ChangeLog.d/domain_parameters.txt diff --git a/ChangeLog.d/domain_parameters.txt b/ChangeLog.d/domain_parameters.txt new file mode 100644 index 0000000..d860cc4 --- /dev/null +++ b/ChangeLog.d/domain_parameters.txt @@ -0,0 +1,9 @@ +New deprecations + * In the PSA API, domain parameters are no longer used for anything. + They are deprecated and will be removed in a future version of the + library. + +Removals + * In the PSA API, the experimental way to encode the public exponent of + an RSA key as a domain parameter is no longer supported. Use + psa_generate_key_ext() instead. diff --git a/include/psa/crypto_compat.h b/include/psa/crypto_compat.h index f896fae..2a226c0 100644 --- a/include/psa/crypto_compat.h +++ b/include/psa/crypto_compat.h @@ -146,6 +146,83 @@ psa_status_t psa_open_key(mbedtls_svc_key_id_t key, */ psa_status_t psa_close_key(psa_key_handle_t handle); +/** \addtogroup attributes + * @{ + */ + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +/** Custom Diffie-Hellman group. + * + * Mbed TLS does not support custom DH groups. + * + * \deprecated This value is not useful, so this macro will be removed in + * a future version of the library. + */ +#define PSA_DH_FAMILY_CUSTOM \ + ((psa_dh_family_t) MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(0x7e)) + +/** + * \brief Set domain parameters for a key. + * + * \deprecated Mbed TLS no longer supports any domain parameters. + * This function only does the equivalent of + * psa_set_key_type() and will be removed in a future version + * of the library. + * + * \param[in,out] attributes Attribute structure where \p type will be set. + * \param type Key type (a \c PSA_KEY_TYPE_XXX value). + * \param[in] data Ignored. + * \param data_length Must be 0. + * + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + */ +static inline psa_status_t MBEDTLS_DEPRECATED psa_set_key_domain_parameters( + psa_key_attributes_t *attributes, + psa_key_type_t type, const uint8_t *data, size_t data_length) +{ + (void) data; + if (data_length != 0) { + return PSA_ERROR_NOT_SUPPORTED; + } + psa_set_key_type(attributes, type); + return PSA_SUCCESS; +} + +/** + * \brief Get domain parameters for a key. + * + * \deprecated Mbed TLS no longer supports any domain parameters. + * This function alwaya has an empty output and will be + * removed in a future version of the library. + + * \param[in] attributes Ignored. + * \param[out] data Ignored. + * \param data_size Ignored. + * \param[out] data_length Set to 0. + * + * \retval #PSA_SUCCESS \emptydescription + */ +static inline psa_status_t MBEDTLS_DEPRECATED psa_get_key_domain_parameters( + const psa_key_attributes_t *attributes, + uint8_t *data, size_t data_size, size_t *data_length) +{ + (void) attributes; + (void) data; + (void) data_size; + *data_length = 0; + return PSA_SUCCESS; +} + +/** Safe output buffer size for psa_get_key_domain_parameters(). + * + */ +#define PSA_KEY_DOMAIN_PARAMETERS_SIZE(key_type, key_bits) \ + MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(1u) +#endif /* MBEDTLS_DEPRECATED_REMOVED */ + +/**@}*/ + #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 10a23f6..ac21e3e 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -409,140 +409,11 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, * @{ */ -/** Custom Diffie-Hellman group. - * - * For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or - * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM), the group data comes - * from domain parameters set by psa_set_key_domain_parameters(). - */ -#define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e) - /** PAKE operation stages. */ #define PSA_PAKE_OPERATION_STAGE_SETUP 0 #define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 1 #define PSA_PAKE_OPERATION_STAGE_COMPUTATION 2 -/** - * \brief Set domain parameters for a key. - * - * Some key types require additional domain parameters in addition to - * the key type identifier and the key size. Use this function instead - * of psa_set_key_type() when you need to specify domain parameters. - * - * The format for the required domain parameters varies based on the key type. - * Mbed TLS supports the following key type with domain parameters: - * - * - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR), - * the domain parameter data consists of the public exponent, - * represented as a big-endian integer with no leading zeros. - * This information is used when generating an RSA key pair. - * When importing a key, the public exponent is read from the imported - * key data and the exponent recorded in the attribute structure is ignored. - * As an exception, the public exponent 65537 is represented by an empty - * byte string. - * - * \note This function may allocate memory or other resources. - * Once you have called this function on an attribute structure, - * you must call psa_reset_key_attributes() to free these resources. - * - * \note This is an experimental extension to the interface. It may change - * in future versions of the library. - * - * \note Due to an implementation limitation, domain parameters are ignored - * for keys that are managed by a driver. - * - * \param[in,out] attributes Attribute structure where the specified domain - * parameters will be stored. - * If this function fails, the content of - * \p attributes is not modified. - * \param type Key type (a \c PSA_KEY_TYPE_XXX value). - * \param[in] data Buffer containing the key domain parameters. - * The content of this buffer is interpreted - * according to \p type as described above. - * \param data_length Size of the \p data buffer in bytes. - * - * \retval #PSA_SUCCESS \emptydescription - * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - */ -#if !defined(PSA_SET_KEY_DOMAIN_PARAMETERS) -#define PSA_SET_KEY_DOMAIN_PARAMETERS -psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes, - psa_key_type_t type, - const uint8_t *data, - size_t data_length); -#endif /* PSA_SET_KEY_DOMAIN_PARAMETERS */ - -/** - * \brief Get domain parameters for a key. - * - * Get the domain parameters for a key with this function, if any. The format - * of the domain parameters written to \p data is specified in the - * documentation for psa_set_key_domain_parameters(). - * - * \note This is an experimental extension to the interface. It may change - * in future versions of the library. - * - * \note Due to an implementation limitation, domain parameters are not - * supported with keys that are managed by a driver. - * - * \param[in] attributes The key attribute structure to query. - * \param[out] data On success, the key domain parameters. - * \param data_size Size of the \p data buffer in bytes. - * The buffer is guaranteed to be large - * enough if its size in bytes is at least - * the value given by - * PSA_KEY_DOMAIN_PARAMETERS_SIZE(). - * \param[out] data_length On success, the number of bytes - * that make up the key domain parameters data. - * - * \retval #PSA_SUCCESS \emptydescription - * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription - * \retval #PSA_ERROR_NOT_SUPPORTED - * The key is managed by a driver. - */ -psa_status_t psa_get_key_domain_parameters( - const psa_key_attributes_t *attributes, - uint8_t *data, - size_t data_size, - size_t *data_length); - -/** Safe output buffer size for psa_get_key_domain_parameters(). - * - * This macro returns a compile-time constant if its arguments are - * compile-time constants. - * - * \warning This function may call its arguments multiple times or - * zero times, so you should not pass arguments that contain - * side effects. - * - * \note This is an experimental extension to the interface. It may change - * in future versions of the library. - * - * \param key_type A supported key type. - * \param key_bits The size of the key in bits. - * - * \return If the parameters are valid and supported, return - * a buffer size in bytes that guarantees that - * psa_get_key_domain_parameters() will not fail with - * #PSA_ERROR_BUFFER_TOO_SMALL. - * If the parameters are a valid combination that is not supported - * by the implementation, this macro shall return either a - * sensible size or 0. - * If the parameters are not valid, the - * return value is unspecified. - */ -#define PSA_KEY_DOMAIN_PARAMETERS_SIZE(key_type, key_bits) \ - (PSA_KEY_TYPE_IS_RSA(key_type) ? sizeof(int) : \ - PSA_KEY_TYPE_IS_DH(key_type) ? PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \ - PSA_KEY_TYPE_IS_DSA(key_type) ? PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \ - 0) -#define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) \ - (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 3 /*without optional parts*/) -#define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) \ - (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 2 /*p, g*/ + 34 /*q*/) - /**@}*/ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index e2068e8..df33b4f 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -437,29 +437,10 @@ static inline psa_algorithm_t psa_get_key_algorithm( return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg); } -/* This function is declared in crypto_extra.h, which comes after this - * header file, but we need the function here, so repeat the declaration. */ -#if !defined(PSA_SET_KEY_DOMAIN_PARAMETERS) -#define PSA_SET_KEY_DOMAIN_PARAMETERS -psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes, - psa_key_type_t type, - const uint8_t *data, - size_t data_length); -#endif /* PSA_SET_KEY_DOMAIN_PARAMETERS */ - static inline void psa_set_key_type(psa_key_attributes_t *attributes, psa_key_type_t type) { - if (attributes->MBEDTLS_PRIVATE(domain_parameters) == NULL) { - /* Common case: quick path */ - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type) = type; - } else { - /* Call the bigger function to free the old domain parameters. - * Ignore any errors which may arise due to type requiring - * non-default domain parameters, since this function can't - * report errors. */ - (void) psa_set_key_domain_parameters(attributes, type, NULL, 0); - } + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type) = type; } static inline psa_key_type_t psa_get_key_type( diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c index 472d3d3..77953fe 100644 --- a/library/psa_crypto_client.c +++ b/library/psa_crypto_client.c @@ -20,53 +20,4 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes) memset(attributes, 0, sizeof(*attributes)); } -psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes, - psa_key_type_t type, - const uint8_t *data, - size_t data_length) -{ - uint8_t *copy = NULL; - - if (data_length != 0) { - copy = mbedtls_calloc(1, data_length); - if (copy == NULL) { - return PSA_ERROR_INSUFFICIENT_MEMORY; - } - memcpy(copy, data, data_length); - } - /* After this point, this function is guaranteed to succeed, so it - * can start modifying `*attributes`. */ - - if (attributes->domain_parameters != NULL) { - mbedtls_free(attributes->domain_parameters); - attributes->domain_parameters = NULL; - attributes->domain_parameters_size = 0; - } - - attributes->domain_parameters = copy; - attributes->domain_parameters_size = data_length; - attributes->core.type = type; - return PSA_SUCCESS; -} - -psa_status_t psa_get_key_domain_parameters( - const psa_key_attributes_t *attributes, - uint8_t *data, size_t data_size, size_t *data_length) -{ - if (attributes->domain_parameters == NULL && - attributes->domain_parameters_size == SIZE_MAX) { - return PSA_ERROR_NOT_SUPPORTED; - } - - if (attributes->domain_parameters_size > data_size) { - return PSA_ERROR_BUFFER_TOO_SMALL; - } - *data_length = attributes->domain_parameters_size; - if (attributes->domain_parameters_size != 0) { - memcpy(data, attributes->domain_parameters, - attributes->domain_parameters_size); - } - return PSA_SUCCESS; -} - #endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ -- cgit v1.1 From a53e7a5cb56e8cdc50fb02f31fabf9701792b526 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 26 Feb 2024 12:03:59 +0100 Subject: psa: let mbedtls_psa_get_random() always use psa_generate_random() It means that mbedtls_psa_get_random() goes through the PSA interface all the times. Fallbacks to CTR_DRBG or HMAC_DRBG are still possible, but that depends on how the crypto provider is built. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 57 +++++------------------------- library/psa_crypto.c | 10 +++--- library/psa_crypto_random_impl.h | 76 ++++++++++++---------------------------- library/psa_util.c | 10 +----- 4 files changed, 37 insertions(+), 116 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 984f031..f79178d 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -23,42 +23,22 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) -/* Expose whatever RNG the PSA subsystem uses to applications using the - * mbedtls_xxx API. The declarations and definitions here need to be - * consistent with the implementation in library/psa_crypto_random_impl.h. - * See that file for implementation documentation. */ - - -/* The type of a `f_rng` random generator function that many library functions - * take. - * - * This type name is not part of the Mbed TLS stable API. It may be renamed - * or moved without warning. - */ -typedef int mbedtls_f_rng_t(void *p_rng, unsigned char *output, size_t output_size); - -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) - /** The random generator function for the PSA subsystem. * * This function is suitable as the `f_rng` random generator function - * parameter of many `mbedtls_xxx` functions. Use #MBEDTLS_PSA_RANDOM_STATE - * to obtain the \p p_rng parameter. + * parameter of many `mbedtls_xxx` functions. * * The implementation of this function depends on the configuration of the * library. * - * \note Depending on the configuration, this may be a function or - * a pointer to a function. - * * \note This function may only be used if the PSA crypto subsystem is active. * This means that you must call psa_crypto_init() before any call to * this function, and you must not call this function after calling * mbedtls_psa_crypto_free(). * - * \param p_rng The random generator context. This must be - * #MBEDTLS_PSA_RANDOM_STATE. No other state is - * supported. + * \param p_rng This parameter is only kept for backward compatibility + * reasons with legacy `f_rng` functions and it's ignored. + * Set to #MBEDTLS_PSA_RANDOM_STATE or NULL. * \param output The buffer to fill. It must have room for * \c output_size bytes. * \param output_size The number of bytes to write to \p output. @@ -80,32 +60,11 @@ int mbedtls_psa_get_random(void *p_rng, /** The random generator state for the PSA subsystem. * - * This macro expands to an expression which is suitable as the `p_rng` - * random generator state parameter of many `mbedtls_xxx` functions. - * It must be used in combination with the random generator function - * mbedtls_psa_get_random(). - * - * The implementation of this macro depends on the configuration of the - * library. Do not make any assumption on its nature. + * This macro always expands to NULL because the `p_rng` parameter is unused + * in mbedtls_psa_get_random(), but it's kept for interface's backward + * compatibility. */ -#define MBEDTLS_PSA_RANDOM_STATE NULL - -#else /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ - -#if defined(MBEDTLS_CTR_DRBG_C) -#include "mbedtls/ctr_drbg.h" -typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t; -static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_ctr_drbg_random; -#elif defined(MBEDTLS_HMAC_DRBG_C) -#include "mbedtls/hmac_drbg.h" -typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t; -static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_hmac_drbg_random; -#endif -extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state; - -#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state - -#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ +#define MBEDTLS_PSA_RANDOM_STATE NULL /** \defgroup psa_tls_helpers TLS helper functions * @{ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3aed6e6..c371339 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -102,7 +102,7 @@ typedef struct { static psa_global_data_t global_data; #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) -mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state = +mbedtls_psa_drbg_context_t *const mbedtls_psa_drbg_ctx = &global_data.rng.drbg; #endif @@ -7322,7 +7322,7 @@ static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng) MBEDTLS_ENTROPY_SOURCE_STRONG); #endif - mbedtls_psa_drbg_init(MBEDTLS_PSA_RANDOM_STATE); + mbedtls_psa_drbg_init(MBEDTLS_PSA_DRBG_CTX); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ } @@ -7333,7 +7333,7 @@ static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng) #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) memset(rng, 0, sizeof(*rng)); #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ - mbedtls_psa_drbg_free(MBEDTLS_PSA_RANDOM_STATE); + mbedtls_psa_drbg_free(MBEDTLS_PSA_DRBG_CTX); rng->entropy_free(&rng->entropy); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ } @@ -7382,8 +7382,8 @@ psa_status_t psa_generate_random(uint8_t *output, (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ? MBEDTLS_PSA_RANDOM_MAX_REQUEST : output_size); - int ret = mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, - output, request_size); + int ret = mbedtls_psa_legacy_get_random(MBEDTLS_PSA_DRBG_CTX, + output, request_size); if (ret != 0) { return mbedtls_to_psa_error(ret); } diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h index 64b8949..0a2ae9e 100644 --- a/library/psa_crypto_random_impl.h +++ b/library/psa_crypto_random_impl.h @@ -20,23 +20,9 @@ #include "psa_util_internal.h" -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) -#include -#include // only for error codes -#include - -typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t; - -/* Trivial wrapper around psa_generate_random(). */ -int mbedtls_psa_get_random(void *p_rng, - unsigned char *output, - size_t output_size); - -/* The PSA RNG API doesn't need any externally maintained state. */ -#define MBEDTLS_PSA_RANDOM_STATE NULL - -#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ +#include "mbedtls/entropy.h" /* Choose a DRBG based on configuration and availability */ #if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) @@ -67,11 +53,23 @@ int mbedtls_psa_get_random(void *p_rng, #error "No hash algorithm available for HMAC_DBRG." #endif -#else +#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ #error "No DRBG module available for the psa_crypto module." -#endif +#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ -#include "mbedtls/entropy.h" +#if defined(MBEDTLS_CTR_DRBG_C) +#include "mbedtls/ctr_drbg.h" +#elif defined(MBEDTLS_HMAC_DRBG_C) +#include "mbedtls/hmac_drbg.h" +#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ + +#if defined(MBEDTLS_CTR_DRBG_C) +#define mbedtls_psa_legacy_get_random mbedtls_ctr_drbg_random +typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t; +#elif defined(MBEDTLS_HMAC_DRBG_C) +#define mbedtls_psa_legacy_get_random mbedtls_hmac_drbg_random +typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t; +#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ /** Initialize the PSA DRBG. * @@ -111,20 +109,6 @@ typedef struct { mbedtls_psa_drbg_context_t drbg; } mbedtls_psa_random_context_t; -/* Defined in include/psa_util_internal.h so that it's visible to - * application code. The declaration here is redundant, but included - * as a safety net to make it more likely that a future change that - * accidentally causes the implementation to diverge from the interface - * will be noticed. */ -/* Do not include the declaration under MSVC because it doesn't accept it - * ("error C2370: 'mbedtls_psa_get_random' : redefinition; different storage class"). - * Observed with Visual Studio 2013. A known bug apparently: - * https://stackoverflow.com/questions/8146541/duplicate-external-static-declarations-not-allowed-in-visual-studio - */ -#if !defined(_MSC_VER) -static mbedtls_f_rng_t *const mbedtls_psa_get_random; -#endif - /** The maximum number of bytes that mbedtls_psa_get_random() is expected to * return. */ @@ -134,27 +118,13 @@ static mbedtls_f_rng_t *const mbedtls_psa_get_random; #define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST #endif -/** A pointer to the PSA DRBG state. +/** A pointer to the PSA DRBG context. * * This variable is only intended to be used through the macro - * #MBEDTLS_PSA_RANDOM_STATE. - */ -/* psa_crypto.c sets this variable to a pointer to the DRBG state in the - * global PSA crypto state. */ -/* The type `mbedtls_psa_drbg_context_t` is defined in - * include/psa_util_internal.h so that `mbedtls_psa_random_state` can be - * declared there and be visible to application code. */ -extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state; - -/** A pointer to the PSA DRBG state. - * - * This macro expands to an expression that is suitable as the \c p_rng - * parameter to pass to mbedtls_psa_get_random(). - * - * This macro exists in all configurations where the psa_crypto module is - * enabled. Its expansion depends on the configuration. + * #MBEDTLS_PSA_DRBG_CTX. */ -#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state +extern mbedtls_psa_drbg_context_t *const mbedtls_psa_drbg_ctx; +#define MBEDTLS_PSA_DRBG_CTX mbedtls_psa_drbg_ctx /** Seed the PSA DRBG. * @@ -172,14 +142,14 @@ static inline int mbedtls_psa_drbg_seed( const unsigned char *custom, size_t len) { #if defined(MBEDTLS_CTR_DRBG_C) - return mbedtls_ctr_drbg_seed(MBEDTLS_PSA_RANDOM_STATE, + return mbedtls_ctr_drbg_seed(MBEDTLS_PSA_DRBG_CTX, mbedtls_entropy_func, entropy, custom, len); #elif defined(MBEDTLS_HMAC_DRBG_C) const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE); - return mbedtls_hmac_drbg_seed(MBEDTLS_PSA_RANDOM_STATE, + return mbedtls_hmac_drbg_seed(MBEDTLS_PSA_DRBG_CTX, md_info, mbedtls_entropy_func, entropy, diff --git a/library/psa_util.c b/library/psa_util.c index eda6ca8..7384bf1 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -46,6 +46,7 @@ #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA) #include #endif +#include /* PSA_SUCCESS is kept at the top of each error table since * it's the most common status when everything functions properly. */ @@ -343,15 +344,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls * `psa_generate_random(...)`. The state parameter is ignored since the * PSA API doesn't support passing an explicit state. - * - * In the non-external case, psa_generate_random() calls an - * `mbedtls_xxx_drbg_random` function which has exactly the same signature - * and semantics as mbedtls_psa_get_random(). As an optimization, - * instead of doing this back-and-forth between the PSA API and the - * classic API, psa_crypto_random_impl.h defines `mbedtls_psa_get_random` - * as a constant function pointer to `mbedtls_xxx_drbg_random`. */ -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) int mbedtls_psa_get_random(void *p_rng, unsigned char *output, size_t output_size) @@ -369,7 +362,6 @@ int mbedtls_psa_get_random(void *p_rng, return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; } } -#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ #endif /* MBEDTLS_PSA_CRYPTO_C */ -- cgit v1.1 From 219006329da09f0c0821a34935953efc4d397c8f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 11:41:19 +0000 Subject: Move quiet wrapper setup Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1694ee9..54917d3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -131,25 +131,6 @@ pre_check_environment () { } pre_initialize_variables () { - special_options="--list-components|--list-all-components|-h|--help" - if [[ ! "$@" =~ $special_options ]]; then - # skip wrappers for "special options" which don't actually run any tests - - # Pick up "quiet" wrappers for make and cmake, which don't output very much - # unless there is an error. This reduces logging overhead in the CI. - # - # Note that the cmake wrapper breaks unless we use an absolute path here. - export PATH=${PWD}/tests/scripts/quiet:$PATH - if [[ ! -x ${PWD}/tests/scripts/quiet/make ]]; then - echo "can't find quiet/make" - exit 1 - fi - if [[ ! -x ${PWD}/tests/scripts/quiet/cmake ]]; then - echo "can't find quiet/cmake" - exit 1 - fi - fi - if in_mbedtls_repo; then CONFIG_H='include/mbedtls/mbedtls_config.h' else @@ -235,6 +216,23 @@ pre_initialize_variables () { # the commands set by the environment } +setup_quiet_wrappers() +{ + # Pick up "quiet" wrappers for make and cmake, which don't output very much + # unless there is an error. This reduces logging overhead in the CI. + # + # Note that the cmake wrapper breaks unless we use an absolute path here. + export PATH=${PWD}/tests/scripts/quiet:$PATH + if [[ ! -x ${PWD}/tests/scripts/quiet/make ]]; then + echo "can't find quiet/make" + exit 1 + fi + if [[ ! -x ${PWD}/tests/scripts/quiet/cmake ]]; then + echo "can't find quiet/cmake" + exit 1 + fi +} + # Test whether the component $1 is included in the command line patterns. is_component_included() { @@ -6268,6 +6266,7 @@ pre_check_environment pre_initialize_variables "$@" pre_parse_command_line "$@" +setup_quiet_wrappers pre_check_git pre_restore_files pre_back_up -- cgit v1.1 From 00bc790d79eb2d8ef3f0e1e2d3a67cfb1b8547c7 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 11:43:11 +0000 Subject: Tidy up quiet wrappers Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 39 +++++++++++++++++++-------------------- tests/scripts/quiet/make | 41 ++++++++++++++++++++--------------------- 2 files changed, 39 insertions(+), 41 deletions(-) diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index a79d757..4804637 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -16,15 +16,13 @@ NO_SILENCE=" --version " TOOL=$(basename "$0") # Locate original tool -ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) +ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$0" | head -n1 ) -quote_args() { +print_quoted_args() { # similar to printf '%q' "$@" # but produce more human-readable results for common/simple cases like "a b" - local args=("$@") - s="" - for a in "${args[@]}"; do - simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-]*)$' + for a in "$@"; do + simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-./:@]*)$' if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then # a has spaces, but no other special characters that need escaping # (quoting after removing spaces yields no backslashes) @@ -33,39 +31,40 @@ quote_args() { # CFLAGS=a b -> CFLAGS="a b" q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" else - # get bash to do the quoting + # get bash to do the quoting (which may result in no quotes or escaping, + # if none is needed). q=$(printf '%q' "$a") fi - s="$s $q" + printf "%s " "$q" done - echo $s } -if [[ ! " $@ " =~ " --version " ]]; then +if [[ ! " $* " =~ " --version " ]]; then # Display the command being invoked - if it succeeds, this is all that will # be displayed. Don't do this for invocations with --version, because # this output is often parsed by scripts, so we don't want to modify it. - echo "${TOOL} $(quote_args "$@")" + printf %s "${TOOL} " + print_quoted_args "$@" + echo fi if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then # Run original command with no output supression - ${ORIGINAL_TOOL} "$@" - EXIT_STATUS=$? + exec "${ORIGINAL_TOOL}" "$@" else # Run original command and capture output & exit status - TMPFILE=$(mktemp /tmp/quiet-${TOOL}.XXXXXX) - ${ORIGINAL_TOOL} "$@" > ${TMPFILE} 2>&1 + TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") + "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1 EXIT_STATUS=$? if [[ $EXIT_STATUS -ne 0 ]]; then # On error, display the full output - cat ${TMPFILE} + cat "${TMPFILE}" fi # Remove tmpfile - rm ${TMPFILE} -fi + rm "${TMPFILE}" -# Propagate the exit status -exit $EXIT_STATUS + # Propagate the exit status + exit $EXIT_STATUS +fi diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index 9722029..3eae91c 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -11,20 +11,18 @@ # VERBOSE_LOGS=1 # don't silence invocations containing these arguments -NO_SILENCE=" --version | test " +NO_SILENCE=" --version | test" TOOL=$(basename "$0") # Locate original tool -ORIGINAL_TOOL=$(type -ap ${TOOL} | grep -v "$0" | head -n1 ) +ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$0" | head -n1 ) -quote_args() { +print_quoted_args() { # similar to printf '%q' "$@" # but produce more human-readable results for common/simple cases like "a b" - local args=("$@") - s="" - for a in "${args[@]}"; do - simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-]*)$' + for a in "$@"; do + simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-./:@]*)$' if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then # a has spaces, but no other special characters that need escaping # (quoting after removing spaces yields no backslashes) @@ -33,39 +31,40 @@ quote_args() { # CFLAGS=a b -> CFLAGS="a b" q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" else - # get bash to do the quoting + # get bash to do the quoting (which may result in no quotes or escaping, + # if none is needed). q=$(printf '%q' "$a") fi - s="$s $q" + printf "%s " "$q" done - echo $s } -if [[ ! " $@ " =~ " --version " ]]; then +if [[ ! " $* " =~ " --version " ]]; then # Display the command being invoked - if it succeeds, this is all that will # be displayed. Don't do this for invocations with --version, because # this output is often parsed by scripts, so we don't want to modify it. - echo "${TOOL} $(quote_args "$@")" + printf %s "${TOOL} " + print_quoted_args "$@" + echo fi if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then # Run original command with no output supression - ${ORIGINAL_TOOL} "$@" - EXIT_STATUS=$? + exec "${ORIGINAL_TOOL}" "$@" else # Run original command and capture output & exit status - TMPFILE=$(mktemp /tmp/quiet-${TOOL}.XXXXXX) - ${ORIGINAL_TOOL} "$@" > ${TMPFILE} 2>&1 + TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") + "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1 EXIT_STATUS=$? if [[ $EXIT_STATUS -ne 0 ]]; then # On error, display the full output - cat ${TMPFILE} + cat "${TMPFILE}" fi # Remove tmpfile - rm ${TMPFILE} -fi + rm "${TMPFILE}" -# Propagate the exit status -exit $EXIT_STATUS + # Propagate the exit status + exit $EXIT_STATUS +fi -- cgit v1.1 From 061d4e4655e54779b3788a107ab9c61d4cfee466 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 26 Feb 2024 12:52:44 +0100 Subject: psa: simplify management of mbedtls_psa_drbg_context_t Signed-off-by: Valerio Setti --- library/psa_crypto.c | 13 ++++--------- library/psa_crypto_random_impl.h | 13 +++---------- 2 files changed, 7 insertions(+), 19 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c371339..c8dd0d0 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -101,11 +101,6 @@ typedef struct { static psa_global_data_t global_data; -#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) -mbedtls_psa_drbg_context_t *const mbedtls_psa_drbg_ctx = - &global_data.rng.drbg; -#endif - #define GUARD_MODULE_INITIALIZED \ if (global_data.initialized == 0) \ return PSA_ERROR_BAD_STATE; @@ -7322,7 +7317,7 @@ static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng) MBEDTLS_ENTROPY_SOURCE_STRONG); #endif - mbedtls_psa_drbg_init(MBEDTLS_PSA_DRBG_CTX); + mbedtls_psa_drbg_init(&rng->drbg); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ } @@ -7333,7 +7328,7 @@ static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng) #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) memset(rng, 0, sizeof(*rng)); #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ - mbedtls_psa_drbg_free(MBEDTLS_PSA_DRBG_CTX); + mbedtls_psa_drbg_free(&rng->drbg); rng->entropy_free(&rng->entropy); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ } @@ -7348,7 +7343,7 @@ static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng) return PSA_SUCCESS; #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ const unsigned char drbg_seed[] = "PSA"; - int ret = mbedtls_psa_drbg_seed(&rng->entropy, + int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy, drbg_seed, sizeof(drbg_seed) - 1); return mbedtls_to_psa_error(ret); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -7382,7 +7377,7 @@ psa_status_t psa_generate_random(uint8_t *output, (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ? MBEDTLS_PSA_RANDOM_MAX_REQUEST : output_size); - int ret = mbedtls_psa_legacy_get_random(MBEDTLS_PSA_DRBG_CTX, + int ret = mbedtls_psa_legacy_get_random(&global_data.rng.drbg, output, request_size); if (ret != 0) { return mbedtls_to_psa_error(ret); diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h index 0a2ae9e..10db73d 100644 --- a/library/psa_crypto_random_impl.h +++ b/library/psa_crypto_random_impl.h @@ -118,14 +118,6 @@ typedef struct { #define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST #endif -/** A pointer to the PSA DRBG context. - * - * This variable is only intended to be used through the macro - * #MBEDTLS_PSA_DRBG_CTX. - */ -extern mbedtls_psa_drbg_context_t *const mbedtls_psa_drbg_ctx; -#define MBEDTLS_PSA_DRBG_CTX mbedtls_psa_drbg_ctx - /** Seed the PSA DRBG. * * \param entropy An entropy context to read the seed from. @@ -138,18 +130,19 @@ extern mbedtls_psa_drbg_context_t *const mbedtls_psa_drbg_ctx; * \return An Mbed TLS error code (\c MBEDTLS_ERR_xxx) on failure. */ static inline int mbedtls_psa_drbg_seed( + mbedtls_psa_drbg_context_t *drbg_ctx, mbedtls_entropy_context *entropy, const unsigned char *custom, size_t len) { #if defined(MBEDTLS_CTR_DRBG_C) - return mbedtls_ctr_drbg_seed(MBEDTLS_PSA_DRBG_CTX, + return mbedtls_ctr_drbg_seed(drbg_ctx, mbedtls_entropy_func, entropy, custom, len); #elif defined(MBEDTLS_HMAC_DRBG_C) const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE); - return mbedtls_hmac_drbg_seed(MBEDTLS_PSA_DRBG_CTX, + return mbedtls_hmac_drbg_seed(drbg_ctx, md_info, mbedtls_entropy_func, entropy, -- cgit v1.1 From 98a79cdb238ee6b1b83167b2ce8aba9b6ffd13dd Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 12:37:44 +0000 Subject: Extract common parts of quiet wrapper Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 58 +++--------------------------------------- tests/scripts/quiet/make | 58 +++--------------------------------------- tests/scripts/quiet/quiet | 65 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 71 insertions(+), 110 deletions(-) create mode 100755 tests/scripts/quiet/quiet diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index 4804637..10a0b25 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -11,60 +11,8 @@ # VERBOSE_LOGS=1 # don't silence invocations containing these arguments -NO_SILENCE=" --version " +export NO_SILENCE=" --version " -TOOL=$(basename "$0") +export TOOL="cmake" -# Locate original tool -ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$0" | head -n1 ) - -print_quoted_args() { - # similar to printf '%q' "$@" - # but produce more human-readable results for common/simple cases like "a b" - for a in "$@"; do - simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-./:@]*)$' - if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then - # a has spaces, but no other special characters that need escaping - # (quoting after removing spaces yields no backslashes) - # simplify quoted form - e.g.: - # a b -> "a b" - # CFLAGS=a b -> CFLAGS="a b" - q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" - else - # get bash to do the quoting (which may result in no quotes or escaping, - # if none is needed). - q=$(printf '%q' "$a") - fi - printf "%s " "$q" - done -} - -if [[ ! " $* " =~ " --version " ]]; then - # Display the command being invoked - if it succeeds, this is all that will - # be displayed. Don't do this for invocations with --version, because - # this output is often parsed by scripts, so we don't want to modify it. - printf %s "${TOOL} " - print_quoted_args "$@" - echo -fi - -if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then - # Run original command with no output supression - exec "${ORIGINAL_TOOL}" "$@" -else - # Run original command and capture output & exit status - TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") - "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1 - EXIT_STATUS=$? - - if [[ $EXIT_STATUS -ne 0 ]]; then - # On error, display the full output - cat "${TMPFILE}" - fi - - # Remove tmpfile - rm "${TMPFILE}" - - # Propagate the exit status - exit $EXIT_STATUS -fi +exec $(dirname "$0")/quiet "$@" diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index 3eae91c..a1ef3e5 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -11,60 +11,8 @@ # VERBOSE_LOGS=1 # don't silence invocations containing these arguments -NO_SILENCE=" --version | test" +export NO_SILENCE=" --version | test " -TOOL=$(basename "$0") +export TOOL="make" -# Locate original tool -ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$0" | head -n1 ) - -print_quoted_args() { - # similar to printf '%q' "$@" - # but produce more human-readable results for common/simple cases like "a b" - for a in "$@"; do - simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-./:@]*)$' - if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then - # a has spaces, but no other special characters that need escaping - # (quoting after removing spaces yields no backslashes) - # simplify quoted form - e.g.: - # a b -> "a b" - # CFLAGS=a b -> CFLAGS="a b" - q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" - else - # get bash to do the quoting (which may result in no quotes or escaping, - # if none is needed). - q=$(printf '%q' "$a") - fi - printf "%s " "$q" - done -} - -if [[ ! " $* " =~ " --version " ]]; then - # Display the command being invoked - if it succeeds, this is all that will - # be displayed. Don't do this for invocations with --version, because - # this output is often parsed by scripts, so we don't want to modify it. - printf %s "${TOOL} " - print_quoted_args "$@" - echo -fi - -if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then - # Run original command with no output supression - exec "${ORIGINAL_TOOL}" "$@" -else - # Run original command and capture output & exit status - TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") - "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1 - EXIT_STATUS=$? - - if [[ $EXIT_STATUS -ne 0 ]]; then - # On error, display the full output - cat "${TMPFILE}" - fi - - # Remove tmpfile - rm "${TMPFILE}" - - # Propagate the exit status - exit $EXIT_STATUS -fi +exec $(dirname "$0")/quiet "$@" diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet new file mode 100755 index 0000000..2279e6a --- /dev/null +++ b/tests/scripts/quiet/quiet @@ -0,0 +1,65 @@ +#! /usr/bin/env bash +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +# +# This swallows the output of the wrapped tool, unless there is an error. +# This helps reduce excess logging in the CI. + +# If you are debugging a build / CI issue, you can get complete unsilenced logs +# by un-commenting the following line (or setting VERBOSE_LOGS in your environment): +# VERBOSE_LOGS=1 + +# Locate original tool +ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$0" | head -n1) + +print_quoted_args() { + # similar to printf '%q' "$@" + # but produce more human-readable results for common/simple cases like "a b" + for a in "$@"; do + simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-./:@]*)$' + if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then + # a has spaces, but no other special characters that need escaping + # (quoting after removing spaces yields no backslashes) + # simplify quoted form - e.g.: + # a b -> "a b" + # CFLAGS=a b -> CFLAGS="a b" + q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" + else + # get bash to do the quoting (which may result in no quotes or escaping, + # if none is needed). + q=$(printf '%q' "$a") + fi + printf "%s " "$q" + done +} + +if [[ ! " $* " =~ " --version " ]]; then + # Display the command being invoked - if it succeeds, this is all that will + # be displayed. Don't do this for invocations with --version, because + # this output is often parsed by scripts, so we don't want to modify it. + printf %s "${TOOL} " + print_quoted_args "$@" + echo +fi + +if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then + # Run original command with no output supression + exec "${ORIGINAL_TOOL}" "$@" +else + # Run original command and capture output & exit status + TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") + "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1 + EXIT_STATUS=$? + + if [[ $EXIT_STATUS -ne 0 ]]; then + # On error, display the full output + cat "${TMPFILE}" + fi + + # Remove tmpfile + rm "${TMPFILE}" + + # Propagate the exit status + exit $EXIT_STATUS +fi -- cgit v1.1 From e03088b29eab0ba6cd0c40fb19ef5fd5904730e6 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 12:48:49 +0000 Subject: Avoid infinite loop Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet index 2279e6a..bbc685c 100755 --- a/tests/scripts/quiet/quiet +++ b/tests/scripts/quiet/quiet @@ -11,7 +11,8 @@ # VERBOSE_LOGS=1 # Locate original tool -ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$0" | head -n1) +TOOL_WITH_PATH=$(dirname "$0")/$TOOL +ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$TOOL_WITH_PATH" | head -n1) print_quoted_args() { # similar to printf '%q' "$@" -- cgit v1.1 From ef950ccb1d8a7dc7f29a6d7a7475ce4072da3e0a Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 26 Feb 2024 13:59:43 +0000 Subject: Un-unrestore mbedtls_x509_string_to_names() Re-restore mbedtls_x509_string_to_names() to public as our example programs use it, and it is the reverse of mbedtls_x509_dn_gets(). Add a docstring, so that it is a properly documented public function. Signed-off-by: David Horstmann --- include/mbedtls/x509.h | 17 +++++++++++++++++ library/x509_internal.h | 1 - 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 7158555..453f598 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -323,6 +323,23 @@ mbedtls_x509_san_list; int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn); /** + * \brief Convert the certificate DN string \p name into + * a linked list of mbedtls_x509_name (equivalent to + * mbedtls_asn1_named_data). + * + * \note This function allocates a linked list, and places the head + * pointer in \p head. This list must later be freed by a + * call to mbedtls_asn1_free_named_data_list(). + * + * \param[out] head Address in which to store the pointer to the head of the + * allocated list of mbedtls_x509_name + * \param[in] name The string representation of a DN to convert + * + * \return 0 on success, or a negative error code. + */ +int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name); + +/** * \brief Return the next relative DN in an X509 name. * * \note Intended use is to compare function result to dn->next diff --git a/library/x509_internal.h b/library/x509_internal.h index 09b6fc5..8a2d2ed 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -21,7 +21,6 @@ #include "mbedtls/rsa.h" #endif -int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name); int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur); int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end, -- cgit v1.1 From 97c0b2f393cf86dadf5a1965df573f02695ee0fd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 16 Feb 2024 00:49:46 +0100 Subject: Remove domain parameters from psa_key_attributes_t Signed-off-by: Gilles Peskine --- include/psa/crypto_struct.h | 18 +----- library/psa_crypto.c | 152 +------------------------------------------- library/psa_crypto_client.c | 1 - library/psa_crypto_ecp.c | 4 -- 4 files changed, 3 insertions(+), 172 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index df33b4f..683d841 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -318,20 +318,6 @@ struct psa_key_attributes_s { #if defined(MBEDTLS_PSA_CRYPTO_SE_C) psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - /* Unlike normal buffers, there are three cases for domain_parameters - * and domain_parameters_size: - * - domain_parameters_size == SIZE_MAX && domain_parameters == NULL: - * Access to domain parameters is not supported for this key. - * This is a hack which should not exist, intended for keys managed - * by a driver, because drivers don't support domain parameters. - * - domain_parameters_size == 0 && domain_parameters == NULL: - * The domain parameters are empty. - * - domain_parameters_size > 0 && - * domain_parameters == valid pointer to domain_parameters_size bytes: - * The domain parameters are non-empty. - */ - void *MBEDTLS_PRIVATE(domain_parameters); - size_t MBEDTLS_PRIVATE(domain_parameters_size); /* With client/service separation, struct psa_key_attributes_s is * marshalled through a transport channel between the client and * service side implementation of the PSA Crypto APIs, thus having @@ -342,9 +328,9 @@ struct psa_key_attributes_s { }; #if defined(MBEDTLS_PSA_CRYPTO_SE_C) -#define PSA_KEY_ATTRIBUTES_INIT { 0, NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT } +#define PSA_KEY_ATTRIBUTES_INIT { 0, PSA_CORE_KEY_ATTRIBUTES_INIT } #else -#define PSA_KEY_ATTRIBUTES_INIT { NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT } +#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT } #endif static inline struct psa_key_attributes_s psa_key_attributes_init(void) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 159b3c5..3124a62 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1211,58 +1211,12 @@ exit: return overall_status; } -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) -static psa_status_t psa_get_rsa_public_exponent( - const mbedtls_rsa_context *rsa, - psa_key_attributes_t *attributes) -{ - mbedtls_mpi mpi; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - uint8_t *buffer = NULL; - size_t buflen; - mbedtls_mpi_init(&mpi); - - ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &mpi); - if (ret != 0) { - goto exit; - } - if (mbedtls_mpi_cmp_int(&mpi, 65537) == 0) { - /* It's the default value, which is reported as an empty string, - * so there's nothing to do. */ - goto exit; - } - - buflen = mbedtls_mpi_size(&mpi); - buffer = mbedtls_calloc(1, buflen); - if (buffer == NULL) { - ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; - goto exit; - } - ret = mbedtls_mpi_write_binary(&mpi, buffer, buflen); - if (ret != 0) { - goto exit; - } - attributes->domain_parameters = buffer; - attributes->domain_parameters_size = buflen; - -exit: - mbedtls_mpi_free(&mpi); - if (ret != 0) { - mbedtls_free(buffer); - } - return mbedtls_to_psa_error(ret); -} -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ - /** Retrieve all the publicly-accessible attributes of a key. */ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, psa_key_attributes_t *attributes) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; psa_reset_key_attributes(attributes); @@ -1283,55 +1237,7 @@ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, } #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - switch (slot->attr.type) { -#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) - case PSA_KEY_TYPE_RSA_KEY_PAIR: - case PSA_KEY_TYPE_RSA_PUBLIC_KEY: - /* TODO: This is a temporary situation where domain parameters are deprecated, - * but we need it for namely generating an RSA key with a non-default exponent. - * This would be improved after https://github.com/Mbed-TLS/mbedtls/issues/6494. - */ - if (!psa_key_lifetime_is_external(slot->attr.lifetime)) { - mbedtls_rsa_context *rsa = NULL; - - status = mbedtls_psa_rsa_load_representation( - slot->attr.type, - slot->key.data, - slot->key.bytes, - &rsa); - if (status != PSA_SUCCESS) { - break; - } - - status = psa_get_rsa_public_exponent(rsa, - attributes); - mbedtls_rsa_free(rsa); - mbedtls_free(rsa); - } - break; -#else - case PSA_KEY_TYPE_RSA_KEY_PAIR: - case PSA_KEY_TYPE_RSA_PUBLIC_KEY: - attributes->domain_parameters = NULL; - attributes->domain_parameters_size = SIZE_MAX; - break; -#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ - default: - /* Nothing else to do. */ - break; - } - - if (status != PSA_SUCCESS) { - psa_reset_key_attributes(attributes); - } - - unlock_status = psa_unregister_read_under_mutex(slot); - - return (status == PSA_SUCCESS) ? unlock_status : status; + return psa_unregister_read_under_mutex(slot); } #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -1959,57 +1865,6 @@ static psa_status_t psa_validate_optional_attributes( } } - if (attributes->domain_parameters_size != 0) { -#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) - if (PSA_KEY_TYPE_IS_RSA(slot->attr.type)) { - mbedtls_rsa_context *rsa = NULL; - mbedtls_mpi actual, required; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - psa_status_t status = mbedtls_psa_rsa_load_representation( - slot->attr.type, - slot->key.data, - slot->key.bytes, - &rsa); - if (status != PSA_SUCCESS) { - return status; - } - - mbedtls_mpi_init(&actual); - mbedtls_mpi_init(&required); - ret = mbedtls_rsa_export(rsa, - NULL, NULL, NULL, NULL, &actual); - mbedtls_rsa_free(rsa); - mbedtls_free(rsa); - if (ret != 0) { - goto rsa_exit; - } - ret = mbedtls_mpi_read_binary(&required, - attributes->domain_parameters, - attributes->domain_parameters_size); - if (ret != 0) { - goto rsa_exit; - } - if (mbedtls_mpi_cmp_mpi(&actual, &required) != 0) { - ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - } -rsa_exit: - mbedtls_mpi_free(&actual); - mbedtls_mpi_free(&required); - if (ret != 0) { - return mbedtls_to_psa_error(ret); - } - } else -#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ - { - return PSA_ERROR_INVALID_ARGUMENT; - } - } - if (attributes->core.bits != 0) { if (attributes->core.bits != slot->attr.bits) { return PSA_ERROR_INVALID_ARGUMENT; @@ -7551,11 +7406,6 @@ psa_status_t psa_generate_key_internal( (void) params; (void) params_data_length; - if ((attributes->domain_parameters == NULL) && - (attributes->domain_parameters_size != 0)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - if (key_type_is_raw_bytes(type)) { status = psa_generate_random(key_buffer, key_buffer_size); if (status != PSA_SUCCESS) { diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c index 77953fe..72f671d 100644 --- a/library/psa_crypto_client.c +++ b/library/psa_crypto_client.c @@ -16,7 +16,6 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes) { - mbedtls_free(attributes->domain_parameters); memset(attributes, 0, sizeof(*attributes)); } diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index db08541..7edea81 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c @@ -345,10 +345,6 @@ psa_status_t mbedtls_psa_ecp_generate_key( mbedtls_ecp_curve_info_from_grp_id(grp_id); mbedtls_ecp_keypair ecp; - if (attributes->domain_parameters_size != 0) { - return PSA_ERROR_NOT_SUPPORTED; - } - if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) { return PSA_ERROR_NOT_SUPPORTED; } -- cgit v1.1 From e22f6a9610bf954b47593e248a83a4b8fe24ee93 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 26 Feb 2024 15:45:33 +0100 Subject: Finish cleaning up override that's no longer needed Signed-off-by: Gilles Peskine --- library/psa_crypto.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3124a62..ca01e76 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7421,12 +7421,7 @@ psa_status_t psa_generate_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - /* Hack: if the method specifies a non-default e, pass it - * via the domain parameters. TODO: refactor this code so - * that mbedtls_psa_rsa_generate_key() gets e via a new - * parameter instead. */ - psa_key_attributes_t override_attributes = *attributes; - return mbedtls_psa_rsa_generate_key(&override_attributes, + return mbedtls_psa_rsa_generate_key(attributes, params, params_data_length, key_buffer, key_buffer_size, -- cgit v1.1 From a9e8dbed14d487503d74cceb39df4e5f92ad06b7 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:27:18 +0000 Subject: Allow wrappers to be missing; quote directory name from make Co-authored-by: Gilles Peskine Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 10 ++-------- tests/scripts/quiet/make | 2 +- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 54917d3..a8a704c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -222,14 +222,8 @@ setup_quiet_wrappers() # unless there is an error. This reduces logging overhead in the CI. # # Note that the cmake wrapper breaks unless we use an absolute path here. - export PATH=${PWD}/tests/scripts/quiet:$PATH - if [[ ! -x ${PWD}/tests/scripts/quiet/make ]]; then - echo "can't find quiet/make" - exit 1 - fi - if [[ ! -x ${PWD}/tests/scripts/quiet/cmake ]]; then - echo "can't find quiet/cmake" - exit 1 + if [[ -e ${PWD}/tests/scripts/quiet ]]; then + export PATH=${PWD}/tests/scripts/quiet:$PATH fi } diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index a1ef3e5..162d44d 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -15,4 +15,4 @@ export NO_SILENCE=" --version | test " export TOOL="make" -exec $(dirname "$0")/quiet "$@" +exec "$(dirname "$0")/quiet" "$@" -- cgit v1.1 From 30483dccc0df41bacb3ed38c682614666903fd95 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:28:13 +0000 Subject: Undo not-needed change Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a8a704c..ec201ce 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -6257,7 +6257,7 @@ run_component () { # Preliminary setup pre_check_environment -pre_initialize_variables "$@" +pre_initialize_variables pre_parse_command_line "$@" setup_quiet_wrappers -- cgit v1.1 From c7f05490bb804569b43aca1bbafa2596b49a42ae Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:28:42 +0000 Subject: Quote directory name from cmake wrapper Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index 10a0b25..3723473 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -15,4 +15,4 @@ export NO_SILENCE=" --version " export TOOL="cmake" -exec $(dirname "$0")/quiet "$@" +exec "$(dirname "$0")/quiet" "$@" -- cgit v1.1 From d0e3827ea2020c4a7a870cf759fed254c79c1c5d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:28:56 +0000 Subject: Improve docs Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet index bbc685c..8f83d07 100755 --- a/tests/scripts/quiet/quiet +++ b/tests/scripts/quiet/quiet @@ -9,6 +9,17 @@ # If you are debugging a build / CI issue, you can get complete unsilenced logs # by un-commenting the following line (or setting VERBOSE_LOGS in your environment): # VERBOSE_LOGS=1 +# +# This script provides most of the functionality for the adjacent make and cmake +# wrappers. +# +# It requires two variables to be set: +# +# TOOL - the name of the tool that is being wrapped (with no path), e.g. "make" +# +# NO_SILENCE - a regex that describes the commandline arguments for which output will not +# be silenced, e.g. " --version | test ". In this example, "make test" will +# not be silent, but "make lib" will be. # Locate original tool TOOL_WITH_PATH=$(dirname "$0")/$TOOL -- cgit v1.1 From bdf0a6d4318fe19b8a61d573b334ff447fa8bc66 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:29:10 +0000 Subject: remove shebang from quiet Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet index 8f83d07..00e2f63 100755 --- a/tests/scripts/quiet/quiet +++ b/tests/scripts/quiet/quiet @@ -1,5 +1,3 @@ -#! /usr/bin/env bash -# # Copyright The Mbed TLS Contributors # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # -- cgit v1.1 From dbc2e8d4ccad4ac7da8a27c34253a74bad34d20a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:29:31 +0000 Subject: Improve simplified quoting Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet index 00e2f63..7b54bdb 100755 --- a/tests/scripts/quiet/quiet +++ b/tests/scripts/quiet/quiet @@ -27,18 +27,15 @@ print_quoted_args() { # similar to printf '%q' "$@" # but produce more human-readable results for common/simple cases like "a b" for a in "$@"; do - simple_pattern='^([[:alnum:]_+-]+=)?([[:alnum:] _=+-./:@]*)$' - if [[ $a =~ ' ' && $a =~ $simple_pattern ]]; then - # a has spaces, but no other special characters that need escaping - # (quoting after removing spaces yields no backslashes) - # simplify quoted form - e.g.: - # a b -> "a b" - # CFLAGS=a b -> CFLAGS="a b" - q="${BASH_REMATCH[1]}\"${BASH_REMATCH[2]}\"" - else - # get bash to do the quoting (which may result in no quotes or escaping, - # if none is needed). - q=$(printf '%q' "$a") + # Get bash to quote the string + q=$(printf '%q' "$a") + simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$" + if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then + # a requires some quoting (a != q), but has no single quotes, so we can + # simplify the quoted form - e.g.: + # a b -> 'a b' + # CFLAGS=a b -> CFLAGS='a b' + q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'" fi printf "%s " "$q" done -- cgit v1.1 From 67126bbcea0f0486149ba3f8671a12e747924ceb Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:30:37 +0000 Subject: remove trailing space from printed command Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet index 7b54bdb..9c4939e 100755 --- a/tests/scripts/quiet/quiet +++ b/tests/scripts/quiet/quiet @@ -37,7 +37,7 @@ print_quoted_args() { # CFLAGS=a b -> CFLAGS='a b' q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'" fi - printf "%s " "$q" + printf " %s" "$q" done } @@ -45,7 +45,7 @@ if [[ ! " $* " =~ " --version " ]]; then # Display the command being invoked - if it succeeds, this is all that will # be displayed. Don't do this for invocations with --version, because # this output is often parsed by scripts, so we don't want to modify it. - printf %s "${TOOL} " + printf %s "${TOOL}" print_quoted_args "$@" echo fi -- cgit v1.1 From 2f94766a613500b6cdf79f2a438eef7faa975f2a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 17:30:56 +0000 Subject: Send printed command to stderr Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet index 9c4939e..0f5bf06 100755 --- a/tests/scripts/quiet/quiet +++ b/tests/scripts/quiet/quiet @@ -45,9 +45,9 @@ if [[ ! " $* " =~ " --version " ]]; then # Display the command being invoked - if it succeeds, this is all that will # be displayed. Don't do this for invocations with --version, because # this output is often parsed by scripts, so we don't want to modify it. - printf %s "${TOOL}" - print_quoted_args "$@" - echo + printf %s "${TOOL}" 1>&2 + print_quoted_args "$@" 1>&2 + echo 1>&2 fi if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then -- cgit v1.1 From 08b81bf1e8c2e412263102dcda56fd6f2c8e1ed3 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 18:03:29 +0000 Subject: Test all unroll variations Signed-off-by: Dave Rodgman --- library/sha3.c | 34 +++++++++++++++++++++------------- tests/scripts/all.sh | 20 ++++++++++++++++++++ 2 files changed, 41 insertions(+), 13 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 5ebe9fc..299e278 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -24,18 +24,26 @@ * saving then enables us to unroll the other loops for a net code-size saving with a net * performance win. * - * Depending on your compiler and target, it may be beneficial to adjust these; the defaults here - * should give sensible trade-offs for gcc and clang. + * Depending on your size/perf priorities, compiler and target, it may be beneficial to adjust + * these; the defaults here should give sensible trade-offs for gcc and clang. */ -#undef MBEDTLS_SHA3_THETA_UNROLL //no-check-names -#define MBEDTLS_SHA3_RHO_UNROLL //no-check-names -#define MBEDTLS_SHA3_PI_UNROLL //no-check-names -#if !defined(MBEDTLS_COMPILER_IS_GCC) || defined(__OPTIMIZE_SIZE__) +#if !defined(MBEDTLS_SHA3_THETA_UNROLL) + #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names +#endif +#if !defined(MBEDTLS_SHA3_PI_UNROLL) + #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names +#endif +#if !defined(MBEDTLS_SHA3_CHI_UNROLL) + #if !defined(MBEDTLS_COMPILER_IS_GCC) || defined(__OPTIMIZE_SIZE__) /* GCC doesn't perform well with the rolled-up version, especially at -O2, so only enable on gcc * if optimising for size. Always enable for other compilers. */ -#undef MBEDTLS_SHA3_CHI_UNROLL //no-check-names -#else -#define MBEDTLS_SHA3_CHI_UNROLL //no-check-names + #define MBEDTLS_SHA3_CHI_UNROLL 0 //no-check-names + #else + #define MBEDTLS_SHA3_CHI_UNROLL 1 //no-check-names + #endif +#endif +#if !defined(MBEDTLS_SHA3_RHO_UNROLL) + #define MBEDTLS_SHA3_RHO_UNROLL 1 //no-check-names #endif #include "mbedtls/sha3.h" @@ -84,7 +92,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) uint64_t t; /* Theta */ -#if !defined(MBEDTLS_SHA3_THETA_UNROLL) //no-check-names +#if MBEDTLS_SHA3_THETA_UNROLL == 0 //no-check-names for (i = 0; i < 5; i++) { lane[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20]; } @@ -118,7 +126,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) /* Rho */ for (i = 1; i < 25; i += 4) { uint32_t r = rho[(i - 1) >> 2]; -#if !defined(MBEDTLS_SHA3_RHO_UNROLL) +#if MBEDTLS_SHA3_RHO_UNROLL == 0 for (int j = i; j < i + 4; j++) { uint8_t r8 = (uint8_t) (r >> 24); r <<= 8; @@ -134,7 +142,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) /* Pi */ t = s[1]; -#if !defined(MBEDTLS_SHA3_PI_UNROLL) +#if MBEDTLS_SHA3_PI_UNROLL == 0 for (i = 0; i < 24; i += 4) { uint32_t p = pi[i >> 2]; for (unsigned j = 0; j < 4; j++) { @@ -165,7 +173,7 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) #endif /* Chi */ -#if !defined(MBEDTLS_SHA3_CHI_UNROLL) //no-check-names +#if MBEDTLS_SHA3_CHI_UNROLL == 0 //no-check-names for (i = 0; i <= 20; i += 5) { lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; lane[3] = s[i + 3]; lane[4] = s[i + 4]; diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index af32c06..2b51f9e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4687,6 +4687,26 @@ component_test_aesni () { # ~ 60s not grep -q "AES note: built-in implementation." ./programs/test/selftest } +component_test_sha3_variations() { + msg "sha3 loop unroll variations" + + # define minimal config sufficient to test SHA3 + cat > include/mbedtls/mbedtls_config.h << END + #define MBEDTLS_SELF_TEST + #define MBEDTLS_SHA3_C +END + + msg "all loops unrolled" + make clean + make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" + ./tests/test_suite_shax + + msg "all loops rolled up" + make clean + make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" + ./tests/test_suite_shax +} + support_test_aesni_m32() { support_test_m32_no_asm && (lscpu | grep -qw aes) } -- cgit v1.1 From 40c837dc40592b58a4570b0670ff39fbde6facc1 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Feb 2024 18:33:23 +0000 Subject: Simplify pi rolled-up variant Signed-off-by: Dave Rodgman --- library/sha3.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 299e278..b41879c 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -72,7 +72,7 @@ static const uint32_t rho[6] = { }; static const uint32_t pi[6] = { - 0x0a070b11, 0x12030510, 0x08151804, 0x0f17130d, 0x0c02140e, 0x16090601 + 0x110b070a, 0x10050312, 0x04181508, 0x0d13170f, 0x0e14020c, 0x01060916 }; #define ROTR64(x, y) (((x) << (64U - (y))) | ((x) >> (y))) // 64-bit rotate right @@ -146,30 +146,29 @@ static void keccak_f1600(mbedtls_sha3_context *ctx) for (i = 0; i < 24; i += 4) { uint32_t p = pi[i >> 2]; for (unsigned j = 0; j < 4; j++) { - uint8_t p8 = (uint8_t) (p >> 24); - p <<= 8; - SWAP(s[p8], t); + SWAP(s[p & 0xff], t); + p >>= 8; } } #else uint32_t p = pi[0]; - SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); - SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); + SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); p = pi[1]; - SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); - SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); + SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); p = pi[2]; - SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); - SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); + SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); p = pi[3]; - SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); - SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); + SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); p = pi[4]; - SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); - SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); + SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); p = pi[5]; - SWAP(s[MBEDTLS_BYTE_3(p)], t); SWAP(s[MBEDTLS_BYTE_2(p)], t); - SWAP(s[MBEDTLS_BYTE_1(p)], t); SWAP(s[MBEDTLS_BYTE_0(p)], t); + SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); + SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); #endif /* Chi */ -- cgit v1.1 From 1fa2f6e9afa99a01fb9854f4cdb0f1261335bdda Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 08:11:25 +0100 Subject: test: remove usage of mbedtls_pk_wrap_as_opaque() from tests This is replaced with: mbedtls_pk_get_psa_attributes() + mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque(). Signed-off-by: Valerio Setti --- tests/src/test_helpers/ssl_helpers.c | 21 +++++++++++-- tests/suites/test_suite_pk.function | 49 ++++++++++++++++++------------ tests/suites/test_suite_pkwrite.function | 22 +++++++++----- tests/suites/test_suite_x509write.function | 47 +++++++++------------------- 4 files changed, 78 insertions(+), 61 deletions(-) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 7a28bd8..f6645d7 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -685,9 +685,24 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, #if defined(MBEDTLS_USE_PSA_CRYPTO) if (opaque_alg != 0) { - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(cert->pkey, &key_slot, - opaque_alg, opaque_usage, - opaque_alg2), 0); + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + /* Use a fake key usage to get a successful initial guess for the PSA attributes. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_VERIFY_HASH, + &key_attr), 0); + /* Then manually set type, usage, alg and alg2 as requested by the test. */ + psa_key_type_t key_type = psa_get_key_type(&key_attr); + if (PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) { + psa_set_key_type(&key_attr, PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(key_type)); + } + psa_set_key_usage_flags(&key_attr, opaque_usage); + psa_set_key_algorithm(&key_attr, opaque_alg); + if (opaque_alg2 != PSA_ALG_NONE) { + psa_set_key_enrollment_algorithm(&key_attr, opaque_alg2); + } + TEST_EQUAL(mbedtls_pk_import_into_psa(cert->pkey, &key_attr, &key_slot), 0); + mbedtls_pk_free(cert->pkey); + mbedtls_pk_init(cert->pkey); + TEST_EQUAL(mbedtls_pk_setup_opaque(cert->pkey, key_slot), 0); } #else (void) opaque_alg; diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 180cf76..91b3337 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -836,6 +836,7 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) mbedtls_pk_context pub, prv, alt; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_pk_init(&pub); @@ -873,9 +874,13 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) { - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id, - PSA_ALG_ANY_HASH, - PSA_KEY_USAGE_EXPORT, 0), 0); + /* Turn the prv PK context into an opaque one.*/ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH, + &opaque_key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0); + mbedtls_pk_free(&prv); + mbedtls_pk_init(&prv); + TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0); TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand, NULL), ret); } @@ -1395,7 +1400,8 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, mbedtls_mpi N, P, Q, E; mbedtls_rsa_context *rsa; mbedtls_pk_context pk; - mbedtls_svc_key_id_t key_id; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; size_t olen; mbedtls_pk_init(&pk); @@ -1422,10 +1428,11 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); /* Turn PK context into an opaque one. */ - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, - PSA_ALG_RSA_PKCS1V15_CRYPT, - PSA_KEY_USAGE_DECRYPT, - PSA_ALG_NONE), 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0); + mbedtls_pk_free(&pk); + mbedtls_pk_init(&pk); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); @@ -1635,10 +1642,9 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) unsigned char pkey_legacy[200]; unsigned char pkey_psa[200]; unsigned char *pkey_legacy_start, *pkey_psa_start; - psa_algorithm_t alg_psa; size_t sig_len, klen_legacy, klen_psa; int ret; - mbedtls_svc_key_id_t key_id; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; /* @@ -1660,7 +1666,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), mbedtls_test_rnd_std_rand, NULL, curve_or_keybits, 3) == 0); - alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256); } else #endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) @@ -1671,8 +1676,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); TEST_ASSERT(pk_genkey(&pk, grpid) == 0); - - alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256); } else #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ { @@ -1699,9 +1702,11 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) #endif /* MBEDTLS_PK_WRITE_C */ /* Turn PK context into an opaque one. */ - TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE) == 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0); + mbedtls_pk_free(&pk); + mbedtls_pk_init(&pk); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); PSA_ASSERT(psa_get_key_attributes(key_id, &attributes)); TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type); @@ -1822,6 +1827,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg mbedtls_pk_context pk; size_t sig_len, pkey_len; mbedtls_svc_key_id_t key_id; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; unsigned char *pkey_start; @@ -1861,9 +1867,14 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg } /* Turn PK context into an opaque one. */ - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE), 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); + /* Tweak the algorithm associated with the PSA key because get_psa_attributes() returns + * a PSA_ALG_RSA_PSS_ANY_SALT(), but mbedtls_pk_sign_ext() requires a PSA_ALG_RSA_PSS().*/ + psa_set_key_algorithm(&key_attr, psa_alg); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0); + mbedtls_pk_free(&pk); + mbedtls_pk_init(&pk); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); memset(hash, 0x2a, sizeof(hash)); memset(sig, 0, sizeof(sig)); diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function index c760090..735c125 100644 --- a/tests/suites/test_suite_pkwrite.function +++ b/tests/suites/test_suite_pkwrite.function @@ -75,6 +75,7 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) size_t buf_len, check_buf_len; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ USE_PSA_INIT(); @@ -117,10 +118,13 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) /* Verify that pk_write works also for opaque private keys */ if (!is_public_key) { memset(buf, 0, check_buf_len); - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id, - PSA_ALG_NONE, - PSA_KEY_USAGE_EXPORT, - PSA_ALG_NONE), 0); + /* Turn the key PK context into an opaque one. + * Note: set some practical usage for the key to make get_psa_attributes() happy. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_MESSAGE, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &opaque_id), 0); + mbedtls_pk_free(&key); + mbedtls_pk_init(&key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0); start_buf = buf; buf_len = check_buf_len; TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key, @@ -172,6 +176,7 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file) size_t pub_key_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_pk_init(&priv_key); @@ -194,9 +199,12 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file) #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_platform_zeroize(derived_key_raw, derived_key_len); - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id, - PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT, - PSA_ALG_NONE), 0); + /* Turn the priv_key PK context into an opaque one. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&priv_key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&priv_key, &key_attr, &opaque_key_id), 0); + mbedtls_pk_free(&priv_key); + mbedtls_pk_init(&priv_key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&priv_key, opaque_key_id), 0); TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw, derived_key_len), pub_key_len); diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 3d84c72..1db7e1c 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -284,7 +284,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, { mbedtls_pk_context key; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; - psa_algorithm_t md_alg_psa, alg_psa; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; mbedtls_x509write_csr req; unsigned char buf[4096]; int ret; @@ -297,24 +297,16 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); - md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type); - TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE); - mbedtls_pk_init(&key); TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL, mbedtls_test_rnd_std_rand, NULL) == 0); - if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) { - alg_psa = PSA_ALG_ECDSA(md_alg_psa); - } else if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) { - alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa); - } else { - TEST_ASSUME(!"PK key type not supported in this configuration"); - } - - TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&key, &key_id, alg_psa, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE) == 0); + /* Turn the PK context into an opaque one. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0); + mbedtls_pk_free(&key); + mbedtls_pk_init(&key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0); mbedtls_x509write_csr_set_md_alg(&req, md_type); mbedtls_x509write_csr_set_key(&req, &key); @@ -373,6 +365,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, mbedtls_test_rnd_pseudo_info rnd_info; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif mbedtls_pk_type_t issuer_key_type; mbedtls_x509_san_list san_ip; @@ -451,24 +444,14 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) - /* For Opaque PK contexts, wrap key as an Opaque RSA context. */ + /* Turn the issuer PK context into an opaque one. */ if (pk_wrap == 2) { - psa_algorithm_t alg_psa, md_alg_psa; - - md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type); - TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE); - - if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) { - alg_psa = PSA_ALG_ECDSA(md_alg_psa); - } else if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_RSA) { - alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa); - } else { - TEST_ASSUME(!"PK key type not supported in this configuration"); - } - - TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&issuer_key, &key_id, alg_psa, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE) == 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH, + &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0); + mbedtls_pk_free(&issuer_key); + mbedtls_pk_init(&issuer_key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -- cgit v1.1 From 7541ebea52cc634c5dfc0ec459c477992915fde6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 10:44:33 +0100 Subject: programs: remove usage of mbedtls_pk_wrap_as_opaque() from tests This is replaced with: mbedtls_pk_get_psa_attributes() + mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque(). Signed-off-by: Valerio Setti --- programs/ssl/ssl_client2.c | 5 ++--- programs/ssl/ssl_server2.c | 12 ++++-------- programs/ssl/ssl_test_lib.c | 29 +++++++++++++++++++++++++++++ programs/ssl/ssl_test_lib.h | 23 +++++++++++++++++++++++ 4 files changed, 58 insertions(+), 11 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 05bb2ff..f5768b1 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1711,11 +1711,10 @@ usage: &psa_alg, &psa_alg2, &usage, mbedtls_pk_get_type(&pkey)) == 0) { - ret = mbedtls_pk_wrap_as_opaque(&pkey, &key_slot, psa_alg, - usage, psa_alg2); + ret = pk_wrap_as_opaque(&pkey, psa_alg, psa_alg2, usage, &key_slot); if (ret != 0) { mbedtls_printf(" failed\n ! " - "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", + "mbedtls_pk_get_psa_attributes returned -0x%x\n\n", (unsigned int) -ret); goto exit; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index abf33de..f00a111 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2708,12 +2708,10 @@ usage: &psa_alg, &psa_alg2, &psa_usage, mbedtls_pk_get_type(&pkey)) == 0) { - ret = mbedtls_pk_wrap_as_opaque(&pkey, &key_slot, - psa_alg, psa_usage, psa_alg2); - + ret = pk_wrap_as_opaque(&pkey, psa_alg, psa_alg2, psa_usage, &key_slot); if (ret != 0) { mbedtls_printf(" failed\n ! " - "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", + "pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret); goto exit; } @@ -2727,12 +2725,10 @@ usage: &psa_alg, &psa_alg2, &psa_usage, mbedtls_pk_get_type(&pkey2)) == 0) { - ret = mbedtls_pk_wrap_as_opaque(&pkey2, &key_slot2, - psa_alg, psa_usage, psa_alg2); - + ret = pk_wrap_as_opaque(&pkey2, psa_alg, psa_alg2, psa_usage, &key_slot2); if (ret != 0) { mbedtls_printf(" failed\n ! " - "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", + "mbedtls_pk_get_psa_attributes returned -0x%x\n\n", (unsigned int) -ret); goto exit; } diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index d3ac526..ec02295 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -274,6 +274,35 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, return 0; } + +int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2, + psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id) +{ + int ret; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + + ret = mbedtls_pk_get_psa_attributes(pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr); + if (ret != 0) { + return ret; + } + psa_set_key_usage_flags(&key_attr, psa_usage); + psa_set_key_algorithm(&key_attr, psa_alg); + if (psa_alg2 != PSA_ALG_NONE) { + psa_set_key_enrollment_algorithm(&key_attr, psa_alg2); + } + ret = mbedtls_pk_import_into_psa(pk, &key_attr, key_id); + if (ret != 0) { + return ret; + } + mbedtls_pk_free(pk); + mbedtls_pk_init(pk); + ret = mbedtls_pk_setup_opaque(pk, *key_id); + if (ret != 0) { + return ret; + } + + return 0; +} #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index d06e099..5cb6a36 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -235,6 +235,29 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, psa_algorithm_t *psa_alg2, psa_key_usage_t *usage, mbedtls_pk_type_t key_type); + +/** Turn a non-opaque PK context into an opaque one with folowing steps: + * - extract the key data and attributes from the PK context. + * - import the key material into PSA. + * - free the provided PK context and re-initilize it as an opaque PK context + * wrapping the PSA key imported in the above step. + * + * \param[in/out] pk On input the non-opaque PK context which contains the + * key to be wrapped. On output the re-initialized PK + * context which represents the opaque version of the one + * provided as input. + * \param[in] psa_alg The primary algorithm that will be associated to the + * PSA key. + * \param[in] psa_alg2 The enrollment algorithm that will be associated to the + * PSA key. + * \param[in] psa_usage The PSA key usage policy. + * \param[out] key_id The PSA key identifier of the imported key. + * + * \return \c 0 on sucess. + * \return \c -1 on failure. + */ +int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2, + psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id); #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) -- cgit v1.1 From 4c6cea549c28d3dc9b7a23a5ed607009055f7e7f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 10:48:49 +0100 Subject: pk: deprecate mbedtls_pk_wrap_as_opaque() Signed-off-by: Valerio Setti --- include/mbedtls/pk.h | 23 ++++++++++++++--------- library/pk.c | 14 +++++++------- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 534712b..fff1912 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -1213,12 +1213,17 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, const mbedtls_pk_context *key); #endif /* MBEDTLS_PK_WRITE_C */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief Turn an EC or RSA key into an opaque one. * - * \warning This is a temporary utility function for tests. It might - * change or be removed at any time without notice. + * \warning This function is deprecated and will be removed in a + * future version of the library. + * To wrap a key into an opaque one the following functions + * should be used instead: + * - mbedtls_pk_get_psa_attributes() + * - mbedtls_pk_import_into_psa() + * - mbedtls_pk_setup_opaque(). * * \param pk Input: the EC or RSA key to import to a PSA key. * Output: a PK context wrapping that PSA key. @@ -1233,12 +1238,12 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, * \return \c 0 if successful. * \return An Mbed TLS error code otherwise. */ -int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, - mbedtls_svc_key_id_t *key, - psa_algorithm_t alg, - psa_key_usage_t usage, - psa_algorithm_t alg2); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +MBEDTLS_DEPRECATED mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, + mbedtls_svc_key_id_t *key, + psa_algorithm_t alg, + psa_key_usage_t usage, + psa_algorithm_t alg2); +#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } diff --git a/library/pk.c b/library/pk.c index 1ded487..322cd58 100644 --- a/library/pk.c +++ b/library/pk.c @@ -1357,18 +1357,18 @@ mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx) return ctx->pk_info->type; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) /* * Load the key to a PSA key slot, * then turn the PK context into a wrapper for that key slot. * * Currently only works for EC & RSA private keys. */ -int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, - mbedtls_svc_key_id_t *key, - psa_algorithm_t alg, - psa_key_usage_t usage, - psa_algorithm_t alg2) +MBEDTLS_DEPRECATED int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, + mbedtls_svc_key_id_t *key, + psa_algorithm_t alg, + psa_key_usage_t usage, + psa_algorithm_t alg2) { #if !defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_RSA_C) ((void) pk); @@ -1476,5 +1476,5 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, #endif /* !MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_RSA_C */ return MBEDTLS_ERR_PK_TYPE_MISMATCH; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_PK_C */ -- cgit v1.1 From 6a3da2d5edaba83079f298e0f13e894a2c537f49 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 27 Feb 2024 10:41:53 +0000 Subject: Add missing casts Signed-off-by: Dave Rodgman --- library/pk_wrap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index b472cfb..846175e 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -306,7 +306,7 @@ static int rsa_decrypt_wrap(mbedtls_pk_context *pk, psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) { - psa_md_alg = mbedtls_md_psa_alg_from_type(mbedtls_rsa_get_md_alg(rsa)); + psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa)); decrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg); } else { decrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT; @@ -388,7 +388,7 @@ static int rsa_encrypt_wrap(mbedtls_pk_context *pk, psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) { - psa_md_alg = mbedtls_md_psa_alg_from_type(mbedtls_rsa_get_md_alg(rsa)); + psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa)); psa_set_key_algorithm(&attributes, PSA_ALG_RSA_OAEP(psa_md_alg)); } else { psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT); -- cgit v1.1 From 88ae0ef286b348910a76b3ba78d6b9cd90851382 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 13:49:42 +0100 Subject: pk: completely remove mbedtls_pk_wrap_as_opaque Remove instead of deprecating it. Signed-off-by: Valerio Setti --- include/mbedtls/pk.h | 32 -------------- library/pk.c | 120 --------------------------------------------------- 2 files changed, 152 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index fff1912..ff80290 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -1213,38 +1213,6 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, const mbedtls_pk_context *key); #endif /* MBEDTLS_PK_WRITE_C */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) -/** - * \brief Turn an EC or RSA key into an opaque one. - * - * \warning This function is deprecated and will be removed in a - * future version of the library. - * To wrap a key into an opaque one the following functions - * should be used instead: - * - mbedtls_pk_get_psa_attributes() - * - mbedtls_pk_import_into_psa() - * - mbedtls_pk_setup_opaque(). - * - * \param pk Input: the EC or RSA key to import to a PSA key. - * Output: a PK context wrapping that PSA key. - * \param key Output: a PSA key identifier. - * It's the caller's responsibility to call - * psa_destroy_key() on that key identifier after calling - * mbedtls_pk_free() on the PK context. - * \param alg The algorithm to allow for use with that key. - * \param usage The usage to allow for use with that key. - * \param alg2 The secondary algorithm to allow for use with that key. - * - * \return \c 0 if successful. - * \return An Mbed TLS error code otherwise. - */ -MBEDTLS_DEPRECATED mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, - mbedtls_svc_key_id_t *key, - psa_algorithm_t alg, - psa_key_usage_t usage, - psa_algorithm_t alg2); -#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ - #ifdef __cplusplus } #endif diff --git a/library/pk.c b/library/pk.c index 322cd58..7aee940 100644 --- a/library/pk.c +++ b/library/pk.c @@ -1357,124 +1357,4 @@ mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx) return ctx->pk_info->type; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) -/* - * Load the key to a PSA key slot, - * then turn the PK context into a wrapper for that key slot. - * - * Currently only works for EC & RSA private keys. - */ -MBEDTLS_DEPRECATED int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, - mbedtls_svc_key_id_t *key, - psa_algorithm_t alg, - psa_key_usage_t usage, - psa_algorithm_t alg2) -{ -#if !defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_RSA_C) - ((void) pk); - ((void) key); - ((void) alg); - ((void) usage); - ((void) alg2); -#else /* !MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_RSA_C */ -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) - if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY) { - size_t d_len; - psa_ecc_family_t curve_id; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_type_t key_type; - size_t bits; - psa_status_t status; - - /* export the private key material in the format PSA wants */ -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - unsigned char d[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH]; - status = psa_export_key(pk->priv_id, d, sizeof(d), &d_len); - if (status != PSA_SUCCESS) { - return psa_pk_status_to_mbedtls(status); - } - - curve_id = pk->ec_family; - bits = pk->ec_bits; -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - unsigned char d[MBEDTLS_ECP_MAX_BYTES]; - mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - d_len = PSA_BITS_TO_BYTES(ec->grp.nbits); - if ((ret = mbedtls_ecp_write_key(ec, d, d_len)) != 0) { - return ret; - } - - curve_id = mbedtls_ecc_group_to_psa(ec->grp.id, &bits); -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(curve_id); - - /* prepare the key attributes */ - psa_set_key_type(&attributes, key_type); - psa_set_key_bits(&attributes, bits); - psa_set_key_usage_flags(&attributes, usage); - psa_set_key_algorithm(&attributes, alg); - if (alg2 != PSA_ALG_NONE) { - psa_set_key_enrollment_algorithm(&attributes, alg2); - } - - /* import private key into PSA */ - status = psa_import_key(&attributes, d, d_len, key); - mbedtls_platform_zeroize(d, sizeof(d)); - if (status != PSA_SUCCESS) { - return PSA_PK_TO_MBEDTLS_ERR(status); - } - - /* make PK context wrap the key slot */ - mbedtls_pk_free(pk); - mbedtls_pk_init(pk); - - return mbedtls_pk_setup_opaque(pk, *key); - } else -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ -#if defined(MBEDTLS_RSA_C) - if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) { - unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - int key_len; - psa_status_t status; - - /* export the private key material in the format PSA wants */ - key_len = mbedtls_pk_write_key_der(pk, buf, sizeof(buf)); - if (key_len <= 0) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - - /* prepare the key attributes */ - psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR); - psa_set_key_bits(&attributes, mbedtls_pk_get_bitlen(pk)); - psa_set_key_usage_flags(&attributes, usage); - psa_set_key_algorithm(&attributes, alg); - if (alg2 != PSA_ALG_NONE) { - psa_set_key_enrollment_algorithm(&attributes, alg2); - } - - /* import private key into PSA */ - status = psa_import_key(&attributes, - buf + sizeof(buf) - key_len, - key_len, key); - - mbedtls_platform_zeroize(buf, sizeof(buf)); - - if (status != PSA_SUCCESS) { - return PSA_PK_TO_MBEDTLS_ERR(status); - } - - /* make PK context wrap the key slot */ - mbedtls_pk_free(pk); - mbedtls_pk_init(pk); - - return mbedtls_pk_setup_opaque(pk, *key); - } else -#endif /* MBEDTLS_RSA_C */ -#endif /* !MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_RSA_C */ - return MBEDTLS_ERR_PK_TYPE_MISMATCH; -} -#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_PK_C */ -- cgit v1.1 From a9de9445b1c1373680fa1da105cc3ea774750816 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 13:56:09 +0100 Subject: ssl_helpers: minor fix in mbedtls_test_ssl_endpoint_certificate_init() Signed-off-by: Valerio Setti --- tests/src/test_helpers/ssl_helpers.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index f6645d7..5d4cb1c 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -687,13 +687,9 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, if (opaque_alg != 0) { psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; /* Use a fake key usage to get a successful initial guess for the PSA attributes. */ - TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_VERIFY_HASH, + TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); - /* Then manually set type, usage, alg and alg2 as requested by the test. */ - psa_key_type_t key_type = psa_get_key_type(&key_attr); - if (PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) { - psa_set_key_type(&key_attr, PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(key_type)); - } + /* Then manually usage, alg and alg2 as requested by the test. */ psa_set_key_usage_flags(&key_attr, opaque_usage); psa_set_key_algorithm(&key_attr, opaque_alg); if (opaque_alg2 != PSA_ALG_NONE) { -- cgit v1.1 From 23e637a7c7cfcdbb4fcdc4ca944ea6896bf2a06d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 13:56:57 +0100 Subject: test_suite_pk: initialize all PSA key IDs and attributes Signed-off-by: Valerio Setti --- tests/suites/test_suite_pk.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 91b3337..e1a0011 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -434,7 +434,7 @@ exit: */ mbedtls_svc_key_id_t pk_psa_genkey_ecc(void) { - mbedtls_svc_key_id_t key; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const psa_key_type_t type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); @@ -456,7 +456,7 @@ exit: */ mbedtls_svc_key_id_t pk_psa_genkey_rsa(void) { - mbedtls_svc_key_id_t key; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR; const size_t bits = 1024; @@ -482,7 +482,7 @@ exit: void pk_psa_utils(int key_is_rsa) { mbedtls_pk_context pk, pk2; - mbedtls_svc_key_id_t key; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const char * const name = "Opaque"; @@ -1826,7 +1826,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg { mbedtls_pk_context pk; size_t sig_len, pkey_len; - mbedtls_svc_key_id_t key_id; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; -- cgit v1.1 From 8988767b0ec7457999a3db107d2b458673fc7ed5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 27 Feb 2024 23:45:10 +0100 Subject: Use attribute accessor functions in driver wrappers Fully automated: ``` perl -i -pe 's/(\w+)->core\.(\w+)/psa_get_key_$2($1)/g' scripts/data_files/driver_templates/*.jinja docs/psa-driver-example-and-guide.md ``` Signed-off-by: Gilles Peskine --- docs/psa-driver-example-and-guide.md | 6 +- .../psa_crypto_driver_wrappers.h.jinja | 86 +++++++++++----------- .../psa_crypto_driver_wrappers_no_static.c.jinja | 10 +-- 3 files changed, 51 insertions(+), 51 deletions(-) diff --git a/docs/psa-driver-example-and-guide.md b/docs/psa-driver-example-and-guide.md index d041723..aa825ad 100644 --- a/docs/psa-driver-example-and-guide.md +++ b/docs/psa-driver-example-and-guide.md @@ -157,11 +157,11 @@ The driver wrapper functions in `psa_crypto_driver_wrappers.h.jinja` for all fou ``` #if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED) - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) && + if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) && PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) && - PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 && - attributes->core.bits == 256 ) + PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 && + psa_get_key_bits(attributes) == 256 ) { status = p256_transparent_sign_hash( attributes, key_buffer, diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja index 4f9764d..8b91f0b 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja @@ -122,7 +122,7 @@ static inline psa_status_t psa_driver_wrapper_sign_message( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -196,7 +196,7 @@ static inline psa_status_t psa_driver_wrapper_verify_message( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -266,7 +266,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash( const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) ) { if( drv->asymmetric == NULL || drv->asymmetric->p_sign == NULL ) @@ -283,7 +283,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -306,11 +306,11 @@ static inline psa_status_t psa_driver_wrapper_sign_hash( return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED) - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) && + if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) && PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) && - PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 && - attributes->core.bits == 256 ) + PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 && + psa_get_key_bits(attributes) == 256 ) { status = p256_transparent_sign_hash( attributes, key_buffer, @@ -370,7 +370,7 @@ static inline psa_status_t psa_driver_wrapper_verify_hash( const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) ) { if( drv->asymmetric == NULL || drv->asymmetric->p_verify == NULL ) @@ -387,7 +387,7 @@ static inline psa_status_t psa_driver_wrapper_verify_hash( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -410,11 +410,11 @@ static inline psa_status_t psa_driver_wrapper_verify_hash( return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED) - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) && + if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) && PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) && - PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 && - attributes->core.bits == 256 ) + PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 && + psa_get_key_bits(attributes) == 256 ) { status = p256_transparent_verify_hash( attributes, key_buffer, @@ -517,7 +517,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash_start( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( - attributes->core.lifetime ); + psa_get_key_lifetime(attributes) ); switch( location ) { @@ -609,7 +609,7 @@ static inline psa_status_t psa_driver_wrapper_verify_hash_start( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( - attributes->core.lifetime ); + psa_get_key_lifetime(attributes) ); switch( location ) { @@ -707,8 +707,8 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( size_t *key_buffer_size ) { psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); - psa_key_type_t key_type = attributes->core.type; + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); + psa_key_type_t key_type = psa_get_key_type(attributes); *key_buffer_size = 0; switch( location ) @@ -736,7 +736,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime); + PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)); #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) int is_default_production = @@ -757,7 +757,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) ) { size_t pubkey_length = 0; /* We don't support this feature yet */ if( drv->key_management == NULL || @@ -780,7 +780,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( /* Transparent drivers are limited to generating asymmetric keys. */ /* We don't support passing custom production parameters * to drivers yet. */ - if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) && + if( PSA_KEY_TYPE_IS_ASYMMETRIC( psa_get_key_type(attributes) ) && is_default_production ) { /* Cycle through all known transparent accelerators */ @@ -793,9 +793,9 @@ static inline psa_status_t psa_driver_wrapper_generate_key( break; #endif /* PSA_CRYPTO_DRIVER_TEST */ #if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) && - attributes->core.type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) && - attributes->core.bits == 256 ) + if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) && + psa_get_key_type(attributes) == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) && + psa_get_key_bits(attributes) == 256 ) { status = p256_transparent_generate_key( attributes, key_buffer, @@ -862,7 +862,7 @@ bits const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) ) { if( drv->key_management == NULL || drv->key_management->p_import == NULL ) @@ -939,7 +939,7 @@ data_length const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) ) { if( ( drv->key_management == NULL ) || ( drv->key_management->p_export == NULL ) ) @@ -994,13 +994,13 @@ target_key_buffer_length {% endmacro %} psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) ) { /* Copying to a secure element is not implemented yet. */ return( PSA_ERROR_NOT_SUPPORTED ); @@ -1044,7 +1044,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -1134,7 +1134,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -1211,7 +1211,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt_setup( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -1284,7 +1284,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt_setup( { psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -1684,7 +1684,7 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -1736,7 +1736,7 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -1785,7 +1785,7 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt_setup( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -1833,7 +1833,7 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt_setup( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -2169,7 +2169,7 @@ static inline psa_status_t psa_driver_wrapper_mac_compute( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -2233,7 +2233,7 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_setup( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -2305,7 +2305,7 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_setup( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -2505,7 +2505,7 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_encrypt( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -2563,7 +2563,7 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_decrypt( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -2627,7 +2627,7 @@ static inline psa_status_t psa_driver_wrapper_key_agreement( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { @@ -2645,10 +2645,10 @@ static inline psa_status_t psa_driver_wrapper_key_agreement( return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) && + if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) && PSA_ALG_IS_ECDH(alg) && - PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 && - attributes->core.bits == 256 ) + PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 && + psa_get_key_bits(attributes) == 256 ) { status = p256_transparent_key_agreement( attributes, key_buffer, diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja index 2aae628..261cd2a 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja @@ -88,9 +88,9 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size( const psa_key_attributes_t *attributes, size_t *key_buffer_size ) { - psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); - psa_key_type_t key_type = attributes->core.type; - size_t key_bits = attributes->core.bits; + psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); + psa_key_type_t key_type = psa_get_key_type(attributes); + size_t key_bits = psa_get_key_bits(attributes); *key_buffer_size = 0; switch( location ) @@ -144,7 +144,7 @@ data_length const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) ) { if( ( drv->key_management == NULL ) || ( drv->key_management->p_export_public == NULL ) ) @@ -203,7 +203,7 @@ key_buffer, key_buffer_size, key_buffer_length {% endmacro %} - psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) ); switch( location ) { #if defined(PSA_CRYPTO_DRIVER_TEST) -- cgit v1.1 From 0f40a41cea69cf781f44ca29e8df0d76bc4010da Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 27 Feb 2024 23:21:15 +0100 Subject: psa_key_attributes_t: move slot_number to core structure Move the `slot_number` field of `psa_key_attributes_t` to `psa_core_key_attributes_t`. This makes ``psa_core_key_attributes_t` core` the sole field of `psa_key_attributes_t`. This paves the way to unifying the two structures. Signed-off-by: Gilles Peskine --- include/psa/crypto_extra.h | 2 +- include/psa/crypto_struct.h | 24 ++++++++++-------------- library/psa_crypto.c | 2 +- 3 files changed, 12 insertions(+), 16 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index ac21e3e..388e829 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -130,7 +130,7 @@ static inline void psa_set_key_slot_number( psa_key_slot_number_t slot_number) { attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; - attributes->MBEDTLS_PRIVATE(slot_number) = slot_number; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(slot_number) = slot_number; } /** Remove the slot number attribute from a key attribute structure. diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 683d841..a0218e3 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -290,6 +290,9 @@ typedef uint16_t psa_key_attributes_flag_t; 0) typedef struct { +#if defined(MBEDTLS_PSA_CRYPTO_SE_C) + psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); +#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ psa_key_type_t MBEDTLS_PRIVATE(type); psa_key_bits_t MBEDTLS_PRIVATE(bits); psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime); @@ -309,29 +312,22 @@ typedef struct { mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); } psa_core_key_attributes_t; -#define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0, \ +#if defined(MBEDTLS_PSA_CRYPTO_SE_C) +#define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER 0, +#else +#define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER +#endif +#define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \ + PSA_KEY_TYPE_NONE, 0, \ PSA_KEY_LIFETIME_VOLATILE, \ PSA_KEY_POLICY_INIT, 0, \ MBEDTLS_SVC_KEY_ID_INIT } struct psa_key_attributes_s { -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - /* With client/service separation, struct psa_key_attributes_s is - * marshalled through a transport channel between the client and - * service side implementation of the PSA Crypto APIs, thus having - * the mbedtls_svc_key_id_t id as the last field of this structure - * allows for a more efficient marshalling/unmarshalling of parameters - */ psa_core_key_attributes_t MBEDTLS_PRIVATE(core); }; -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) -#define PSA_KEY_ATTRIBUTES_INIT { 0, PSA_CORE_KEY_ATTRIBUTES_INIT } -#else #define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT } -#endif static inline struct psa_key_attributes_s psa_key_attributes_init(void) { diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ca01e76..7188b12 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1246,7 +1246,7 @@ psa_status_t psa_get_key_slot_number( psa_key_slot_number_t *slot_number) { if (attributes->core.flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER) { - *slot_number = attributes->slot_number; + *slot_number = attributes->core.slot_number; return PSA_SUCCESS; } else { return PSA_ERROR_INVALID_ARGUMENT; -- cgit v1.1 From 7fad3ef3b5577e9b36ac9a25c9ad0e1ad9b97a63 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 01:08:27 +0100 Subject: Switch key slots to psa_key_attributes_t Switch `psa_key_slot_t` to the full `psa_key_attributes_t`, now that this structure only has psa_core_key_attributes_t`. To minimize the diff without breaking the build much, temporarily make `psa_key_attributes_t` contain either the `core` field or all the fields. This allows both things like `slot->attr.core.type` and `slot->attr.type` to exist. The build breaks with compilers that don't support anonymous unions and structs, which are only standard C since C11. Signed-off-by: Gilles Peskine --- include/psa/crypto_struct.h | 34 +++++++++++++++++++++---- library/psa_crypto.c | 49 ++++++++++++++++++------------------ library/psa_crypto_core.h | 2 +- library/psa_crypto_slot_management.c | 2 +- library/psa_crypto_storage.c | 8 +++--- library/psa_crypto_storage.h | 8 +++--- 6 files changed, 64 insertions(+), 39 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index a0218e3..e4d85be 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -312,6 +312,34 @@ typedef struct { mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); } psa_core_key_attributes_t; +struct psa_key_attributes_s { + union { + psa_core_key_attributes_t MBEDTLS_PRIVATE(core); + struct { +#if defined(MBEDTLS_PSA_CRYPTO_SE_C) + psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); +#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ + psa_key_type_t MBEDTLS_PRIVATE(type); + psa_key_bits_t MBEDTLS_PRIVATE(bits); + psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime); + psa_key_policy_t MBEDTLS_PRIVATE(policy); + psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags); + /* This type has a different layout in the client view wrt the + * service view of the key id, i.e. in service view usually is + * expected to have MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined + * thus adding an owner field to the standard psa_key_id_t. For + * implementations with client/service separation, this means the + * object will be marshalled through a transport channel and + * interpreted differently at each side of the transport. Placing + * it at the end of structures allows to interpret the structure + * at the client without reorganizing the memory layout of the + * struct + */ + mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); + }; + }; +}; + #if defined(MBEDTLS_PSA_CRYPTO_SE_C) #define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER 0, #else @@ -323,11 +351,7 @@ typedef struct { PSA_KEY_POLICY_INIT, 0, \ MBEDTLS_SVC_KEY_ID_INIT } -struct psa_key_attributes_s { - psa_core_key_attributes_t MBEDTLS_PRIVATE(core); -}; - -#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT } +#define PSA_KEY_ATTRIBUTES_INIT { { PSA_CORE_KEY_ATTRIBUTES_INIT } } static inline struct psa_key_attributes_s psa_key_attributes_init(void) { diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 7188b12..fe0114f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1226,9 +1226,9 @@ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, return status; } - attributes->core = slot->attr; - attributes->core.flags &= (MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY | - MBEDTLS_PSA_KA_MASK_DUAL_USE); + *attributes = slot->attr; + attributes->flags &= (MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY | + MBEDTLS_PSA_KA_MASK_DUAL_USE); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) { @@ -1325,7 +1325,7 @@ psa_status_t psa_export_key(mbedtls_svc_key_id_t key, } psa_key_attributes_t attributes = { - .core = slot->attr + .core = slot->attr.core }; status = psa_driver_wrapper_export_key(&attributes, slot->key.data, slot->key.bytes, @@ -1438,7 +1438,7 @@ psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; status = psa_driver_wrapper_export_public_key( &attributes, slot->key.data, slot->key.bytes, @@ -1617,7 +1617,7 @@ static psa_status_t psa_start_key_creation( * volatile key identifier associated to the slot returned to contain its * definition. */ - slot->attr = attributes->core; + slot->attr = *attributes; if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) slot->attr.id = volatile_key_id; @@ -2390,7 +2390,7 @@ static psa_status_t psa_mac_setup(psa_mac_operation_t *operation, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; status = psa_mac_finalize_alg_and_key_validation(alg, &attributes, @@ -2571,7 +2571,7 @@ static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; status = psa_mac_finalize_alg_and_key_validation(alg, &attributes, @@ -2729,7 +2729,7 @@ static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; if (input_is_message) { @@ -2783,7 +2783,7 @@ static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key, } psa_key_attributes_t attributes = { - .core = slot->attr + .core = slot->attr.core }; if (input_is_message) { @@ -3057,7 +3057,7 @@ psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; status = psa_driver_wrapper_asymmetric_encrypt( @@ -3108,7 +3108,7 @@ psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; status = psa_driver_wrapper_asymmetric_decrypt( @@ -3209,7 +3209,7 @@ psa_status_t psa_sign_hash_start( } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; /* Ensure ops count gets reset, in case of operation re-use. */ @@ -3354,7 +3354,7 @@ psa_status_t psa_verify_hash_start( } psa_key_attributes_t attributes = { - .core = slot->attr + .core = slot->attr.core }; /* Ensure ops count gets reset, in case of operation re-use. */ @@ -3920,7 +3920,7 @@ static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation, operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; /* Try doing the operation through a driver before using software fallback. */ @@ -4160,7 +4160,7 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); @@ -4231,7 +4231,7 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; if (alg == PSA_ALG_CCM_STAR_NO_TAG && @@ -4354,7 +4354,7 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, } psa_key_attributes_t attributes = { - .core = slot->attr + .core = slot->attr.core }; status = psa_aead_check_nonce_length(alg, nonce_length); @@ -4409,7 +4409,7 @@ psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, } psa_key_attributes_t attributes = { - .core = slot->attr + .core = slot->attr.core }; status = psa_aead_check_nonce_length(alg, nonce_length); @@ -4515,7 +4515,7 @@ static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) { @@ -5892,7 +5892,7 @@ static psa_status_t psa_generate_derived_key_internal( slot->attr.bits = (psa_key_bits_t) bits; attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; if (psa_key_lifetime_is_external(attributes.core.lifetime)) { @@ -7024,7 +7024,7 @@ static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg, } psa_key_attributes_t attributes = { - .core = private_key->attr + .core = private_key->attr.core }; return psa_driver_wrapper_key_agreement(&attributes, @@ -7839,7 +7839,7 @@ psa_status_t psa_pake_set_password_key( } attributes = (psa_key_attributes_t) { - .core = slot->attr + .core = slot->attr.core }; type = psa_get_key_type(&attributes); @@ -7858,7 +7858,8 @@ psa_status_t psa_pake_set_password_key( memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); operation->data.inputs.password_len = slot->key.bytes; - operation->data.inputs.attributes = attributes; + operation->data.inputs.attributes = slot->attr; + exit: if (status != PSA_SUCCESS) { psa_pake_abort(operation); diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index afa8659..02c485e 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -59,7 +59,7 @@ typedef enum { * and metadata for one key. */ typedef struct { - psa_core_key_attributes_t attr; + psa_key_attributes_t attr; /* * The current state of the key slot, as described in diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index b2a3c7e..5dee32f 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -329,7 +329,7 @@ static psa_status_t psa_load_builtin_key_into_slot(psa_key_slot_t *slot) /* Copy actual key length and core attributes into the slot on success */ slot->key.bytes = key_buffer_length; - slot->attr = attributes.core; + slot->attr = attributes; exit: if (status != PSA_SUCCESS) { psa_remove_key_data_from_memory(slot); diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c index 13a3c8a..7d1317b 100644 --- a/library/psa_crypto_storage.c +++ b/library/psa_crypto_storage.c @@ -235,7 +235,7 @@ typedef struct { void psa_format_key_data_for_storage(const uint8_t *data, const size_t data_length, - const psa_core_key_attributes_t *attr, + const psa_key_attributes_t *attr, uint8_t *storage_data) { psa_persistent_key_storage_format *storage_format = @@ -267,7 +267,7 @@ psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data, size_t storage_data_length, uint8_t **key_data, size_t *key_data_length, - psa_core_key_attributes_t *attr) + psa_key_attributes_t *attr) { psa_status_t status; const psa_persistent_key_storage_format *storage_format = @@ -314,7 +314,7 @@ psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data, return PSA_SUCCESS; } -psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr, +psa_status_t psa_save_persistent_key(const psa_key_attributes_t *attr, const uint8_t *data, const size_t data_length) { @@ -352,7 +352,7 @@ void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length) mbedtls_zeroize_and_free(key_data, key_data_length); } -psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr, +psa_status_t psa_load_persistent_key(psa_key_attributes_t *attr, uint8_t **data, size_t *data_length) { diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h index b6b5e15..f1ea265 100644 --- a/library/psa_crypto_storage.h +++ b/library/psa_crypto_storage.h @@ -93,7 +93,7 @@ int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key); * \retval #PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription */ -psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr, +psa_status_t psa_save_persistent_key(const psa_key_attributes_t *attr, const uint8_t *data, const size_t data_length); @@ -123,7 +123,7 @@ psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr, * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription */ -psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr, +psa_status_t psa_load_persistent_key(psa_key_attributes_t *attr, uint8_t **data, size_t *data_length); @@ -163,7 +163,7 @@ void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length); */ void psa_format_key_data_for_storage(const uint8_t *data, const size_t data_length, - const psa_core_key_attributes_t *attr, + const psa_key_attributes_t *attr, uint8_t *storage_data); /** @@ -186,7 +186,7 @@ psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data, size_t storage_data_length, uint8_t **key_data, size_t *key_data_length, - psa_core_key_attributes_t *attr); + psa_key_attributes_t *attr); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) /** This symbol is defined if transaction support is required. */ -- cgit v1.1 From 7a5d9201c12e60ea7baf140040498770228241ef Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 01:18:23 +0100 Subject: Get rid of intermediate full-attributes local variables Now that a key slot contains the full `psa_key_attributes_t, the temporary local variables holding a copy of core attributes read from the slot are no longer needed. Signed-off-by: Gilles Peskine --- library/psa_crypto.c | 144 +++++++++++---------------------------------------- 1 file changed, 29 insertions(+), 115 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fe0114f..7046a31 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1324,10 +1324,7 @@ psa_status_t psa_export_key(mbedtls_svc_key_id_t key, return status; } - psa_key_attributes_t attributes = { - .core = slot->attr.core - }; - status = psa_driver_wrapper_export_key(&attributes, + status = psa_driver_wrapper_export_key(&slot->attr, slot->key.data, slot->key.bytes, data, data_size, data_length); @@ -1411,7 +1408,6 @@ psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - psa_key_attributes_t attributes; /* Reject a zero-length output buffer now, since this can never be a * valid key representation. This way we know that data must be a valid @@ -1437,11 +1433,8 @@ psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; status = psa_driver_wrapper_export_public_key( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, data, data_size, data_length); exit: @@ -2372,7 +2365,6 @@ static psa_status_t psa_mac_setup(psa_mac_operation_t *operation, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; - psa_key_attributes_t attributes; /* A context must be freshly initialized before it can be set up. */ if (operation->id != 0) { @@ -2389,11 +2381,7 @@ static psa_status_t psa_mac_setup(psa_mac_operation_t *operation, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - - status = psa_mac_finalize_alg_and_key_validation(alg, &attributes, + status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr, &operation->mac_size); if (status != PSA_SUCCESS) { goto exit; @@ -2403,13 +2391,13 @@ static psa_status_t psa_mac_setup(psa_mac_operation_t *operation, /* Dispatch the MAC setup call with validated input */ if (is_sign) { status = psa_driver_wrapper_mac_sign_setup(operation, - &attributes, + &slot->attr, slot->key.data, slot->key.bytes, alg); } else { status = psa_driver_wrapper_mac_verify_setup(operation, - &attributes, + &slot->attr, slot->key.data, slot->key.bytes, alg); @@ -2559,7 +2547,6 @@ static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key, psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; uint8_t operation_mac_size = 0; - psa_key_attributes_t attributes; status = psa_get_and_lock_key_slot_with_policy( key, @@ -2570,11 +2557,7 @@ static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - - status = psa_mac_finalize_alg_and_key_validation(alg, &attributes, + status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr, &operation_mac_size); if (status != PSA_SUCCESS) { goto exit; @@ -2586,7 +2569,7 @@ static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key, } status = psa_driver_wrapper_mac_compute( - &attributes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, @@ -2696,7 +2679,6 @@ static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - psa_key_attributes_t attributes; *signature_length = 0; @@ -2728,19 +2710,15 @@ static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - if (input_is_message) { status = psa_driver_wrapper_sign_message( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, signature, signature_size, signature_length); } else { status = psa_driver_wrapper_sign_hash( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, signature, signature_size, signature_length); } @@ -2782,18 +2760,14 @@ static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key, return status; } - psa_key_attributes_t attributes = { - .core = slot->attr.core - }; - if (input_is_message) { status = psa_driver_wrapper_verify_message( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, signature, signature_length); } else { status = psa_driver_wrapper_verify_hash( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, signature, signature_length); } @@ -3031,7 +3005,6 @@ psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - psa_key_attributes_t attributes; (void) input; (void) input_length; @@ -3056,12 +3029,8 @@ psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - status = psa_driver_wrapper_asymmetric_encrypt( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, salt, salt_length, output, output_size, output_length); exit: @@ -3083,7 +3052,6 @@ psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - psa_key_attributes_t attributes; (void) input; (void) input_length; @@ -3107,12 +3075,8 @@ psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - status = psa_driver_wrapper_asymmetric_decrypt( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, salt, salt_length, output, output_size, output_length); @@ -3181,7 +3145,6 @@ psa_status_t psa_sign_hash_start( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - psa_key_attributes_t attributes; /* Check that start has not been previously called, or operation has not * previously errored. */ @@ -3208,14 +3171,10 @@ psa_status_t psa_sign_hash_start( goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - /* Ensure ops count gets reset, in case of operation re-use. */ operation->num_ops = 0; - status = psa_driver_wrapper_sign_hash_start(operation, &attributes, + status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr, slot->key.data, slot->key.bytes, alg, hash, hash_length); @@ -3353,14 +3312,10 @@ psa_status_t psa_verify_hash_start( return status; } - psa_key_attributes_t attributes = { - .core = slot->attr.core - }; - /* Ensure ops count gets reset, in case of operation re-use. */ operation->num_ops = 0; - status = psa_driver_wrapper_verify_hash_start(operation, &attributes, + status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr, slot->key.data, slot->key.bytes, alg, hash, hash_length, @@ -3889,7 +3844,6 @@ static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation, psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ? PSA_KEY_USAGE_ENCRYPT : PSA_KEY_USAGE_DECRYPT); - psa_key_attributes_t attributes; /* A context must be freshly initialized before it can be set up. */ if (operation->id != 0) { @@ -3919,20 +3873,16 @@ static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation, } operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - /* Try doing the operation through a driver before using software fallback. */ if (cipher_operation == MBEDTLS_ENCRYPT) { status = psa_driver_wrapper_cipher_encrypt_setup(operation, - &attributes, + &slot->attr, slot->key.data, slot->key.bytes, alg); } else { status = psa_driver_wrapper_cipher_decrypt_setup(operation, - &attributes, + &slot->attr, slot->key.data, slot->key.bytes, alg); @@ -4145,7 +4095,6 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, psa_key_slot_t *slot = NULL; uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; size_t default_iv_length = 0; - psa_key_attributes_t attributes; if (!PSA_ALG_IS_CIPHER(alg)) { status = PSA_ERROR_INVALID_ARGUMENT; @@ -4159,10 +4108,6 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) { status = PSA_ERROR_GENERIC_ERROR; @@ -4182,7 +4127,7 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, } status = psa_driver_wrapper_cipher_encrypt( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, local_iv, default_iv_length, input, input_length, psa_crypto_buffer_offset(output, default_iv_length), output_size - default_iv_length, output_length); @@ -4216,7 +4161,6 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; - psa_key_attributes_t attributes; if (!PSA_ALG_IS_CIPHER(alg)) { status = PSA_ERROR_INVALID_ARGUMENT; @@ -4230,10 +4174,6 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - if (alg == PSA_ALG_CCM_STAR_NO_TAG && input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) { status = PSA_ERROR_INVALID_ARGUMENT; @@ -4244,7 +4184,7 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, } status = psa_driver_wrapper_cipher_decrypt( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, input, input_length, output, output_size, output_length); @@ -4353,17 +4293,13 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, return status; } - psa_key_attributes_t attributes = { - .core = slot->attr.core - }; - status = psa_aead_check_nonce_length(alg, nonce_length); if (status != PSA_SUCCESS) { goto exit; } status = psa_driver_wrapper_aead_encrypt( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, nonce, nonce_length, additional_data, additional_data_length, @@ -4408,17 +4344,13 @@ psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, return status; } - psa_key_attributes_t attributes = { - .core = slot->attr.core - }; - status = psa_aead_check_nonce_length(alg, nonce_length); if (status != PSA_SUCCESS) { goto exit; } status = psa_driver_wrapper_aead_decrypt( - &attributes, slot->key.data, slot->key.bytes, + &slot->attr, slot->key.data, slot->key.bytes, alg, nonce, nonce_length, additional_data, additional_data_length, @@ -4484,7 +4416,6 @@ static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; psa_key_usage_t key_usage = 0; - psa_key_attributes_t attributes; status = psa_aead_check_algorithm(alg); if (status != PSA_SUCCESS) { @@ -4514,23 +4445,19 @@ static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) { goto exit; } if (is_encrypt) { status = psa_driver_wrapper_aead_encrypt_setup(operation, - &attributes, + &slot->attr, slot->key.data, slot->key.bytes, alg); } else { status = psa_driver_wrapper_aead_decrypt_setup(operation, - &attributes, + &slot->attr, slot->key.data, slot->key.bytes, alg); @@ -4539,7 +4466,7 @@ static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, goto exit; } - operation->key_type = psa_get_key_type(&attributes); + operation->key_type = psa_get_key_type(&slot->attr); exit: unlock_status = psa_unregister_read_under_mutex(slot); @@ -5842,7 +5769,6 @@ static psa_status_t psa_generate_derived_key_internal( size_t bytes = PSA_BITS_TO_BYTES(bits); size_t storage_size = bytes; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_attributes_t attributes; if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) { return PSA_ERROR_INVALID_ARGUMENT; @@ -5891,12 +5817,9 @@ static psa_status_t psa_generate_derived_key_internal( } slot->attr.bits = (psa_key_bits_t) bits; - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - if (psa_key_lifetime_is_external(attributes.core.lifetime)) { - status = psa_driver_wrapper_get_key_buffer_size(&attributes, + if (psa_key_lifetime_is_external(slot->attr.core.lifetime)) { + status = psa_driver_wrapper_get_key_buffer_size(&slot->attr, &storage_size); if (status != PSA_SUCCESS) { goto exit; @@ -5907,7 +5830,7 @@ static psa_status_t psa_generate_derived_key_internal( goto exit; } - status = psa_driver_wrapper_import_key(&attributes, + status = psa_driver_wrapper_import_key(&slot->attr, data, bytes, slot->key.data, slot->key.bytes, @@ -7023,11 +6946,7 @@ static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg, return PSA_ERROR_NOT_SUPPORTED; } - psa_key_attributes_t attributes = { - .core = private_key->attr.core - }; - - return psa_driver_wrapper_key_agreement(&attributes, + return psa_driver_wrapper_key_agreement(&private_key->attr, private_key->key.data, private_key->key.bytes, alg, peer_key, peer_key_length, @@ -7823,7 +7742,6 @@ psa_status_t psa_pake_set_password_key( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; - psa_key_attributes_t attributes; psa_key_type_t type; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { @@ -7838,11 +7756,7 @@ psa_status_t psa_pake_set_password_key( goto exit; } - attributes = (psa_key_attributes_t) { - .core = slot->attr.core - }; - - type = psa_get_key_type(&attributes); + type = psa_get_key_type(&slot->attr); if (type != PSA_KEY_TYPE_PASSWORD && type != PSA_KEY_TYPE_PASSWORD_HASH) { -- cgit v1.1 From 2f107ae000c31ddddf4f941dcf782ca7deab0f8c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 01:26:46 +0100 Subject: Don't access psa_key_attributes_t.core Access the fields of `psa_key_attributes_t` directly rather than through the `core` field. This makes the `core` field obsolete. This commit is fully automated: ``` git ls-files '*.h' '*.c' '*.function' '*.jinja' | xargs perl -l -i -pe '$core = qr/\b(core\b|MBEDTLS_PRIVATE\(core\))/; s/->$core\./->/g; s/&(\w+)\.$core\./&$1./g; s/(\w+)\.$core/$1/g' ``` Signed-off-by: Gilles Peskine --- include/psa/crypto_extra.h | 10 +-- include/psa/crypto_struct.h | 36 +++++------ library/psa_crypto.c | 74 +++++++++++----------- library/psa_crypto_aead.c | 8 +-- library/psa_crypto_cipher.c | 4 +- library/psa_crypto_ecp.c | 30 ++++----- library/psa_crypto_ffdh.c | 6 +- library/psa_crypto_rsa.c | 22 +++---- tests/src/drivers/test_driver_signature.c | 8 +-- .../test_suite_psa_crypto_persistent_key.function | 4 +- .../test_suite_psa_crypto_se_driver_hal.function | 2 +- ...t_suite_psa_crypto_se_driver_hal_mocks.function | 24 +++---- .../test_suite_psa_crypto_slot_management.function | 4 +- 13 files changed, 116 insertions(+), 116 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 388e829..d94e946 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -59,7 +59,7 @@ static inline void psa_set_key_enrollment_algorithm( psa_key_attributes_t *attributes, psa_algorithm_t alg2) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) = alg2; + attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) = alg2; } /** Retrieve the enrollment algorithm policy from key attributes. @@ -71,7 +71,7 @@ static inline void psa_set_key_enrollment_algorithm( static inline psa_algorithm_t psa_get_key_enrollment_algorithm( const psa_key_attributes_t *attributes) { - return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2); + return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2); } #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -129,8 +129,8 @@ static inline void psa_set_key_slot_number( psa_key_attributes_t *attributes, psa_key_slot_number_t slot_number) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(slot_number) = slot_number; + attributes->MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; + attributes->MBEDTLS_PRIVATE(slot_number) = slot_number; } /** Remove the slot number attribute from a key attribute structure. @@ -142,7 +142,7 @@ static inline void psa_set_key_slot_number( static inline void psa_clear_key_slot_number( psa_key_attributes_t *attributes) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) &= + attributes->MBEDTLS_PRIVATE(flags) &= ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; } diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index e4d85be..db85a1a 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -362,12 +362,12 @@ static inline struct psa_key_attributes_s psa_key_attributes_init(void) static inline void psa_set_key_id(psa_key_attributes_t *attributes, mbedtls_svc_key_id_t key) { - psa_key_lifetime_t lifetime = attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime); + psa_key_lifetime_t lifetime = attributes->MBEDTLS_PRIVATE(lifetime); - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = key; + attributes->MBEDTLS_PRIVATE(id) = key; if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) = + attributes->MBEDTLS_PRIVATE(lifetime) = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_LIFETIME_PERSISTENT, PSA_KEY_LIFETIME_GET_LOCATION(lifetime)); @@ -377,26 +377,26 @@ static inline void psa_set_key_id(psa_key_attributes_t *attributes, static inline mbedtls_svc_key_id_t psa_get_key_id( const psa_key_attributes_t *attributes) { - return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id); + return attributes->MBEDTLS_PRIVATE(id); } #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER static inline void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes, mbedtls_key_owner_id_t owner) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = owner; + attributes->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = owner; } #endif static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, psa_key_lifetime_t lifetime) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) = lifetime; + attributes->MBEDTLS_PRIVATE(lifetime) = lifetime; if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) { #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = 0; + attributes->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = 0; #else - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = 0; + attributes->MBEDTLS_PRIVATE(id) = 0; #endif } } @@ -404,7 +404,7 @@ static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, static inline psa_key_lifetime_t psa_get_key_lifetime( const psa_key_attributes_t *attributes) { - return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime); + return attributes->MBEDTLS_PRIVATE(lifetime); } static inline void psa_extend_key_usage_flags(psa_key_usage_t *usage_flags) @@ -422,53 +422,53 @@ static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes, psa_key_usage_t usage_flags) { psa_extend_key_usage_flags(&usage_flags); - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags; + attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags; } static inline psa_key_usage_t psa_get_key_usage_flags( const psa_key_attributes_t *attributes) { - return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage); + return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage); } static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes, psa_algorithm_t alg) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) = alg; + attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) = alg; } static inline psa_algorithm_t psa_get_key_algorithm( const psa_key_attributes_t *attributes) { - return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg); + return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg); } static inline void psa_set_key_type(psa_key_attributes_t *attributes, psa_key_type_t type) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type) = type; + attributes->MBEDTLS_PRIVATE(type) = type; } static inline psa_key_type_t psa_get_key_type( const psa_key_attributes_t *attributes) { - return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type); + return attributes->MBEDTLS_PRIVATE(type); } static inline void psa_set_key_bits(psa_key_attributes_t *attributes, size_t bits) { if (bits > PSA_MAX_KEY_BITS) { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = PSA_KEY_BITS_TOO_LARGE; + attributes->MBEDTLS_PRIVATE(bits) = PSA_KEY_BITS_TOO_LARGE; } else { - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = (psa_key_bits_t) bits; + attributes->MBEDTLS_PRIVATE(bits) = (psa_key_bits_t) bits; } } static inline size_t psa_get_key_bits( const psa_key_attributes_t *attributes) { - return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits); + return attributes->MBEDTLS_PRIVATE(bits); } /** diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 7046a31..71535fa 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -568,7 +568,7 @@ psa_status_t psa_import_key_into_slot( size_t *key_buffer_length, size_t *bits) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_type_t type = attributes->core.type; + psa_key_type_t type = attributes->type; /* zero-length keys are never supported. */ if (data_length == 0) { @@ -578,7 +578,7 @@ psa_status_t psa_import_key_into_slot( if (key_type_is_raw_bytes(type)) { *bits = PSA_BYTES_TO_BITS(data_length); - status = psa_validate_unstructured_key_bit_size(attributes->core.type, + status = psa_validate_unstructured_key_bit_size(attributes->type, *bits); if (status != PSA_SUCCESS) { return status; @@ -1245,8 +1245,8 @@ psa_status_t psa_get_key_slot_number( const psa_key_attributes_t *attributes, psa_key_slot_number_t *slot_number) { - if (attributes->core.flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER) { - *slot_number = attributes->core.slot_number; + if (attributes->flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER) { + *slot_number = attributes->slot_number; return PSA_SUCCESS; } else { return PSA_ERROR_INVALID_ARGUMENT; @@ -1275,7 +1275,7 @@ psa_status_t psa_export_key_internal( const uint8_t *key_buffer, size_t key_buffer_size, uint8_t *data, size_t data_size, size_t *data_length) { - psa_key_type_t type = attributes->core.type; + psa_key_type_t type = attributes->type; if (key_type_is_raw_bytes(type) || PSA_KEY_TYPE_IS_RSA(type) || @@ -1341,7 +1341,7 @@ psa_status_t psa_export_public_key_internal( size_t data_size, size_t *data_length) { - psa_key_type_t type = attributes->core.type; + psa_key_type_t type = attributes->type; if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) && (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) || @@ -1518,7 +1518,7 @@ static psa_status_t psa_validate_key_attributes( } } - status = psa_validate_key_policy(&attributes->core.policy); + status = psa_validate_key_policy(&attributes->policy); if (status != PSA_SUCCESS) { return status; } @@ -1532,7 +1532,7 @@ static psa_status_t psa_validate_key_attributes( } /* Reject invalid flags. These should not be reachable through the API. */ - if (attributes->core.flags & ~(MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY | + if (attributes->flags & ~(MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY | MBEDTLS_PSA_KA_MASK_DUAL_USE)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -1652,7 +1652,7 @@ static psa_status_t psa_start_key_creation( return status; } - if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->core.lifetime)) { + if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) { psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY); psa_crypto_transaction.key.lifetime = slot->attr.lifetime; psa_crypto_transaction.key.slot = slot_number; @@ -1852,14 +1852,14 @@ static psa_status_t psa_validate_optional_attributes( const psa_key_slot_t *slot, const psa_key_attributes_t *attributes) { - if (attributes->core.type != 0) { - if (attributes->core.type != slot->attr.type) { + if (attributes->type != 0) { + if (attributes->type != slot->attr.type) { return PSA_ERROR_INVALID_ARGUMENT; } } - if (attributes->core.bits != 0) { - if (attributes->core.bits != slot->attr.bits) { + if (attributes->bits != 0) { + if (attributes->bits != slot->attr.bits) { return PSA_ERROR_INVALID_ARGUMENT; } } @@ -1903,7 +1903,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes, * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a * buffer to hold the imported key material. */ if (slot->key.data == NULL) { - if (psa_key_lifetime_is_external(attributes->core.lifetime)) { + if (psa_key_lifetime_is_external(attributes->lifetime)) { status = psa_driver_wrapper_get_key_buffer_size_from_key_data( attributes, data, data_length, &storage_size); if (status != PSA_SUCCESS) { @@ -2023,12 +2023,12 @@ psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key, * equal to the ones of the source key. So it is safe to inherit * them from the source key now." * */ - actual_attributes.core.bits = source_slot->attr.bits; - actual_attributes.core.type = source_slot->attr.type; + actual_attributes.bits = source_slot->attr.bits; + actual_attributes.type = source_slot->attr.type; status = psa_restrict_key_policy(source_slot->attr.type, - &actual_attributes.core.policy, + &actual_attributes.policy, &source_slot->attr.policy); if (status != PSA_SUCCESS) { goto exit; @@ -2057,7 +2057,7 @@ psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key, * - For opaque keys this translates to an invocation of the drivers' * copy_key entry point through the dispatch layer. * */ - if (psa_key_lifetime_is_external(actual_attributes.core.lifetime)) { + if (psa_key_lifetime_is_external(actual_attributes.lifetime)) { status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes, &storage_size); if (status != PSA_SUCCESS) { @@ -2878,7 +2878,7 @@ psa_status_t psa_sign_hash_builtin( psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, uint8_t *signature, size_t signature_size, size_t *signature_length) { - if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) { + if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || PSA_ALG_IS_RSA_PSS(alg)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ @@ -2893,7 +2893,7 @@ psa_status_t psa_sign_hash_builtin( } else { return PSA_ERROR_INVALID_ARGUMENT; } - } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { if (PSA_ALG_IS_ECDSA(alg)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) @@ -2939,7 +2939,7 @@ psa_status_t psa_verify_hash_builtin( psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, const uint8_t *signature, size_t signature_length) { - if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) { + if (PSA_KEY_TYPE_IS_RSA(attributes->type)) { if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || PSA_ALG_IS_RSA_PSS(alg)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ @@ -2954,7 +2954,7 @@ psa_status_t psa_verify_hash_builtin( } else { return PSA_ERROR_INVALID_ARGUMENT; } - } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { if (PSA_ALG_IS_ECDSA(alg)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) @@ -3450,7 +3450,7 @@ psa_status_t mbedtls_psa_sign_hash_start( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t required_hash_length; - if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) { return PSA_ERROR_NOT_SUPPORTED; } @@ -3467,8 +3467,8 @@ psa_status_t mbedtls_psa_sign_hash_start( /* Ensure num_ops is zero'ed in case of context re-use. */ operation->num_ops = 0; - status = mbedtls_psa_ecp_load_representation(attributes->core.type, - attributes->core.bits, + status = mbedtls_psa_ecp_load_representation(attributes->type, + attributes->bits, key_buffer, key_buffer_size, &operation->ctx); @@ -3666,7 +3666,7 @@ psa_status_t mbedtls_psa_verify_hash_start( size_t coordinate_bytes = 0; size_t required_hash_length = 0; - if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) { return PSA_ERROR_NOT_SUPPORTED; } @@ -3685,8 +3685,8 @@ psa_status_t mbedtls_psa_verify_hash_start( /* Ensure num_ops is zero'ed in case of context re-use. */ operation->num_ops = 0; - status = mbedtls_psa_ecp_load_representation(attributes->core.type, - attributes->core.bits, + status = mbedtls_psa_ecp_load_representation(attributes->type, + attributes->bits, key_buffer, key_buffer_size, &operation->ctx); @@ -5818,7 +5818,7 @@ static psa_status_t psa_generate_derived_key_internal( slot->attr.bits = (psa_key_bits_t) bits; - if (psa_key_lifetime_is_external(slot->attr.core.lifetime)) { + if (psa_key_lifetime_is_external(slot->attr.lifetime)) { status = psa_driver_wrapper_get_key_buffer_size(&slot->attr, &storage_size); if (status != PSA_SUCCESS) { @@ -5901,7 +5901,7 @@ psa_status_t psa_key_derivation_output_key_ext( #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ if (status == PSA_SUCCESS) { status = psa_generate_derived_key_internal(slot, - attributes->core.bits, + attributes->bits, operation); } if (status == PSA_SUCCESS) { @@ -7319,7 +7319,7 @@ psa_status_t psa_generate_key_internal( uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_type_t type = attributes->core.type; + psa_key_type_t type = attributes->type; /* Only used for RSA */ (void) params; @@ -7392,12 +7392,12 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, } /* Reject any attempt to create a public key. */ - if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->core.type)) { + if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) { return PSA_ERROR_INVALID_ARGUMENT; } #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) - if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) { + if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { if (params->flags != 0) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7418,17 +7418,17 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a * buffer to hold the generated key material. */ if (slot->key.data == NULL) { - if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime) == + if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) == PSA_KEY_LOCATION_LOCAL_STORAGE) { status = psa_validate_key_type_and_size_for_key_generation( - attributes->core.type, attributes->core.bits); + attributes->type, attributes->bits); if (status != PSA_SUCCESS) { goto exit; } key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE( - attributes->core.type, - attributes->core.bits); + attributes->type, + attributes->bits); } else { status = psa_driver_wrapper_get_key_buffer_size( attributes, &key_buffer_size); diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index 49aa961..a201985 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -33,10 +33,10 @@ static psa_status_t psa_aead_setup( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_cipher_id_t cipher_id; mbedtls_cipher_mode_t mode; - size_t key_bits = attributes->core.bits; + size_t key_bits = attributes->bits; (void) key_buffer_size; - status = mbedtls_cipher_values_from_psa(alg, attributes->core.type, + status = mbedtls_cipher_values_from_psa(alg, attributes->type, &key_bits, &mode, &cipher_id); if (status != PSA_SUCCESS) { return status; @@ -49,7 +49,7 @@ static psa_status_t psa_aead_setup( /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16. * The call to mbedtls_ccm_encrypt_and_tag or * mbedtls_ccm_auth_decrypt will validate the tag length. */ - if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) { + if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->type) != 16) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -69,7 +69,7 @@ static psa_status_t psa_aead_setup( /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. * The call to mbedtls_gcm_crypt_and_tag or * mbedtls_gcm_auth_decrypt will validate the tag length. */ - if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) { + if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->type) != 16) { return PSA_ERROR_INVALID_ARGUMENT; } diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 3132854..a45fb0f 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -289,14 +289,14 @@ static psa_status_t psa_cipher_setup( int ret = 0; size_t key_bits; const mbedtls_cipher_info_t *cipher_info = NULL; - psa_key_type_t key_type = attributes->core.type; + psa_key_type_t key_type = attributes->type; (void) key_buffer_size; mbedtls_cipher_init(&operation->ctx.cipher); operation->alg = alg; - key_bits = attributes->core.bits; + key_bits = attributes->bits; cipher_info = mbedtls_cipher_info_from_psa(alg, key_type, key_bits, NULL); if (cipher_info == NULL) { diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index 7edea81..9d583aa 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c @@ -216,8 +216,8 @@ psa_status_t mbedtls_psa_ecp_import_key( mbedtls_ecp_keypair *ecp = NULL; /* Parse input */ - status = mbedtls_psa_ecp_load_representation(attributes->core.type, - attributes->core.bits, + status = mbedtls_psa_ecp_load_representation(attributes->type, + attributes->bits, data, data_length, &ecp); @@ -225,7 +225,7 @@ psa_status_t mbedtls_psa_ecp_import_key( goto exit; } - if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == + if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type) == PSA_ECC_FAMILY_MONTGOMERY) { *bits = ecp->grp.nbits + 1; } else { @@ -235,7 +235,7 @@ psa_status_t mbedtls_psa_ecp_import_key( /* Re-export the data to PSA export format. There is currently no support * for other input formats then the export format, so this is a 1-1 * copy operation. */ - status = mbedtls_psa_ecp_export_key(attributes->core.type, + status = mbedtls_psa_ecp_export_key(attributes->type, ecp, key_buffer, key_buffer_size, @@ -308,7 +308,7 @@ psa_status_t mbedtls_psa_ecp_export_public_key( mbedtls_ecp_keypair *ecp = NULL; status = mbedtls_psa_ecp_load_representation( - attributes->core.type, attributes->core.bits, + attributes->type, attributes->bits, key_buffer, key_buffer_size, &ecp); if (status != PSA_SUCCESS) { return status; @@ -316,7 +316,7 @@ psa_status_t mbedtls_psa_ecp_export_public_key( status = mbedtls_psa_ecp_export_key( PSA_KEY_TYPE_ECC_PUBLIC_KEY( - PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type)), + PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type)), ecp, data, data_size, data_length); mbedtls_ecp_keypair_free(ecp); @@ -337,9 +337,9 @@ psa_status_t mbedtls_psa_ecp_generate_key( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( - attributes->core.type); + attributes->type); mbedtls_ecp_group_id grp_id = - mbedtls_ecc_group_from_psa(curve, attributes->core.bits); + mbedtls_ecc_group_from_psa(curve, attributes->bits); const mbedtls_ecp_curve_info *curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id); @@ -389,8 +389,8 @@ psa_status_t mbedtls_psa_ecdsa_sign_hash( size_t curve_bytes; mbedtls_mpi r, s; - status = mbedtls_psa_ecp_load_representation(attributes->core.type, - attributes->core.bits, + status = mbedtls_psa_ecp_load_representation(attributes->type, + attributes->bits, key_buffer, key_buffer_size, &ecp); @@ -476,8 +476,8 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( (void) alg; - status = mbedtls_psa_ecp_load_representation(attributes->core.type, - attributes->core.bits, + status = mbedtls_psa_ecp_load_representation(attributes->type, + attributes->bits, key_buffer, key_buffer_size, &ecp); @@ -541,14 +541,14 @@ psa_status_t mbedtls_psa_key_agreement_ecdh( size_t *shared_secret_length) { psa_status_t status; - if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->core.type) || + if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type) || !PSA_ALG_IS_ECDH(alg)) { return PSA_ERROR_INVALID_ARGUMENT; } mbedtls_ecp_keypair *ecp = NULL; status = mbedtls_psa_ecp_load_representation( - attributes->core.type, - attributes->core.bits, + attributes->type, + attributes->bits, key_buffer, key_buffer_size, &ecp); diff --git a/library/psa_crypto_ffdh.c b/library/psa_crypto_ffdh.c index 0099d5f..ae38f6d 100644 --- a/library/psa_crypto_ffdh.c +++ b/library/psa_crypto_ffdh.c @@ -151,7 +151,7 @@ psa_status_t mbedtls_psa_ffdh_export_public_key( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_mpi GX, G, X, P; - psa_key_type_t type = attributes->core.type; + psa_key_type_t type = attributes->type; if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) { if (key_buffer_size > data_size) { @@ -167,7 +167,7 @@ psa_status_t mbedtls_psa_ffdh_export_public_key( mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G); mbedtls_mpi_init(&X); mbedtls_mpi_init(&P); - size_t key_len = PSA_BITS_TO_BYTES(attributes->core.bits); + size_t key_len = PSA_BITS_TO_BYTES(attributes->bits); status = mbedtls_psa_ffdh_set_prime_generator(key_len, &P, &G); @@ -283,7 +283,7 @@ psa_status_t mbedtls_psa_ffdh_key_agreement( mbedtls_mpi_init(&K); status = mbedtls_psa_ffdh_set_prime_generator( - PSA_BITS_TO_BYTES(attributes->core.bits), &P, &G); + PSA_BITS_TO_BYTES(attributes->bits), &P, &G); if (status != PSA_SUCCESS) { goto cleanup; diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 84a8667..2f613b3 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -116,7 +116,7 @@ psa_status_t mbedtls_psa_rsa_import_key( mbedtls_rsa_context *rsa = NULL; /* Parse input */ - status = mbedtls_psa_rsa_load_representation(attributes->core.type, + status = mbedtls_psa_rsa_load_representation(attributes->type, data, data_length, &rsa); @@ -130,7 +130,7 @@ psa_status_t mbedtls_psa_rsa_import_key( * representation in the key slot. Export representation in case of RSA is * the smallest representation that's allowed as input, so a straight-up * allocation of the same size as the input buffer will be large enough. */ - status = mbedtls_psa_rsa_export_key(attributes->core.type, + status = mbedtls_psa_rsa_export_key(attributes->type, rsa, key_buffer, key_buffer_size, @@ -196,7 +196,7 @@ psa_status_t mbedtls_psa_rsa_export_public_key( mbedtls_rsa_context *rsa = NULL; status = mbedtls_psa_rsa_load_representation( - attributes->core.type, key_buffer, key_buffer_size, &rsa); + attributes->type, key_buffer, key_buffer_size, &rsa); if (status != PSA_SUCCESS) { return status; } @@ -261,13 +261,13 @@ psa_status_t mbedtls_psa_rsa_generate_key( ret = mbedtls_rsa_gen_key(&rsa, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE, - (unsigned int) attributes->core.bits, + (unsigned int) attributes->bits, exponent); if (ret != 0) { return mbedtls_to_psa_error(ret); } - status = mbedtls_psa_rsa_export_key(attributes->core.type, + status = mbedtls_psa_rsa_export_key(attributes->type, &rsa, key_buffer, key_buffer_size, key_buffer_length); mbedtls_rsa_free(&rsa); @@ -325,7 +325,7 @@ psa_status_t mbedtls_psa_rsa_sign_hash( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; - status = mbedtls_psa_rsa_load_representation(attributes->core.type, + status = mbedtls_psa_rsa_load_representation(attributes->type, key_buffer, key_buffer_size, &rsa); @@ -424,7 +424,7 @@ psa_status_t mbedtls_psa_rsa_verify_hash( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; - status = mbedtls_psa_rsa_load_representation(attributes->core.type, + status = mbedtls_psa_rsa_load_representation(attributes->type, key_buffer, key_buffer_size, &rsa); @@ -536,11 +536,11 @@ psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attribut (void) output_size; (void) output_length; - if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) { + if (PSA_KEY_TYPE_IS_RSA(attributes->type)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) mbedtls_rsa_context *rsa = NULL; - status = mbedtls_psa_rsa_load_representation(attributes->core.type, + status = mbedtls_psa_rsa_load_representation(attributes->type, key_buffer, key_buffer_size, &rsa); @@ -632,11 +632,11 @@ psa_status_t mbedtls_psa_asymmetric_decrypt(const psa_key_attributes_t *attribut *output_length = 0; - if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) { + if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) mbedtls_rsa_context *rsa = NULL; - status = mbedtls_psa_rsa_load_representation(attributes->core.type, + status = mbedtls_psa_rsa_load_representation(attributes->type, key_buffer, key_buffer_size, &rsa); diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c index 00dd3e2..4fca5d1 100644 --- a/tests/src/drivers/test_driver_signature.c +++ b/tests/src/drivers/test_driver_signature.c @@ -49,7 +49,7 @@ psa_status_t sign_hash( size_t signature_size, size_t *signature_length) { - if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) { + if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || PSA_ALG_IS_RSA_PSS(alg)) { #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ @@ -71,7 +71,7 @@ psa_status_t sign_hash( } else { return PSA_ERROR_INVALID_ARGUMENT; } - } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { if (PSA_ALG_IS_ECDSA(alg)) { #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ (defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ @@ -116,7 +116,7 @@ psa_status_t verify_hash( const uint8_t *signature, size_t signature_length) { - if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) { + if (PSA_KEY_TYPE_IS_RSA(attributes->type)) { if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || PSA_ALG_IS_RSA_PSS(alg)) { #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ @@ -138,7 +138,7 @@ psa_status_t verify_hash( } else { return PSA_ERROR_INVALID_ARGUMENT; } - } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { if (PSA_ALG_IS_ECDSA(alg)) { #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ (defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function index c4e4c7d..ea8cb6b 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.function +++ b/tests/suites/test_suite_psa_crypto_persistent_key.function @@ -61,7 +61,7 @@ void format_storage_data_check(data_t *key_data, TEST_CALLOC(file_data, file_data_length); psa_format_key_data_for_storage(key_data->x, key_data->len, - &attributes.core, + &attributes, file_data); TEST_MEMORY_COMPARE(expected_file_data->x, expected_file_data->len, @@ -90,7 +90,7 @@ void parse_storage_data_check(data_t *file_data, status = psa_parse_key_data_from_storage(file_data->x, file_data->len, &key_data, &key_data_length, - &attributes.core); + &attributes); TEST_EQUAL(status, expected_status); if (status != PSA_SUCCESS) { diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index 8e96984..e3681ba 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function @@ -952,7 +952,7 @@ void key_creation_import_export(int lifetime_arg, int min_slot, int restart) psa_set_key_slot_number(&attributes, min_slot); if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) { - attributes.core.id = returned_id; + attributes.id = returned_id; } else { psa_set_key_id(&attributes, returned_id); } diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function index 6f28f93..b6d3a34 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function @@ -359,19 +359,19 @@ void mock_import(int mock_alloc_return_value, if (mock_alloc_return_value == PSA_SUCCESS) { TEST_ASSERT(mbedtls_svc_key_id_equal( - mock_import_data.attributes.core.id, id)); + mock_import_data.attributes.id, id)); } else { TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID( - mock_import_data.attributes.core.id) == 0); + mock_import_data.attributes.id) == 0); TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( - mock_import_data.attributes.core.id) == 0); + mock_import_data.attributes.id) == 0); } - TEST_ASSERT(mock_import_data.attributes.core.lifetime == + TEST_ASSERT(mock_import_data.attributes.lifetime == (mock_alloc_return_value == PSA_SUCCESS ? lifetime : 0)); - TEST_ASSERT(mock_import_data.attributes.core.policy.usage == + TEST_ASSERT(mock_import_data.attributes.policy.usage == (mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_USAGE_EXPORT : 0)); - TEST_ASSERT(mock_import_data.attributes.core.type == + TEST_ASSERT(mock_import_data.attributes.type == (mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_TYPE_RAW_DATA : 0)); if (expected_result == PSA_SUCCESS) { @@ -474,19 +474,19 @@ void mock_generate(int mock_alloc_return_value, if (mock_alloc_return_value == PSA_SUCCESS) { TEST_ASSERT(mbedtls_svc_key_id_equal( - mock_generate_data.attributes.core.id, id)); + mock_generate_data.attributes.id, id)); } else { TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID( - mock_generate_data.attributes.core.id) == 0); + mock_generate_data.attributes.id) == 0); TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( - mock_generate_data.attributes.core.id) == 0); + mock_generate_data.attributes.id) == 0); } - TEST_ASSERT(mock_generate_data.attributes.core.lifetime == + TEST_ASSERT(mock_generate_data.attributes.lifetime == (mock_alloc_return_value == PSA_SUCCESS ? lifetime : 0)); - TEST_ASSERT(mock_generate_data.attributes.core.policy.usage == + TEST_ASSERT(mock_generate_data.attributes.policy.usage == (mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_USAGE_EXPORT : 0)); - TEST_ASSERT(mock_generate_data.attributes.core.type == + TEST_ASSERT(mock_generate_data.attributes.type == (mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_TYPE_RAW_DATA : 0)); if (expected_result == PSA_SUCCESS) { diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function index 8564d35..94f26f6 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.function +++ b/tests/suites/test_suite_psa_crypto_slot_management.function @@ -458,7 +458,7 @@ void create_fail(int lifetime_arg, int id_arg, * PSA key attributes APIs thus accessing to the attributes * directly. */ - attributes.core.id = id; + attributes.id = id; } else { psa_set_key_id(&attributes, id); } @@ -992,7 +992,7 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation() * Check that we can now access the persistent key again. */ PSA_ASSERT(psa_get_key_attributes(persistent_key, &attributes)); - TEST_ASSERT(mbedtls_svc_key_id_equal(attributes.core.id, + TEST_ASSERT(mbedtls_svc_key_id_equal(attributes.id, persistent_key)); /* -- cgit v1.1 From 2dc2bd70972710b44172007d560495d1191fb23b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 01:32:31 +0100 Subject: Get rid of psa_core_key_attributes_t The `psa_core_key_attributes_t` structure is no longer used. Remove it. Switch `psa_key_attributes_t` back to a simple struct, now containing the fields that were formerly inside its `psa_core_key_attributes_t core` member. This repairs the build with non-C11 compilers. Signed-off-by: Gilles Peskine --- include/psa/crypto_struct.h | 40 +++++----------------------------------- 1 file changed, 5 insertions(+), 35 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index db85a1a..adb33ed 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -289,33 +289,7 @@ typedef uint16_t psa_key_attributes_flag_t; #define MBEDTLS_PSA_KA_MASK_DUAL_USE ( \ 0) -typedef struct { -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - psa_key_type_t MBEDTLS_PRIVATE(type); - psa_key_bits_t MBEDTLS_PRIVATE(bits); - psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime); - psa_key_policy_t MBEDTLS_PRIVATE(policy); - psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags); - /* This type has a different layout in the client view wrt the - * service view of the key id, i.e. in service view usually is - * expected to have MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined - * thus adding an owner field to the standard psa_key_id_t. For - * implementations with client/service separation, this means the - * object will be marshalled through a transport channel and - * interpreted differently at each side of the transport. Placing - * it at the end of structures allows to interpret the structure - * at the client without reorganizing the memory layout of the - * struct - */ - mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); -} psa_core_key_attributes_t; - struct psa_key_attributes_s { - union { - psa_core_key_attributes_t MBEDTLS_PRIVATE(core); - struct { #if defined(MBEDTLS_PSA_CRYPTO_SE_C) psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ @@ -336,8 +310,6 @@ struct psa_key_attributes_s { * struct */ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); - }; - }; }; #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -345,13 +317,11 @@ struct psa_key_attributes_s { #else #define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER #endif -#define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \ - PSA_KEY_TYPE_NONE, 0, \ - PSA_KEY_LIFETIME_VOLATILE, \ - PSA_KEY_POLICY_INIT, 0, \ - MBEDTLS_SVC_KEY_ID_INIT } - -#define PSA_KEY_ATTRIBUTES_INIT { { PSA_CORE_KEY_ATTRIBUTES_INIT } } +#define PSA_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \ + PSA_KEY_TYPE_NONE, 0, \ + PSA_KEY_LIFETIME_VOLATILE, \ + PSA_KEY_POLICY_INIT, 0, \ + MBEDTLS_SVC_KEY_ID_INIT } static inline struct psa_key_attributes_s psa_key_attributes_init(void) { -- cgit v1.1 From 972539c2418c751d5974717c097d8667a16c7e5f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 01:49:45 +0100 Subject: In attributes, keep track of slot number through a dedicated field In `psa_key_attributes_t`, keep track of whether `slot_number` has been set through a dedicated field, rather than using a flag. This paves the way to removing `flags`, which is not used for anything else. Signed-off-by: Gilles Peskine --- include/psa/crypto_extra.h | 5 ++--- include/psa/crypto_struct.h | 3 ++- library/psa_crypto.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index d94e946..6ed1f6c 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -129,7 +129,7 @@ static inline void psa_set_key_slot_number( psa_key_attributes_t *attributes, psa_key_slot_number_t slot_number) { - attributes->MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; + attributes->MBEDTLS_PRIVATE(has_slot_number) = 1; attributes->MBEDTLS_PRIVATE(slot_number) = slot_number; } @@ -142,8 +142,7 @@ static inline void psa_set_key_slot_number( static inline void psa_clear_key_slot_number( psa_key_attributes_t *attributes) { - attributes->MBEDTLS_PRIVATE(flags) &= - ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; + attributes->MBEDTLS_PRIVATE(has_slot_number) = 0; } /** Register a key that is already present in a secure element. diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index adb33ed..e8f67d5 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -292,6 +292,7 @@ typedef uint16_t psa_key_attributes_flag_t; struct psa_key_attributes_s { #if defined(MBEDTLS_PSA_CRYPTO_SE_C) psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); + int MBEDTLS_PRIVATE(has_slot_number); #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ psa_key_type_t MBEDTLS_PRIVATE(type); psa_key_bits_t MBEDTLS_PRIVATE(bits); @@ -313,7 +314,7 @@ struct psa_key_attributes_s { }; #if defined(MBEDTLS_PSA_CRYPTO_SE_C) -#define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER 0, +#define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER 0, 0, #else #define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER #endif diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 71535fa..91f5f16 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1245,7 +1245,7 @@ psa_status_t psa_get_key_slot_number( const psa_key_attributes_t *attributes, psa_key_slot_number_t *slot_number) { - if (attributes->flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER) { + if (attributes->has_slot_number) { *slot_number = attributes->slot_number; return PSA_SUCCESS; } else { -- cgit v1.1 From e92796ef98651b3bdea611479a52cd6eb77ce026 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 01:56:16 +0100 Subject: Get rid of flags in attributes The `flags` field in `psa_key_attributes_t` was a general mechanism that only ever got used for a single flag: to indicate that the `slot_number` field has been set. We have switched to a dedicated indicator for that, so we can now remove `flags`. Signed-off-by: Gilles Peskine --- include/psa/crypto_struct.h | 26 +-------------------- library/psa_crypto.c | 25 --------------------- library/psa_crypto_core.h | 55 --------------------------------------------- 3 files changed, 1 insertion(+), 105 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index e8f67d5..4585a3e 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -266,29 +266,6 @@ typedef uint16_t psa_key_bits_t; * conditionals. */ #define PSA_MAX_KEY_BITS 0xfff8 -/** A mask of flags that can be stored in key attributes. - * - * This type is also used internally to store flags in slots. Internal - * flags are defined in library/psa_crypto_core.h. Internal flags may have - * the same value as external flags if they are properly handled during - * key creation and in psa_get_key_attributes. - */ -typedef uint16_t psa_key_attributes_flag_t; - -#define MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER \ - ((psa_key_attributes_flag_t) 0x0001) - -/* A mask of key attribute flags used externally only. - * Only meant for internal checks inside the library. */ -#define MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ( \ - MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER | \ - 0) - -/* A mask of key attribute flags used both internally and externally. - * Currently there aren't any. */ -#define MBEDTLS_PSA_KA_MASK_DUAL_USE ( \ - 0) - struct psa_key_attributes_s { #if defined(MBEDTLS_PSA_CRYPTO_SE_C) psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); @@ -298,7 +275,6 @@ struct psa_key_attributes_s { psa_key_bits_t MBEDTLS_PRIVATE(bits); psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime); psa_key_policy_t MBEDTLS_PRIVATE(policy); - psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags); /* This type has a different layout in the client view wrt the * service view of the key id, i.e. in service view usually is * expected to have MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined @@ -321,7 +297,7 @@ struct psa_key_attributes_s { #define PSA_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \ PSA_KEY_TYPE_NONE, 0, \ PSA_KEY_LIFETIME_VOLATILE, \ - PSA_KEY_POLICY_INIT, 0, \ + PSA_KEY_POLICY_INIT, \ MBEDTLS_SVC_KEY_ID_INIT } static inline struct psa_key_attributes_s psa_key_attributes_init(void) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 91f5f16..3c2b6a0 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1227,8 +1227,6 @@ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, } *attributes = slot->attr; - attributes->flags &= (MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY | - MBEDTLS_PSA_KA_MASK_DUAL_USE); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) { @@ -1443,16 +1441,6 @@ exit: return (status == PSA_SUCCESS) ? unlock_status : status; } -MBEDTLS_STATIC_ASSERT( - (MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE) == 0, - "One or more key attribute flag is listed as both external-only and dual-use") -MBEDTLS_STATIC_ASSERT( - (PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE) == 0, - "One or more key attribute flag is listed as both internal-only and dual-use") -MBEDTLS_STATIC_ASSERT( - (PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY) == 0, - "One or more key attribute flag is listed as both internal-only and external-only") - /** Validate that a key policy is internally well-formed. * * This function only rejects invalid policies. It does not validate the @@ -1531,12 +1519,6 @@ static psa_status_t psa_validate_key_attributes( return PSA_ERROR_NOT_SUPPORTED; } - /* Reject invalid flags. These should not be reachable through the API. */ - if (attributes->flags & ~(MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY | - MBEDTLS_PSA_KA_MASK_DUAL_USE)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - return PSA_SUCCESS; } @@ -1619,13 +1601,6 @@ static psa_status_t psa_start_key_creation( #endif } - /* Erase external-only flags from the internal copy. To access - * external-only flags, query `attributes`. Thanks to the check - * in psa_validate_key_attributes(), this leaves the dual-use - * flags and any internal flag that psa_reserve_free_key_slot() - * may have set. */ - slot->attr.flags &= ~MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY; - #if defined(MBEDTLS_PSA_CRYPTO_SE_C) /* For a key in a secure element, we need to do three things * when creating or registering a persistent key: diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 02c485e..d4bdf92 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -159,11 +159,6 @@ typedef struct { } while (0); #endif -/* A mask of key attribute flags used only internally. - * Currently there aren't any. */ -#define PSA_KA_MASK_INTERNAL_ONLY ( \ - 0) - /** Test whether a key slot has any registered readers. * If multi-threading is enabled, the caller must hold the * global key slot mutex. @@ -177,56 +172,6 @@ static inline int psa_key_slot_has_readers(const psa_key_slot_t *slot) return slot->registered_readers > 0; } -/** Retrieve flags from psa_key_slot_t::attr::core::flags. - * - * \param[in] slot The key slot to query. - * \param mask The mask of bits to extract. - * - * \return The key attribute flags in the given slot, - * bitwise-anded with \p mask. - */ -static inline uint16_t psa_key_slot_get_flags(const psa_key_slot_t *slot, - uint16_t mask) -{ - return slot->attr.flags & mask; -} - -/** Set flags in psa_key_slot_t::attr::core::flags. - * - * \param[in,out] slot The key slot to modify. - * \param mask The mask of bits to modify. - * \param value The new value of the selected bits. - */ -static inline void psa_key_slot_set_flags(psa_key_slot_t *slot, - uint16_t mask, - uint16_t value) -{ - slot->attr.flags = ((~mask & slot->attr.flags) | - (mask & value)); -} - -/** Turn on flags in psa_key_slot_t::attr::core::flags. - * - * \param[in,out] slot The key slot to modify. - * \param mask The mask of bits to set. - */ -static inline void psa_key_slot_set_bits_in_flags(psa_key_slot_t *slot, - uint16_t mask) -{ - slot->attr.flags |= mask; -} - -/** Turn off flags in psa_key_slot_t::attr::core::flags. - * - * \param[in,out] slot The key slot to modify. - * \param mask The mask of bits to clear. - */ -static inline void psa_key_slot_clear_bits(psa_key_slot_t *slot, - uint16_t mask) -{ - slot->attr.flags &= ~mask; -} - #if defined(MBEDTLS_PSA_CRYPTO_SE_C) /** Get the SE slot number of a key from the key slot storing its description. * -- cgit v1.1 From 718180c7b5e0236decdf326e5155961e1cb68c22 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 11:58:39 +0100 Subject: psa_crypto_random_impl: minor fixes - define mbedtls_psa_random_context_t even when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is defined - define mbedtls_psa_legacy_get_random as pointer to function instead of #define to make "check_names" test happy. Signed-off-by: Valerio Setti --- library/psa_crypto.c | 8 +++-- library/psa_crypto_random_impl.h | 74 +++++++++++++++------------------------- 2 files changed, 33 insertions(+), 49 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c8dd0d0..b86a4fc 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7373,12 +7373,16 @@ psa_status_t psa_generate_random(uint8_t *output, #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ while (output_size > 0) { + int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; size_t request_size = (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ? MBEDTLS_PSA_RANDOM_MAX_REQUEST : output_size); - int ret = mbedtls_psa_legacy_get_random(&global_data.rng.drbg, - output, request_size); +#if defined(MBEDTLS_CTR_DRBG_C) + ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size); +#elif defined(MBEDTLS_HMAC_DRBG_C) + ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size); +#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ if (ret != 0) { return mbedtls_to_psa_error(ret); } diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h index 10db73d..533fb2e 100644 --- a/library/psa_crypto_random_impl.h +++ b/library/psa_crypto_random_impl.h @@ -1,14 +1,6 @@ /** \file psa_crypto_random_impl.h * * \brief PSA crypto random generator implementation abstraction. - * - * The definitions here need to be consistent with the declarations - * in include/psa_util_internal.h. This file contains some redundant - * declarations to increase the chance that a compiler will detect - * inconsistencies if one file is changed without updating the other, - * but not all potential inconsistencies can be enforced, so make sure - * to check the public declarations and contracts in - * include/psa_util_internal.h if you modify this file. */ /* * Copyright The Mbed TLS Contributors @@ -20,7 +12,11 @@ #include "psa_util_internal.h" -#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) + +typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t; + +#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ #include "mbedtls/entropy.h" @@ -54,7 +50,9 @@ #endif #else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ + #error "No DRBG module available for the psa_crypto module." + #endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ #if defined(MBEDTLS_CTR_DRBG_C) @@ -63,14 +61,26 @@ #include "mbedtls/hmac_drbg.h" #endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ +/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */ +#if defined(MBEDTLS_CTR_DRBG_C) +#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST +#elif defined(MBEDTLS_HMAC_DRBG_C) +#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST +#endif + #if defined(MBEDTLS_CTR_DRBG_C) -#define mbedtls_psa_legacy_get_random mbedtls_ctr_drbg_random typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t; #elif defined(MBEDTLS_HMAC_DRBG_C) -#define mbedtls_psa_legacy_get_random mbedtls_hmac_drbg_random typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t; #endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ +typedef struct { + void (* entropy_init)(mbedtls_entropy_context *ctx); + void (* entropy_free)(mbedtls_entropy_context *ctx); + mbedtls_entropy_context entropy; + mbedtls_psa_drbg_context_t drbg; +} mbedtls_psa_random_context_t; + /** Initialize the PSA DRBG. * * \param p_rng Pointer to the Mbed TLS DRBG state. @@ -97,27 +107,6 @@ static inline void mbedtls_psa_drbg_free(mbedtls_psa_drbg_context_t *p_rng) #endif } -/** The type of the PSA random generator context. - * - * The random generator context is composed of an entropy context and - * a DRBG context. - */ -typedef struct { - void (* entropy_init)(mbedtls_entropy_context *ctx); - void (* entropy_free)(mbedtls_entropy_context *ctx); - mbedtls_entropy_context entropy; - mbedtls_psa_drbg_context_t drbg; -} mbedtls_psa_random_context_t; - -/** The maximum number of bytes that mbedtls_psa_get_random() is expected to - * return. - */ -#if defined(MBEDTLS_CTR_DRBG_C) -#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST -#elif defined(MBEDTLS_HMAC_DRBG_C) -#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST -#endif - /** Seed the PSA DRBG. * * \param entropy An entropy context to read the seed from. @@ -129,24 +118,15 @@ typedef struct { * \return \c 0 on success. * \return An Mbed TLS error code (\c MBEDTLS_ERR_xxx) on failure. */ -static inline int mbedtls_psa_drbg_seed( - mbedtls_psa_drbg_context_t *drbg_ctx, - mbedtls_entropy_context *entropy, - const unsigned char *custom, size_t len) +static inline int mbedtls_psa_drbg_seed(mbedtls_psa_drbg_context_t *drbg_ctx, + mbedtls_entropy_context *entropy, + const unsigned char *custom, size_t len) { #if defined(MBEDTLS_CTR_DRBG_C) - return mbedtls_ctr_drbg_seed(drbg_ctx, - mbedtls_entropy_func, - entropy, - custom, len); + return mbedtls_ctr_drbg_seed(drbg_ctx, mbedtls_entropy_func, entropy, custom, len); #elif defined(MBEDTLS_HMAC_DRBG_C) - const mbedtls_md_info_t *md_info = - mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE); - return mbedtls_hmac_drbg_seed(drbg_ctx, - md_info, - mbedtls_entropy_func, - entropy, - custom, len); + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE); + return mbedtls_hmac_drbg_seed(drbg_ctx, md_info, mbedtls_entropy_func, entropy, custom, len); #endif } -- cgit v1.1 From b484e37d917a5af8e1fe204750d138b66d33b93a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 27 Feb 2024 16:21:12 +0100 Subject: pk: fix alg selection in mbedtls_pk_sign_ext() for opaque keys This commit also fixes pk_psa_wrap_sign_ext() setting the RSA padding mode so that mbedtls_pk_get_psa_attributes() correctly guesses the PSA alg to be used. Signed-off-by: Valerio Setti --- library/pk.c | 25 ++++++++++++++++++++++++- tests/suites/test_suite_pk.function | 16 ++++------------ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/library/pk.c b/library/pk.c index 7aee940..8a5124f 100644 --- a/library/pk.c +++ b/library/pk.c @@ -1188,9 +1188,32 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type, } if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) { + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + psa_algorithm_t psa_alg, psa_enrollment_alg, sign_alg; psa_status_t status; - status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS(psa_md_alg), + status = psa_get_key_attributes(ctx->priv_id, &key_attr); + if (status != PSA_SUCCESS) { + return PSA_PK_RSA_TO_MBEDTLS_ERR(status); + } + psa_alg = psa_get_key_algorithm(&key_attr); + psa_enrollment_alg = psa_get_key_enrollment_algorithm(&key_attr); + psa_reset_key_attributes(&key_attr); + + /* Since we're PK type is MBEDTLS_PK_RSASSA_PSS at least one between + * alg and enrollment alg should be of type RSA_PSS. */ + if (PSA_ALG_IS_RSA_PSS(psa_alg)) { + sign_alg = psa_alg; + } else if (PSA_ALG_IS_RSA_PSS(psa_enrollment_alg)) { + sign_alg = psa_enrollment_alg; + } else { + /* The opaque key has no RSA PSS algorithm associated. */ + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + /* Adjust the hashing algorithm. */ + sign_alg = (sign_alg & ~PSA_ALG_HASH_MASK) | PSA_ALG_GET_HASH(psa_md_alg); + + status = psa_sign_hash(ctx->priv_id, sign_alg, hash, hash_len, sig, sig_size, sig_len); return PSA_PK_RSA_TO_MBEDTLS_ERR(status); diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index e1a0011..3d75ad0 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1833,7 +1833,6 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg unsigned char *pkey_start; unsigned char hash[PSA_HASH_MAX_SIZE]; psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg); - psa_algorithm_t psa_alg; size_t hash_len = PSA_HASH_LENGTH(psa_md_alg); void const *options = NULL; mbedtls_pk_rsassa_pss_options rsassa_pss_options; @@ -1850,6 +1849,10 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg mbedtls_test_rnd_std_rand, NULL, key_bits, 3), 0); + if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { + mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE); + } + /* Export underlying public key for re-importing in a legacy context. */ ret = mbedtls_pk_write_pubkey_der(&pk, pkey, sizeof(pkey)); TEST_ASSERT(ret >= 0); @@ -1858,19 +1861,8 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ pkey_start = pkey + sizeof(pkey) - pkey_len; - if (key_pk_type == MBEDTLS_PK_RSA) { - psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg); - } else if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { - psa_alg = PSA_ALG_RSA_PSS(psa_md_alg); - } else { - TEST_ASSUME(!"PK key type not supported in this configuration"); - } - /* Turn PK context into an opaque one. */ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); - /* Tweak the algorithm associated with the PSA key because get_psa_attributes() returns - * a PSA_ALG_RSA_PSS_ANY_SALT(), but mbedtls_pk_sign_ext() requires a PSA_ALG_RSA_PSS().*/ - psa_set_key_algorithm(&key_attr, psa_alg); TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0); mbedtls_pk_free(&pk); mbedtls_pk_init(&pk); -- cgit v1.1 From 90eca2adb047823f82f3714edc26b93a7f0f7c09 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 28 Feb 2024 10:45:43 +0100 Subject: ssl_test_lib: add guards for pk_wrap_as_opaque() Signed-off-by: Valerio Setti --- programs/ssl/ssl_test_lib.c | 2 ++ programs/ssl/ssl_test_lib.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index ec02295..17d36b7 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -275,6 +275,7 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, return 0; } +#if defined(MBEDTLS_PK_C) int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2, psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id) { @@ -303,6 +304,7 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor return 0; } +#endif /* MBEDTLS_PK_C */ #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index 5cb6a36..1da2dfb 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -236,6 +236,7 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, psa_key_usage_t *usage, mbedtls_pk_type_t key_type); +#if defined(MBEDTLS_PK_C) /** Turn a non-opaque PK context into an opaque one with folowing steps: * - extract the key data and attributes from the PK context. * - import the key material into PSA. @@ -258,6 +259,7 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, */ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2, psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id); +#endif /* MBEDTLS_PK_C */ #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) -- cgit v1.1 From 0eb4e7fb40cd8ff851ef32b82f353f3f21e308e5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 10:56:14 +0100 Subject: Fix code style Signed-off-by: Gilles Peskine --- include/psa/crypto_struct.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 4585a3e..3913551 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -295,10 +295,10 @@ struct psa_key_attributes_s { #define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER #endif #define PSA_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \ - PSA_KEY_TYPE_NONE, 0, \ - PSA_KEY_LIFETIME_VOLATILE, \ - PSA_KEY_POLICY_INIT, \ - MBEDTLS_SVC_KEY_ID_INIT } + PSA_KEY_TYPE_NONE, 0, \ + PSA_KEY_LIFETIME_VOLATILE, \ + PSA_KEY_POLICY_INIT, \ + MBEDTLS_SVC_KEY_ID_INIT } static inline struct psa_key_attributes_s psa_key_attributes_init(void) { -- cgit v1.1 From e3fb4ccabf02784bbf41010b837b520a4b43c115 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 16:27:35 +0100 Subject: mbedtls_ecp_write_key_ext(): new function Same as mbedtls_ecp_write_key(), but doesn't require the caller to figure out the length of the output and possibly distinguish between Weierstrass and Montgomery curves. Signed-off-by: Gilles Peskine --- ChangeLog.d/ecp_write_key.txt | 4 ++ include/mbedtls/ecp.h | 20 +++++++ library/ecp.c | 32 +++++++++++ tests/suites/test_suite_ecp.data | 103 +++++++++++++++++++++++++++++++++++ tests/suites/test_suite_ecp.function | 36 ++++++++++++ 5 files changed, 195 insertions(+) create mode 100644 ChangeLog.d/ecp_write_key.txt diff --git a/ChangeLog.d/ecp_write_key.txt b/ChangeLog.d/ecp_write_key.txt new file mode 100644 index 0000000..1961239 --- /dev/null +++ b/ChangeLog.d/ecp_write_key.txt @@ -0,0 +1,4 @@ +Features + * The new function mbedtls_ecp_write_key_ext() is similar to + mbedtls_ecp_write_key(), but can be used without separately calculating + the output length. diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 0201963..b46d6c3 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1371,6 +1371,26 @@ int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, unsigned char *buf, size_t buflen); /** + * \brief This function exports an elliptic curve private key. + * + * \param key The private key. + * \param olen On success, the length of the private key. + * This is always (`grp->nbits` + 7) / 8 bytes + * where `grp->nbits` is the private key size in bits. + * \param buf The output buffer for containing the binary representation + * of the key. + * \param buflen The total length of the buffer in bytes. + * #MBEDTLS_ECP_MAX_BYTES is always sufficient. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key + * representation is larger than the available space in \p buf. + * \return Another negative error code on different kinds of failure. + */ +int mbedtls_ecp_write_key_ext(mbedtls_ecp_keypair *key, + size_t *olen, unsigned char *buf, size_t buflen); + +/** * \brief This function exports an elliptic curve public key. * * \note If the public key was not set in \p key, diff --git a/library/ecp.c b/library/ecp.c index 66b3dc1..930102f 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -3333,6 +3333,38 @@ cleanup: return ret; } +int mbedtls_ecp_write_key_ext(mbedtls_ecp_keypair *key, + size_t *olen, unsigned char *buf, size_t buflen) +{ + size_t len = (key->grp.nbits + 7) / 8; + if (len > buflen) { + /* For robustness, ensure *olen <= buflen even on error. */ + *olen = 0; + return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; + } + *olen = len; + + /* Private key not set */ + if (key->d.n == 0) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + +#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) + if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) { + return mbedtls_mpi_write_binary_le(&key->d, buf, len); + } +#endif + +#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) + if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) { + return mbedtls_mpi_write_binary(&key->d, buf, len); + } +#endif + + /* Private key set but no recognized curve type? This shouldn't happen. */ + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +} + /* * Write a public key. */ diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 1dd963a..fd63657 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -888,6 +888,109 @@ ECP write key: Curve448, mostly-0 key, output_size=55 depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL +ECP write key ext: secp256r1, nominal +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":32:0 + +ECP write key ext: secp256r1, output longer by 1 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":33:0 + +ECP write key ext: secp256r1, output short by 1 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: secp256r1, output_size=0 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: secp256r1, top byte = 0, output_size=32 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":32:0 + +ECP write key ext: secp256r1, top byte = 0, output_size=31 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: secp256r1, top byte = 0, output_size=30 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":30:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: secp256r1, mostly-0 key, output_size=32 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":32:0 + +ECP write key ext: secp256r1, mostly-0 key, output_size=1 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":1:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: secp256r1, private key not set +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECP write key ext: secp384r1, nominal +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":48:0 + +ECP write key ext: secp384r1, output longer by 1 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":49:0 + +ECP write key ext: secp384r1, output short by 1 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":47:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: Curve25519, nominal +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":32:0 + +ECP write key ext: Curve25519, output longer by 1 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":33:0 + +ECP write key ext: Curve25519, output short by 1 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: Curve25519, output_size=0 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: Curve25519, mostly-0 key, output_size=32 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":32:0 + +ECP write key ext: Curve25519, mostly-0 key, output_size=31 +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: Curve25519, private key not set +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECP write key ext: Curve448, nominal +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":56:0 + +ECP write key ext: Curve448, output longer by 1 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":57:0 + +ECP write key ext: Curve448, output short by 1 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: Curve448, mostly-0 key, output_size=56 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":56:0 + +ECP write key ext: Curve448, mostly-0 key, output_size=55 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL + +ECP write key ext: group not set +ecp_write_key_ext:MBEDTLS_ECP_DP_NONE:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA + ECP mod p192 small (more than 192 bits, less limbs than 2 * 192 bits) depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_NIST_OPTIM ecp_fast_mod:MBEDTLS_ECP_DP_SECP192R1:"0100000000000103010000000000010201000000000001010100000000000100" diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 9cf0ce1..c061275 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1296,6 +1296,42 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void ecp_write_key_ext(int grp_id, data_t *in_key, + int exported_size, int expected_ret) +{ + mbedtls_ecp_keypair key; + mbedtls_ecp_keypair_init(&key); + unsigned char *exported = NULL; + + if (in_key->len != 0) { + TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len), 0); + } else if (grp_id != MBEDTLS_ECP_DP_NONE) { + TEST_EQUAL(mbedtls_ecp_group_load(&key.grp, grp_id), 0); + } + + TEST_CALLOC(exported, exported_size); + size_t olen = 0xdeadbeef; + TEST_EQUAL(mbedtls_ecp_write_key_ext(&key, &olen, exported, exported_size), + expected_ret); + + if (expected_ret == 0) { + TEST_EQUAL(olen, (key.grp.nbits + 7) / 8); + TEST_LE_U(olen, MBEDTLS_ECP_MAX_BYTES); + TEST_MEMORY_COMPARE(in_key->x, in_key->len, + exported, olen); + } else { + /* Robustness check: even in the error case, insist that olen is less + * than the buffer size. */ + TEST_LE_U(olen, exported_size); + } + +exit: + mbedtls_ecp_keypair_free(&key); + mbedtls_free(exported); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED:MBEDTLS_ECP_LIGHT */ void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected) { -- cgit v1.1 From acdc52e1543dfb1deb79de414758726538767dba Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 16:42:54 +0100 Subject: mbedtls_ecp_write_key_ext(): recommend over the old function in documentation Signed-off-by: Gilles Peskine --- docs/psa-transition.md | 10 +++++----- include/mbedtls/ecp.h | 2 ++ 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/psa-transition.md b/docs/psa-transition.md index e89128c..94b57eb 100644 --- a/docs/psa-transition.md +++ b/docs/psa-transition.md @@ -845,7 +845,6 @@ For an ECC private key (a future version of Mbed TLS [will provide a more direct ``` unsigned char buf[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; -size_t length = PSA_BITS_TO_BYTES(mbedtls_pk_bitlen(&pk)); mbedtls_ecp_keypair *ec = mbedtls_pk_ec(&pk); psa_ecc_curve_t curve; { @@ -862,7 +861,8 @@ psa_ecc_curve_t curve; mbedtls_ecp_point_free(&Q); mbedtls_mpi_free(&d); } -mbedtls_ecp_write_key(ec, buf, length); +size_t length; +mbedtls_ecp_write_key_ext(ec, &length, buf, sizeof(buf)); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_... | ...); @@ -900,8 +900,8 @@ mbedtls_ecp_keypair_init(&ec); // Omitted: fill ec with key material // (the public key will not be used and does not need to be set) unsigned char buf[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; -size_t length = PSA_BITS_TO_BYTES(mbedtls_pk_bitlen(&pk)); -mbedtls_ecp_write_key(&ec, buf, length); +size_t length; +mbedtls_ecp_write_key_ext(&ec, &length, buf, sizeof(buf)); psa_ecc_curve_t curve = ...; // need to determine the curve family manually psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_attributes(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); @@ -1300,7 +1300,7 @@ There is no PSA equivalent to the types `mbedtls_ecdsa_context` and `mbedtls_ecd The PSA API is a cryptography API, not an arithmetic API. As a consequence, there is no PSA equivalent for the ECC arithmetic functionality exposed by `ecp.h`: * Manipulation of point objects and input-output: the type `mbedtls_ecp_point` and functions operating on it (`mbedtls_ecp_point_xxx`, `mbedtls_ecp_copy`, `mbedtls_ecp_{set,is}_zero`, `mbedtls_ecp_tls_{read,write}_point`). Note that the PSA export format for public keys corresponds to the uncompressed point format (`MBEDTLS_ECP_PF_UNCOMPRESSED`), so [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b), [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) and [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) are equivalent to `mbedtls_ecp_point_read_binary` and `mbedtls_ecp_point_write_binary` for uncompressed points. The PSA API does not currently support compressed points, but it is likely that such support will be added in the future. -* Manipulation of key pairs as such, with a bridge to bignum arithmetic (`mbedtls_ecp_keypair` type, `mbedtls_ecp_export`). However, the PSA export format for ECC private keys used by [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b), [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) is the same as the format used by `mbedtls_ecp_read_key` and `mbedtls_ecp_write_key`. +* Manipulation of key pairs as such, with a bridge to bignum arithmetic (`mbedtls_ecp_keypair` type, `mbedtls_ecp_export`). However, the PSA export format for ECC private keys used by [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b), [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) is the same as the format used by `mbedtls_ecp_read_key` and `mbedtls_ecp_write_key_ext`. * Elliptic curve arithmetic (`mbedtls_ecp_mul`, `mbedtls_ecp_muladd` and their restartable variants). ### Additional information about RSA diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index b46d6c3..58fc5e5 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1338,6 +1338,8 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * checking that the output buffer is large enough. * See the description of the \p buflen parameter for * how to calculate the nominal length. + * To avoid this difficulty, use mbedtls_ecp_write_key_ext() + * instead. * * \note If the private key was not set in \p key, * the output is unspecified. Future versions -- cgit v1.1 From 84b9f1b0391ec748ab0565b4cd89b0f4a667187b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 16:44:29 +0100 Subject: mbedtls_ecp_write_key_ext(): migrate internally Stop using mbedtls_ecp_write_key() except to test it. Signed-off-by: Gilles Peskine --- library/pk.c | 3 +-- library/pkwrite.c | 2 +- library/psa_crypto_ecp.c | 21 +++----------------- library/ssl_tls12_server.c | 3 +-- tests/suites/test_suite_ecp.function | 37 ++++++++++++++++++++++++------------ 5 files changed, 31 insertions(+), 35 deletions(-) diff --git a/library/pk.c b/library/pk.c index 1ded487..c647b45 100644 --- a/library/pk.c +++ b/library/pk.c @@ -1401,8 +1401,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - d_len = PSA_BITS_TO_BYTES(ec->grp.nbits); - if ((ret = mbedtls_ecp_write_key(ec, d, d_len)) != 0) { + if ((ret = mbedtls_ecp_write_key_ext(ec, &d_len, d, sizeof(d))) != 0) { return ret; } diff --git a/library/pkwrite.c b/library/pkwrite.c index b9ddcf1..5e009c5 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -202,7 +202,7 @@ static int pk_write_ec_private(unsigned char **p, unsigned char *start, mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); byte_length = (ec->grp.pbits + 7) / 8; - ret = mbedtls_ecp_write_key(ec, tmp, byte_length); + ret = mbedtls_ecp_write_key_ext(ec, &byte_length, tmp, sizeof(tmp)); if (ret != 0) { goto exit; } diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index 7edea81..e373ad9 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c @@ -281,20 +281,8 @@ psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type, return status; } else { - if (data_size < PSA_BITS_TO_BYTES(ecp->grp.nbits)) { - return PSA_ERROR_BUFFER_TOO_SMALL; - } - status = mbedtls_to_psa_error( - mbedtls_ecp_write_key(ecp, - data, - PSA_BITS_TO_BYTES(ecp->grp.nbits))); - if (status == PSA_SUCCESS) { - *data_length = PSA_BITS_TO_BYTES(ecp->grp.nbits); - } else { - memset(data, 0, data_size); - } - + mbedtls_ecp_write_key_ext(ecp, data_length, data, data_size)); return status; } } @@ -359,14 +347,11 @@ psa_status_t mbedtls_psa_ecp_generate_key( } status = mbedtls_to_psa_error( - mbedtls_ecp_write_key(&ecp, key_buffer, key_buffer_size)); + mbedtls_ecp_write_key_ext(&ecp, key_buffer_length, + key_buffer, key_buffer_size)); mbedtls_ecp_keypair_free(&ecp); - if (status == PSA_SUCCESS) { - *key_buffer_length = key_buffer_size; - } - return status; } #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 53a9ce2..5bee188 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2703,8 +2703,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type)); psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits); - key_len = PSA_BITS_TO_BYTES(key->grp.pbits); - ret = mbedtls_ecp_write_key(key, buf, key_len); + ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf)); if (ret != 0) { mbedtls_platform_zeroize(buf, sizeof(buf)); break; diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index c061275..ef0781b 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1204,27 +1204,40 @@ void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonica TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Y, 2), 0); TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Z, 3), 0); - if (canonical) { + if (canonical && in_key->len == (key.grp.nbits + 7) / 8) { unsigned char buf[MBEDTLS_ECP_MAX_BYTES]; + size_t length = 0xdeadbeef; - ret = mbedtls_ecp_write_key(&key, buf, in_key->len); - TEST_ASSERT(ret == 0); + TEST_EQUAL(mbedtls_ecp_write_key_ext(&key, + &length, buf, in_key->len), 0); + TEST_MEMORY_COMPARE(in_key->x, in_key->len, + buf, length); + memset(buf, 0, sizeof(buf)); + TEST_EQUAL(mbedtls_ecp_write_key(&key, buf, in_key->len), 0); TEST_MEMORY_COMPARE(in_key->x, in_key->len, buf, in_key->len); } else { unsigned char export1[MBEDTLS_ECP_MAX_BYTES]; unsigned char export2[MBEDTLS_ECP_MAX_BYTES]; - ret = mbedtls_ecp_write_key(&key, export1, in_key->len); - TEST_ASSERT(ret == 0); - - ret = mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len); - TEST_ASSERT(ret == expected); - - ret = mbedtls_ecp_write_key(&key2, export2, in_key->len); - TEST_ASSERT(ret == 0); - + size_t length1 = 0xdeadbeef; + TEST_EQUAL(mbedtls_ecp_write_key_ext(&key, &length1, + export1, sizeof(export1)), 0); + TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key2, export1, length1), + expected); + size_t length2 = 0xdeadbeef; + TEST_EQUAL(mbedtls_ecp_write_key_ext(&key2, &length2, + export2, sizeof(export2)), 0); + TEST_MEMORY_COMPARE(export1, length1, + export2, length2); + + memset(export1, 0, sizeof(export1)); + memset(export2, 0, sizeof(export2)); + TEST_EQUAL(mbedtls_ecp_write_key(&key, export1, in_key->len), 0); + TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len), + expected); + TEST_EQUAL(mbedtls_ecp_write_key(&key2, export2, in_key->len), 0); TEST_MEMORY_COMPARE(export1, in_key->len, export2, in_key->len); } -- cgit v1.1 From c0f7a8680fe1b1a5346058fca7b6af38352dbe15 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Feb 2024 16:50:39 +0100 Subject: mbedtls_ecp_write_key(): deprecate the old function Signed-off-by: Gilles Peskine --- ChangeLog.d/ecp_write_key.txt | 4 ++++ include/mbedtls/ecp.h | 11 ++++++++--- library/ecp.c | 2 ++ tests/suites/test_suite_ecp.function | 6 +++++- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/ChangeLog.d/ecp_write_key.txt b/ChangeLog.d/ecp_write_key.txt index 1961239..73354c8 100644 --- a/ChangeLog.d/ecp_write_key.txt +++ b/ChangeLog.d/ecp_write_key.txt @@ -2,3 +2,7 @@ Features * The new function mbedtls_ecp_write_key_ext() is similar to mbedtls_ecp_write_key(), but can be used without separately calculating the output length. + +New deprecations + * mbedtls_ecp_write_key() is deprecated in favor of + mbedtls_ecp_write_key_ext(). diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 58fc5e5..05778cd 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -24,6 +24,7 @@ #include "mbedtls/private_access.h" #include "mbedtls/build_info.h" +#include "mbedtls/platform_util.h" #include "mbedtls/bignum.h" @@ -1327,10 +1328,11 @@ int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id, int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, const unsigned char *buf, size_t buflen); +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief This function exports an elliptic curve private key. * - * \note Note that although this function accepts an output + * \deprecated Note that although this function accepts an output * buffer that is smaller or larger than the key, most key * import interfaces require the output to have exactly * key's nominal length. It is generally simplest to @@ -1340,6 +1342,8 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * how to calculate the nominal length. * To avoid this difficulty, use mbedtls_ecp_write_key_ext() * instead. + * mbedtls_ecp_write_key() is deprecated and will be + * removed in a future version of the library. * * \note If the private key was not set in \p key, * the output is unspecified. Future versions @@ -1369,8 +1373,9 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, * representation is larger than the available space in \p buf. * \return Another negative error code on different kinds of failure. */ -int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, - unsigned char *buf, size_t buflen); +int MBEDTLS_DEPRECATED mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, + unsigned char *buf, size_t buflen); +#endif /* MBEDTLS_DEPRECATED_REMOVED */ /** * \brief This function exports an elliptic curve private key. diff --git a/library/ecp.c b/library/ecp.c index 930102f..0dadaea 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -3302,6 +3302,7 @@ cleanup: /* * Write a private key. */ +#if !defined MBEDTLS_DEPRECATED_REMOVED int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, unsigned char *buf, size_t buflen) { @@ -3332,6 +3333,7 @@ cleanup: return ret; } +#endif /* MBEDTLS_DEPRECATED_REMOVED */ int mbedtls_ecp_write_key_ext(mbedtls_ecp_keypair *key, size_t *olen, unsigned char *buf, size_t buflen) diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index ef0781b..9b5c86f 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1213,10 +1213,12 @@ void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonica TEST_MEMORY_COMPARE(in_key->x, in_key->len, buf, length); +#if defined(MBEDTLS_TEST_DEPRECATED) memset(buf, 0, sizeof(buf)); TEST_EQUAL(mbedtls_ecp_write_key(&key, buf, in_key->len), 0); TEST_MEMORY_COMPARE(in_key->x, in_key->len, buf, in_key->len); +#endif /* MBEDTLS_TEST_DEPRECATED */ } else { unsigned char export1[MBEDTLS_ECP_MAX_BYTES]; unsigned char export2[MBEDTLS_ECP_MAX_BYTES]; @@ -1232,6 +1234,7 @@ void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonica TEST_MEMORY_COMPARE(export1, length1, export2, length2); +#if defined(MBEDTLS_TEST_DEPRECATED) memset(export1, 0, sizeof(export1)); memset(export2, 0, sizeof(export2)); TEST_EQUAL(mbedtls_ecp_write_key(&key, export1, in_key->len), 0); @@ -1240,6 +1243,7 @@ void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonica TEST_EQUAL(mbedtls_ecp_write_key(&key2, export2, in_key->len), 0); TEST_MEMORY_COMPARE(export1, in_key->len, export2, in_key->len); +#endif /* MBEDTLS_TEST_DEPRECATED */ } } @@ -1249,7 +1253,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_TEST_DEPRECATED */ void ecp_write_key(int grp_id, data_t *in_key, int exported_size, int expected_ret) { -- cgit v1.1 From 04ae479b04eedc2a9cb7e720bd4ca51f87c91654 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 26 Feb 2024 09:15:08 +0100 Subject: mbedtls_ecp_write_key_ext: document error for no private key set Signed-off-by: Gilles Peskine --- include/mbedtls/ecp.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 05778cd..e2ae074 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1392,6 +1392,8 @@ int MBEDTLS_DEPRECATED mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, * \return \c 0 on success. * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key * representation is larger than the available space in \p buf. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is + * set in \p key. * \return Another negative error code on different kinds of failure. */ int mbedtls_ecp_write_key_ext(mbedtls_ecp_keypair *key, -- cgit v1.1 From b395e74edd3cce58b692eefe3b5127e096030075 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 14:18:28 +0100 Subject: mbedtls_ecp_write_key_ext(): make key const Having a non-const `key` parameter was anotherf defect of mbedtls_ecp_write_key(). Take this opportunity to fix it. Signed-off-by: Gilles Peskine --- include/mbedtls/ecp.h | 2 +- library/ecp.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index e2ae074..d8f73ae 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -1396,7 +1396,7 @@ int MBEDTLS_DEPRECATED mbedtls_ecp_write_key(mbedtls_ecp_keypair *key, * set in \p key. * \return Another negative error code on different kinds of failure. */ -int mbedtls_ecp_write_key_ext(mbedtls_ecp_keypair *key, +int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key, size_t *olen, unsigned char *buf, size_t buflen); /** diff --git a/library/ecp.c b/library/ecp.c index 0dadaea..427059b 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -3335,7 +3335,7 @@ cleanup: } #endif /* MBEDTLS_DEPRECATED_REMOVED */ -int mbedtls_ecp_write_key_ext(mbedtls_ecp_keypair *key, +int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key, size_t *olen, unsigned char *buf, size_t buflen) { size_t len = (key->grp.nbits + 7) / 8; -- cgit v1.1 From 84a7bfbd33a2df49235231ff3b9c49c22038bf30 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 28 Feb 2024 14:21:32 +0100 Subject: mbedtls_ecp_write_key_ext(): Upgrade import_pair_into_psa as well It wasn't done with the others because that code was added in a concurrent branch. Signed-off-by: Gilles Peskine --- library/pk.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/library/pk.c b/library/pk.c index c647b45..328bbe1 100644 --- a/library/pk.c +++ b/library/pk.c @@ -675,10 +675,7 @@ static int import_pair_into_psa(const mbedtls_pk_context *pk, #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) psa_ecc_family_t from_family = pk->ec_family; #else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - /* We're only reading the key, but mbedtls_ecp_write_key() - * is missing a const annotation on its key parameter, so - * we need the non-const accessor here. */ - mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); + const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk); size_t from_bits = 0; psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id, &from_bits); @@ -704,12 +701,9 @@ static int import_pair_into_psa(const mbedtls_pk_context *pk, return MBEDTLS_ERR_PK_TYPE_MISMATCH; } unsigned char key_buffer[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; - /* Make sure to pass the exact key length to - * mbedtls_ecp_write_key(), because it writes Montgomery keys - * at the start of the buffer but Weierstrass keys at the - * end of the buffer. */ - size_t key_length = PSA_BITS_TO_BYTES(ec->grp.nbits); - int ret = mbedtls_ecp_write_key(ec, key_buffer, key_length); + size_t key_length = 0; + int ret = mbedtls_ecp_write_key_ext(ec, &key_length, + key_buffer, sizeof(key_buffer)); if (ret < 0) { return ret; } -- cgit v1.1 From d753738fc0f32368af0b284562d33ffc9d771cd2 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 23 Feb 2024 12:17:59 +0000 Subject: echd: Added `mbedtls_ecdh_get_grp_id` getter. Signed-off-by: Minos Galanakis --- include/mbedtls/ecdh.h | 13 +++++++++++++ library/ecdh.c | 9 +++++++++ 2 files changed, 22 insertions(+) diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h index 792db79..a0909d6 100644 --- a/include/mbedtls/ecdh.h +++ b/include/mbedtls/ecdh.h @@ -142,6 +142,19 @@ typedef struct mbedtls_ecdh_context { mbedtls_ecdh_context; /** + * \brief Return the ECP group for provided context. + * + * \note To access group specific fields, users should use + * `mbedtls_ecp_curve_info_from_grp_id` or + * `mbedtls_ecp_group_load` on the extracted `group_id`. + * + * \param ctx The ECDH context to parse. This must not be \c NULL. + * + * \return The \c mbedtls_ecp_group_id of the context. + */ +mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx); + +/** * \brief Check whether a given group can be used for ECDH. * * \param gid The ECP group ID to check. diff --git a/library/ecdh.c b/library/ecdh.c index 52b1617..b276c6a 100644 --- a/library/ecdh.c +++ b/library/ecdh.c @@ -144,6 +144,15 @@ static void ecdh_init_internal(mbedtls_ecdh_context_mbed *ctx) #endif } +mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx) +{ +#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) + return ctx->MBEDTLS_PRIVATE(grp).id; +#else + return ctx->MBEDTLS_PRIVATE(grp_id); +#endif +} + /* * Initialize context */ -- cgit v1.1 From b4ce628b64140959cacaec430e3a2d2edde09e17 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 23 Feb 2024 16:55:33 +0000 Subject: tests: Added test for `mbedtls_ecdh_context_grp` Signed-off-by: Minos Galanakis --- tests/suites/test_suite_ecdh.data | 16 ++++++++++++++++ tests/suites/test_suite_ecdh.function | 17 +++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/tests/suites/test_suite_ecdh.data b/tests/suites/test_suite_ecdh.data index cc58432..8d06067 100644 --- a/tests/suites/test_suite_ecdh.data +++ b/tests/suites/test_suite_ecdh.data @@ -100,3 +100,19 @@ ecdh_exchange_get_params_fail:MBEDTLS_ECP_DP_BP256R1:"12345678123456781234567812 ECDH get_params with mismatched groups: their SECP256R1, our BP256R1 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_BP256R1_ENABLED ecdh_exchange_get_params_fail:MBEDTLS_ECP_DP_BP256R1:"1234567812345678123456781234567812345678123456781234567812345678":MBEDTLS_ECP_DP_SECP256R1:"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":1:MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +Context get ECP Group #1 +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecdh_context_grp:MBEDTLS_ECP_DP_SECP256R1 + +Context get ECP Group #2 +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecdh_primitive_random:MBEDTLS_ECP_DP_SECP384R1 + +Context get ECP Group #3 +depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED +ecdh_primitive_random:MBEDTLS_ECP_DP_SECP521R1 + +Context get ECP Group #4 +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecdh_primitive_random:MBEDTLS_ECP_DP_CURVE448 diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function index cc193da..300916f 100644 --- a/tests/suites/test_suite_ecdh.function +++ b/tests/suites/test_suite_ecdh.function @@ -464,3 +464,20 @@ exit: mbedtls_ecp_keypair_free(&their_key); } /* END_CASE */ + +/* BEGIN_CASE */ +void ecdh_context_grp(int id) +{ + mbedtls_ecdh_context srv; + + mbedtls_ecdh_init(&srv); + TEST_ASSERT(mbedtls_ecdh_setup(&srv, id) == 0); + + /* Test the retrieved group id matches/*/ + TEST_ASSERT((int) mbedtls_ecdh_get_grp_id(&srv) == id); + +exit: + mbedtls_ecdh_free(&srv); + +} +/* END_CASE */ -- cgit v1.1 From 4ee6f811957511d6e9f88b6be6de747224430494 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 29 Feb 2024 15:01:21 +0100 Subject: add changelog Signed-off-by: Valerio Setti --- ChangeLog.d/8848.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/8848.txt diff --git a/ChangeLog.d/8848.txt b/ChangeLog.d/8848.txt new file mode 100644 index 0000000..682f4f0 --- /dev/null +++ b/ChangeLog.d/8848.txt @@ -0,0 +1,5 @@ +New deprecations + * mbedtls_pk_wrap_as_opaque() is deprecated. To mimic the same behavior + mbedtls_pk_get_psa_attributes() and mbedtls_pk_import_into_psa() can be + used to import a PK key into PSA, while mbedtls_pk_setup_opaque() can + be used to wrap a PSA key into a opaque PK context. -- cgit v1.1 From 1f08a3248e201146c6a8f0bcba99647b37516e99 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 14:00:58 +0000 Subject: Rename quiet to quiet.sh Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 2 +- tests/scripts/quiet/make | 2 +- tests/scripts/quiet/quiet | 72 -------------------------------------------- tests/scripts/quiet/quiet.sh | 72 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 74 deletions(-) delete mode 100755 tests/scripts/quiet/quiet create mode 100755 tests/scripts/quiet/quiet.sh diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index 3723473..5863978 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -15,4 +15,4 @@ export NO_SILENCE=" --version " export TOOL="cmake" -exec "$(dirname "$0")/quiet" "$@" +exec "$(dirname "$0")/quiet.sh" "$@" diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index 162d44d..24e7795 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -15,4 +15,4 @@ export NO_SILENCE=" --version | test " export TOOL="make" -exec "$(dirname "$0")/quiet" "$@" +exec "$(dirname "$0")/quiet.sh" "$@" diff --git a/tests/scripts/quiet/quiet b/tests/scripts/quiet/quiet deleted file mode 100755 index 0f5bf06..0000000 --- a/tests/scripts/quiet/quiet +++ /dev/null @@ -1,72 +0,0 @@ -# Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later -# -# This swallows the output of the wrapped tool, unless there is an error. -# This helps reduce excess logging in the CI. - -# If you are debugging a build / CI issue, you can get complete unsilenced logs -# by un-commenting the following line (or setting VERBOSE_LOGS in your environment): -# VERBOSE_LOGS=1 -# -# This script provides most of the functionality for the adjacent make and cmake -# wrappers. -# -# It requires two variables to be set: -# -# TOOL - the name of the tool that is being wrapped (with no path), e.g. "make" -# -# NO_SILENCE - a regex that describes the commandline arguments for which output will not -# be silenced, e.g. " --version | test ". In this example, "make test" will -# not be silent, but "make lib" will be. - -# Locate original tool -TOOL_WITH_PATH=$(dirname "$0")/$TOOL -ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$TOOL_WITH_PATH" | head -n1) - -print_quoted_args() { - # similar to printf '%q' "$@" - # but produce more human-readable results for common/simple cases like "a b" - for a in "$@"; do - # Get bash to quote the string - q=$(printf '%q' "$a") - simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$" - if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then - # a requires some quoting (a != q), but has no single quotes, so we can - # simplify the quoted form - e.g.: - # a b -> 'a b' - # CFLAGS=a b -> CFLAGS='a b' - q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'" - fi - printf " %s" "$q" - done -} - -if [[ ! " $* " =~ " --version " ]]; then - # Display the command being invoked - if it succeeds, this is all that will - # be displayed. Don't do this for invocations with --version, because - # this output is often parsed by scripts, so we don't want to modify it. - printf %s "${TOOL}" 1>&2 - print_quoted_args "$@" 1>&2 - echo 1>&2 -fi - -if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then - # Run original command with no output supression - exec "${ORIGINAL_TOOL}" "$@" -else - # Run original command and capture output & exit status - TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") - "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1 - EXIT_STATUS=$? - - if [[ $EXIT_STATUS -ne 0 ]]; then - # On error, display the full output - cat "${TMPFILE}" - fi - - # Remove tmpfile - rm "${TMPFILE}" - - # Propagate the exit status - exit $EXIT_STATUS -fi diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh new file mode 100755 index 0000000..0f5bf06 --- /dev/null +++ b/tests/scripts/quiet/quiet.sh @@ -0,0 +1,72 @@ +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +# +# This swallows the output of the wrapped tool, unless there is an error. +# This helps reduce excess logging in the CI. + +# If you are debugging a build / CI issue, you can get complete unsilenced logs +# by un-commenting the following line (or setting VERBOSE_LOGS in your environment): +# VERBOSE_LOGS=1 +# +# This script provides most of the functionality for the adjacent make and cmake +# wrappers. +# +# It requires two variables to be set: +# +# TOOL - the name of the tool that is being wrapped (with no path), e.g. "make" +# +# NO_SILENCE - a regex that describes the commandline arguments for which output will not +# be silenced, e.g. " --version | test ". In this example, "make test" will +# not be silent, but "make lib" will be. + +# Locate original tool +TOOL_WITH_PATH=$(dirname "$0")/$TOOL +ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$TOOL_WITH_PATH" | head -n1) + +print_quoted_args() { + # similar to printf '%q' "$@" + # but produce more human-readable results for common/simple cases like "a b" + for a in "$@"; do + # Get bash to quote the string + q=$(printf '%q' "$a") + simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$" + if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then + # a requires some quoting (a != q), but has no single quotes, so we can + # simplify the quoted form - e.g.: + # a b -> 'a b' + # CFLAGS=a b -> CFLAGS='a b' + q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'" + fi + printf " %s" "$q" + done +} + +if [[ ! " $* " =~ " --version " ]]; then + # Display the command being invoked - if it succeeds, this is all that will + # be displayed. Don't do this for invocations with --version, because + # this output is often parsed by scripts, so we don't want to modify it. + printf %s "${TOOL}" 1>&2 + print_quoted_args "$@" 1>&2 + echo 1>&2 +fi + +if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then + # Run original command with no output supression + exec "${ORIGINAL_TOOL}" "$@" +else + # Run original command and capture output & exit status + TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") + "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1 + EXIT_STATUS=$? + + if [[ $EXIT_STATUS -ne 0 ]]; then + # On error, display the full output + cat "${TMPFILE}" + fi + + # Remove tmpfile + rm "${TMPFILE}" + + # Propagate the exit status + exit $EXIT_STATUS +fi -- cgit v1.1 From 20964780347fcde5916cf2cd625049d587fba572 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 14:06:19 +0000 Subject: Add editor hint for emacs Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh index 0f5bf06..be065f4 100755 --- a/tests/scripts/quiet/quiet.sh +++ b/tests/scripts/quiet/quiet.sh @@ -1,3 +1,5 @@ +# -*-mode: sh; sh-shell: bash -*- +# # Copyright The Mbed TLS Contributors # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # -- cgit v1.1 From 63c94a36f19ceaf0f410ac5ca4f51f40dade8642 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 14:06:36 +0000 Subject: improve docs Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh index be065f4..5cdcd1e 100755 --- a/tests/scripts/quiet/quiet.sh +++ b/tests/scripts/quiet/quiet.sh @@ -19,7 +19,7 @@ # # NO_SILENCE - a regex that describes the commandline arguments for which output will not # be silenced, e.g. " --version | test ". In this example, "make test" will -# not be silent, but "make lib" will be. +# not be silent, but "make lib test" will be. # Locate original tool TOOL_WITH_PATH=$(dirname "$0")/$TOOL -- cgit v1.1 From a3e694c2ad0d915b545874b7ba3a0829997306e6 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 14:06:49 +0000 Subject: simplify printf call Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh index 5cdcd1e..5b34129 100755 --- a/tests/scripts/quiet/quiet.sh +++ b/tests/scripts/quiet/quiet.sh @@ -30,7 +30,7 @@ print_quoted_args() { # but produce more human-readable results for common/simple cases like "a b" for a in "$@"; do # Get bash to quote the string - q=$(printf '%q' "$a") + printf -v q '%q' "$a" simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$" if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then # a requires some quoting (a != q), but has no single quotes, so we can -- cgit v1.1 From 5f7862a56738607f5b5404306e480c293990b6c2 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 14:14:37 +0000 Subject: Fix docs Co-authored-by: Gilles Peskine Signed-off-by: Dave Rodgman --- tests/scripts/quiet/quiet.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh index 5b34129..01ef422 100755 --- a/tests/scripts/quiet/quiet.sh +++ b/tests/scripts/quiet/quiet.sh @@ -18,8 +18,8 @@ # TOOL - the name of the tool that is being wrapped (with no path), e.g. "make" # # NO_SILENCE - a regex that describes the commandline arguments for which output will not -# be silenced, e.g. " --version | test ". In this example, "make test" will -# not be silent, but "make lib test" will be. +# be silenced, e.g. " --version | test ". In this example, "make lib test" will +# not be silent, but "make lib" will be. # Locate original tool TOOL_WITH_PATH=$(dirname "$0")/$TOOL -- cgit v1.1 From a50190e2df771d0639ab239b48922562a78ec8e8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 29 Feb 2024 15:23:00 +0100 Subject: add changelog Signed-off-by: Valerio Setti --- ChangeLog.d/8825.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/8825.txt diff --git a/ChangeLog.d/8825.txt b/ChangeLog.d/8825.txt new file mode 100644 index 0000000..b7a2487 --- /dev/null +++ b/ChangeLog.d/8825.txt @@ -0,0 +1,6 @@ +Features + * mbedtls_psa_get_random() is always available as soon as + MBEDTLS_PSA_CRYPTO_C is enabled at build time and psa_crypto_init() is + called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be + used as random number generator function(f_rng) and context (p_rng) in + legacy functions. -- cgit v1.1 From 869e310456725ae18a32c7468f7777f002e998c4 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 14:59:40 +0000 Subject: Use export to set VERBOSE_LOGS Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 2 +- tests/scripts/quiet/make | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index 5863978..854375e 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -8,7 +8,7 @@ # If you are debugging a build / CI issue, you can get complete unsilenced logs # by un-commenting the following line (or setting VERBOSE_LOGS in your environment): -# VERBOSE_LOGS=1 +# export VERBOSE_LOGS=1 # don't silence invocations containing these arguments export NO_SILENCE=" --version " diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index 24e7795..b232316 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -8,7 +8,7 @@ # If you are debugging a build / CI issue, you can get complete unsilenced logs # by un-commenting the following line (or setting VERBOSE_LOGS in your environment): -# VERBOSE_LOGS=1 +# export VERBOSE_LOGS=1 # don't silence invocations containing these arguments export NO_SILENCE=" --version | test " -- cgit v1.1 From 87218b364dfa1ce1c92b1ef1c118a42cce2eace7 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 15:01:29 +0000 Subject: blank line for readability Signed-off-by: Dave Rodgman --- tests/scripts/quiet/cmake | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake index 854375e..930931d 100755 --- a/tests/scripts/quiet/cmake +++ b/tests/scripts/quiet/cmake @@ -8,6 +8,7 @@ # If you are debugging a build / CI issue, you can get complete unsilenced logs # by un-commenting the following line (or setting VERBOSE_LOGS in your environment): + # export VERBOSE_LOGS=1 # don't silence invocations containing these arguments -- cgit v1.1 From 1a58e9a2326d34254125c30ffad9acd33a610905 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 29 Feb 2024 16:14:29 +0100 Subject: psa_util: change guard for mbedtls_psa_get_random() to CRYPTO_CLIENT This commit also: - updates changelog - add a stub function to be used in component_test_psa_crypto_client() test Signed-off-by: Valerio Setti --- ChangeLog.d/8825.txt | 2 +- include/mbedtls/psa_util.h | 4 ++-- library/psa_util.c | 4 ++-- library/psa_util_internal.h | 4 ++-- tests/src/psa_crypto_stubs.c | 25 +++++++++++++++++++++++++ 5 files changed, 32 insertions(+), 7 deletions(-) create mode 100644 tests/src/psa_crypto_stubs.c diff --git a/ChangeLog.d/8825.txt b/ChangeLog.d/8825.txt index b7a2487..f892f80 100644 --- a/ChangeLog.d/8825.txt +++ b/ChangeLog.d/8825.txt @@ -1,6 +1,6 @@ Features * mbedtls_psa_get_random() is always available as soon as - MBEDTLS_PSA_CRYPTO_C is enabled at build time and psa_crypto_init() is + MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be used as random number generator function(f_rng) and context (p_rng) in legacy functions. diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index f79178d..c78cc23 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -21,7 +21,7 @@ * otherwise error codes would be unknown in test_suite_psa_crypto_util.data.*/ #include -#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) /** The random generator function for the PSA subsystem. * @@ -139,7 +139,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa { return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK); } -#endif /* MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) diff --git a/library/psa_util.c b/library/psa_util.c index 7384bf1..4ccc5b0 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -18,7 +18,7 @@ #include "psa_util_internal.h" -#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #include @@ -363,7 +363,7 @@ int mbedtls_psa_get_random(void *p_rng, } } -#endif /* MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) diff --git a/library/psa_util_internal.h b/library/psa_util_internal.h index 3e62d5f..70a08a0 100644 --- a/library/psa_util_internal.h +++ b/library/psa_util_internal.h @@ -16,7 +16,7 @@ #include "psa/crypto.h" -#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) /************************************************************************* * FFDH @@ -96,5 +96,5 @@ int psa_pk_status_to_mbedtls(psa_status_t status); sizeof(error_list)/sizeof(error_list[0]), \ fallback_f) -#endif /* MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ #endif /* MBEDTLS_PSA_UTIL_INTERNAL_H */ diff --git a/tests/src/psa_crypto_stubs.c b/tests/src/psa_crypto_stubs.c new file mode 100644 index 0000000..be01121 --- /dev/null +++ b/tests/src/psa_crypto_stubs.c @@ -0,0 +1,25 @@ +/** \file psa_crypto_stubs.c + * + * \brief Stub functions when MBEDTLS_PSA_CRYPTO_CLIENT is enabled but + * MBEDTLS_PSA_CRYPTO_C is disabled. + */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include + +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C) + +psa_status_t psa_generate_random(uint8_t *output, + size_t output_size) +{ + (void) output; + (void) output_size; + + return PSA_ERROR_COMMUNICATION_FAILURE; +} + +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT !MBEDTLS_PSA_CRYPTO_C */ -- cgit v1.1 From d32dd08934b7e7b2e1c55f3641570d68695d9e68 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 29 Feb 2024 16:28:03 +0100 Subject: changelog: fix description Signed-off-by: Valerio Setti --- ChangeLog.d/8848.txt | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/8848.txt b/ChangeLog.d/8848.txt index 682f4f0..71bb7e3 100644 --- a/ChangeLog.d/8848.txt +++ b/ChangeLog.d/8848.txt @@ -1,5 +1,6 @@ -New deprecations - * mbedtls_pk_wrap_as_opaque() is deprecated. To mimic the same behavior - mbedtls_pk_get_psa_attributes() and mbedtls_pk_import_into_psa() can be - used to import a PK key into PSA, while mbedtls_pk_setup_opaque() can - be used to wrap a PSA key into a opaque PK context. +Removals + * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the + same behavior mbedtls_pk_get_psa_attributes() and + mbedtls_pk_import_into_psa() can be used to import a PK key into PSA, + while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque + PK context. -- cgit v1.1 From 5c5a32f52a6b0ec75dc071c26f14dc4592364098 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 13 Feb 2024 17:53:35 +0000 Subject: Add session config bit for KEEP_PEER_CERTIFICATE This config option decides whether the session stores the entire certificate or just a digest of it, but was missing from the serialization config bitflag. Signed-off-by: David Horstmann --- library/ssl_tls.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5b0a4b9..f229360 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3662,6 +3662,12 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 1 +#else +#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 0 +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 #else @@ -3692,6 +3698,7 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 +#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT 6 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ ((uint16_t) ( \ @@ -3701,7 +3708,8 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT))) + (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ + (SSL_SERIALIZED_SESSION_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT))) static const unsigned char ssl_serialized_session_header[] = { MBEDTLS_VERSION_MAJOR, -- cgit v1.1 From 92b258bb507ea43ad64b83323f8ddc4521ee2126 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 13 Feb 2024 17:23:34 +0000 Subject: Update ssl session serialization config bitflag Add config bits for server name indication, early data and record size limit, which all cause the serialized session to be structured differently. Signed-off-by: David Horstmann --- library/ssl_tls.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f229360..54db0a1 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3692,6 +3692,24 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0 +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + +#if defined(MBEDTLS_SSL_EARLY_DATA) +#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0 +#endif /* MBEDTLS_SSL_EARLY_DATA */ + +#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) +#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0 +#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ + #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 @@ -3699,6 +3717,9 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT 6 +#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7 +#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8 +#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ ((uint16_t) ( \ @@ -3709,7 +3730,12 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ - (SSL_SERIALIZED_SESSION_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT))) + (SSL_SERIALIZED_SESSION_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ + SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \ + SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT))) static const unsigned char ssl_serialized_session_header[] = { MBEDTLS_VERSION_MAJOR, -- cgit v1.1 From e59f970f2874260011f328085c2fbcdb31fb02fb Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 29 Feb 2024 16:08:57 +0000 Subject: Move session functions to same part of file Ensure that session save and load functions are not scattered throughout ssl_tls.c but are in the same part of the file. Signed-off-by: David Horstmann --- library/ssl_tls.c | 9811 ++++++++++++++++++++++++++--------------------------- 1 file changed, 4905 insertions(+), 4906 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 54db0a1..870f7d9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -432,10 +432,6 @@ static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); #endif /* MBEDTLS_MD_CAN_SHA384*/ -static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, - unsigned char *buf, - size_t buf_len); - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls12_session_load(mbedtls_ssl_session *session, const unsigned char *buf, @@ -2448,333 +2444,57 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) -/* Serialization of TLS 1.3 sessions: - * - * struct { - * opaque hostname<0..2^16-1>; - * uint64 ticket_reception_time; - * uint32 ticket_lifetime; - * opaque ticket<1..2^16-1>; - * } ClientOnlyData; - * - * struct { - * uint32 ticket_age_add; - * uint8 ticket_flags; - * opaque resumption_key<0..255>; - * uint32 max_early_data_size; - * uint16 record_size_limit; - * select ( endpoint ) { - * case client: ClientOnlyData; - * case server: uint64 ticket_creation_time; - * }; - * } serialized_session_tls13; - * - */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_session_save(const mbedtls_ssl_session *session, - unsigned char *buf, - size_t buf_len, - size_t *olen) +psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, + size_t taglen, + psa_algorithm_t *alg, + psa_key_type_t *key_type, + size_t *key_size) { - unsigned char *p = buf; -#if defined(MBEDTLS_SSL_CLI_C) && \ - defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - size_t hostname_len = (session->hostname == NULL) ? - 0 : strlen(session->hostname) + 1; +#if !defined(MBEDTLS_SSL_HAVE_CCM) + (void) taglen; #endif - size_t needed = 4 /* ticket_age_add */ - + 1 /* ticket_flags */ - + 1; /* resumption_key length */ - *olen = 0; - - if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - needed += session->resumption_key_len; /* resumption_key */ - -#if defined(MBEDTLS_SSL_EARLY_DATA) - needed += 4; /* max_early_data_size */ + switch (mbedtls_cipher_type) { +#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) + case MBEDTLS_CIPHER_AES_128_CBC: + *alg = PSA_ALG_CBC_NO_PADDING; + *key_type = PSA_KEY_TYPE_AES; + *key_size = 128; + break; #endif -#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) - needed += 2; /* record_size_limit */ -#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ - -#if defined(MBEDTLS_HAVE_TIME) - needed += 8; /* ticket_creation_time or ticket_reception_time */ +#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) + case MBEDTLS_CIPHER_AES_128_CCM: + *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; + *key_type = PSA_KEY_TYPE_AES; + *key_size = 128; + break; #endif - -#if defined(MBEDTLS_SSL_CLI_C) - if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - needed += 2 /* hostname_len */ - + hostname_len; /* hostname */ +#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) + case MBEDTLS_CIPHER_AES_128_GCM: + *alg = PSA_ALG_GCM; + *key_type = PSA_KEY_TYPE_AES; + *key_size = 128; + break; #endif - - needed += 4 /* ticket_lifetime */ - + 2; /* ticket_len */ - - /* Check size_t overflow */ - if (session->ticket_len > SIZE_MAX - needed) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - needed += session->ticket_len; /* ticket */ - } -#endif /* MBEDTLS_SSL_CLI_C */ - - *olen = needed; - if (needed > buf_len) { - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } - - MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0); - p[4] = session->ticket_flags; - - /* save resumption_key */ - p[5] = session->resumption_key_len; - p += 6; - memcpy(p, session->resumption_key, session->resumption_key_len); - p += session->resumption_key_len; - -#if defined(MBEDTLS_SSL_EARLY_DATA) - MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0); - p += 4; +#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) + case MBEDTLS_CIPHER_AES_192_CCM: + *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; + *key_type = PSA_KEY_TYPE_AES; + *key_size = 192; + break; #endif -#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) - MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0); - p += 2; -#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ - -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); - p += 8; - } -#endif /* MBEDTLS_HAVE_TIME */ - -#if defined(MBEDTLS_SSL_CLI_C) - if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); - p += 2; - if (hostname_len > 0) { - /* save host name */ - memcpy(p, session->hostname, hostname_len); - p += hostname_len; - } -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - -#if defined(MBEDTLS_HAVE_TIME) - MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0); - p += 8; +#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) + case MBEDTLS_CIPHER_AES_192_GCM: + *alg = PSA_ALG_GCM; + *key_type = PSA_KEY_TYPE_AES; + *key_size = 192; + break; #endif - MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); - p += 4; - - MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0); - p += 2; - - if (session->ticket != NULL && session->ticket_len > 0) { - memcpy(p, session->ticket, session->ticket_len); - p += session->ticket_len; - } - } -#endif /* MBEDTLS_SSL_CLI_C */ - return 0; -} - -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_session_load(mbedtls_ssl_session *session, - const unsigned char *buf, - size_t len) -{ - const unsigned char *p = buf; - const unsigned char *end = buf + len; - - if (end - p < 6) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0); - session->ticket_flags = p[4]; - - /* load resumption_key */ - session->resumption_key_len = p[5]; - p += 6; - - if (end - p < session->resumption_key_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - if (sizeof(session->resumption_key) < session->resumption_key_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - memcpy(session->resumption_key, p, session->resumption_key_len); - p += session->resumption_key_len; - -#if defined(MBEDTLS_SSL_EARLY_DATA) - if (end - p < 4) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; -#endif -#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) - if (end - p < 2) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; -#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ - -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - if (end - p < 8) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); - p += 8; - } -#endif /* MBEDTLS_HAVE_TIME */ - -#if defined(MBEDTLS_SSL_CLI_C) - if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - size_t hostname_len; - /* load host name */ - if (end - p < 2) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - hostname_len = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; - - if (end - p < (long int) hostname_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - if (hostname_len > 0) { - session->hostname = mbedtls_calloc(1, hostname_len); - if (session->hostname == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } - memcpy(session->hostname, p, hostname_len); - p += hostname_len; - } -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - -#if defined(MBEDTLS_HAVE_TIME) - if (end - p < 8) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0); - p += 8; -#endif - if (end - p < 4) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; - - if (end - p < 2) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; - - if (end - p < (long int) session->ticket_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - if (session->ticket_len > 0) { - session->ticket = mbedtls_calloc(1, session->ticket_len); - if (session->ticket == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } - memcpy(session->ticket, p, session->ticket_len); - p += session->ticket_len; - } - } -#endif /* MBEDTLS_SSL_CLI_C */ - - return 0; - -} -#else /* MBEDTLS_SSL_SESSION_TICKETS */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_session_save(const mbedtls_ssl_session *session, - unsigned char *buf, - size_t buf_len, - size_t *olen) -{ - ((void) session); - ((void) buf); - ((void) buf_len); - *olen = 0; - return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; -} - -static int ssl_tls13_session_load(const mbedtls_ssl_session *session, - unsigned char *buf, - size_t buf_len) -{ - ((void) session); - ((void) buf); - ((void) buf_len); - return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; -} -#endif /* !MBEDTLS_SSL_SESSION_TICKETS */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - -psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, - size_t taglen, - psa_algorithm_t *alg, - psa_key_type_t *key_type, - size_t *key_size) -{ -#if !defined(MBEDTLS_SSL_HAVE_CCM) - (void) taglen; -#endif - switch (mbedtls_cipher_type) { -#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) - case MBEDTLS_CIPHER_AES_128_CBC: - *alg = PSA_ALG_CBC_NO_PADDING; - *key_type = PSA_KEY_TYPE_AES; - *key_size = 128; - break; -#endif -#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) - case MBEDTLS_CIPHER_AES_128_CCM: - *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; - *key_type = PSA_KEY_TYPE_AES; - *key_size = 128; - break; -#endif -#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) - case MBEDTLS_CIPHER_AES_128_GCM: - *alg = PSA_ALG_GCM; - *key_type = PSA_KEY_TYPE_AES; - *key_size = 128; - break; -#endif -#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) - case MBEDTLS_CIPHER_AES_192_CCM: - *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; - *key_type = PSA_KEY_TYPE_AES; - *key_size = 192; - break; -#endif -#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) - case MBEDTLS_CIPHER_AES_192_GCM: - *alg = PSA_ALG_GCM; - *key_type = PSA_KEY_TYPE_AES; - *key_size = 192; - break; -#endif -#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) - case MBEDTLS_CIPHER_AES_256_CBC: - *alg = PSA_ALG_CBC_NO_PADDING; - *key_type = PSA_KEY_TYPE_AES; - *key_size = 256; - break; +#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) + case MBEDTLS_CIPHER_AES_256_CBC: + *alg = PSA_ALG_CBC_NO_PADDING; + *key_type = PSA_KEY_TYPE_AES; + *key_size = 256; + break; #endif #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) case MBEDTLS_CIPHER_AES_256_CCM: @@ -3640,5727 +3360,6006 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_CLI_C */ -/* - * Define ticket header determining Mbed TLS version - * and structure of the ticket. - */ - -/* - * Define bitflag determining compile-time settings influencing - * structure of serialized SSL sessions. +/* Serialization of TLS 1.2 sessions: + * + * struct { + * opaque ticket<0..2^24-1>; // length 0 means no ticket + * uint32 ticket_lifetime; + * } ClientOnlyData; + * + * struct { + * uint64 start_time; + * uint8 session_id_len; // at most 32 + * opaque session_id[32]; + * opaque master[48]; // fixed length in the standard + * uint32 verify_result; + * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert + * select (endpoint) { + * case client: ClientOnlyData; + * case server: uint64 ticket_creation_time; + * }; + * uint8 mfl_code; // up to 255 according to standard + * uint8 encrypt_then_mac; // 0 or 1 + * } serialized_session_tls12; */ +static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len) +{ + unsigned char *p = buf; + size_t used = 0; #if defined(MBEDTLS_HAVE_TIME) -#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0 -#endif /* MBEDTLS_HAVE_TIME */ - + uint64_t start; +#endif #if defined(MBEDTLS_X509_CRT_PARSE_C) -#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + size_t cert_len; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) -#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 1 -#else -#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 0 -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + /* + * Time + */ +#if defined(MBEDTLS_HAVE_TIME) + used += 8; -#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0 -#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ + if (used <= buf_len) { + start = (uint64_t) session->start; -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0 -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + MBEDTLS_PUT_UINT64_BE(start, p, 0); + p += 8; + } +#endif /* MBEDTLS_HAVE_TIME */ -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) -#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0 -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ + /* + * Basic mandatory fields + */ + used += 1 /* id_len */ + + sizeof(session->id) + + sizeof(session->master) + + 4; /* verify_result */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + if (used <= buf_len) { + *p++ = MBEDTLS_BYTE_0(session->id_len); + memcpy(p, session->id, 32); + p += 32; -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0 -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + memcpy(p, session->master, 48); + p += 48; -#if defined(MBEDTLS_SSL_EARLY_DATA) -#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0 -#endif /* MBEDTLS_SSL_EARLY_DATA */ + MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0); + p += 4; + } -#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) -#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0 -#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ + /* + * Peer's end-entity certificate + */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + if (session->peer_cert == NULL) { + cert_len = 0; + } else { + cert_len = session->peer_cert->raw.len; + } -#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 -#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 -#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 -#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 -#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 -#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 -#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT 6 -#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7 -#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8 -#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9 + used += 3 + cert_len; -#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ - ((uint16_t) ( \ - (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \ - SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ - (SSL_SERIALIZED_SESSION_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ - SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \ - SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT))) - -static const unsigned char ssl_serialized_session_header[] = { - MBEDTLS_VERSION_MAJOR, - MBEDTLS_VERSION_MINOR, - MBEDTLS_VERSION_PATCH, - MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), - MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), -}; - -/* - * Serialize a session in the following format: - * (in the presentation language of TLS, RFC 8446 section 3) - * - * struct { - * - * opaque mbedtls_version[3]; // library version: major, minor, patch - * opaque session_format[2]; // library-version specific 16-bit field - * // determining the format of the remaining - * // serialized data. - * - * Note: When updating the format, remember to keep - * these version+format bytes. - * - * // In this version, `session_format` determines - * // the setting of those compile-time - * // configuration options which influence - * // the structure of mbedtls_ssl_session. - * - * uint8_t minor_ver; // Protocol minor version. Possible values: - * // - TLS 1.2 (0x0303) - * // - TLS 1.3 (0x0304) - * - * select (serialized_session.tls_version) { - * - * case MBEDTLS_SSL_VERSION_TLS1_2: - * serialized_session_tls12 data; - * case MBEDTLS_SSL_VERSION_TLS1_3: - * serialized_session_tls13 data; - * - * }; - * - * } serialized_session; - * - */ + if (used <= buf_len) { + *p++ = MBEDTLS_BYTE_2(cert_len); + *p++ = MBEDTLS_BYTE_1(cert_len); + *p++ = MBEDTLS_BYTE_0(cert_len); -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_session_save(const mbedtls_ssl_session *session, - unsigned char omit_header, - unsigned char *buf, - size_t buf_len, - size_t *olen) -{ - unsigned char *p = buf; - size_t used = 0; - size_t remaining_len; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - size_t out_len; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#endif - if (session == NULL) { - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + if (session->peer_cert != NULL) { + memcpy(p, session->peer_cert->raw.p, cert_len); + p += cert_len; + } } - - if (!omit_header) { - /* - * Add Mbed TLS version identifier - */ - used += sizeof(ssl_serialized_session_header); - +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + if (session->peer_cert_digest != NULL) { + used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len; if (used <= buf_len) { - memcpy(p, ssl_serialized_session_header, - sizeof(ssl_serialized_session_header)); - p += sizeof(ssl_serialized_session_header); + *p++ = (unsigned char) session->peer_cert_digest_type; + *p++ = (unsigned char) session->peer_cert_digest_len; + memcpy(p, session->peer_cert_digest, + session->peer_cert_digest_len); + p += session->peer_cert_digest_len; + } + } else { + used += 2; + if (used <= buf_len) { + *p++ = (unsigned char) MBEDTLS_MD_NONE; + *p++ = 0; } } +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_X509_CRT_PARSE_C */ /* - * TLS version identifier, endpoint, ciphersuite + * Session ticket if any, plus associated data */ - used += 1 /* TLS version */ - + 1 /* endpoint */ - + 2; /* ciphersuite */ - if (used <= buf_len) { - *p++ = MBEDTLS_BYTE_0(session->tls_version); - *p++ = session->endpoint; - MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); - p += 2; - } +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_CLI_C) + if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { + used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ - /* Forward to version-specific serialization routine. */ - remaining_len = (buf_len >= used) ? buf_len - used : 0; - switch (session->tls_version) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - case MBEDTLS_SSL_VERSION_TLS1_2: - used += ssl_tls12_session_save(session, p, remaining_len); - break; -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + if (used <= buf_len) { + *p++ = MBEDTLS_BYTE_2(session->ticket_len); + *p++ = MBEDTLS_BYTE_1(session->ticket_len); + *p++ = MBEDTLS_BYTE_0(session->ticket_len); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - case MBEDTLS_SSL_VERSION_TLS1_3: - ret = ssl_tls13_session_save(session, p, remaining_len, &out_len); - if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { - return ret; + if (session->ticket != NULL) { + memcpy(p, session->ticket, session->ticket_len); + p += session->ticket_len; } - used += out_len; - break; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - default: - return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); + p += 4; + } } +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + used += 8; - *olen = used; - if (used > buf_len) { - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + if (used <= buf_len) { + MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); + p += 8; + } } +#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - return 0; -} + /* + * Misc extension-related info + */ +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + used += 1; -/* - * Public wrapper for ssl_session_save() - */ -int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, - unsigned char *buf, - size_t buf_len, - size_t *olen) -{ - return ssl_session_save(session, 0, buf, buf_len, olen); + if (used <= buf_len) { + *p++ = session->mfl_code; + } +#endif + +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + used += 1; + + if (used <= buf_len) { + *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac); + } +#endif + + return used; } -/* - * Deserialize session, see mbedtls_ssl_session_save() for format. - * - * This internal version is wrapped by a public function that cleans up in - * case of error, and has an extra option omit_header. - */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_session_load(mbedtls_ssl_session *session, - unsigned char omit_header, - const unsigned char *buf, - size_t len) +static int ssl_tls12_session_load(mbedtls_ssl_session *session, + const unsigned char *buf, + size_t len) { +#if defined(MBEDTLS_HAVE_TIME) + uint64_t start; +#endif +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + size_t cert_len; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + const unsigned char *p = buf; const unsigned char * const end = buf + len; - size_t remaining_len; - - if (session == NULL) { - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + /* + * Time + */ +#if defined(MBEDTLS_HAVE_TIME) + if (8 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - if (!omit_header) { - /* - * Check Mbed TLS version identifier - */ - - if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + start = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; - if (memcmp(p, ssl_serialized_session_header, - sizeof(ssl_serialized_session_header)) != 0) { - return MBEDTLS_ERR_SSL_VERSION_MISMATCH; - } - p += sizeof(ssl_serialized_session_header); - } + session->start = (time_t) start; +#endif /* MBEDTLS_HAVE_TIME */ /* - * TLS version identifier, endpoint, ciphersuite + * Basic mandatory fields */ - if (4 > (size_t) (end - p)) { + if (1 + 32 + 48 + 4 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++); - session->endpoint = *p++; - session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; - /* Dispatch according to TLS version. */ - remaining_len = (size_t) (end - p); - switch (session->tls_version) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - case MBEDTLS_SSL_VERSION_TLS1_2: - return ssl_tls12_session_load(session, p, remaining_len); -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + session->id_len = *p++; + memcpy(session->id, p, 32); + p += 32; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - case MBEDTLS_SSL_VERSION_TLS1_3: - return ssl_tls13_session_load(session, p, remaining_len); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + memcpy(session->master, p, 48); + p += 48; - default: - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } -} + session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0); + p += 4; -/* - * Deserialize session: public wrapper for error cleaning - */ -int mbedtls_ssl_session_load(mbedtls_ssl_session *session, - const unsigned char *buf, - size_t len) -{ - int ret = ssl_session_load(session, 0, buf, len); + /* Immediately clear invalid pointer values that have been read, in case + * we exit early before we replaced them with valid ones. */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + session->peer_cert = NULL; +#else + session->peer_cert_digest = NULL; +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) + session->ticket = NULL; +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ - if (ret != 0) { - mbedtls_ssl_session_free(session); + /* + * Peer certificate + */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + /* Deserialize CRT from the end of the ticket. */ + if (3 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return ret; -} + cert_len = MBEDTLS_GET_UINT24_BE(p, 0); + p += 3; -/* - * Perform a single step of the SSL handshake - */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + if (cert_len != 0) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* - * We may have not been able to send to the peer all the handshake data - * that were written into the output buffer by the previous handshake step, - * if the write to the network callback returned with the - * #MBEDTLS_ERR_SSL_WANT_WRITE error code. - * We proceed to the next handshake step only when all data from the - * previous one have been sent to the peer, thus we make sure that this is - * the case here by calling `mbedtls_ssl_flush_output()`. The function may - * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case - * we have to wait before to go ahead. - * In the case of TLS 1.3, handshake step handlers do not send data to the - * peer. Data are only sent here and through - * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an - * alert occurred. - */ - if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) { - return ret; - } + if (cert_len > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) { - if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { - return ret; + session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); + + if (session->peer_cert == NULL) { + return MBEDTLS_ERR_SSL_ALLOC_FAILED; } - } -#endif /* MBEDTLS_SSL_PROTO_DTLS */ - return ret; -} + mbedtls_x509_crt_init(session->peer_cert); -int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert, + p, cert_len)) != 0) { + mbedtls_x509_crt_free(session->peer_cert); + mbedtls_free(session->peer_cert); + session->peer_cert = NULL; + return ret; + } - if (ssl == NULL || - ssl->conf == NULL || - ssl->handshake == NULL || - ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) { + p += cert_len; + } +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + /* Deserialize CRT digest from the end of the ticket. */ + if (2 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - ret = ssl_prepare_handshake_step(ssl); - if (ret != 0) { - return ret; - } + session->peer_cert_digest_type = (mbedtls_md_type_t) *p++; + session->peer_cert_digest_len = (size_t) *p++; - ret = mbedtls_ssl_handle_pending_alert(ssl); - if (ret != 0) { - goto cleanup; - } + if (session->peer_cert_digest_len != 0) { + const mbedtls_md_info_t *md_info = + mbedtls_md_info_from_type(session->peer_cert_digest_type); + if (md_info == NULL) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or - * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ - ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (session->peer_cert_digest_len > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + session->peer_cert_digest = + mbedtls_calloc(1, session->peer_cert_digest_len); + if (session->peer_cert_digest == NULL) { + return MBEDTLS_ERR_SSL_ALLOC_FAILED; + } + + memcpy(session->peer_cert_digest, p, + session->peer_cert_digest_len); + p += session->peer_cert_digest_len; + } +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + /* + * Session ticket and associated data + */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s", - mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state))); + if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { + if (3 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - switch (ssl->state) { - case MBEDTLS_SSL_HELLO_REQUEST: - ssl->state = MBEDTLS_SSL_CLIENT_HELLO; - ret = 0; - break; + session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0); + p += 3; - case MBEDTLS_SSL_CLIENT_HELLO: - ret = mbedtls_ssl_write_client_hello(ssl); - break; + if (session->ticket_len != 0) { + if (session->ticket_len > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - default: -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) - if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { - ret = mbedtls_ssl_tls13_handshake_client_step(ssl); - } else { - ret = mbedtls_ssl_handshake_client_step(ssl); - } -#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) - ret = mbedtls_ssl_handshake_client_step(ssl); -#else - ret = mbedtls_ssl_tls13_handshake_client_step(ssl); -#endif + session->ticket = mbedtls_calloc(1, session->ticket_len); + if (session->ticket == NULL) { + return MBEDTLS_ERR_SSL_ALLOC_FAILED; + } + + memcpy(session->ticket, p, session->ticket_len); + p += session->ticket_len; + } + + if (4 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + + session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); + p += 4; } #endif /* MBEDTLS_SSL_CLI_C */ - -#if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) - if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { - ret = mbedtls_ssl_tls13_handshake_server_step(ssl); - } else { - ret = mbedtls_ssl_handshake_server_step(ssl); +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + if (8 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) - ret = mbedtls_ssl_handshake_server_step(ssl); -#else - ret = mbedtls_ssl_tls13_handshake_server_step(ssl); -#endif + session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; } -#endif /* MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - if (ret != 0) { - /* handshake_step return error. And it is same - * with alert_reason. - */ - if (ssl->send_alert) { - ret = mbedtls_ssl_handle_pending_alert(ssl); - goto cleanup; - } + /* + * Misc extension-related info + */ +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + if (1 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -cleanup: - return ret; -} + session->mfl_code = *p++; +#endif -/* - * Perform the SSL handshake - */ -int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl) -{ - int ret = 0; +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + if (1 > (size_t) (end - p)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - /* Sanity checks */ + session->encrypt_then_mac = *p++; +#endif - if (ssl == NULL || ssl->conf == NULL) { + /* Done, should have consumed entire buffer */ + if (p != end) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("You must use " - "mbedtls_ssl_set_timer_cb() for DTLS")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } -#endif /* MBEDTLS_SSL_PROTO_DTLS */ + return 0; +} - MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake")); +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - /* Main handshake loop */ - while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { - ret = mbedtls_ssl_handshake_step(ssl); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +/* Serialization of TLS 1.3 sessions: + * + * struct { + * opaque hostname<0..2^16-1>; + * uint64 ticket_reception_time; + * uint32 ticket_lifetime; + * opaque ticket<1..2^16-1>; + * } ClientOnlyData; + * + * struct { + * uint32 ticket_age_add; + * uint8 ticket_flags; + * opaque resumption_key<0..255>; + * uint32 max_early_data_size; + * uint16 record_size_limit; + * select ( endpoint ) { + * case client: ClientOnlyData; + * case server: uint64 ticket_creation_time; + * }; + * } serialized_session_tls13; + * + */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_session_save(const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len, + size_t *olen) +{ + unsigned char *p = buf; +#if defined(MBEDTLS_SSL_CLI_C) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + size_t hostname_len = (session->hostname == NULL) ? + 0 : strlen(session->hostname) + 1; +#endif + size_t needed = 4 /* ticket_age_add */ + + 1 /* ticket_flags */ + + 1; /* resumption_key length */ + *olen = 0; - if (ret != 0) { - break; - } + if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + needed += session->resumption_key_len; /* resumption_key */ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake")); +#if defined(MBEDTLS_SSL_EARLY_DATA) + needed += 4; /* max_early_data_size */ +#endif +#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) + needed += 2; /* record_size_limit */ +#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ - return ret; -} +#if defined(MBEDTLS_HAVE_TIME) + needed += 8; /* ticket_creation_time or ticket_reception_time */ +#endif -#if defined(MBEDTLS_SSL_RENEGOTIATION) -#if defined(MBEDTLS_SSL_SRV_C) -/* - * Write HelloRequest to request renegotiation on server - */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_write_hello_request(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_SSL_CLI_C) + if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + needed += 2 /* hostname_len */ + + hostname_len; /* hostname */ +#endif - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request")); + needed += 4 /* ticket_lifetime */ + + 2; /* ticket_len */ - ssl->out_msglen = 4; - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; + /* Check size_t overflow */ + if (session->ticket_len > SIZE_MAX - needed) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); - return ret; + needed += session->ticket_len; /* ticket */ } +#endif /* MBEDTLS_SSL_CLI_C */ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request")); + *olen = needed; + if (needed > buf_len) { + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } - return 0; -} -#endif /* MBEDTLS_SSL_SRV_C */ + MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0); + p[4] = session->ticket_flags; -/* - * Actually renegotiate current connection, triggered by either: - * - any side: calling mbedtls_ssl_renegotiate(), - * - client: receiving a HelloRequest during mbedtls_ssl_read(), - * - server: receiving any handshake message on server during mbedtls_ssl_read() after - * the initial handshake is completed. - * If the handshake doesn't complete due to waiting for I/O, it will continue - * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. - */ -int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* save resumption_key */ + p[5] = session->resumption_key_len; + p += 6; + memcpy(p, session->resumption_key, session->resumption_key_len); + p += session->resumption_key_len; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate")); +#if defined(MBEDTLS_SSL_EARLY_DATA) + MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0); + p += 4; +#endif +#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) + MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0); + p += 2; +#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ - if ((ret = ssl_handshake_init(ssl)) != 0) { - return ret; +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); + p += 8; } +#endif /* MBEDTLS_HAVE_TIME */ - /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and - * the ServerHello will have message_seq = 1" */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) { - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - ssl->handshake->out_msg_seq = 1; - } else { - ssl->handshake->in_msg_seq = 1; +#if defined(MBEDTLS_SSL_CLI_C) + if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); + p += 2; + if (hostname_len > 0) { + /* save host name */ + memcpy(p, session->hostname, hostname_len); + p += hostname_len; } - } +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + +#if defined(MBEDTLS_HAVE_TIME) + MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0); + p += 8; #endif + MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); + p += 4; - ssl->state = MBEDTLS_SSL_HELLO_REQUEST; - ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; + MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0); + p += 2; - if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); - return ret; + if (session->ticket != NULL && session->ticket_len > 0) { + memcpy(p, session->ticket, session->ticket_len); + p += session->ticket_len; + } } - - MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate")); - +#endif /* MBEDTLS_SSL_CLI_C */ return 0; } -/* - * Renegotiate current connection on client, - * or request renegotiation on server - */ -int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_session_load(mbedtls_ssl_session *session, + const unsigned char *buf, + size_t len) { - int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + const unsigned char *p = buf; + const unsigned char *end = buf + len; - if (ssl == NULL || ssl->conf == NULL) { + if (end - p < 6) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0); + session->ticket_flags = p[4]; -#if defined(MBEDTLS_SSL_SRV_C) - /* On server, just send the request */ - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - if (mbedtls_ssl_is_handshake_over(ssl) == 0) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + /* load resumption_key */ + session->resumption_key_len = p[5]; + p += 6; - ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; + if (end - p < session->resumption_key_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - /* Did we already try/start sending HelloRequest? */ - if (ssl->out_left != 0) { - return mbedtls_ssl_flush_output(ssl); - } + if (sizeof(session->resumption_key) < session->resumption_key_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + memcpy(session->resumption_key, p, session->resumption_key_len); + p += session->resumption_key_len; - return ssl_write_hello_request(ssl); +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (end - p < 4) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -#endif /* MBEDTLS_SSL_SRV_C */ + session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0); + p += 4; +#endif +#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) + if (end - p < 2) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; +#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ -#if defined(MBEDTLS_SSL_CLI_C) - /* - * On client, either start the renegotiation process or, - * if already in progress, continue the handshake - */ - if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { - if (mbedtls_ssl_is_handshake_over(ssl) == 0) { +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { + if (end - p < 8) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; + } +#endif /* MBEDTLS_HAVE_TIME */ - if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret); - return ret; - } - } else { - if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); - return ret; +#if defined(MBEDTLS_SSL_CLI_C) + if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + size_t hostname_len; + /* load host name */ + if (end - p < 2) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + hostname_len = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; + + if (end - p < (long int) hostname_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + if (hostname_len > 0) { + session->hostname = mbedtls_calloc(1, hostname_len); + if (session->hostname == NULL) { + return MBEDTLS_ERR_SSL_ALLOC_FAILED; + } + memcpy(session->hostname, p, hostname_len); + p += hostname_len; + } +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + +#if defined(MBEDTLS_HAVE_TIME) + if (end - p < 8) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; +#endif + if (end - p < 4) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); + p += 4; + + if (end - p < 2) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; + + if (end - p < (long int) session->ticket_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + if (session->ticket_len > 0) { + session->ticket = mbedtls_calloc(1, session->ticket_len); + if (session->ticket == NULL) { + return MBEDTLS_ERR_SSL_ALLOC_FAILED; + } + memcpy(session->ticket, p, session->ticket_len); + p += session->ticket_len; } } #endif /* MBEDTLS_SSL_CLI_C */ - return ret; -} -#endif /* MBEDTLS_SSL_RENEGOTIATION */ + return 0; -void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) +} +#else /* MBEDTLS_SSL_SESSION_TICKETS */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_session_save(const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len, + size_t *olen) { - mbedtls_ssl_handshake_params *handshake = ssl->handshake; + ((void) session); + ((void) buf); + ((void) buf_len); + *olen = 0; + return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; +} - if (handshake == NULL) { - return; - } +static int ssl_tls13_session_load(const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len) +{ + ((void) session); + ((void) buf); + ((void) buf_len); + return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; +} +#endif /* !MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) - if (ssl->handshake->group_list_heap_allocated) { - mbedtls_free((void *) handshake->group_list); - } - handshake->group_list = NULL; -#endif /* MBEDTLS_DEPRECATED_REMOVED */ -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ +/* + * Define ticket header determining Mbed TLS version + * and structure of the ticket. + */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) - if (ssl->handshake->sig_algs_heap_allocated) { - mbedtls_free((void *) handshake->sig_algs); - } - handshake->sig_algs = NULL; -#endif /* MBEDTLS_DEPRECATED_REMOVED */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if (ssl->handshake->certificate_request_context) { - mbedtls_free((void *) handshake->certificate_request_context); - } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +/* + * Define bitflag determining compile-time settings influencing + * structure of serialized SSL sessions. + */ -#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) - if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) { - ssl->conf->f_async_cancel(ssl); - handshake->async_in_progress = 0; - } -#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ +#if defined(MBEDTLS_HAVE_TIME) +#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0 +#endif /* MBEDTLS_HAVE_TIME */ -#if defined(MBEDTLS_MD_CAN_SHA256) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort(&handshake->fin_sha256_psa); +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 #else - mbedtls_md_free(&handshake->fin_sha256); -#endif -#endif -#if defined(MBEDTLS_MD_CAN_SHA384) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort(&handshake->fin_sha384_psa); +#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 1 #else - mbedtls_md_free(&handshake->fin_sha384); -#endif -#endif +#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 0 +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_DHM_C) - mbedtls_dhm_free(&handshake->dhm_ctx); -#endif -#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) - mbedtls_ecdh_free(&handshake->ecdh_ctx); -#endif +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0 +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_pake_abort(&handshake->psa_pake_ctx); - /* - * Opaque keys are not stored in the handshake's data and it's the user - * responsibility to destroy them. Clear ones, instead, are created by - * the TLS library and should be destroyed at the same level - */ - if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) { - psa_destroy_key(handshake->psa_pake_password); - } - handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1 #else - mbedtls_ecjpake_free(&handshake->ecjpake_ctx); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_SSL_CLI_C) - mbedtls_free(handshake->ecjpake_cache); - handshake->ecjpake_cache = NULL; - handshake->ecjpake_cache_len = 0; -#endif -#endif +#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0 +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - /* explicit void pointer cast for buggy MS compiler */ - mbedtls_free((void *) handshake->curves_tls_id); -#endif +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0 +#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { - /* The maintenance of the external PSK key slot is the - * user's responsibility. */ - if (ssl->handshake->psk_opaque_is_internal) { - psa_destroy_key(ssl->handshake->psk_opaque); - ssl->handshake->psk_opaque_is_internal = 0; - } - ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; - } +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 #else - if (handshake->psk != NULL) { - mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len); - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ +#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - /* - * Free only the linked list wrapper, not the keys themselves - * since the belong to the SNI callback - */ - ssl_key_cert_free(handshake->sni_key_cert); -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0 +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx); - if (handshake->ecrs_peer_cert != NULL) { - mbedtls_x509_crt_free(handshake->ecrs_peer_cert); - mbedtls_free(handshake->ecrs_peer_cert); - } -#endif +#if defined(MBEDTLS_SSL_EARLY_DATA) +#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0 +#endif /* MBEDTLS_SSL_EARLY_DATA */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - mbedtls_pk_free(&handshake->peer_pubkey); -#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) +#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0 +#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ -#if defined(MBEDTLS_SSL_CLI_C) && \ - (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) - mbedtls_free(handshake->cookie); -#endif /* MBEDTLS_SSL_CLI_C && - ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */ - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - mbedtls_ssl_flight_free(handshake->flight); - mbedtls_ssl_buffering_free(ssl); -#endif /* MBEDTLS_SSL_PROTO_DTLS */ - -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) - if (handshake->xxdh_psa_privkey_is_external == 0) { - psa_destroy_key(handshake->xxdh_psa_privkey); - } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_ssl_transform_free(handshake->transform_handshake); - mbedtls_free(handshake->transform_handshake); -#if defined(MBEDTLS_SSL_EARLY_DATA) - mbedtls_ssl_transform_free(handshake->transform_earlydata); - mbedtls_free(handshake->transform_earlydata); -#endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - - -#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) - /* If the buffers are too big - reallocate. Because of the way Mbed TLS - * processes datagrams and the fact that a datagram is allowed to have - * several records in it, it is possible that the I/O buffers are not - * empty at this stage */ - handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl), - mbedtls_ssl_get_output_buflen(ssl)); -#endif - - /* mbedtls_platform_zeroize MUST be last one in this function */ - mbedtls_platform_zeroize(handshake, - sizeof(mbedtls_ssl_handshake_params)); -} - -void mbedtls_ssl_session_free(mbedtls_ssl_session *session) -{ - if (session == NULL) { - return; - } - -#if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl_clear_peer_cert(session); -#endif - -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ - defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - mbedtls_free(session->hostname); -#endif - mbedtls_free(session->ticket); -#endif - - mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); -} - -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) - -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u -#else -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u - -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u -#else -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u -#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - -#if defined(MBEDTLS_SSL_ALPN) -#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u -#else -#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u -#endif /* MBEDTLS_SSL_ALPN */ - -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0 -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1 -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2 -#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3 +#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 +#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 +#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 +#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 +#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT 6 +#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7 +#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8 +#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9 -#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \ - ((uint32_t) ( \ - (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \ - SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \ - (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \ - SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \ - (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \ - SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \ - (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \ - 0u)) +#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ + ((uint16_t) ( \ + (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \ + SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ + (SSL_SERIALIZED_SESSION_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ + SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \ + SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT))) -static const unsigned char ssl_serialized_context_header[] = { +static const unsigned char ssl_serialized_session_header[] = { MBEDTLS_VERSION_MAJOR, MBEDTLS_VERSION_MINOR, MBEDTLS_VERSION_PATCH, MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), - MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), - MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), - MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), }; /* - * Serialize a full SSL context - * - * The format of the serialized data is: + * Serialize a session in the following format: * (in the presentation language of TLS, RFC 8446 section 3) * - * // header - * opaque mbedtls_version[3]; // major, minor, patch - * opaque context_format[5]; // version-specific field determining - * // the format of the remaining - * // serialized data. - * Note: When updating the format, remember to keep these - * version+format bytes. (We may make their size part of the API.) + * struct { * - * // session sub-structure - * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save() - * // transform sub-structure - * uint8 random[64]; // ServerHello.random+ClientHello.random - * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value - * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use - * // fields from ssl_context - * uint32 badmac_seen; // DTLS: number of records with failing MAC - * uint64 in_window_top; // DTLS: last validated record seq_num - * uint64 in_window; // DTLS: bitmask for replay protection - * uint8 disable_datagram_packing; // DTLS: only one record per datagram - * uint64 cur_out_ctr; // Record layer: outgoing sequence number - * uint16 mtu; // DTLS: path mtu (max outgoing fragment size) - * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol + * opaque mbedtls_version[3]; // library version: major, minor, patch + * opaque session_format[2]; // library-version specific 16-bit field + * // determining the format of the remaining + * // serialized data. * - * Note that many fields of the ssl_context or sub-structures are not - * serialized, as they fall in one of the following categories: + * Note: When updating the format, remember to keep + * these version+format bytes. + * + * // In this version, `session_format` determines + * // the setting of those compile-time + * // configuration options which influence + * // the structure of mbedtls_ssl_session. + * + * uint8_t minor_ver; // Protocol minor version. Possible values: + * // - TLS 1.2 (0x0303) + * // - TLS 1.3 (0x0304) + * + * select (serialized_session.tls_version) { + * + * case MBEDTLS_SSL_VERSION_TLS1_2: + * serialized_session_tls12 data; + * case MBEDTLS_SSL_VERSION_TLS1_3: + * serialized_session_tls13 data; + * + * }; + * + * } serialized_session; * - * 1. forced value (eg in_left must be 0) - * 2. pointer to dynamically-allocated memory (eg session, transform) - * 3. value can be re-derived from other data (eg session keys from MS) - * 4. value was temporary (eg content of input buffer) - * 5. value will be provided by the user again (eg I/O callbacks and context) */ -int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t buf_len, - size_t *olen) + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_session_save(const mbedtls_ssl_session *session, + unsigned char omit_header, + unsigned char *buf, + size_t buf_len, + size_t *olen) { unsigned char *p = buf; size_t used = 0; - size_t session_len; - int ret = 0; + size_t remaining_len; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + size_t out_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif + if (session == NULL) { + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } + + if (!omit_header) { + /* + * Add Mbed TLS version identifier + */ + used += sizeof(ssl_serialized_session_header); + + if (used <= buf_len) { + memcpy(p, ssl_serialized_session_header, + sizeof(ssl_serialized_session_header)); + p += sizeof(ssl_serialized_session_header); + } + } /* - * Enforce usage restrictions, see "return BAD_INPUT_DATA" in - * this function's documentation. - * - * These are due to assumptions/limitations in the implementation. Some of - * them are likely to stay (no handshake in progress) some might go away - * (only DTLS) but are currently used to simplify the implementation. + * TLS version identifier, endpoint, ciphersuite */ - /* The initial handshake must be over */ - if (mbedtls_ssl_is_handshake_over(ssl) == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - if (ssl->handshake != NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - /* Double-check that sub-structures are indeed ready */ - if (ssl->transform == NULL || ssl->session == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - /* There must be no pending incoming or outgoing data */ - if (mbedtls_ssl_check_pending(ssl) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - if (ssl->out_left != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + used += 1 /* TLS version */ + + 1 /* endpoint */ + + 2; /* ciphersuite */ + if (used <= buf_len) { + *p++ = MBEDTLS_BYTE_0(session->tls_version); + *p++ = session->endpoint; + MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); + p += 2; } - /* Protocol must be DTLS, not TLS */ - if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - /* Version must be 1.2 */ - if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - /* We must be using an AEAD ciphersuite */ - if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - /* Renegotiation must not be enabled */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) - if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled")); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } -#endif - - /* - * Version and format identifier - */ - used += sizeof(ssl_serialized_context_header); - - if (used <= buf_len) { - memcpy(p, ssl_serialized_context_header, - sizeof(ssl_serialized_context_header)); - p += sizeof(ssl_serialized_context_header); - } - - /* - * Session (length + data) - */ - ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len); - if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { - return ret; - } - - used += 4 + session_len; - if (used <= buf_len) { - MBEDTLS_PUT_UINT32_BE(session_len, p, 0); - p += 4; - - ret = ssl_session_save(ssl->session, 1, - p, session_len, &session_len); - if (ret != 0) { - return ret; - } - - p += session_len; - } - - /* - * Transform - */ - used += sizeof(ssl->transform->randbytes); - if (used <= buf_len) { - memcpy(p, ssl->transform->randbytes, - sizeof(ssl->transform->randbytes)); - p += sizeof(ssl->transform->randbytes); - } - -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len; - if (used <= buf_len) { - *p++ = ssl->transform->in_cid_len; - memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len); - p += ssl->transform->in_cid_len; - - *p++ = ssl->transform->out_cid_len; - memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len); - p += ssl->transform->out_cid_len; - } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - - /* - * Saved fields from top-level ssl_context structure - */ - used += 4; - if (used <= buf_len) { - MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0); - p += 4; - } - -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - used += 16; - if (used <= buf_len) { - MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0); - p += 8; - - MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0); - p += 8; - } -#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - used += 1; - if (used <= buf_len) { - *p++ = ssl->disable_datagram_packing; - } -#endif /* MBEDTLS_SSL_PROTO_DTLS */ - - used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; - if (used <= buf_len) { - memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN); - p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; - } - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - used += 2; - if (used <= buf_len) { - MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0); - p += 2; - } -#endif /* MBEDTLS_SSL_PROTO_DTLS */ - -#if defined(MBEDTLS_SSL_ALPN) - { - const uint8_t alpn_len = ssl->alpn_chosen - ? (uint8_t) strlen(ssl->alpn_chosen) - : 0; - used += 1 + alpn_len; - if (used <= buf_len) { - *p++ = alpn_len; + /* Forward to version-specific serialization routine. */ + remaining_len = (buf_len >= used) ? buf_len - used : 0; + switch (session->tls_version) { +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + case MBEDTLS_SSL_VERSION_TLS1_2: + used += ssl_tls12_session_save(session, p, remaining_len); + break; +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - if (ssl->alpn_chosen != NULL) { - memcpy(p, ssl->alpn_chosen, alpn_len); - p += alpn_len; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case MBEDTLS_SSL_VERSION_TLS1_3: + ret = ssl_tls13_session_save(session, p, remaining_len, &out_len); + if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { + return ret; } - } + used += out_len; + break; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + + default: + return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; } -#endif /* MBEDTLS_SSL_ALPN */ - /* - * Done - */ *olen = used; - if (used > buf_len) { return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; } - MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used); + return 0; +} - return mbedtls_ssl_session_reset_int(ssl, 0); +/* + * Public wrapper for ssl_session_save() + */ +int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len, + size_t *olen) +{ + return ssl_session_save(session, 0, buf, buf_len, olen); } /* - * Deserialize context, see mbedtls_ssl_context_save() for format. + * Deserialize session, see mbedtls_ssl_session_save() for format. * * This internal version is wrapped by a public function that cleans up in - * case of error. + * case of error, and has an extra option omit_header. */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_context_load(mbedtls_ssl_context *ssl, +static int ssl_session_load(mbedtls_ssl_session *session, + unsigned char omit_header, const unsigned char *buf, size_t len) { const unsigned char *p = buf; const unsigned char * const end = buf + len; - size_t session_len; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - tls_prf_fn prf_func = NULL; -#endif + size_t remaining_len; - /* - * The context should have been freshly setup or reset. - * Give the user an error in case of obvious misuse. - * (Checking session is useful because it won't be NULL if we're - * renegotiating, or if the user mistakenly loaded a session first.) - */ - if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST || - ssl->session != NULL) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - /* - * We can't check that the config matches the initial one, but we can at - * least check it matches the requirements for serializing. - */ - if ( -#if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED || -#endif - ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || - ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 || - ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 - ) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (session == NULL) { + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } - MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len); + if (!omit_header) { + /* + * Check Mbed TLS version identifier + */ - /* - * Check version identifier - */ - if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - if (memcmp(p, ssl_serialized_context_header, - sizeof(ssl_serialized_context_header)) != 0) { - return MBEDTLS_ERR_SSL_VERSION_MISMATCH; + if (memcmp(p, ssl_serialized_session_header, + sizeof(ssl_serialized_session_header)) != 0) { + return MBEDTLS_ERR_SSL_VERSION_MISMATCH; + } + p += sizeof(ssl_serialized_session_header); } - p += sizeof(ssl_serialized_context_header); /* - * Session + * TLS version identifier, endpoint, ciphersuite */ - if ((size_t) (end - p) < 4) { + if (4 > (size_t) (end - p)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++); + session->endpoint = *p++; + session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; - session_len = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; + /* Dispatch according to TLS version. */ + remaining_len = (size_t) (end - p); + switch (session->tls_version) { +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + case MBEDTLS_SSL_VERSION_TLS1_2: + return ssl_tls12_session_load(session, p, remaining_len); +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - /* This has been allocated by ssl_handshake_init(), called by - * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ - ssl->session = ssl->session_negotiate; - ssl->session_in = ssl->session; - ssl->session_out = ssl->session; - ssl->session_negotiate = NULL; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case MBEDTLS_SSL_VERSION_TLS1_3: + return ssl_tls13_session_load(session, p, remaining_len); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - if ((size_t) (end - p) < session_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + default: + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } +} + +/* + * Deserialize session: public wrapper for error cleaning + */ +int mbedtls_ssl_session_load(mbedtls_ssl_session *session, + const unsigned char *buf, + size_t len) +{ + int ret = ssl_session_load(session, 0, buf, len); - ret = ssl_session_load(ssl->session, 1, p, session_len); if (ret != 0) { - mbedtls_ssl_session_free(ssl->session); - return ret; + mbedtls_ssl_session_free(session); } - p += session_len; + return ret; +} + +/* + * Perform a single step of the SSL handshake + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* - * Transform + * We may have not been able to send to the peer all the handshake data + * that were written into the output buffer by the previous handshake step, + * if the write to the network callback returned with the + * #MBEDTLS_ERR_SSL_WANT_WRITE error code. + * We proceed to the next handshake step only when all data from the + * previous one have been sent to the peer, thus we make sure that this is + * the case here by calling `mbedtls_ssl_flush_output()`. The function may + * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case + * we have to wait before to go ahead. + * In the case of TLS 1.3, handshake step handlers do not send data to the + * peer. Data are only sent here and through + * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an + * alert occurred. */ + if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) { + return ret; + } - /* This has been allocated by ssl_handshake_init(), called by - * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - ssl->transform = ssl->transform_negotiate; - ssl->transform_in = ssl->transform; - ssl->transform_out = ssl->transform; - ssl->transform_negotiate = NULL; -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite); - if (prf_func == NULL) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) { + if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { + return ret; + } } +#endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* Read random bytes and populate structure */ - if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) { + return ret; +} + +int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if (ssl == NULL || + ssl->conf == NULL || + ssl->handshake == NULL || + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - ret = ssl_tls12_populate_transform(ssl->transform, - ssl->session->ciphersuite, - ssl->session->master, -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) - ssl->session->encrypt_then_mac, -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ - prf_func, - p, /* currently pointing to randbytes */ - MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ - ssl->conf->endpoint, - ssl); + ret = ssl_prepare_handshake_step(ssl); if (ret != 0) { return ret; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - p += sizeof(ssl->transform->randbytes); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - /* Read connection IDs and store them */ - if ((size_t) (end - p) < 1) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + ret = mbedtls_ssl_handle_pending_alert(ssl); + if (ret != 0) { + goto cleanup; } - ssl->transform->in_cid_len = *p++; + /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or + * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ + ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } +#if defined(MBEDTLS_SSL_CLI_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { + MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s", + mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state))); - memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len); - p += ssl->transform->in_cid_len; + switch (ssl->state) { + case MBEDTLS_SSL_HELLO_REQUEST: + ssl->state = MBEDTLS_SSL_CLIENT_HELLO; + ret = 0; + break; - ssl->transform->out_cid_len = *p++; + case MBEDTLS_SSL_CLIENT_HELLO: + ret = mbedtls_ssl_write_client_hello(ssl); + break; - if ((size_t) (end - p) < ssl->transform->out_cid_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + default: +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) + if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { + ret = mbedtls_ssl_tls13_handshake_client_step(ssl); + } else { + ret = mbedtls_ssl_handshake_client_step(ssl); + } +#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) + ret = mbedtls_ssl_handshake_client_step(ssl); +#else + ret = mbedtls_ssl_tls13_handshake_client_step(ssl); +#endif + } } +#endif /* MBEDTLS_SSL_CLI_C */ - memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len); - p += ssl->transform->out_cid_len; -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - - /* - * Saved fields from top-level ssl_context structure - */ - if ((size_t) (end - p) < 4) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; +#if defined(MBEDTLS_SSL_SRV_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) + if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { + ret = mbedtls_ssl_tls13_handshake_server_step(ssl); + } else { + ret = mbedtls_ssl_handshake_server_step(ssl); + } +#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) + ret = mbedtls_ssl_handshake_server_step(ssl); +#else + ret = mbedtls_ssl_tls13_handshake_server_step(ssl); +#endif } +#endif /* MBEDTLS_SSL_SRV_C */ - ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; - -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - if ((size_t) (end - p) < 16) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (ret != 0) { + /* handshake_step return error. And it is same + * with alert_reason. + */ + if (ssl->send_alert) { + ret = mbedtls_ssl_handle_pending_alert(ssl); + goto cleanup; + } } - ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0); - p += 8; - - ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0); - p += 8; -#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ +cleanup: + return ret; +} -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if ((size_t) (end - p) < 1) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } +/* + * Perform the SSL handshake + */ +int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl) +{ + int ret = 0; - ssl->disable_datagram_packing = *p++; -#endif /* MBEDTLS_SSL_PROTO_DTLS */ + /* Sanity checks */ - if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) { + if (ssl == NULL || ssl->conf == NULL) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr)); - p += sizeof(ssl->cur_out_ctr); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if ((size_t) (end - p) < 2) { + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) { + MBEDTLS_SSL_DEBUG_MSG(1, ("You must use " + "mbedtls_ssl_set_timer_cb() for DTLS")); return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - - ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_ALPN) - { - uint8_t alpn_len; - const char **cur; - - if ((size_t) (end - p) < 1) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - alpn_len = *p++; + MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake")); - if (alpn_len != 0 && ssl->conf->alpn_list != NULL) { - /* alpn_chosen should point to an item in the configured list */ - for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { - if (strlen(*cur) == alpn_len && - memcmp(p, cur, alpn_len) == 0) { - ssl->alpn_chosen = *cur; - break; - } - } - } + /* Main handshake loop */ + while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { + ret = mbedtls_ssl_handshake_step(ssl); - /* can only happen on conf mismatch */ - if (alpn_len != 0 && ssl->alpn_chosen == NULL) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (ret != 0) { + break; } - - p += alpn_len; } -#endif /* MBEDTLS_SSL_ALPN */ - /* - * Forced fields from top-level ssl_context structure - * - * Most of them already set to the correct value by mbedtls_ssl_init() and - * mbedtls_ssl_reset(), so we only need to set the remaining ones. - */ - ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; - ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; + MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake")); - /* Adjust pointers for header fields of outgoing records to - * the given transform, accounting for explicit IV and CID. */ - mbedtls_ssl_update_out_pointers(ssl, ssl->transform); + return ret; +} -#if defined(MBEDTLS_SSL_PROTO_DTLS) - ssl->in_epoch = 1; -#endif +#if defined(MBEDTLS_SSL_RENEGOTIATION) +#if defined(MBEDTLS_SSL_SRV_C) +/* + * Write HelloRequest to request renegotiation on server + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_write_hello_request(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated, - * which we don't want - otherwise we'd end up freeing the wrong transform - * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform() - * inappropriately. */ - if (ssl->handshake != NULL) { - mbedtls_ssl_handshake_free(ssl); - mbedtls_free(ssl->handshake); - ssl->handshake = NULL; - } + MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request")); - /* - * Done - should have consumed entire buffer - */ - if (p != end) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + ssl->out_msglen = 4; + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; + + if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + return ret; } + MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request")); + return 0; } +#endif /* MBEDTLS_SSL_SRV_C */ /* - * Deserialize context: public wrapper for error cleaning + * Actually renegotiate current connection, triggered by either: + * - any side: calling mbedtls_ssl_renegotiate(), + * - client: receiving a HelloRequest during mbedtls_ssl_read(), + * - server: receiving any handshake message on server during mbedtls_ssl_read() after + * the initial handshake is completed. + * If the handshake doesn't complete due to waiting for I/O, it will continue + * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. */ -int mbedtls_ssl_context_load(mbedtls_ssl_context *context, - const unsigned char *buf, - size_t len) +int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl) { - int ret = ssl_context_load(context, buf, len); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (ret != 0) { - mbedtls_ssl_free(context); + MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate")); + + if ((ret = ssl_handshake_init(ssl)) != 0) { + return ret; } - return ret; + /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and + * the ServerHello will have message_seq = 1" */ +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) { + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { + ssl->handshake->out_msg_seq = 1; + } else { + ssl->handshake->in_msg_seq = 1; + } + } +#endif + + ssl->state = MBEDTLS_SSL_HELLO_REQUEST; + ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; + + if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); + return ret; + } + + MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate")); + + return 0; } -#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ /* - * Free an SSL context + * Renegotiate current connection on client, + * or request renegotiation on server */ -void mbedtls_ssl_free(mbedtls_ssl_context *ssl) +int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl) { - if (ssl == NULL) { - return; + int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + + if (ssl == NULL || ssl->conf == NULL) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - MBEDTLS_SSL_DEBUG_MSG(2, ("=> free")); +#if defined(MBEDTLS_SSL_SRV_C) + /* On server, just send the request */ + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { + if (mbedtls_ssl_is_handshake_over(ssl) == 0) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - if (ssl->out_buf != NULL) { -#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) - size_t out_buf_len = ssl->out_buf_len; -#else - size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; -#endif + ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; - mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len); - ssl->out_buf = NULL; + /* Did we already try/start sending HelloRequest? */ + if (ssl->out_left != 0) { + return mbedtls_ssl_flush_output(ssl); + } + + return ssl_write_hello_request(ssl); } +#endif /* MBEDTLS_SSL_SRV_C */ - if (ssl->in_buf != NULL) { -#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) - size_t in_buf_len = ssl->in_buf_len; -#else - size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; -#endif +#if defined(MBEDTLS_SSL_CLI_C) + /* + * On client, either start the renegotiation process or, + * if already in progress, continue the handshake + */ + if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { + if (mbedtls_ssl_is_handshake_over(ssl) == 0) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len); - ssl->in_buf = NULL; + if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret); + return ret; + } + } else { + if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); + return ret; + } } +#endif /* MBEDTLS_SSL_CLI_C */ - if (ssl->transform) { - mbedtls_ssl_transform_free(ssl->transform); - mbedtls_free(ssl->transform); - } + return ret; +} +#endif /* MBEDTLS_SSL_RENEGOTIATION */ - if (ssl->handshake) { - mbedtls_ssl_handshake_free(ssl); - mbedtls_free(ssl->handshake); +void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) +{ + mbedtls_ssl_handshake_params *handshake = ssl->handshake; -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - mbedtls_ssl_transform_free(ssl->transform_negotiate); - mbedtls_free(ssl->transform_negotiate); -#endif + if (handshake == NULL) { + return; + } - mbedtls_ssl_session_free(ssl->session_negotiate); - mbedtls_free(ssl->session_negotiate); +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + if (ssl->handshake->group_list_heap_allocated) { + mbedtls_free((void *) handshake->group_list); } + handshake->group_list = NULL; +#endif /* MBEDTLS_DEPRECATED_REMOVED */ +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + if (ssl->handshake->sig_algs_heap_allocated) { + mbedtls_free((void *) handshake->sig_algs); + } + handshake->sig_algs = NULL; +#endif /* MBEDTLS_DEPRECATED_REMOVED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_ssl_transform_free(ssl->transform_application); - mbedtls_free(ssl->transform_application); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - - if (ssl->session) { - mbedtls_ssl_session_free(ssl->session); - mbedtls_free(ssl->session); + if (ssl->handshake->certificate_request_context) { + mbedtls_free((void *) handshake->certificate_request_context); } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) - if (ssl->hostname != NULL) { - mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); +#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) + if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) { + ssl->conf->f_async_cancel(ssl); + handshake->async_in_progress = 0; } -#endif - -#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) - mbedtls_free(ssl->cli_id); -#endif - - MBEDTLS_SSL_DEBUG_MSG(2, ("<= free")); - - /* Actually clear after last debug message */ - mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context)); -} - -/* - * Initialize mbedtls_ssl_config - */ -void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) -{ - memset(conf, 0, sizeof(mbedtls_ssl_config)); -} +#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -/* The selection should be the same as mbedtls_x509_crt_profile_default in - * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: - * curves with a lower resource usage come first. - * See the documentation of mbedtls_ssl_conf_curves() for what we promise - * about this list. - */ -static const uint16_t ssl_preset_default_groups[] = { -#if defined(MBEDTLS_ECP_HAVE_CURVE25519) - MBEDTLS_SSL_IANA_TLS_GROUP_X25519, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP256R1) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP384R1) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, +#if defined(MBEDTLS_MD_CAN_SHA256) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort(&handshake->fin_sha256_psa); +#else + mbedtls_md_free(&handshake->fin_sha256); #endif -#if defined(MBEDTLS_ECP_HAVE_CURVE448) - MBEDTLS_SSL_IANA_TLS_GROUP_X448, #endif -#if defined(MBEDTLS_ECP_HAVE_SECP521R1) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, +#if defined(MBEDTLS_MD_CAN_SHA384) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort(&handshake->fin_sha384_psa); +#else + mbedtls_md_free(&handshake->fin_sha384); #endif -#if defined(MBEDTLS_ECP_HAVE_BP256R1) - MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, #endif -#if defined(MBEDTLS_ECP_HAVE_BP384R1) - MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, + +#if defined(MBEDTLS_DHM_C) + mbedtls_dhm_free(&handshake->dhm_ctx); #endif -#if defined(MBEDTLS_ECP_HAVE_BP512R1) - MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) + mbedtls_ecdh_free(&handshake->ecdh_ctx); #endif -#if defined(PSA_WANT_ALG_FFDH) - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, - MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, -#endif - MBEDTLS_SSL_IANA_TLS_GROUP_NONE -}; - -static const int ssl_preset_suiteb_ciphersuites[] = { - MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - 0 -}; - -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) - -/* NOTICE: - * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following - * rules SHOULD be upheld. - * - No duplicate entries. - * - But if there is a good reason, do not change the order of the algorithms. - * - ssl_tls12_preset* is for TLS 1.2 use only. - * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. - */ -static const uint16_t ssl_preset_default_sig_algs[] = { -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ - defined(MBEDTLS_MD_CAN_SHA256) && \ - defined(PSA_WANT_ECC_SECP_R1_256) - MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, - // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_abort(&handshake->psa_pake_ctx); + /* + * Opaque keys are not stored in the handshake's data and it's the user + * responsibility to destroy them. Clear ones, instead, are created by + * the TLS library and should be destroyed at the same level + */ + if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) { + psa_destroy_key(handshake->psa_pake_password); + } + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else + mbedtls_ecjpake_free(&handshake->ecjpake_ctx); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_SSL_CLI_C) + mbedtls_free(handshake->ecjpake_cache); + handshake->ecjpake_cache = NULL; + handshake->ecjpake_cache_len = 0; #endif - -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ - defined(MBEDTLS_MD_CAN_SHA384) && \ - defined(PSA_WANT_ECC_SECP_R1_384) - MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, - // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ - defined(MBEDTLS_MD_CAN_SHA512) && \ - defined(PSA_WANT_ECC_SECP_R1_521) - MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, - // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512) +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + /* explicit void pointer cast for buggy MS compiler */ + mbedtls_free((void *) handshake->curves_tls_id); #endif -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, -#endif +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { + /* The maintenance of the external PSK key slot is the + * user's responsibility. */ + if (ssl->handshake->psk_opaque_is_internal) { + psa_destroy_key(ssl->handshake->psk_opaque); + ssl->handshake->psk_opaque_is_internal = 0; + } + ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; + } +#else + if (handshake->psk != NULL) { + mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len); + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, -#endif +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + /* + * Free only the linked list wrapper, not the keys themselves + * since the belong to the SNI callback + */ + ssl_key_cert_free(handshake->sni_key_cert); +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx); + if (handshake->ecrs_peer_cert != NULL) { + mbedtls_x509_crt_free(handshake->ecrs_peer_cert); + mbedtls_free(handshake->ecrs_peer_cert); + } #endif -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512) - MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, -#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */ - -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384) - MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, -#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + mbedtls_pk_free(&handshake->peer_pubkey); +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) - MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, -#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */ +#if defined(MBEDTLS_SSL_CLI_C) && \ + (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) + mbedtls_free(handshake->cookie); +#endif /* MBEDTLS_SSL_CLI_C && + ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */ - MBEDTLS_TLS_SIG_NONE -}; +#if defined(MBEDTLS_SSL_PROTO_DTLS) + mbedtls_ssl_flight_free(handshake->flight); + mbedtls_ssl_buffering_free(ssl); +#endif /* MBEDTLS_SSL_PROTO_DTLS */ -/* NOTICE: see above */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) -static uint16_t ssl_tls12_preset_default_sig_algs[] = { +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) + if (handshake->xxdh_psa_privkey_is_external == 0) { + psa_destroy_key(handshake->xxdh_psa_privkey); + } +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ -#if defined(MBEDTLS_MD_CAN_SHA512) -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512), -#endif -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, -#endif -#if defined(MBEDTLS_RSA_C) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_transform_free(handshake->transform_handshake); + mbedtls_free(handshake->transform_handshake); +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_transform_free(handshake->transform_earlydata); + mbedtls_free(handshake->transform_earlydata); #endif -#endif /* MBEDTLS_MD_CAN_SHA512 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_MD_CAN_SHA384) -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), -#endif -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, -#endif -#if defined(MBEDTLS_RSA_C) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), -#endif -#endif /* MBEDTLS_MD_CAN_SHA384 */ -#if defined(MBEDTLS_MD_CAN_SHA256) -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), -#endif -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, -#endif -#if defined(MBEDTLS_RSA_C) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), +#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) + /* If the buffers are too big - reallocate. Because of the way Mbed TLS + * processes datagrams and the fact that a datagram is allowed to have + * several records in it, it is possible that the I/O buffers are not + * empty at this stage */ + handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl), + mbedtls_ssl_get_output_buflen(ssl)); #endif -#endif /* MBEDTLS_MD_CAN_SHA256 */ - MBEDTLS_TLS_SIG_NONE -}; -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + /* mbedtls_platform_zeroize MUST be last one in this function */ + mbedtls_platform_zeroize(handshake, + sizeof(mbedtls_ssl_handshake_params)); +} -/* NOTICE: see above */ -static const uint16_t ssl_preset_suiteb_sig_algs[] = { +void mbedtls_ssl_session_free(mbedtls_ssl_session *session) +{ + if (session == NULL) { + return; + } -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ - defined(MBEDTLS_MD_CAN_SHA256) && \ - defined(MBEDTLS_ECP_HAVE_SECP256R1) - MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, - // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) +#if defined(MBEDTLS_X509_CRT_PARSE_C) + ssl_clear_peer_cert(session); #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ - defined(MBEDTLS_MD_CAN_SHA384) && \ - defined(MBEDTLS_ECP_HAVE_SECP384R1) - MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, - // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + mbedtls_free(session->hostname); +#endif + mbedtls_free(session->ticket); #endif - MBEDTLS_TLS_SIG_NONE -}; + mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); +} -/* NOTICE: see above */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) -static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) -#if defined(MBEDTLS_MD_CAN_SHA256) -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), -#endif -#endif /* MBEDTLS_MD_CAN_SHA256 */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u +#else +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_MD_CAN_SHA384) -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) - MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), -#endif -#endif /* MBEDTLS_MD_CAN_SHA384 */ +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u - MBEDTLS_TLS_SIG_NONE -}; -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u +#else +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u +#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_SSL_ALPN) +#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u +#else +#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u +#endif /* MBEDTLS_SSL_ALPN */ -static const uint16_t ssl_preset_suiteb_groups[] = { -#if defined(MBEDTLS_ECP_HAVE_SECP256R1) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP384R1) - MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, -#endif - MBEDTLS_SSL_IANA_TLS_GROUP_NONE -}; - -#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` - * to make sure there are no duplicated signature algorithm entries. */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs) -{ - size_t i, j; - int ret = 0; +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0 +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1 +#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2 +#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3 - for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { - for (j = 0; j < i; j++) { - if (sig_algs[i] != sig_algs[j]) { - continue; - } - mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET - ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n", - sig_algs[i], j, i); - ret = -1; - } - } - return ret; -} +#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \ + ((uint32_t) ( \ + (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \ + SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \ + (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \ + SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \ + (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \ + SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \ + (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \ + 0u)) -#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +static const unsigned char ssl_serialized_context_header[] = { + MBEDTLS_VERSION_MAJOR, + MBEDTLS_VERSION_MINOR, + MBEDTLS_VERSION_PATCH, + MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), + MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), + MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), + MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), + MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), +}; /* - * Load default in mbedtls_ssl_config + * Serialize a full SSL context + * + * The format of the serialized data is: + * (in the presentation language of TLS, RFC 8446 section 3) + * + * // header + * opaque mbedtls_version[3]; // major, minor, patch + * opaque context_format[5]; // version-specific field determining + * // the format of the remaining + * // serialized data. + * Note: When updating the format, remember to keep these + * version+format bytes. (We may make their size part of the API.) + * + * // session sub-structure + * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save() + * // transform sub-structure + * uint8 random[64]; // ServerHello.random+ClientHello.random + * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value + * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use + * // fields from ssl_context + * uint32 badmac_seen; // DTLS: number of records with failing MAC + * uint64 in_window_top; // DTLS: last validated record seq_num + * uint64 in_window; // DTLS: bitmask for replay protection + * uint8 disable_datagram_packing; // DTLS: only one record per datagram + * uint64 cur_out_ctr; // Record layer: outgoing sequence number + * uint16 mtu; // DTLS: path mtu (max outgoing fragment size) + * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol + * + * Note that many fields of the ssl_context or sub-structures are not + * serialized, as they fall in one of the following categories: + * + * 1. forced value (eg in_left must be 0) + * 2. pointer to dynamically-allocated memory (eg session, transform) + * 3. value can be re-derived from other data (eg session keys from MS) + * 4. value was temporary (eg content of input buffer) + * 5. value will be provided by the user again (eg I/O callbacks and context) */ -int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, - int endpoint, int transport, int preset) +int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len, + size_t *olen) { -#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#endif + unsigned char *p = buf; + size_t used = 0; + size_t session_len; + int ret = 0; -#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) - if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) { - mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n"); - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* + * Enforce usage restrictions, see "return BAD_INPUT_DATA" in + * this function's documentation. + * + * These are due to assumptions/limitations in the implementation. Some of + * them are likely to stay (no handshake in progress) some might go away + * (only DTLS) but are currently used to simplify the implementation. + */ + /* The initial handshake must be over */ + if (mbedtls_ssl_is_handshake_over(ssl) == 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - - if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) { - mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n"); - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + if (ssl->handshake != NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + /* Double-check that sub-structures are indeed ready */ + if (ssl->transform == NULL || ssl->session == NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + /* There must be no pending incoming or outgoing data */ + if (mbedtls_ssl_check_pending(ssl) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + if (ssl->out_left != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + /* Protocol must be DTLS, not TLS */ + if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + /* Version must be 1.2 */ + if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + /* We must be using an AEAD ciphersuite */ + if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + /* Renegotiation must not be enabled */ +#if defined(MBEDTLS_SSL_RENEGOTIATION) + if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled")); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } +#endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) { - mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n"); - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* + * Version and format identifier + */ + used += sizeof(ssl_serialized_context_header); + + if (used <= buf_len) { + memcpy(p, ssl_serialized_context_header, + sizeof(ssl_serialized_context_header)); + p += sizeof(ssl_serialized_context_header); } - if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) { - mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n"); - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* + * Session (length + data) + */ + ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len); + if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { + return ret; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ - /* Use the functions here so that they are covered in tests, - * but otherwise access member directly for efficiency */ - mbedtls_ssl_conf_endpoint(conf, endpoint); - mbedtls_ssl_conf_transport(conf, transport); + used += 4 + session_len; + if (used <= buf_len) { + MBEDTLS_PUT_UINT32_BE(session_len, p, 0); + p += 4; + + ret = ssl_session_save(ssl->session, 1, + p, session_len, &session_len); + if (ret != 0) { + return ret; + } + + p += session_len; + } /* - * Things that are common to all presets + * Transform */ -#if defined(MBEDTLS_SSL_CLI_C) - if (endpoint == MBEDTLS_SSL_IS_CLIENT) { - conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; -#endif + used += sizeof(ssl->transform->randbytes); + if (used <= buf_len) { + memcpy(p, ssl->transform->randbytes, + sizeof(ssl->transform->randbytes)); + p += sizeof(ssl->transform->randbytes); } -#endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; -#endif +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len; + if (used <= buf_len) { + *p++ = ssl->transform->in_cid_len; + memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len); + p += ssl->transform->in_cid_len; -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; -#endif + *p++ = ssl->transform->out_cid_len; + memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len); + p += ssl->transform->out_cid_len; + } +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) - conf->f_cookie_write = ssl_cookie_write_dummy; - conf->f_cookie_check = ssl_cookie_check_dummy; -#endif + /* + * Saved fields from top-level ssl_context structure + */ + used += 4; + if (used <= buf_len) { + MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0); + p += 4; + } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; -#endif + used += 16; + if (used <= buf_len) { + MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0); + p += 8; -#if defined(MBEDTLS_SSL_SRV_C) - conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; - conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER; -#endif + MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0); + p += 8; + } +#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; - conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; -#endif - -#if defined(MBEDTLS_SSL_RENEGOTIATION) - conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; - memset(conf->renego_period, 0x00, 2); - memset(conf->renego_period + 2, 0xFF, 6); -#endif - -#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) - if (endpoint == MBEDTLS_SSL_IS_SERVER) { - const unsigned char dhm_p[] = - MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; - const unsigned char dhm_g[] = - MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; + used += 1; + if (used <= buf_len) { + *p++ = ssl->disable_datagram_packing; + } +#endif /* MBEDTLS_SSL_PROTO_DTLS */ - if ((ret = mbedtls_ssl_conf_dh_param_bin(conf, - dhm_p, sizeof(dhm_p), - dhm_g, sizeof(dhm_g))) != 0) { - return ret; - } + used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; + if (used <= buf_len) { + memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN); + p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; } -#endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_PROTO_DTLS) + used += 2; + if (used <= buf_len) { + MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0); + p += 2; + } +#endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_EARLY_DATA) - mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED); -#if defined(MBEDTLS_SSL_SRV_C) - mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE); -#endif -#endif /* MBEDTLS_SSL_EARLY_DATA */ +#if defined(MBEDTLS_SSL_ALPN) + { + const uint8_t alpn_len = ssl->alpn_chosen + ? (uint8_t) strlen(ssl->alpn_chosen) + : 0; -#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_conf_new_session_tickets( - conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS); -#endif - /* - * Allow all TLS 1.3 key exchange modes by default. - */ - conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + used += 1 + alpn_len; + if (used <= buf_len) { + *p++ = alpn_len; - if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; - conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; -#else - return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; -#endif - } else { -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) - conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; - conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) - conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; - conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) - conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; - conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; -#else - return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; -#endif + if (ssl->alpn_chosen != NULL) { + memcpy(p, ssl->alpn_chosen, alpn_len); + p += alpn_len; + } + } } +#endif /* MBEDTLS_SSL_ALPN */ /* - * Preset-specific defaults + * Done */ - switch (preset) { - /* - * NSA Suite B - */ - case MBEDTLS_SSL_PRESET_SUITEB: + *olen = used; - conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites; + if (used > buf_len) { + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } -#if defined(MBEDTLS_X509_CRT_PARSE_C) - conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; -#endif + MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used); -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if (mbedtls_ssl_conf_is_tls12_only(conf)) { - conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs; - } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - conf->sig_algs = ssl_preset_suiteb_sig_algs; -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + return mbedtls_ssl_session_reset_int(ssl, 0); +} -#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - conf->curve_list = NULL; +/* + * Deserialize context, see mbedtls_ssl_context_save() for format. + * + * This internal version is wrapped by a public function that cleans up in + * case of error. + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_context_load(mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len) +{ + const unsigned char *p = buf; + const unsigned char * const end = buf + len; + size_t session_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + tls_prf_fn prf_func = NULL; #endif - conf->group_list = ssl_preset_suiteb_groups; - break; - - /* - * Default - */ - default: - conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites(); + /* + * The context should have been freshly setup or reset. + * Give the user an error in case of obvious misuse. + * (Checking session is useful because it won't be NULL if we're + * renegotiating, or if the user mistakenly loaded a session first.) + */ + if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST || + ssl->session != NULL) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } -#if defined(MBEDTLS_X509_CRT_PARSE_C) - conf->cert_profile = &mbedtls_x509_crt_profile_default; + /* + * We can't check that the config matches the initial one, but we can at + * least check it matches the requirements for serializing. + */ + if ( +#if defined(MBEDTLS_SSL_RENEGOTIATION) + ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED || #endif + ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || + ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 || + ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 + ) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if (mbedtls_ssl_conf_is_tls12_only(conf)) { - conf->sig_algs = ssl_tls12_preset_default_sig_algs; - } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - conf->sig_algs = ssl_preset_default_sig_algs; -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len); -#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - conf->curve_list = NULL; -#endif - conf->group_list = ssl_preset_default_groups; + /* + * Check version identifier + */ + if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } -#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) - conf->dhm_min_bitlen = 1024; -#endif + if (memcmp(p, ssl_serialized_context_header, + sizeof(ssl_serialized_context_header)) != 0) { + return MBEDTLS_ERR_SSL_VERSION_MISMATCH; } + p += sizeof(ssl_serialized_context_header); - return 0; -} + /* + * Session + */ + if ((size_t) (end - p) < 4) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } -/* - * Free mbedtls_ssl_config - */ -void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) -{ -#if defined(MBEDTLS_DHM_C) - mbedtls_mpi_free(&conf->dhm_P); - mbedtls_mpi_free(&conf->dhm_G); -#endif + session_len = MBEDTLS_GET_UINT32_BE(p, 0); + p += 4; -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { - conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - if (conf->psk != NULL) { - mbedtls_zeroize_and_free(conf->psk, conf->psk_len); - conf->psk = NULL; - conf->psk_len = 0; + /* This has been allocated by ssl_handshake_init(), called by + * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ + ssl->session = ssl->session_negotiate; + ssl->session_in = ssl->session; + ssl->session_out = ssl->session; + ssl->session_negotiate = NULL; + + if ((size_t) (end - p) < session_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - if (conf->psk_identity != NULL) { - mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len); - conf->psk_identity = NULL; - conf->psk_identity_len = 0; + ret = ssl_session_load(ssl->session, 1, p, session_len); + if (ret != 0) { + mbedtls_ssl_session_free(ssl->session); + return ret; } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl_key_cert_free(conf->key_cert); -#endif + p += session_len; - mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config)); -} + /* + * Transform + */ -#if defined(MBEDTLS_PK_C) && \ - (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)) -/* - * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX - */ -unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) -{ -#if defined(MBEDTLS_RSA_C) - if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) { - return MBEDTLS_SSL_SIG_RSA; - } -#endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) - if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) { - return MBEDTLS_SSL_SIG_ECDSA; - } + /* This has been allocated by ssl_handshake_init(), called by + * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + ssl->transform = ssl->transform_negotiate; + ssl->transform_in = ssl->transform; + ssl->transform_out = ssl->transform; + ssl->transform_negotiate = NULL; #endif - return MBEDTLS_SSL_SIG_ANON; -} -unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) -{ - switch (type) { - case MBEDTLS_PK_RSA: - return MBEDTLS_SSL_SIG_RSA; - case MBEDTLS_PK_ECDSA: - case MBEDTLS_PK_ECKEY: - return MBEDTLS_SSL_SIG_ECDSA; - default: - return MBEDTLS_SSL_SIG_ANON; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite); + if (prf_func == NULL) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -} -mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) -{ - switch (sig) { -#if defined(MBEDTLS_RSA_C) - case MBEDTLS_SSL_SIG_RSA: - return MBEDTLS_PK_RSA; -#endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) - case MBEDTLS_SSL_SIG_ECDSA: - return MBEDTLS_PK_ECDSA; -#endif - default: - return MBEDTLS_PK_NONE; + /* Read random bytes and populate structure */ + if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -} -#endif /* MBEDTLS_PK_C && - ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */ -/* - * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX - */ -mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash) -{ - switch (hash) { -#if defined(MBEDTLS_MD_CAN_MD5) - case MBEDTLS_SSL_HASH_MD5: - return MBEDTLS_MD_MD5; -#endif -#if defined(MBEDTLS_MD_CAN_SHA1) - case MBEDTLS_SSL_HASH_SHA1: - return MBEDTLS_MD_SHA1; -#endif -#if defined(MBEDTLS_MD_CAN_SHA224) - case MBEDTLS_SSL_HASH_SHA224: - return MBEDTLS_MD_SHA224; -#endif -#if defined(MBEDTLS_MD_CAN_SHA256) - case MBEDTLS_SSL_HASH_SHA256: - return MBEDTLS_MD_SHA256; -#endif -#if defined(MBEDTLS_MD_CAN_SHA384) - case MBEDTLS_SSL_HASH_SHA384: - return MBEDTLS_MD_SHA384; -#endif -#if defined(MBEDTLS_MD_CAN_SHA512) - case MBEDTLS_SSL_HASH_SHA512: - return MBEDTLS_MD_SHA512; -#endif - default: - return MBEDTLS_MD_NONE; + ret = ssl_tls12_populate_transform(ssl->transform, + ssl->session->ciphersuite, + ssl->session->master, +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + ssl->session->encrypt_then_mac, +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + prf_func, + p, /* currently pointing to randbytes */ + MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ + ssl->conf->endpoint, + ssl); + if (ret != 0) { + return ret; } -} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + p += sizeof(ssl->transform->randbytes); -/* - * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX - */ -unsigned char mbedtls_ssl_hash_from_md_alg(int md) -{ - switch (md) { -#if defined(MBEDTLS_MD_CAN_MD5) - case MBEDTLS_MD_MD5: - return MBEDTLS_SSL_HASH_MD5; -#endif -#if defined(MBEDTLS_MD_CAN_SHA1) - case MBEDTLS_MD_SHA1: - return MBEDTLS_SSL_HASH_SHA1; -#endif -#if defined(MBEDTLS_MD_CAN_SHA224) - case MBEDTLS_MD_SHA224: - return MBEDTLS_SSL_HASH_SHA224; -#endif -#if defined(MBEDTLS_MD_CAN_SHA256) - case MBEDTLS_MD_SHA256: - return MBEDTLS_SSL_HASH_SHA256; -#endif -#if defined(MBEDTLS_MD_CAN_SHA384) - case MBEDTLS_MD_SHA384: - return MBEDTLS_SSL_HASH_SHA384; -#endif -#if defined(MBEDTLS_MD_CAN_SHA512) - case MBEDTLS_MD_SHA512: - return MBEDTLS_SSL_HASH_SHA512; -#endif - default: - return MBEDTLS_SSL_HASH_NONE; +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + /* Read connection IDs and store them */ + if ((size_t) (end - p) < 1) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -} - -/* - * Check if a curve proposed by the peer is in our list. - * Return 0 if we're willing to use it, -1 otherwise. - */ -int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id) -{ - const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); - if (group_list == NULL) { - return -1; - } + ssl->transform->in_cid_len = *p++; - for (; *group_list != 0; group_list++) { - if (*group_list == tls_id) { - return 0; - } + if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return -1; -} + memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len); + p += ssl->transform->in_cid_len; -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) -/* - * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id. - */ -int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id) -{ - uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); + ssl->transform->out_cid_len = *p++; - if (tls_id == 0) { - return -1; + if ((size_t) (end - p) < ssl->transform->out_cid_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return mbedtls_ssl_check_curve_tls_id(ssl, tls_id); -} -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ - -static const struct { - uint16_t tls_id; - mbedtls_ecp_group_id ecp_group_id; - psa_ecc_family_t psa_family; - uint16_t bits; -} tls_id_match_table[] = -{ -#if defined(MBEDTLS_ECP_HAVE_SECP521R1) - { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_BP512R1) - { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP384R1) - { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_BP384R1) - { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP256R1) - { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP256K1) - { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_BP256R1) - { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP224R1) - { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP224K1) - { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP192R1) - { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_SECP192K1) - { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_CURVE25519) - { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 }, -#endif -#if defined(MBEDTLS_ECP_HAVE_CURVE448) - { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 }, -#endif - { 0, MBEDTLS_ECP_DP_NONE, 0, 0 }, -}; + memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len); + p += ssl->transform->out_cid_len; +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, - psa_key_type_t *type, - size_t *bits) -{ - for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { - if (tls_id_match_table[i].tls_id == tls_id) { - if (type != NULL) { - *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family); - } - if (bits != NULL) { - *bits = tls_id_match_table[i].bits; - } - return PSA_SUCCESS; - } + /* + * Saved fields from top-level ssl_context structure + */ + if ((size_t) (end - p) < 4) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return PSA_ERROR_NOT_SUPPORTED; -} + ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0); + p += 4; -mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id) -{ - for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { - if (tls_id_match_table[i].tls_id == tls_id) { - return tls_id_match_table[i].ecp_group_id; - } +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) + if ((size_t) (end - p) < 16) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return MBEDTLS_ECP_DP_NONE; -} + ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; -uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id) -{ - for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE; - i++) { - if (tls_id_match_table[i].ecp_group_id == grp_id) { - return tls_id_match_table[i].tls_id; - } + ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0); + p += 8; +#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if ((size_t) (end - p) < 1) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return 0; -} + ssl->disable_datagram_packing = *p++; +#endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_DEBUG_C) -static const struct { - uint16_t tls_id; - const char *name; -} tls_id_curve_name_table[] = -{ - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, - { 0, NULL }, -}; + if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr)); + p += sizeof(ssl->cur_out_ctr); -const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) -{ - for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) { - if (tls_id_curve_name_table[i].tls_id == tls_id) { - return tls_id_curve_name_table[i].name; - } +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if ((size_t) (end - p) < 2) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return NULL; -} -#endif + ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; +#endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) -int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, - const mbedtls_ssl_ciphersuite_t *ciphersuite, - int cert_endpoint, - uint32_t *flags) -{ - int ret = 0; - unsigned int usage = 0; - const char *ext_oid; - size_t ext_len; +#if defined(MBEDTLS_SSL_ALPN) + { + uint8_t alpn_len; + const char **cur; - if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { - /* Server part of the key exchange */ - switch (ciphersuite->key_exchange) { - case MBEDTLS_KEY_EXCHANGE_RSA: - case MBEDTLS_KEY_EXCHANGE_RSA_PSK: - usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; - break; + if ((size_t) (end - p) < 1) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - case MBEDTLS_KEY_EXCHANGE_DHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; - break; + alpn_len = *p++; - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - usage = MBEDTLS_X509_KU_KEY_AGREEMENT; - break; + if (alpn_len != 0 && ssl->conf->alpn_list != NULL) { + /* alpn_chosen should point to an item in the configured list */ + for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { + if (strlen(*cur) == alpn_len && + memcmp(p, cur, alpn_len) == 0) { + ssl->alpn_chosen = *cur; + break; + } + } + } - /* Don't use default: we want warnings when adding new values */ - case MBEDTLS_KEY_EXCHANGE_NONE: - case MBEDTLS_KEY_EXCHANGE_PSK: - case MBEDTLS_KEY_EXCHANGE_DHE_PSK: - case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: - case MBEDTLS_KEY_EXCHANGE_ECJPAKE: - usage = 0; + /* can only happen on conf mismatch */ + if (alpn_len != 0 && ssl->alpn_chosen == NULL) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - } else { - /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ - usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; + + p += alpn_len; } +#endif /* MBEDTLS_SSL_ALPN */ - if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { - *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; - ret = -1; + /* + * Forced fields from top-level ssl_context structure + * + * Most of them already set to the correct value by mbedtls_ssl_init() and + * mbedtls_ssl_reset(), so we only need to set the remaining ones. + */ + ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; + ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; + + /* Adjust pointers for header fields of outgoing records to + * the given transform, accounting for explicit IV and CID. */ + mbedtls_ssl_update_out_pointers(ssl, ssl->transform); + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + ssl->in_epoch = 1; +#endif + + /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated, + * which we don't want - otherwise we'd end up freeing the wrong transform + * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform() + * inappropriately. */ + if (ssl->handshake != NULL) { + mbedtls_ssl_handshake_free(ssl); + mbedtls_free(ssl->handshake); + ssl->handshake = NULL; } - if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { - ext_oid = MBEDTLS_OID_SERVER_AUTH; - ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); - } else { - ext_oid = MBEDTLS_OID_CLIENT_AUTH; - ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); + /* + * Done - should have consumed entire buffer + */ + if (p != end) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { - *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; - ret = -1; + return 0; +} + +/* + * Deserialize context: public wrapper for error cleaning + */ +int mbedtls_ssl_context_load(mbedtls_ssl_context *context, + const unsigned char *buf, + size_t len) +{ + int ret = ssl_context_load(context, buf, len); + + if (ret != 0) { + mbedtls_ssl_free(context); } return ret; } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) -int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, - const mbedtls_md_type_t md, - unsigned char *dst, - size_t dst_len, - size_t *olen) +/* + * Free an SSL context + */ +void mbedtls_ssl_free(mbedtls_ssl_context *ssl) { - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_hash_operation_t *hash_operation_to_clone; - psa_hash_operation_t hash_operation = psa_hash_operation_init(); + if (ssl == NULL) { + return; + } - *olen = 0; + MBEDTLS_SSL_DEBUG_MSG(2, ("=> free")); - switch (md) { -#if defined(MBEDTLS_MD_CAN_SHA384) - case MBEDTLS_MD_SHA384: - hash_operation_to_clone = &ssl->handshake->fin_sha384_psa; - break; + if (ssl->out_buf != NULL) { +#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) + size_t out_buf_len = ssl->out_buf_len; +#else + size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; #endif -#if defined(MBEDTLS_MD_CAN_SHA256) - case MBEDTLS_MD_SHA256: - hash_operation_to_clone = &ssl->handshake->fin_sha256_psa; - break; + mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len); + ssl->out_buf = NULL; + } + + if (ssl->in_buf != NULL) { +#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) + size_t in_buf_len = ssl->in_buf_len; +#else + size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; #endif - default: - goto exit; + mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len); + ssl->in_buf = NULL; } - status = psa_hash_clone(hash_operation_to_clone, &hash_operation); - if (status != PSA_SUCCESS) { - goto exit; + if (ssl->transform) { + mbedtls_ssl_transform_free(ssl->transform); + mbedtls_free(ssl->transform); } - status = psa_hash_finish(&hash_operation, dst, dst_len, olen); - if (status != PSA_SUCCESS) { - goto exit; - } + if (ssl->handshake) { + mbedtls_ssl_handshake_free(ssl); + mbedtls_free(ssl->handshake); -exit: -#if !defined(MBEDTLS_MD_CAN_SHA384) && \ - !defined(MBEDTLS_MD_CAN_SHA256) - (void) ssl; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + mbedtls_ssl_transform_free(ssl->transform_negotiate); + mbedtls_free(ssl->transform_negotiate); #endif - return PSA_TO_MBEDTLS_ERR(status); -} -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_MD_CAN_SHA384) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl, - unsigned char *dst, - size_t dst_len, - size_t *olen) -{ - int ret; - mbedtls_md_context_t sha384; - - if (dst_len < 48) { - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + mbedtls_ssl_session_free(ssl->session_negotiate); + mbedtls_free(ssl->session_negotiate); } - mbedtls_md_init(&sha384); - ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); - if (ret != 0) { - goto exit; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_transform_free(ssl->transform_application); + mbedtls_free(ssl->transform_application); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + + if (ssl->session) { + mbedtls_ssl_session_free(ssl->session); + mbedtls_free(ssl->session); } - if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); - goto exit; +#if defined(MBEDTLS_X509_CRT_PARSE_C) + if (ssl->hostname != NULL) { + mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); } +#endif - *olen = 48; +#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) + mbedtls_free(ssl->cli_id); +#endif -exit: + MBEDTLS_SSL_DEBUG_MSG(2, ("<= free")); - mbedtls_md_free(&sha384); - return ret; + /* Actually clear after last debug message */ + mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context)); } -#endif /* MBEDTLS_MD_CAN_SHA384 */ -#if defined(MBEDTLS_MD_CAN_SHA256) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl, - unsigned char *dst, - size_t dst_len, - size_t *olen) +/* + * Initialize mbedtls_ssl_config + */ +void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) { - int ret; - mbedtls_md_context_t sha256; - - if (dst_len < 32) { - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } + memset(conf, 0, sizeof(mbedtls_ssl_config)); +} - mbedtls_md_init(&sha256); - ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); - if (ret != 0) { - goto exit; - } +/* The selection should be the same as mbedtls_x509_crt_profile_default in + * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: + * curves with a lower resource usage come first. + * See the documentation of mbedtls_ssl_conf_curves() for what we promise + * about this list. + */ +static const uint16_t ssl_preset_default_groups[] = { +#if defined(MBEDTLS_ECP_HAVE_CURVE25519) + MBEDTLS_SSL_IANA_TLS_GROUP_X25519, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP256R1) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP384R1) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, +#endif +#if defined(MBEDTLS_ECP_HAVE_CURVE448) + MBEDTLS_SSL_IANA_TLS_GROUP_X448, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP521R1) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, +#endif +#if defined(MBEDTLS_ECP_HAVE_BP256R1) + MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, +#endif +#if defined(MBEDTLS_ECP_HAVE_BP384R1) + MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, +#endif +#if defined(MBEDTLS_ECP_HAVE_BP512R1) + MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, +#endif +#if defined(PSA_WANT_ALG_FFDH) + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, + MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, +#endif + MBEDTLS_SSL_IANA_TLS_GROUP_NONE +}; - if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); - goto exit; - } +static const int ssl_preset_suiteb_ciphersuites[] = { + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + 0 +}; - *olen = 32; +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -exit: +/* NOTICE: + * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following + * rules SHOULD be upheld. + * - No duplicate entries. + * - But if there is a good reason, do not change the order of the algorithms. + * - ssl_tls12_preset* is for TLS 1.2 use only. + * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. + */ +static const uint16_t ssl_preset_default_sig_algs[] = { - mbedtls_md_free(&sha256); - return ret; -} -#endif /* MBEDTLS_MD_CAN_SHA256 */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ + defined(MBEDTLS_MD_CAN_SHA256) && \ + defined(PSA_WANT_ECC_SECP_R1_256) + MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, + // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) +#endif -int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, - const mbedtls_md_type_t md, - unsigned char *dst, - size_t dst_len, - size_t *olen) -{ - switch (md) { +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ + defined(MBEDTLS_MD_CAN_SHA384) && \ + defined(PSA_WANT_ECC_SECP_R1_384) + MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, + // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) +#endif -#if defined(MBEDTLS_MD_CAN_SHA384) - case MBEDTLS_MD_SHA384: - return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen); -#endif /* MBEDTLS_MD_CAN_SHA384*/ +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ + defined(MBEDTLS_MD_CAN_SHA512) && \ + defined(PSA_WANT_ECC_SECP_R1_521) + MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, + // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512) +#endif -#if defined(MBEDTLS_MD_CAN_SHA256) - case MBEDTLS_MD_SHA256: - return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen); -#endif /* MBEDTLS_MD_CAN_SHA256*/ +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, +#endif - default: -#if !defined(MBEDTLS_MD_CAN_SHA384) && \ - !defined(MBEDTLS_MD_CAN_SHA256) - (void) ssl; - (void) dst; - (void) dst_len; - (void) olen; +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, #endif - break; - } - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; -} -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, +#endif -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -/* mbedtls_ssl_parse_sig_alg_ext() - * - * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` - * value (TLS 1.3 RFC8446): - * enum { - * .... - * ecdsa_secp256r1_sha256( 0x0403 ), - * ecdsa_secp384r1_sha384( 0x0503 ), - * ecdsa_secp521r1_sha512( 0x0603 ), - * .... - * } SignatureScheme; - * - * struct { - * SignatureScheme supported_signature_algorithms<2..2^16-2>; - * } SignatureSchemeList; - * - * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` - * value (TLS 1.2 RFC5246): - * enum { - * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), - * sha512(6), (255) - * } HashAlgorithm; - * - * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } - * SignatureAlgorithm; - * - * struct { - * HashAlgorithm hash; - * SignatureAlgorithm signature; - * } SignatureAndHashAlgorithm; - * - * SignatureAndHashAlgorithm - * supported_signature_algorithms<2..2^16-2>; - * - * The TLS 1.3 signature algorithm extension was defined to be a compatible - * generalization of the TLS 1.2 signature algorithm extension. - * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by - * `SignatureScheme` field of TLS 1.3 - * - */ -int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - const unsigned char *end) -{ - const unsigned char *p = buf; - size_t supported_sig_algs_len = 0; - const unsigned char *supported_sig_algs_end; - uint16_t sig_alg; - uint32_t common_idx = 0; +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512) + MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, +#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */ - MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); - supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384) + MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, +#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */ - memset(ssl->handshake->received_sig_algs, 0, - sizeof(ssl->handshake->received_sig_algs)); +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) + MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, +#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */ - MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len); - supported_sig_algs_end = p + supported_sig_algs_len; - while (p < supported_sig_algs_end) { - MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2); - sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); - p += 2; - MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s", - sig_alg, - mbedtls_ssl_sig_alg_to_str(sig_alg))); + MBEDTLS_TLS_SIG_NONE +}; + +/* NOTICE: see above */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && - (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) && - mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) { - continue; - } -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +static uint16_t ssl_tls12_preset_default_sig_algs[] = { - MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s", - mbedtls_ssl_sig_alg_to_str(sig_alg))); +#if defined(MBEDTLS_MD_CAN_SHA512) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512), +#endif +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, +#endif +#if defined(MBEDTLS_RSA_C) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), +#endif +#endif /* MBEDTLS_MD_CAN_SHA512 */ - if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) { - ssl->handshake->received_sig_algs[common_idx] = sig_alg; - common_idx += 1; - } - } - /* Check that we consumed all the message. */ - if (p != end) { - MBEDTLS_SSL_DEBUG_MSG(1, - ("Signature algorithms extension length misaligned")); - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR); - return MBEDTLS_ERR_SSL_DECODE_ERROR; - } +#if defined(MBEDTLS_MD_CAN_SHA384) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), +#endif +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, +#endif +#if defined(MBEDTLS_RSA_C) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), +#endif +#endif /* MBEDTLS_MD_CAN_SHA384 */ - if (common_idx == 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common")); - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); - return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - } +#if defined(MBEDTLS_MD_CAN_SHA256) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), +#endif +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, +#endif +#if defined(MBEDTLS_RSA_C) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), +#endif +#endif /* MBEDTLS_MD_CAN_SHA256 */ - ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE; - return 0; -} + MBEDTLS_TLS_SIG_NONE +}; +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +/* NOTICE: see above */ +static const uint16_t ssl_preset_suiteb_sig_algs[] = { + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ + defined(MBEDTLS_MD_CAN_SHA256) && \ + defined(MBEDTLS_ECP_HAVE_SECP256R1) + MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, + // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) +#endif + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ + defined(MBEDTLS_MD_CAN_SHA384) && \ + defined(MBEDTLS_ECP_HAVE_SECP384R1) + MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, + // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) +#endif + + MBEDTLS_TLS_SIG_NONE +}; +/* NOTICE: see above */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) +static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_MD_CAN_SHA256) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), +#endif +#endif /* MBEDTLS_MD_CAN_SHA256 */ -static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation, - mbedtls_svc_key_id_t key, - psa_algorithm_t alg, - const unsigned char *raw_psk, size_t raw_psk_length, - const unsigned char *seed, size_t seed_length, - const unsigned char *label, size_t label_length, - const unsigned char *other_secret, - size_t other_secret_length, - size_t capacity) -{ - psa_status_t status; +#if defined(MBEDTLS_MD_CAN_SHA384) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) + MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), +#endif +#endif /* MBEDTLS_MD_CAN_SHA384 */ - status = psa_key_derivation_setup(derivation, alg); - if (status != PSA_SUCCESS) { - return status; - } + MBEDTLS_TLS_SIG_NONE +}; +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { - status = psa_key_derivation_input_bytes(derivation, - PSA_KEY_DERIVATION_INPUT_SEED, - seed, seed_length); - if (status != PSA_SUCCESS) { - return status; - } +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ - if (other_secret != NULL) { - status = psa_key_derivation_input_bytes(derivation, - PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, - other_secret, other_secret_length); - if (status != PSA_SUCCESS) { - return status; - } - } +static const uint16_t ssl_preset_suiteb_groups[] = { +#if defined(MBEDTLS_ECP_HAVE_SECP256R1) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP384R1) + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, +#endif + MBEDTLS_SSL_IANA_TLS_GROUP_NONE +}; - if (mbedtls_svc_key_id_is_null(key)) { - status = psa_key_derivation_input_bytes( - derivation, PSA_KEY_DERIVATION_INPUT_SECRET, - raw_psk, raw_psk_length); - } else { - status = psa_key_derivation_input_key( - derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key); - } - if (status != PSA_SUCCESS) { - return status; - } +#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` + * to make sure there are no duplicated signature algorithm entries. */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs) +{ + size_t i, j; + int ret = 0; - status = psa_key_derivation_input_bytes(derivation, - PSA_KEY_DERIVATION_INPUT_LABEL, - label, label_length); - if (status != PSA_SUCCESS) { - return status; + for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { + for (j = 0; j < i; j++) { + if (sig_algs[i] != sig_algs[j]) { + continue; + } + mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET + ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n", + sig_algs[i], j, i); + ret = -1; } - } else { - return PSA_ERROR_NOT_SUPPORTED; - } - - status = psa_key_derivation_set_capacity(derivation, capacity); - if (status != PSA_SUCCESS) { - return status; } - - return PSA_SUCCESS; + return ret; } -#if defined(PSA_WANT_ALG_SHA_384) || \ - defined(PSA_WANT_ALG_SHA_256) -MBEDTLS_CHECK_RETURN_CRITICAL -static int tls_prf_generic(mbedtls_md_type_t md_type, - const unsigned char *secret, size_t slen, - const char *label, - const unsigned char *random, size_t rlen, - unsigned char *dstbuf, size_t dlen) +#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + +/* + * Load default in mbedtls_ssl_config + */ +int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, + int endpoint, int transport, int preset) { - psa_status_t status; - psa_algorithm_t alg; - mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_derivation_operation_t derivation = - PSA_KEY_DERIVATION_OPERATION_INIT; +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif - if (md_type == MBEDTLS_MD_SHA384) { - alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); - } else { - alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); +#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) + if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) { + mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n"); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } - /* Normally a "secret" should be long enough to be impossible to - * find by brute force, and in particular should not be empty. But - * this PRF is also used to derive an IV, in particular in EAP-TLS, - * and for this use case it makes sense to have a 0-length "secret". - * Since the key API doesn't allow importing a key of length 0, - * keep master_key=0, which setup_psa_key_derivation() understands - * to mean a 0-length "secret" input. */ - if (slen != 0) { - psa_key_attributes_t key_attributes = psa_key_attributes_init(); - psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&key_attributes, alg); - psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); + if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) { + mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n"); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } - status = psa_import_key(&key_attributes, secret, slen, &master_key); - if (status != PSA_SUCCESS) { - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) { + mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n"); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } - status = setup_psa_key_derivation(&derivation, - master_key, alg, - NULL, 0, - random, rlen, - (unsigned char const *) label, - (size_t) strlen(label), - NULL, 0, - dlen); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(&derivation); - psa_destroy_key(master_key); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) { + mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n"); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ - status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(&derivation); - psa_destroy_key(master_key); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } + /* Use the functions here so that they are covered in tests, + * but otherwise access member directly for efficiency */ + mbedtls_ssl_conf_endpoint(conf, endpoint); + mbedtls_ssl_conf_transport(conf, transport); - status = psa_key_derivation_abort(&derivation); - if (status != PSA_SUCCESS) { - psa_destroy_key(master_key); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + /* + * Things that are common to all presets + */ +#if defined(MBEDTLS_SSL_CLI_C) + if (endpoint == MBEDTLS_SSL_IS_CLIENT) { + conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; +#endif } +#endif - if (!mbedtls_svc_key_id_is_null(master_key)) { - status = psa_destroy_key(master_key); - } - if (status != PSA_SUCCESS) { - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; +#endif - return 0; -} -#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */ -#else /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; +#endif -#if defined(MBEDTLS_MD_C) && \ - (defined(MBEDTLS_MD_CAN_SHA256) || \ - defined(MBEDTLS_MD_CAN_SHA384)) -MBEDTLS_CHECK_RETURN_CRITICAL -static int tls_prf_generic(mbedtls_md_type_t md_type, - const unsigned char *secret, size_t slen, - const char *label, - const unsigned char *random, size_t rlen, - unsigned char *dstbuf, size_t dlen) -{ - size_t nb; - size_t i, j, k, md_len; - unsigned char *tmp; - size_t tmp_len = 0; - unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) + conf->f_cookie_write = ssl_cookie_write_dummy; + conf->f_cookie_check = ssl_cookie_check_dummy; +#endif - mbedtls_md_init(&md_ctx); +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) + conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; +#endif - if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) { - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } +#if defined(MBEDTLS_SSL_SRV_C) + conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; + conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER; +#endif - md_len = mbedtls_md_get_size(md_info); +#if defined(MBEDTLS_SSL_PROTO_DTLS) + conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; + conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; +#endif - tmp_len = md_len + strlen(label) + rlen; - tmp = mbedtls_calloc(1, tmp_len); - if (tmp == NULL) { - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto exit; +#if defined(MBEDTLS_SSL_RENEGOTIATION) + conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; + memset(conf->renego_period, 0x00, 2); + memset(conf->renego_period + 2, 0xFF, 6); +#endif + +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) + if (endpoint == MBEDTLS_SSL_IS_SERVER) { + const unsigned char dhm_p[] = + MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; + const unsigned char dhm_g[] = + MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; + + if ((ret = mbedtls_ssl_conf_dh_param_bin(conf, + dhm_p, sizeof(dhm_p), + dhm_g, sizeof(dhm_g))) != 0) { + return ret; + } } +#endif - nb = strlen(label); - memcpy(tmp + md_len, label, nb); - memcpy(tmp + md_len + nb, random, rlen); - nb += rlen; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED); +#if defined(MBEDTLS_SSL_SRV_C) + mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE); +#endif +#endif /* MBEDTLS_SSL_EARLY_DATA */ +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_conf_new_session_tickets( + conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS); +#endif /* - * Compute P_(secret, label + random)[0..dlen] + * Allow all TLS 1.3 key exchange modes by default. */ - if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) { - goto exit; - } + conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_hmac_finish(&md_ctx, tmp); - if (ret != 0) { - goto exit; + if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; + conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; +#else + return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; +#endif + } else { +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) + conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; + conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) + conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; + conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; +#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) + conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; + conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; +#else + return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; +#endif } - for (i = 0; i < dlen; i += md_len) { - ret = mbedtls_md_hmac_reset(&md_ctx); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_hmac_finish(&md_ctx, h_i); - if (ret != 0) { - goto exit; - } + /* + * Preset-specific defaults + */ + switch (preset) { + /* + * NSA Suite B + */ + case MBEDTLS_SSL_PRESET_SUITEB: - ret = mbedtls_md_hmac_reset(&md_ctx); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_hmac_finish(&md_ctx, tmp); - if (ret != 0) { - goto exit; - } + conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites; - k = (i + md_len > dlen) ? dlen % md_len : md_len; +#if defined(MBEDTLS_X509_CRT_PARSE_C) + conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; +#endif - for (j = 0; j < k; j++) { - dstbuf[i + j] = h_i[j]; - } - } +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if (mbedtls_ssl_conf_is_tls12_only(conf)) { + conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs; + } else +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + conf->sig_algs = ssl_preset_suiteb_sig_algs; +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -exit: - mbedtls_md_free(&md_ctx); +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) + conf->curve_list = NULL; +#endif + conf->group_list = ssl_preset_suiteb_groups; + break; - if (tmp != NULL) { - mbedtls_platform_zeroize(tmp, tmp_len); - } + /* + * Default + */ + default: - mbedtls_platform_zeroize(h_i, sizeof(h_i)); + conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites(); - mbedtls_free(tmp); +#if defined(MBEDTLS_X509_CRT_PARSE_C) + conf->cert_profile = &mbedtls_x509_crt_profile_default; +#endif - return ret; -} -#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if (mbedtls_ssl_conf_is_tls12_only(conf)) { + conf->sig_algs = ssl_tls12_preset_default_sig_algs; + } else +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + conf->sig_algs = ssl_preset_default_sig_algs; +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_MD_CAN_SHA256) -MBEDTLS_CHECK_RETURN_CRITICAL -static int tls_prf_sha256(const unsigned char *secret, size_t slen, - const char *label, - const unsigned char *random, size_t rlen, - unsigned char *dstbuf, size_t dlen) -{ - return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen, - label, random, rlen, dstbuf, dlen); -} -#endif /* MBEDTLS_MD_CAN_SHA256*/ +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) + conf->curve_list = NULL; +#endif + conf->group_list = ssl_preset_default_groups; -#if defined(MBEDTLS_MD_CAN_SHA384) -MBEDTLS_CHECK_RETURN_CRITICAL -static int tls_prf_sha384(const unsigned char *secret, size_t slen, - const char *label, - const unsigned char *random, size_t rlen, - unsigned char *dstbuf, size_t dlen) -{ - return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen, - label, random, rlen, dstbuf, dlen); +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) + conf->dhm_min_bitlen = 1024; +#endif + } + + return 0; } -#endif /* MBEDTLS_MD_CAN_SHA384*/ /* - * Set appropriate PRF function and other SSL / TLS1.2 functions - * - * Inputs: - * - hash associated with the ciphersuite (only used by TLS 1.2) - * - * Outputs: - * - the tls_prf, calc_verify and calc_finished members of handshake structure + * Free mbedtls_ssl_config */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake, - mbedtls_md_type_t hash) +void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) { -#if defined(MBEDTLS_MD_CAN_SHA384) - if (hash == MBEDTLS_MD_SHA384) { - handshake->tls_prf = tls_prf_sha384; - handshake->calc_verify = ssl_calc_verify_tls_sha384; - handshake->calc_finished = ssl_calc_finished_tls_sha384; - } else +#if defined(MBEDTLS_DHM_C) + mbedtls_mpi_free(&conf->dhm_P); + mbedtls_mpi_free(&conf->dhm_G); #endif -#if defined(MBEDTLS_MD_CAN_SHA256) - { - (void) hash; - handshake->tls_prf = tls_prf_sha256; - handshake->calc_verify = ssl_calc_verify_tls_sha256; - handshake->calc_finished = ssl_calc_finished_tls_sha256; + +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { + conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } -#else - { - (void) handshake; - (void) hash; - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if (conf->psk != NULL) { + mbedtls_zeroize_and_free(conf->psk, conf->psk_len); + conf->psk = NULL; + conf->psk_len = 0; } + + if (conf->psk_identity != NULL) { + mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len); + conf->psk_identity = NULL; + conf->psk_identity_len = 0; + } +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + ssl_key_cert_free(conf->key_cert); #endif - return 0; + mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config)); } +#if defined(MBEDTLS_PK_C) && \ + (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)) /* - * Compute master secret if needed - * - * Parameters: - * [in/out] handshake - * [in] resume, premaster, extended_ms, calc_verify, tls_prf - * (PSA-PSK) ciphersuite_info, psk_opaque - * [out] premaster (cleared) - * [out] master - * [in] ssl: optionally used for debugging, EMS and PSA-PSK - * debug: conf->f_dbg, conf->p_dbg - * EMS: passed to calc_verify (debug + session_negotiate) - * PSA-PSA: conf + * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, - unsigned char *master, - const mbedtls_ssl_context *ssl) +unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - /* cf. RFC 5246, Section 8.1: - * "The master secret is always exactly 48 bytes in length." */ - size_t const master_secret_len = 48; - -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - unsigned char session_hash[48]; -#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ - - /* The label for the KDF used for key expansion. - * This is either "master secret" or "extended master secret" - * depending on whether the Extended Master Secret extension - * is used. */ - char const *lbl = "master secret"; - - /* The seed for the KDF used for key expansion. - * - If the Extended Master Secret extension is not used, - * this is ClientHello.Random + ServerHello.Random - * (see Sect. 8.1 in RFC 5246). - * - If the Extended Master Secret extension is used, - * this is the transcript of the handshake so far. - * (see Sect. 4 in RFC 7627). */ - unsigned char const *seed = handshake->randbytes; - size_t seed_len = 64; - -#if !defined(MBEDTLS_DEBUG_C) && \ - !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ - !(defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)) - ssl = NULL; /* make sure we don't use it except for those cases */ - (void) ssl; +#if defined(MBEDTLS_RSA_C) + if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) { + return MBEDTLS_SSL_SIG_RSA; + } #endif - - if (handshake->resume != 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)")); - return 0; +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) + if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) { + return MBEDTLS_SSL_SIG_ECDSA; } +#endif + return MBEDTLS_SSL_SIG_ANON; +} -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { - lbl = "extended master secret"; - seed = session_hash; - ret = handshake->calc_verify(ssl, session_hash, &seed_len); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); - } - - MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret", - session_hash, seed_len); +unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) +{ + switch (type) { + case MBEDTLS_PK_RSA: + return MBEDTLS_SSL_SIG_RSA; + case MBEDTLS_PK_ECDSA: + case MBEDTLS_PK_ECKEY: + return MBEDTLS_SSL_SIG_ECDSA; + default: + return MBEDTLS_SSL_SIG_ANON; } -#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ - -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) { - /* Perform PSK-to-MS expansion in a single step. */ - psa_status_t status; - psa_algorithm_t alg; - mbedtls_svc_key_id_t psk; - psa_key_derivation_operation_t derivation = - PSA_KEY_DERIVATION_OPERATION_INIT; - mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; - - MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion")); - - psk = mbedtls_ssl_get_opaque_psk(ssl); - - if (hash_alg == MBEDTLS_MD_SHA384) { - alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); - } else { - alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); - } +} - size_t other_secret_len = 0; - unsigned char *other_secret = NULL; +mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) +{ + switch (sig) { +#if defined(MBEDTLS_RSA_C) + case MBEDTLS_SSL_SIG_RSA: + return MBEDTLS_PK_RSA; +#endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) + case MBEDTLS_SSL_SIG_ECDSA: + return MBEDTLS_PK_ECDSA; +#endif + default: + return MBEDTLS_PK_NONE; + } +} +#endif /* MBEDTLS_PK_C && + ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */ - switch (handshake->ciphersuite_info->key_exchange) { - /* Provide other secret. - * Other secret is stored in premaster, where first 2 bytes hold the - * length of the other key. - */ - case MBEDTLS_KEY_EXCHANGE_RSA_PSK: - /* For RSA-PSK other key length is always 48 bytes. */ - other_secret_len = 48; - other_secret = handshake->premaster + 2; - break; - case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: - case MBEDTLS_KEY_EXCHANGE_DHE_PSK: - other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0); - other_secret = handshake->premaster + 2; - break; - default: - break; - } +/* + * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX + */ +mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash) +{ + switch (hash) { +#if defined(MBEDTLS_MD_CAN_MD5) + case MBEDTLS_SSL_HASH_MD5: + return MBEDTLS_MD_MD5; +#endif +#if defined(MBEDTLS_MD_CAN_SHA1) + case MBEDTLS_SSL_HASH_SHA1: + return MBEDTLS_MD_SHA1; +#endif +#if defined(MBEDTLS_MD_CAN_SHA224) + case MBEDTLS_SSL_HASH_SHA224: + return MBEDTLS_MD_SHA224; +#endif +#if defined(MBEDTLS_MD_CAN_SHA256) + case MBEDTLS_SSL_HASH_SHA256: + return MBEDTLS_MD_SHA256; +#endif +#if defined(MBEDTLS_MD_CAN_SHA384) + case MBEDTLS_SSL_HASH_SHA384: + return MBEDTLS_MD_SHA384; +#endif +#if defined(MBEDTLS_MD_CAN_SHA512) + case MBEDTLS_SSL_HASH_SHA512: + return MBEDTLS_MD_SHA512; +#endif + default: + return MBEDTLS_MD_NONE; + } +} - status = setup_psa_key_derivation(&derivation, psk, alg, - ssl->conf->psk, ssl->conf->psk_len, - seed, seed_len, - (unsigned char const *) lbl, - (size_t) strlen(lbl), - other_secret, other_secret_len, - master_secret_len); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(&derivation); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } +/* + * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX + */ +unsigned char mbedtls_ssl_hash_from_md_alg(int md) +{ + switch (md) { +#if defined(MBEDTLS_MD_CAN_MD5) + case MBEDTLS_MD_MD5: + return MBEDTLS_SSL_HASH_MD5; +#endif +#if defined(MBEDTLS_MD_CAN_SHA1) + case MBEDTLS_MD_SHA1: + return MBEDTLS_SSL_HASH_SHA1; +#endif +#if defined(MBEDTLS_MD_CAN_SHA224) + case MBEDTLS_MD_SHA224: + return MBEDTLS_SSL_HASH_SHA224; +#endif +#if defined(MBEDTLS_MD_CAN_SHA256) + case MBEDTLS_MD_SHA256: + return MBEDTLS_SSL_HASH_SHA256; +#endif +#if defined(MBEDTLS_MD_CAN_SHA384) + case MBEDTLS_MD_SHA384: + return MBEDTLS_SSL_HASH_SHA384; +#endif +#if defined(MBEDTLS_MD_CAN_SHA512) + case MBEDTLS_MD_SHA512: + return MBEDTLS_SSL_HASH_SHA512; +#endif + default: + return MBEDTLS_SSL_HASH_NONE; + } +} - status = psa_key_derivation_output_bytes(&derivation, - master, - master_secret_len); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(&derivation); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } +/* + * Check if a curve proposed by the peer is in our list. + * Return 0 if we're willing to use it, -1 otherwise. + */ +int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id) +{ + const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); - status = psa_key_derivation_abort(&derivation); - if (status != PSA_SUCCESS) { - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } - } else -#endif - { -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { - psa_status_t status; - psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; - psa_key_derivation_operation_t derivation = - PSA_KEY_DERIVATION_OPERATION_INIT; + if (group_list == NULL) { + return -1; + } - MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE")); + for (; *group_list != 0; group_list++) { + if (*group_list == tls_id) { + return 0; + } + } - handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; + return -1; +} - status = psa_key_derivation_setup(&derivation, alg); - if (status != PSA_SUCCESS) { - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) +/* + * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id. + */ +int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id) +{ + uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); - status = psa_key_derivation_set_capacity(&derivation, - PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(&derivation); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } + if (tls_id == 0) { + return -1; + } - status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, - &derivation); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(&derivation); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } + return mbedtls_ssl_check_curve_tls_id(ssl, tls_id); +} +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ - status = psa_key_derivation_output_bytes(&derivation, - handshake->premaster, - handshake->pmslen); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(&derivation); - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - } +static const struct { + uint16_t tls_id; + mbedtls_ecp_group_id ecp_group_id; + psa_ecc_family_t psa_family; + uint16_t bits; +} tls_id_match_table[] = +{ +#if defined(MBEDTLS_ECP_HAVE_SECP521R1) + { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_BP512R1) + { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP384R1) + { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_BP384R1) + { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP256R1) + { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP256K1) + { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_BP256R1) + { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP224R1) + { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP224K1) + { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP192R1) + { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_SECP192K1) + { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_CURVE25519) + { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 }, +#endif +#if defined(MBEDTLS_ECP_HAVE_CURVE448) + { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 }, +#endif + { 0, MBEDTLS_ECP_DP_NONE, 0, 0 }, +}; - status = psa_key_derivation_abort(&derivation); - if (status != PSA_SUCCESS) { - return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; +int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, + psa_key_type_t *type, + size_t *bits) +{ + for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { + if (tls_id_match_table[i].tls_id == tls_id) { + if (type != NULL) { + *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family); + } + if (bits != NULL) { + *bits = tls_id_match_table[i].bits; } + return PSA_SUCCESS; } -#endif - ret = handshake->tls_prf(handshake->premaster, handshake->pmslen, - lbl, seed, seed_len, - master, - master_secret_len); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); - return ret; + } + + return PSA_ERROR_NOT_SUPPORTED; +} + +mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id) +{ + for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { + if (tls_id_match_table[i].tls_id == tls_id) { + return tls_id_match_table[i].ecp_group_id; } + } - MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret", - handshake->premaster, - handshake->pmslen); + return MBEDTLS_ECP_DP_NONE; +} - mbedtls_platform_zeroize(handshake->premaster, - sizeof(handshake->premaster)); +uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id) +{ + for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE; + i++) { + if (tls_id_match_table[i].ecp_group_id == grp_id) { + return tls_id_match_table[i].tls_id; + } } return 0; } -int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl) +#if defined(MBEDTLS_DEBUG_C) +static const struct { + uint16_t tls_id; + const char *name; +} tls_id_curve_name_table[] = { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = - ssl->handshake->ciphersuite_info; - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys")); + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, + { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, + { 0, NULL }, +}; - /* Set PRF, calc_verify and calc_finished function pointers */ - ret = ssl_set_handshake_prfs(ssl->handshake, - (mbedtls_md_type_t) ciphersuite_info->mac); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret); - return ret; +const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) +{ + for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) { + if (tls_id_curve_name_table[i].tls_id == tls_id) { + return tls_id_curve_name_table[i].name; + } } - /* Compute master secret if needed */ - ret = ssl_compute_master(ssl->handshake, - ssl->session_negotiate->master, - ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret); - return ret; - } + return NULL; +} +#endif - /* Swap the client and server random values: - * - MS derivation wanted client+server (RFC 5246 8.1) - * - key derivation wants server+client (RFC 5246 6.3) */ - { - unsigned char tmp[64]; - memcpy(tmp, ssl->handshake->randbytes, 64); - memcpy(ssl->handshake->randbytes, tmp + 32, 32); - memcpy(ssl->handshake->randbytes + 32, tmp, 32); - mbedtls_platform_zeroize(tmp, sizeof(tmp)); +#if defined(MBEDTLS_X509_CRT_PARSE_C) +int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, + const mbedtls_ssl_ciphersuite_t *ciphersuite, + int cert_endpoint, + uint32_t *flags) +{ + int ret = 0; + unsigned int usage = 0; + const char *ext_oid; + size_t ext_len; + + if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { + /* Server part of the key exchange */ + switch (ciphersuite->key_exchange) { + case MBEDTLS_KEY_EXCHANGE_RSA: + case MBEDTLS_KEY_EXCHANGE_RSA_PSK: + usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; + break; + + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; + break; + + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + usage = MBEDTLS_X509_KU_KEY_AGREEMENT; + break; + + /* Don't use default: we want warnings when adding new values */ + case MBEDTLS_KEY_EXCHANGE_NONE: + case MBEDTLS_KEY_EXCHANGE_PSK: + case MBEDTLS_KEY_EXCHANGE_DHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECJPAKE: + usage = 0; + } + } else { + /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ + usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; } - /* Populate transform structure */ - ret = ssl_tls12_populate_transform(ssl->transform_negotiate, - ssl->session_negotiate->ciphersuite, - ssl->session_negotiate->master, -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) - ssl->session_negotiate->encrypt_then_mac, -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ - ssl->handshake->tls_prf, - ssl->handshake->randbytes, - ssl->tls_version, - ssl->conf->endpoint, - ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret); - return ret; + if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { + *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; + ret = -1; } - /* We no longer need Server/ClientHello.random values */ - mbedtls_platform_zeroize(ssl->handshake->randbytes, - sizeof(ssl->handshake->randbytes)); + if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { + ext_oid = MBEDTLS_OID_SERVER_AUTH; + ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); + } else { + ext_oid = MBEDTLS_OID_CLIENT_AUTH; + ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys")); + if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { + *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; + ret = -1; + } - return 0; + return ret; } +#endif /* MBEDTLS_X509_CRT_PARSE_C */ -int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) +#if defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md, + unsigned char *dst, + size_t dst_len, + size_t *olen) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_hash_operation_t *hash_operation_to_clone; + psa_hash_operation_t hash_operation = psa_hash_operation_init(); + + *olen = 0; + switch (md) { #if defined(MBEDTLS_MD_CAN_SHA384) - case MBEDTLS_SSL_HASH_SHA384: - ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; + case MBEDTLS_MD_SHA384: + hash_operation_to_clone = &ssl->handshake->fin_sha384_psa; break; #endif + #if defined(MBEDTLS_MD_CAN_SHA256) - case MBEDTLS_SSL_HASH_SHA256: - ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; + case MBEDTLS_MD_SHA256: + hash_operation_to_clone = &ssl->handshake->fin_sha256_psa; break; #endif + default: - return -1; + goto exit; + } + + status = psa_hash_clone(hash_operation_to_clone, &hash_operation); + if (status != PSA_SUCCESS) { + goto exit; + } + + status = psa_hash_finish(&hash_operation, dst, dst_len, olen); + if (status != PSA_SUCCESS) { + goto exit; } + +exit: #if !defined(MBEDTLS_MD_CAN_SHA384) && \ !defined(MBEDTLS_MD_CAN_SHA256) (void) ssl; #endif - return 0; + return PSA_TO_MBEDTLS_ERR(status); } +#else /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) -static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl, - const psa_hash_operation_t *hs_op, - size_t buffer_size, - unsigned char *hash, - size_t *hlen) +#if defined(MBEDTLS_MD_CAN_SHA384) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *olen) { - psa_status_t status; - psa_hash_operation_t cloned_op = psa_hash_operation_init(); + int ret; + mbedtls_md_context_t sha384; -#if !defined(MBEDTLS_DEBUG_C) - (void) ssl; -#endif - MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify")); - status = psa_hash_clone(hs_op, &cloned_op); - if (status != PSA_SUCCESS) { + if (dst_len < 48) { + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } + + mbedtls_md_init(&sha384); + ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); + if (ret != 0) { goto exit; } - status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen); - if (status != PSA_SUCCESS) { + if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); goto exit; } - MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); + *olen = 48; exit: - psa_hash_abort(&cloned_op); - return mbedtls_md_error_from_psa(status); + + mbedtls_md_free(&sha384); + return ret; } -#else -static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl, - const mbedtls_md_context_t *hs_ctx, - unsigned char *hash, - size_t *hlen) +#endif /* MBEDTLS_MD_CAN_SHA384 */ + +#if defined(MBEDTLS_MD_CAN_SHA256) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *olen) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_context_t cloned_ctx; + int ret; + mbedtls_md_context_t sha256; - mbedtls_md_init(&cloned_ctx); + if (dst_len < 32) { + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } + + mbedtls_md_init(&sha256); + ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); + if (ret != 0) { + goto exit; + } + + if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); + goto exit; + } + + *olen = 32; + +exit: + + mbedtls_md_free(&sha256); + return ret; +} +#endif /* MBEDTLS_MD_CAN_SHA256 */ + +int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md, + unsigned char *dst, + size_t dst_len, + size_t *olen) +{ + switch (md) { + +#if defined(MBEDTLS_MD_CAN_SHA384) + case MBEDTLS_MD_SHA384: + return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen); +#endif /* MBEDTLS_MD_CAN_SHA384*/ + +#if defined(MBEDTLS_MD_CAN_SHA256) + case MBEDTLS_MD_SHA256: + return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen); +#endif /* MBEDTLS_MD_CAN_SHA256*/ + + default: +#if !defined(MBEDTLS_MD_CAN_SHA384) && \ + !defined(MBEDTLS_MD_CAN_SHA256) + (void) ssl; + (void) dst; + (void) dst_len; + (void) olen; +#endif + break; + } + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; +} + +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ + +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +/* mbedtls_ssl_parse_sig_alg_ext() + * + * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` + * value (TLS 1.3 RFC8446): + * enum { + * .... + * ecdsa_secp256r1_sha256( 0x0403 ), + * ecdsa_secp384r1_sha384( 0x0503 ), + * ecdsa_secp521r1_sha512( 0x0603 ), + * .... + * } SignatureScheme; + * + * struct { + * SignatureScheme supported_signature_algorithms<2..2^16-2>; + * } SignatureSchemeList; + * + * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` + * value (TLS 1.2 RFC5246): + * enum { + * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), + * sha512(6), (255) + * } HashAlgorithm; + * + * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } + * SignatureAlgorithm; + * + * struct { + * HashAlgorithm hash; + * SignatureAlgorithm signature; + * } SignatureAndHashAlgorithm; + * + * SignatureAndHashAlgorithm + * supported_signature_algorithms<2..2^16-2>; + * + * The TLS 1.3 signature algorithm extension was defined to be a compatible + * generalization of the TLS 1.2 signature algorithm extension. + * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by + * `SignatureScheme` field of TLS 1.3 + * + */ +int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end) +{ + const unsigned char *p = buf; + size_t supported_sig_algs_len = 0; + const unsigned char *supported_sig_algs_end; + uint16_t sig_alg; + uint32_t common_idx = 0; + + MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); + supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; + + memset(ssl->handshake->received_sig_algs, 0, + sizeof(ssl->handshake->received_sig_algs)); + + MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len); + supported_sig_algs_end = p + supported_sig_algs_len; + while (p < supported_sig_algs_end) { + MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2); + sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); + p += 2; + MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s", + sig_alg, + mbedtls_ssl_sig_alg_to_str(sig_alg))); +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && + (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) && + mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) { + continue; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if !defined(MBEDTLS_DEBUG_C) - (void) ssl; -#endif - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify")); + MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s", + mbedtls_ssl_sig_alg_to_str(sig_alg))); - ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); - if (ret != 0) { - goto exit; + if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) { + ssl->handshake->received_sig_algs[common_idx] = sig_alg; + common_idx += 1; + } } - ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); - if (ret != 0) { - goto exit; + /* Check that we consumed all the message. */ + if (p != end) { + MBEDTLS_SSL_DEBUG_MSG(1, + ("Signature algorithms extension length misaligned")); + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR); + return MBEDTLS_ERR_SSL_DECODE_ERROR; } - ret = mbedtls_md_finish(&cloned_ctx, hash); - if (ret != 0) { - goto exit; + if (common_idx == 0) { + MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common")); + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; } - *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx)); - - MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); - -exit: - mbedtls_md_free(&cloned_ctx); - return ret; + ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE; + return 0; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_MD_CAN_SHA256) -int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, - unsigned char *hash, - size_t *hlen) -{ -#if defined(MBEDTLS_USE_PSA_CRYPTO) - return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32, - hash, hlen); -#else - return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256, - hash, hlen); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -} -#endif /* MBEDTLS_MD_CAN_SHA256 */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_MD_CAN_SHA384) -int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, - unsigned char *hash, - size_t *hlen) -{ #if defined(MBEDTLS_USE_PSA_CRYPTO) - return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48, - hash, hlen); -#else - return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384, - hash, hlen); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -} -#endif /* MBEDTLS_MD_CAN_SHA384 */ -#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex) +static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation, + mbedtls_svc_key_id_t key, + psa_algorithm_t alg, + const unsigned char *raw_psk, size_t raw_psk_length, + const unsigned char *seed, size_t seed_length, + const unsigned char *label, size_t label_length, + const unsigned char *other_secret, + size_t other_secret_length, + size_t capacity) { - unsigned char *p = ssl->handshake->premaster; - unsigned char *end = p + sizeof(ssl->handshake->premaster); - const unsigned char *psk = NULL; - size_t psk_len = 0; - int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len); + psa_status_t status; - if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) { - /* - * This should never happen because the existence of a PSK is always - * checked before calling this function. - * - * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with - * the shared secret without PSK. - */ - if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } + status = psa_key_derivation_setup(derivation, alg); + if (status != PSA_SUCCESS) { + return status; } - /* - * PMS = struct { - * opaque other_secret<0..2^16-1>; - * opaque psk<0..2^16-1>; - * }; - * with "other_secret" depending on the particular key exchange - */ -#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) { - if (end - p < 2) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { + status = psa_key_derivation_input_bytes(derivation, + PSA_KEY_DERIVATION_INPUT_SEED, + seed, seed_length); + if (status != PSA_SUCCESS) { + return status; } - MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); - p += 2; - - if (end < p || (size_t) (end - p) < psk_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (other_secret != NULL) { + status = psa_key_derivation_input_bytes(derivation, + PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, + other_secret, other_secret_length); + if (status != PSA_SUCCESS) { + return status; + } } - memset(p, 0, psk_len); - p += psk_len; - } else -#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) - if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { - /* - * other_secret already set by the ClientKeyExchange message, - * and is 48 bytes long - */ - if (end - p < 2) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (mbedtls_svc_key_id_is_null(key)) { + status = psa_key_derivation_input_bytes( + derivation, PSA_KEY_DERIVATION_INPUT_SECRET, + raw_psk, raw_psk_length); + } else { + status = psa_key_derivation_input_key( + derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key); } - - *p++ = 0; - *p++ = 48; - p += 48; - } else -#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) - if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len; - - /* Write length only when we know the actual value */ - if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, - p + 2, (size_t) (end - (p + 2)), &len, - ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); - return ret; + if (status != PSA_SUCCESS) { + return status; } - MBEDTLS_PUT_UINT16_BE(len, p, 0); - p += 2 + len; - - MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); - } else -#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) - if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t zlen; - if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen, - p + 2, (size_t) (end - (p + 2)), - ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); - return ret; + status = psa_key_derivation_input_bytes(derivation, + PSA_KEY_DERIVATION_INPUT_LABEL, + label, label_length); + if (status != PSA_SUCCESS) { + return status; } - - MBEDTLS_PUT_UINT16_BE(zlen, p, 0); - p += 2 + zlen; - - MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, - MBEDTLS_DEBUG_ECDH_Z); - } else -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } - - /* opaque psk<0..2^16-1>; */ - if (end - p < 2) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); - p += 2; - - if (end < p || (size_t) (end - p) < psk_len) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } else { + return PSA_ERROR_NOT_SUPPORTED; } - memcpy(p, psk, psk_len); - p += psk_len; - - ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster); - - return 0; -} -#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - -#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_write_hello_request(mbedtls_ssl_context *ssl); - -#if defined(MBEDTLS_SSL_PROTO_DTLS) -int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl) -{ - /* If renegotiation is not enforced, retransmit until we would reach max - * timeout if we were using the usual handshake doubling scheme */ - if (ssl->conf->renego_max_records < 0) { - uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; - unsigned char doublings = 1; - - while (ratio != 0) { - ++doublings; - ratio >>= 1; - } - - if (++ssl->renego_records_seen > doublings) { - MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request")); - return 0; - } + status = psa_key_derivation_set_capacity(derivation, capacity); + if (status != PSA_SUCCESS) { + return status; } - return ssl_write_hello_request(ssl); + return PSA_SUCCESS; } -#endif -#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ -/* - * Handshake functions - */ -#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -/* No certificate support -> dummy functions */ -int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) +#if defined(PSA_WANT_ALG_SHA_384) || \ + defined(PSA_WANT_ALG_SHA_256) +MBEDTLS_CHECK_RETURN_CRITICAL +static int tls_prf_generic(mbedtls_md_type_t md_type, + const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->handshake->ciphersuite_info; + psa_status_t status; + psa_algorithm_t alg; + mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_derivation_operation_t derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); + if (md_type == MBEDTLS_MD_SHA384) { + alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); + } else { + alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); + } - if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); - ssl->state++; - return 0; + /* Normally a "secret" should be long enough to be impossible to + * find by brute force, and in particular should not be empty. But + * this PRF is also used to derive an IV, in particular in EAP-TLS, + * and for this use case it makes sense to have a 0-length "secret". + * Since the key API doesn't allow importing a key of length 0, + * keep master_key=0, which setup_psa_key_derivation() understands + * to mean a 0-length "secret" input. */ + if (slen != 0) { + psa_key_attributes_t key_attributes = psa_key_attributes_init(); + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&key_attributes, alg); + psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); + + status = psa_import_key(&key_attributes, secret, slen, &master_key); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } } - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; -} + status = setup_psa_key_derivation(&derivation, + master_key, alg, + NULL, 0, + random, rlen, + (unsigned char const *) label, + (size_t) strlen(label), + NULL, 0, + dlen); + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + psa_destroy_key(master_key); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } -int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) -{ - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->handshake->ciphersuite_info; + status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen); + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + psa_destroy_key(master_key); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); + status = psa_key_derivation_abort(&derivation); + if (status != PSA_SUCCESS) { + psa_destroy_key(master_key); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } - if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); - ssl->state++; - return 0; + if (!mbedtls_svc_key_id_is_null(master_key)) { + status = psa_destroy_key(master_key); + } + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + return 0; } +#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */ +#else /* MBEDTLS_USE_PSA_CRYPTO */ -#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -/* Some certificate support -> implement write and parse */ - -int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) +#if defined(MBEDTLS_MD_C) && \ + (defined(MBEDTLS_MD_CAN_SHA256) || \ + defined(MBEDTLS_MD_CAN_SHA384)) +MBEDTLS_CHECK_RETURN_CRITICAL +static int tls_prf_generic(mbedtls_md_type_t md_type, + const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen) { - int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; - size_t i, n; - const mbedtls_x509_crt *crt; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->handshake->ciphersuite_info; + size_t nb; + size_t i, j, k, md_len; + unsigned char *tmp; + size_t tmp_len = 0; + unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; + const mbedtls_md_info_t *md_info; + mbedtls_md_context_t md_ctx; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); + mbedtls_md_init(&md_ctx); - if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); - ssl->state++; - return 0; + if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) { + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } -#if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - if (ssl->handshake->client_auth == 0) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); - ssl->state++; - return 0; - } - } -#endif /* MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - if (mbedtls_ssl_own_cert(ssl) == NULL) { - /* Should never happen because we shouldn't have picked the - * ciphersuite if we don't have a certificate. */ - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } + md_len = mbedtls_md_get_size(md_info); + + tmp_len = md_len + strlen(label) + rlen; + tmp = mbedtls_calloc(1, tmp_len); + if (tmp == NULL) { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto exit; } -#endif - MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl)); + nb = strlen(label); + memcpy(tmp + md_len, label, nb); + memcpy(tmp + md_len + nb, random, rlen); + nb += rlen; /* - * 0 . 0 handshake type - * 1 . 3 handshake length - * 4 . 6 length of all certs - * 7 . 9 length of cert. 1 - * 10 . n-1 peer certificate - * n . n+2 length of cert. 2 - * n+3 . ... upper level cert, etc. + * Compute P_(secret, label + random)[0..dlen] */ - i = 7; - crt = mbedtls_ssl_own_cert(ssl); - - while (crt != NULL) { - n = crt->raw.len; - if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) { - MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET - " > %" MBEDTLS_PRINTF_SIZET, - i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } - - ssl->out_msg[i] = MBEDTLS_BYTE_2(n); - ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n); - ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n); + if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) { + goto exit; + } - i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n); - i += n; crt = crt->next; + ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_hmac_finish(&md_ctx, tmp); + if (ret != 0) { + goto exit; } - ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7); - ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7); - ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7); + for (i = 0; i < dlen; i += md_len) { + ret = mbedtls_md_hmac_reset(&md_ctx); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_hmac_finish(&md_ctx, h_i); + if (ret != 0) { + goto exit; + } - ssl->out_msglen = i; - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; + ret = mbedtls_md_hmac_reset(&md_ctx); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_hmac_finish(&md_ctx, tmp); + if (ret != 0) { + goto exit; + } - ssl->state++; + k = (i + md_len > dlen) ? dlen % md_len : md_len; - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); - return ret; + for (j = 0; j < k; j++) { + dstbuf[i + j] = h_i[j]; + } } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); - - return ret; -} - -#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) - -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, - unsigned char *crt_buf, - size_t crt_buf_len) -{ - mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; +exit: + mbedtls_md_free(&md_ctx); - if (peer_crt == NULL) { - return -1; + if (tmp != NULL) { + mbedtls_platform_zeroize(tmp, tmp_len); } - if (peer_crt->raw.len != crt_buf_len) { - return -1; - } + mbedtls_platform_zeroize(h_i, sizeof(h_i)); - return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len); + mbedtls_free(tmp); + + return ret; } -#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + +#if defined(MBEDTLS_MD_CAN_SHA256) MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, - unsigned char *crt_buf, - size_t crt_buf_len) +static int tls_prf_sha256(const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned char const * const peer_cert_digest = - ssl->session->peer_cert_digest; - mbedtls_md_type_t const peer_cert_digest_type = - ssl->session->peer_cert_digest_type; - mbedtls_md_info_t const * const digest_info = - mbedtls_md_info_from_type(peer_cert_digest_type); - unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]; - size_t digest_len; + return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen, + label, random, rlen, dstbuf, dlen); +} +#endif /* MBEDTLS_MD_CAN_SHA256*/ - if (peer_cert_digest == NULL || digest_info == NULL) { - return -1; - } +#if defined(MBEDTLS_MD_CAN_SHA384) +MBEDTLS_CHECK_RETURN_CRITICAL +static int tls_prf_sha384(const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen) +{ + return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen, + label, random, rlen, dstbuf, dlen); +} +#endif /* MBEDTLS_MD_CAN_SHA384*/ - digest_len = mbedtls_md_get_size(digest_info); - if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) { - return -1; +/* + * Set appropriate PRF function and other SSL / TLS1.2 functions + * + * Inputs: + * - hash associated with the ciphersuite (only used by TLS 1.2) + * + * Outputs: + * - the tls_prf, calc_verify and calc_finished members of handshake structure + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake, + mbedtls_md_type_t hash) +{ +#if defined(MBEDTLS_MD_CAN_SHA384) + if (hash == MBEDTLS_MD_SHA384) { + handshake->tls_prf = tls_prf_sha384; + handshake->calc_verify = ssl_calc_verify_tls_sha384; + handshake->calc_finished = ssl_calc_finished_tls_sha384; + } else +#endif +#if defined(MBEDTLS_MD_CAN_SHA256) + { + (void) hash; + handshake->tls_prf = tls_prf_sha256; + handshake->calc_verify = ssl_calc_verify_tls_sha256; + handshake->calc_finished = ssl_calc_finished_tls_sha256; } - - ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest); - if (ret != 0) { - return -1; +#else + { + (void) handshake; + (void) hash; + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } +#endif - return memcmp(tmp_digest, peer_cert_digest, digest_len); + return 0; } -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ /* - * Once the certificate message is read, parse it into a cert chain and - * perform basic checks, but leave actual verification to the caller + * Compute master secret if needed + * + * Parameters: + * [in/out] handshake + * [in] resume, premaster, extended_ms, calc_verify, tls_prf + * (PSA-PSK) ciphersuite_info, psk_opaque + * [out] premaster (cleared) + * [out] master + * [in] ssl: optionally used for debugging, EMS and PSA-PSK + * debug: conf->f_dbg, conf->p_dbg + * EMS: passed to calc_verify (debug + session_negotiate) + * PSA-PSA: conf */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl, - mbedtls_x509_crt *chain) +static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, + unsigned char *master, + const mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) - int crt_cnt = 0; + + /* cf. RFC 5246, Section 8.1: + * "The master secret is always exactly 48 bytes in length." */ + size_t const master_secret_len = 48; + +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + unsigned char session_hash[48]; +#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ + + /* The label for the KDF used for key expansion. + * This is either "master secret" or "extended master secret" + * depending on whether the Extended Master Secret extension + * is used. */ + char const *lbl = "master secret"; + + /* The seed for the KDF used for key expansion. + * - If the Extended Master Secret extension is not used, + * this is ClientHello.Random + ServerHello.Random + * (see Sect. 8.1 in RFC 5246). + * - If the Extended Master Secret extension is used, + * this is the transcript of the handshake so far. + * (see Sect. 4 in RFC 7627). */ + unsigned char const *seed = handshake->randbytes; + size_t seed_len = 64; + +#if !defined(MBEDTLS_DEBUG_C) && \ + !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ + !(defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)) + ssl = NULL; /* make sure we don't use it except for those cases */ + (void) ssl; #endif - size_t i, n; - uint8_t alert; - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + if (handshake->resume != 0) { + MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)")); + return 0; } - if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) { - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; - } +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { + lbl = "extended master secret"; + seed = session_hash; + ret = handshake->calc_verify(ssl, session_hash, &seed_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); + } - if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return MBEDTLS_ERR_SSL_DECODE_ERROR; + MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret", + session_hash, seed_len); } +#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ - i = mbedtls_ssl_hs_hdr_len(ssl); +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) { + /* Perform PSK-to-MS expansion in a single step. */ + psa_status_t status; + psa_algorithm_t alg; + mbedtls_svc_key_id_t psk; + psa_key_derivation_operation_t derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; + mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; - /* - * Same message structure as in mbedtls_ssl_write_certificate() - */ - n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); + MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion")); - if (ssl->in_msg[i] != 0 || - ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return MBEDTLS_ERR_SSL_DECODE_ERROR; - } + psk = mbedtls_ssl_get_opaque_psk(ssl); - /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ - i += 3; + if (hash_alg == MBEDTLS_MD_SHA384) { + alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); + } else { + alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); + } - /* Iterate through and parse the CRTs in the provided chain. */ - while (i < ssl->in_hslen) { - /* Check that there's room for the next CRT's length fields. */ - if (i + 3 > ssl->in_hslen) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return MBEDTLS_ERR_SSL_DECODE_ERROR; + size_t other_secret_len = 0; + unsigned char *other_secret = NULL; + + switch (handshake->ciphersuite_info->key_exchange) { + /* Provide other secret. + * Other secret is stored in premaster, where first 2 bytes hold the + * length of the other key. + */ + case MBEDTLS_KEY_EXCHANGE_RSA_PSK: + /* For RSA-PSK other key length is always 48 bytes. */ + other_secret_len = 48; + other_secret = handshake->premaster + 2; + break; + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + case MBEDTLS_KEY_EXCHANGE_DHE_PSK: + other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0); + other_secret = handshake->premaster + 2; + break; + default: + break; } - /* In theory, the CRT can be up to 2**24 Bytes, but we don't support - * anything beyond 2**16 ~ 64K. */ - if (ssl->in_msg[i] != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + + status = setup_psa_key_derivation(&derivation, psk, alg, + ssl->conf->psk, ssl->conf->psk_len, + seed, seed_len, + (unsigned char const *) lbl, + (size_t) strlen(lbl), + other_secret, other_secret_len, + master_secret_len); + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } + + status = psa_key_derivation_output_bytes(&derivation, + master, + master_secret_len); + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } - /* Read length of the next CRT in the chain. */ - n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); - i += 3; - - if (n < 128 || i + n > ssl->in_hslen) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return MBEDTLS_ERR_SSL_DECODE_ERROR; + status = psa_key_derivation_abort(&derivation); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } + } else +#endif + { +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { + psa_status_t status; + psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; + psa_key_derivation_operation_t derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; - /* Check if we're handling the first CRT in the chain. */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) - if (crt_cnt++ == 0 && - ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && - ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { - /* During client-side renegotiation, check that the server's - * end-CRTs hasn't changed compared to the initial handshake, - * mitigating the triple handshake attack. On success, reuse - * the original end-CRT instead of parsing it again. */ - MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation")); - if (ssl_check_peer_crt_unchanged(ssl, - &ssl->in_msg[i], - n) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation")); - mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED); - return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } + MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE")); - /* Now we can safely free the original chain. */ - ssl_clear_peer_cert(ssl->session); - } -#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ + handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; - /* Parse the next certificate in the chain. */ -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n); -#else - /* If we don't need to store the CRT chain permanently, parse - * it in-place from the input buffer instead of making a copy. */ - ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n); -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - switch (ret) { - case 0: /*ok*/ - case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: - /* Ignore certificate with an unknown algorithm: maybe a - prior certificate was already trusted. */ - break; + status = psa_key_derivation_setup(&derivation, alg); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } - case MBEDTLS_ERR_X509_ALLOC_FAILED: - alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; - goto crt_parse_der_failed; + status = psa_key_derivation_set_capacity(&derivation, + PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } - case MBEDTLS_ERR_X509_UNKNOWN_VERSION: - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - goto crt_parse_der_failed; + status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, + &derivation); + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } - default: - alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; -crt_parse_der_failed: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert); - MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); - return ret; + status = psa_key_derivation_output_bytes(&derivation, + handshake->premaster, + handshake->pmslen); + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } + + status = psa_key_derivation_abort(&derivation); + if (status != PSA_SUCCESS) { + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } + } +#endif + ret = handshake->tls_prf(handshake->premaster, handshake->pmslen, + lbl, seed, seed_len, + master, + master_secret_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); + return ret; } - i += n; + MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret", + handshake->premaster, + handshake->pmslen); + + mbedtls_platform_zeroize(handshake->premaster, + sizeof(handshake->premaster)); } - MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain); return 0; } -#if defined(MBEDTLS_SSL_SRV_C) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl) +int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl) { - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - return -1; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = + ssl->handshake->ciphersuite_info; + + MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys")); + + /* Set PRF, calc_verify and calc_finished function pointers */ + ret = ssl_set_handshake_prfs(ssl->handshake, + (mbedtls_md_type_t) ciphersuite_info->mac); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret); + return ret; } - if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) && - ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && - ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && - memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); - return 0; + /* Compute master secret if needed */ + ret = ssl_compute_master(ssl->handshake, + ssl->session_negotiate->master, + ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret); + return ret; } - return -1; + + /* Swap the client and server random values: + * - MS derivation wanted client+server (RFC 5246 8.1) + * - key derivation wants server+client (RFC 5246 6.3) */ + { + unsigned char tmp[64]; + memcpy(tmp, ssl->handshake->randbytes, 64); + memcpy(ssl->handshake->randbytes, tmp + 32, 32); + memcpy(ssl->handshake->randbytes + 32, tmp, 32); + mbedtls_platform_zeroize(tmp, sizeof(tmp)); + } + + /* Populate transform structure */ + ret = ssl_tls12_populate_transform(ssl->transform_negotiate, + ssl->session_negotiate->ciphersuite, + ssl->session_negotiate->master, +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + ssl->session_negotiate->encrypt_then_mac, +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + ssl->handshake->tls_prf, + ssl->handshake->randbytes, + ssl->tls_version, + ssl->conf->endpoint, + ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret); + return ret; + } + + /* We no longer need Server/ClientHello.random values */ + mbedtls_platform_zeroize(ssl->handshake->randbytes, + sizeof(ssl->handshake->randbytes)); + + MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys")); + + return 0; } -#endif /* MBEDTLS_SSL_SRV_C */ -/* Check if a certificate message is expected. - * Return either - * - SSL_CERTIFICATE_EXPECTED, or - * - SSL_CERTIFICATE_SKIP - * indicating whether a Certificate message is expected or not. - */ -#define SSL_CERTIFICATE_EXPECTED 0 -#define SSL_CERTIFICATE_SKIP 1 -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, - int authmode) +int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->handshake->ciphersuite_info; - - if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { - return SSL_CERTIFICATE_SKIP; + switch (md) { +#if defined(MBEDTLS_MD_CAN_SHA384) + case MBEDTLS_SSL_HASH_SHA384: + ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; + break; +#endif +#if defined(MBEDTLS_MD_CAN_SHA256) + case MBEDTLS_SSL_HASH_SHA256: + ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; + break; +#endif + default: + return -1; } +#if !defined(MBEDTLS_MD_CAN_SHA384) && \ + !defined(MBEDTLS_MD_CAN_SHA256) + (void) ssl; +#endif + return 0; +} -#if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { - return SSL_CERTIFICATE_SKIP; - } +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl, + const psa_hash_operation_t *hs_op, + size_t buffer_size, + unsigned char *hash, + size_t *hlen) +{ + psa_status_t status; + psa_hash_operation_t cloned_op = psa_hash_operation_init(); - if (authmode == MBEDTLS_SSL_VERIFY_NONE) { - ssl->session_negotiate->verify_result = - MBEDTLS_X509_BADCERT_SKIP_VERIFY; - return SSL_CERTIFICATE_SKIP; - } +#if !defined(MBEDTLS_DEBUG_C) + (void) ssl; +#endif + MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify")); + status = psa_hash_clone(hs_op, &cloned_op); + if (status != PSA_SUCCESS) { + goto exit; + } + + status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen); + if (status != PSA_SUCCESS) { + goto exit; } -#else - ((void) authmode); -#endif /* MBEDTLS_SSL_SRV_C */ - return SSL_CERTIFICATE_EXPECTED; -} + MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); + MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, - int authmode, - mbedtls_x509_crt *chain, - void *rs_ctx) +exit: + psa_hash_abort(&cloned_op); + return mbedtls_md_error_from_psa(status); +} +#else +static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl, + const mbedtls_md_context_t *hs_ctx, + unsigned char *hash, + size_t *hlen) { - int ret = 0; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->handshake->ciphersuite_info; - int have_ca_chain = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_context_t cloned_ctx; - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); - void *p_vrfy; + mbedtls_md_init(&cloned_ctx); - if (authmode == MBEDTLS_SSL_VERIFY_NONE) { - return 0; +#if !defined(MBEDTLS_DEBUG_C) + (void) ssl; +#endif + MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify")); + + ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); + if (ret != 0) { + goto exit; } - if (ssl->f_vrfy != NULL) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); - f_vrfy = ssl->f_vrfy; - p_vrfy = ssl->p_vrfy; - } else { - MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); - f_vrfy = ssl->conf->f_vrfy; - p_vrfy = ssl->conf->p_vrfy; + ret = mbedtls_md_finish(&cloned_ctx, hash); + if (ret != 0) { + goto exit; } - /* - * Main check: verify certificate - */ -#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) - if (ssl->conf->f_ca_cb != NULL) { - ((void) rs_ctx); - have_ca_chain = 1; + *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx)); - MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); - ret = mbedtls_x509_crt_verify_with_ca_cb( - chain, - ssl->conf->f_ca_cb, - ssl->conf->p_ca_cb, - ssl->conf->cert_profile, - ssl->hostname, - &ssl->session_negotiate->verify_result, - f_vrfy, p_vrfy); - } else -#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ - { - mbedtls_x509_crt *ca_chain; - mbedtls_x509_crl *ca_crl; + MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); + MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_ca_chain != NULL) { - ca_chain = ssl->handshake->sni_ca_chain; - ca_crl = ssl->handshake->sni_ca_crl; - } else -#endif - { - ca_chain = ssl->conf->ca_chain; - ca_crl = ssl->conf->ca_crl; - } +exit: + mbedtls_md_free(&cloned_ctx); + return ret; +} +#endif /* MBEDTLS_USE_PSA_CRYPTO */ - if (ca_chain != NULL) { - have_ca_chain = 1; - } +#if defined(MBEDTLS_MD_CAN_SHA256) +int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, + unsigned char *hash, + size_t *hlen) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32, + hash, hlen); +#else + return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256, + hash, hlen); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +} +#endif /* MBEDTLS_MD_CAN_SHA256 */ - ret = mbedtls_x509_crt_verify_restartable( - chain, - ca_chain, ca_crl, - ssl->conf->cert_profile, - ssl->hostname, - &ssl->session_negotiate->verify_result, - f_vrfy, p_vrfy, rs_ctx); - } +#if defined(MBEDTLS_MD_CAN_SHA384) +int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, + unsigned char *hash, + size_t *hlen) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48, + hash, hlen); +#else + return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384, + hash, hlen); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +} +#endif /* MBEDTLS_MD_CAN_SHA384 */ - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); - } +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex) +{ + unsigned char *p = ssl->handshake->premaster; + unsigned char *end = p + sizeof(ssl->handshake->premaster); + const unsigned char *psk = NULL; + size_t psk_len = 0; + int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len); -#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { - return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; + if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) { + /* + * This should never happen because the existence of a PSK is always + * checked before calling this function. + * + * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with + * the shared secret without PSK. + */ + if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) { + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } } -#endif /* - * Secondary checks: always done, but change 'ret' only if it was 0 + * PMS = struct { + * opaque other_secret<0..2^16-1>; + * opaque psk<0..2^16-1>; + * }; + * with "other_secret" depending on the particular key exchange */ +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) { + if (end - p < 2) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) - { - const mbedtls_pk_context *pk = &chain->pk; + MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); + p += 2; - /* If certificate uses an EC key, make sure the curve is OK. - * This is a public key, so it can't be opaque, so can_do() is a good - * enough check to ensure pk_ec() is safe to use here. */ - if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { - /* and in the unlikely case the above assumption no longer holds - * we are making sure that pk_ec() here does not return a NULL - */ - mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk); - if (grp_id == MBEDTLS_ECP_DP_NONE) { - MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } - if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { - ssl->session_negotiate->verify_result |= - MBEDTLS_X509_BADCERT_BAD_KEY; + if (end < p || (size_t) (end - p) < psk_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); - if (ret == 0) { - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } - } + memset(p, 0, psk_len); + p += psk_len; + } else +#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) + if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { + /* + * other_secret already set by the ClientKeyExchange message, + * and is 48 bytes long + */ + if (end - p < 2) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - } -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ - if (mbedtls_ssl_check_cert_usage(chain, - ciphersuite_info, - !ssl->conf->endpoint, - &ssl->session_negotiate->verify_result) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); - if (ret == 0) { - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + *p++ = 0; + *p++ = 48; + p += 48; + } else +#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) + if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len; + + /* Write length only when we know the actual value */ + if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, + p + 2, (size_t) (end - (p + 2)), &len, + ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); + return ret; + } + MBEDTLS_PUT_UINT16_BE(len, p, 0); + p += 2 + len; + + MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); + } else +#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) + if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t zlen; + + if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen, + p + 2, (size_t) (end - (p + 2)), + ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); + return ret; } - } - /* mbedtls_x509_crt_verify_with_profile is supposed to report a - * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, - * with details encoded in the verification flags. All other kinds - * of error codes, including those from the user provided f_vrfy - * functions, are treated as fatal and lead to a failure of - * ssl_parse_certificate even if verification was optional. */ - if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && - (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || - ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { - ret = 0; + MBEDTLS_PUT_UINT16_BE(zlen, p, 0); + p += 2 + zlen; + + MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, + MBEDTLS_DEBUG_ECDH_Z); + } else +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ + { + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } - if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); - ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; + /* opaque psk<0..2^16-1>; */ + if (end - p < 2) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - if (ret != 0) { - uint8_t alert; + MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); + p += 2; - /* The certificate may have been rejected for several reasons. - Pick one and send the corresponding alert. Which alert to send - may be a subject of debate in some cases. */ - if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { - alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { - alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { - alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { - alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { - alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; - } else { - alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; - } - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - alert); + if (end < p || (size_t) (end - p) < psk_len) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } -#if defined(MBEDTLS_DEBUG_C) - if (ssl->session_negotiate->verify_result != 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", - (unsigned int) ssl->session_negotiate->verify_result)); - } else { - MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); - } -#endif /* MBEDTLS_DEBUG_C */ + memcpy(p, psk, psk_len); + p += psk_len; - return ret; + ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster); + + return 0; } +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl, - unsigned char *start, size_t len) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* Remember digest of the peer's end-CRT. */ - ssl->session_negotiate->peer_cert_digest = - mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN); - if (ssl->session_negotiate->peer_cert_digest == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed", - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN)); - mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); +static int ssl_write_hello_request(mbedtls_ssl_context *ssl); - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } +#if defined(MBEDTLS_SSL_PROTO_DTLS) +int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl) +{ + /* If renegotiation is not enforced, retransmit until we would reach max + * timeout if we were using the usual handshake doubling scheme */ + if (ssl->conf->renego_max_records < 0) { + uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; + unsigned char doublings = 1; - ret = mbedtls_md(mbedtls_md_info_from_type( - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), - start, len, - ssl->session_negotiate->peer_cert_digest); + while (ratio != 0) { + ++doublings; + ratio >>= 1; + } - ssl->session_negotiate->peer_cert_digest_type = - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; - ssl->session_negotiate->peer_cert_digest_len = - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; + if (++ssl->renego_records_seen > doublings) { + MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request")); + return 0; + } + } - return ret; + return ssl_write_hello_request(ssl); } +#endif +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl, - unsigned char *start, size_t len) +/* + * Handshake functions + */ +#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +/* No certificate support -> dummy functions */ +int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) { - unsigned char *end = start + len; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->handshake->ciphersuite_info; - /* Make a copy of the peer's raw public key. */ - mbedtls_pk_init(&ssl->handshake->peer_pubkey); - ret = mbedtls_pk_parse_subpubkey(&start, end, - &ssl->handshake->peer_pubkey); - if (ret != 0) { - /* We should have parsed the public key before. */ - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); + + if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { + MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); + ssl->state++; + return 0; } - return 0; + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) { - int ret = 0; - int crt_expected; -#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET - ? ssl->handshake->sni_authmode - : ssl->conf->authmode; -#else - const int authmode = ssl->conf->authmode; -#endif - void *rs_ctx = NULL; - mbedtls_x509_crt *chain = NULL; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); - crt_expected = ssl_parse_certificate_coordinate(ssl, authmode); - if (crt_expected == SSL_CERTIFICATE_SKIP) { + if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); - goto exit; + ssl->state++; + return 0; } -#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - if (ssl->handshake->ecrs_enabled && - ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) { - chain = ssl->handshake->ecrs_peer_cert; - ssl->handshake->ecrs_peer_cert = NULL; - goto crt_verify; - } -#endif + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; +} - if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { - /* mbedtls_ssl_read_record may have sent an alert already. We - let it decide whether to alert. */ - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - goto exit; - } +#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +/* Some certificate support -> implement write and parse */ -#if defined(MBEDTLS_SSL_SRV_C) - if (ssl_srv_check_client_no_crt_notification(ssl) == 0) { - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; +int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + size_t i, n; + const mbedtls_x509_crt *crt; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->handshake->ciphersuite_info; - if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) { - ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; - } + MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); - goto exit; + if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { + MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); + ssl->state++; + return 0; } -#endif /* MBEDTLS_SSL_SRV_C */ - /* Clear existing peer CRT structure in case we tried to - * reuse a session but it failed, and allocate a new one. */ - ssl_clear_peer_cert(ssl->session_negotiate); +#if defined(MBEDTLS_SSL_CLI_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { + if (ssl->handshake->client_auth == 0) { + MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); + ssl->state++; + return 0; + } + } +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_SRV_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { + if (mbedtls_ssl_own_cert(ssl) == NULL) { + /* Should never happen because we shouldn't have picked the + * ciphersuite if we don't have a certificate. */ + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } + } +#endif - chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); - if (chain == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", - sizeof(mbedtls_x509_crt))); - mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl)); - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto exit; - } - mbedtls_x509_crt_init(chain); + /* + * 0 . 0 handshake type + * 1 . 3 handshake length + * 4 . 6 length of all certs + * 7 . 9 length of cert. 1 + * 10 . n-1 peer certificate + * n . n+2 length of cert. 2 + * n+3 . ... upper level cert, etc. + */ + i = 7; + crt = mbedtls_ssl_own_cert(ssl); - ret = ssl_parse_certificate_chain(ssl, chain); - if (ret != 0) { - goto exit; - } + while (crt != NULL) { + n = crt->raw.len; + if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) { + MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET + " > %" MBEDTLS_PRINTF_SIZET, + i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } -#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - if (ssl->handshake->ecrs_enabled) { - ssl->handshake->ecrs_state = ssl_ecrs_crt_verify; - } + ssl->out_msg[i] = MBEDTLS_BYTE_2(n); + ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n); + ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n); -crt_verify: - if (ssl->handshake->ecrs_enabled) { - rs_ctx = &ssl->handshake->ecrs_ctx; + i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n); + i += n; crt = crt->next; } -#endif - ret = ssl_parse_certificate_verify(ssl, authmode, - chain, rs_ctx); - if (ret != 0) { - goto exit; - } + ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7); + ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7); + ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7); -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - { - unsigned char *crt_start, *pk_start; - size_t crt_len, pk_len; + ssl->out_msglen = i; + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; - /* We parse the CRT chain without copying, so - * these pointers point into the input buffer, - * and are hence still valid after freeing the - * CRT chain. */ + ssl->state++; - crt_start = chain->raw.p; - crt_len = chain->raw.len; + if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + return ret; + } - pk_start = chain->pk_raw.p; - pk_len = chain->pk_raw.len; + MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); - /* Free the CRT structures before computing - * digest and copying the peer's public key. */ - mbedtls_x509_crt_free(chain); - mbedtls_free(chain); - chain = NULL; + return ret; +} - ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len); - if (ret != 0) { - goto exit; - } +#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) - ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len); - if (ret != 0) { - goto exit; - } +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, + unsigned char *crt_buf, + size_t crt_buf_len) +{ + mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; + + if (peer_crt == NULL) { + return -1; } -#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - /* Pass ownership to session structure. */ - ssl->session_negotiate->peer_cert = chain; - chain = NULL; -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); + if (peer_crt->raw.len != crt_buf_len) { + return -1; + } -exit: + return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len); +} +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, + unsigned char *crt_buf, + size_t crt_buf_len) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char const * const peer_cert_digest = + ssl->session->peer_cert_digest; + mbedtls_md_type_t const peer_cert_digest_type = + ssl->session->peer_cert_digest_type; + mbedtls_md_info_t const * const digest_info = + mbedtls_md_info_from_type(peer_cert_digest_type); + unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]; + size_t digest_len; - if (ret == 0) { - ssl->state++; + if (peer_cert_digest == NULL || digest_info == NULL) { + return -1; } -#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { - ssl->handshake->ecrs_peer_cert = chain; - chain = NULL; + digest_len = mbedtls_md_get_size(digest_info); + if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) { + return -1; } -#endif - if (chain != NULL) { - mbedtls_x509_crt_free(chain); - mbedtls_free(chain); + ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest); + if (ret != 0) { + return -1; } - return ret; + return memcmp(tmp_digest, peer_cert_digest, digest_len); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ -static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx, - unsigned char *padbuf, size_t hlen, - unsigned char *buf, int from) +/* + * Once the certificate message is read, parse it into a cert chain and + * perform basic checks, but leave actual verification to the caller + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl, + mbedtls_x509_crt *chain) { - unsigned int len = 12; - const char *sender; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; - psa_hash_operation_t *hs_op = ctx; - psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT; - size_t hash_size; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_context_t *hs_ctx = ctx; - mbedtls_md_context_t cloned_ctx; - mbedtls_md_init(&cloned_ctx); +#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) + int crt_cnt = 0; #endif + size_t i, n; + uint8_t alert; - mbedtls_ssl_session *session = ssl->session_negotiate; - if (!session) { - session = ssl->session; + if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); + return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } - sender = (from == MBEDTLS_SSL_IS_CLIENT) - ? "client finished" - : "server finished"; - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls")); - - status = psa_hash_clone(hs_op, &cloned_op); - if (status != PSA_SUCCESS) { - goto exit; + if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) { + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); + return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } - status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size); - if (status != PSA_SUCCESS) { - goto exit; + if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); + return MBEDTLS_ERR_SSL_DECODE_ERROR; } - MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen); -#else - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls")); - ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); - if (ret != 0) { - goto exit; + i = mbedtls_ssl_hs_hdr_len(ssl); + + /* + * Same message structure as in mbedtls_ssl_write_certificate() + */ + n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); + + if (ssl->in_msg[i] != 0 || + ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); + return MBEDTLS_ERR_SSL_DECODE_ERROR; } - ret = mbedtls_md_finish(&cloned_ctx, padbuf); - if (ret != 0) { - goto exit; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ + i += 3; + + /* Iterate through and parse the CRTs in the provided chain. */ + while (i < ssl->in_hslen) { + /* Check that there's room for the next CRT's length fields. */ + if (i + 3 > ssl->in_hslen) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); + mbedtls_ssl_send_alert_message(ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); + return MBEDTLS_ERR_SSL_DECODE_ERROR; + } + /* In theory, the CRT can be up to 2**24 Bytes, but we don't support + * anything beyond 2**16 ~ 64K. */ + if (ssl->in_msg[i] != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); + mbedtls_ssl_send_alert_message(ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); + return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + + /* Read length of the next CRT in the chain. */ + n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); + i += 3; + + if (n < 128 || i + n > ssl->in_hslen) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); + mbedtls_ssl_send_alert_message(ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); + return MBEDTLS_ERR_SSL_DECODE_ERROR; + } + + /* Check if we're handling the first CRT in the chain. */ +#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) + if (crt_cnt++ == 0 && + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && + ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { + /* During client-side renegotiation, check that the server's + * end-CRTs hasn't changed compared to the initial handshake, + * mitigating the triple handshake attack. On success, reuse + * the original end-CRT instead of parsing it again. */ + MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation")); + if (ssl_check_peer_crt_unchanged(ssl, + &ssl->in_msg[i], + n) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation")); + mbedtls_ssl_send_alert_message(ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED); + return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + + /* Now we can safely free the original chain. */ + ssl_clear_peer_cert(ssl->session); + } +#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ - MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen); + /* Parse the next certificate in the chain. */ +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n); +#else + /* If we don't need to store the CRT chain permanently, parse + * it in-place from the input buffer instead of making a copy. */ + ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n); +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + switch (ret) { + case 0: /*ok*/ + case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: + /* Ignore certificate with an unknown algorithm: maybe a + prior certificate was already trusted. */ + break; - /* - * TLSv1.2: - * hash = PRF( master, finished_label, - * Hash( handshake ) )[0.11] - */ - ssl->handshake->tls_prf(session->master, 48, sender, - padbuf, hlen, buf, len); + case MBEDTLS_ERR_X509_ALLOC_FAILED: + alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; + goto crt_parse_der_failed; - MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); + case MBEDTLS_ERR_X509_UNKNOWN_VERSION: + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + goto crt_parse_der_failed; - mbedtls_platform_zeroize(padbuf, hlen); + default: + alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; +crt_parse_der_failed: + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert); + MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); + return ret; + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); + i += n; + } -exit: -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort(&cloned_op); - return mbedtls_md_error_from_psa(status); -#else - mbedtls_md_free(&cloned_ctx); - return ret; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain); + return 0; } -#if defined(MBEDTLS_MD_CAN_SHA256) -static int ssl_calc_finished_tls_sha256( - mbedtls_ssl_context *ssl, unsigned char *buf, int from) +#if defined(MBEDTLS_SSL_SRV_C) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl) { - unsigned char padbuf[32]; - return ssl_calc_finished_tls_generic(ssl, -#if defined(MBEDTLS_USE_PSA_CRYPTO) - &ssl->handshake->fin_sha256_psa, -#else - &ssl->handshake->fin_sha256, -#endif - padbuf, sizeof(padbuf), - buf, from); -} -#endif /* MBEDTLS_MD_CAN_SHA256*/ - + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { + return -1; + } -#if defined(MBEDTLS_MD_CAN_SHA384) -static int ssl_calc_finished_tls_sha384( - mbedtls_ssl_context *ssl, unsigned char *buf, int from) -{ - unsigned char padbuf[48]; - return ssl_calc_finished_tls_generic(ssl, -#if defined(MBEDTLS_USE_PSA_CRYPTO) - &ssl->handshake->fin_sha384_psa, -#else - &ssl->handshake->fin_sha384, -#endif - padbuf, sizeof(padbuf), - buf, from); + if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) && + ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && + ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && + memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); + return 0; + } + return -1; } -#endif /* MBEDTLS_MD_CAN_SHA384*/ +#endif /* MBEDTLS_SSL_SRV_C */ -void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl) +/* Check if a certificate message is expected. + * Return either + * - SSL_CERTIFICATE_EXPECTED, or + * - SSL_CERTIFICATE_SKIP + * indicating whether a Certificate message is expected or not. + */ +#define SSL_CERTIFICATE_EXPECTED 0 +#define SSL_CERTIFICATE_SKIP 1 +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, + int authmode) { - MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free")); + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->handshake->ciphersuite_info; - /* - * Free our handshake params - */ - mbedtls_ssl_handshake_free(ssl); - mbedtls_free(ssl->handshake); - ssl->handshake = NULL; + if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { + return SSL_CERTIFICATE_SKIP; + } - /* - * Free the previous transform and switch in the current one - */ - if (ssl->transform) { - mbedtls_ssl_transform_free(ssl->transform); - mbedtls_free(ssl->transform); +#if defined(MBEDTLS_SSL_SRV_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { + if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { + return SSL_CERTIFICATE_SKIP; + } + + if (authmode == MBEDTLS_SSL_VERIFY_NONE) { + ssl->session_negotiate->verify_result = + MBEDTLS_X509_BADCERT_SKIP_VERIFY; + return SSL_CERTIFICATE_SKIP; + } } - ssl->transform = ssl->transform_negotiate; - ssl->transform_negotiate = NULL; +#else + ((void) authmode); +#endif /* MBEDTLS_SSL_SRV_C */ - MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free")); + return SSL_CERTIFICATE_EXPECTED; } -void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, + int authmode, + mbedtls_x509_crt *chain, + void *rs_ctx) { - int resume = ssl->handshake->resume; + int ret = 0; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->handshake->ciphersuite_info; + int have_ca_chain = 0; - MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); + void *p_vrfy; -#if defined(MBEDTLS_SSL_RENEGOTIATION) - if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { - ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; - ssl->renego_records_seen = 0; + if (authmode == MBEDTLS_SSL_VERIFY_NONE) { + return 0; } -#endif - - /* - * Free the previous session and switch in the current one - */ - if (ssl->session) { -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - /* RFC 7366 3.1: keep the EtM state */ - ssl->session_negotiate->encrypt_then_mac = - ssl->session->encrypt_then_mac; -#endif - mbedtls_ssl_session_free(ssl->session); - mbedtls_free(ssl->session); + if (ssl->f_vrfy != NULL) { + MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); + f_vrfy = ssl->f_vrfy; + p_vrfy = ssl->p_vrfy; + } else { + MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); + f_vrfy = ssl->conf->f_vrfy; + p_vrfy = ssl->conf->p_vrfy; } - ssl->session = ssl->session_negotiate; - ssl->session_negotiate = NULL; /* - * Add cache entry + * Main check: verify certificate */ - if (ssl->conf->f_set_cache != NULL && - ssl->session->id_len != 0 && - resume == 0) { - if (ssl->conf->f_set_cache(ssl->conf->p_cache, - ssl->session->id, - ssl->session->id_len, - ssl->session) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session")); - } - } - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->handshake->flight != NULL) { - /* Cancel handshake timer */ - mbedtls_ssl_set_timer(ssl, 0); +#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) + if (ssl->conf->f_ca_cb != NULL) { + ((void) rs_ctx); + have_ca_chain = 1; - /* Keep last flight around in case we need to resend it: - * we need the handshake and transform structures for that */ - MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform")); + MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); + ret = mbedtls_x509_crt_verify_with_ca_cb( + chain, + ssl->conf->f_ca_cb, + ssl->conf->p_ca_cb, + ssl->conf->cert_profile, + ssl->hostname, + &ssl->session_negotiate->verify_result, + f_vrfy, p_vrfy); } else -#endif - mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl); - - ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; - - MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); -} +#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ + { + mbedtls_x509_crt *ca_chain; + mbedtls_x509_crl *ca_crl; -int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) -{ - int ret; - unsigned int hash_len; +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if (ssl->handshake->sni_ca_chain != NULL) { + ca_chain = ssl->handshake->sni_ca_chain; + ca_crl = ssl->handshake->sni_ca_crl; + } else +#endif + { + ca_chain = ssl->conf->ca_chain; + ca_crl = ssl->conf->ca_crl; + } - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished")); + if (ca_chain != NULL) { + have_ca_chain = 1; + } - mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); + ret = mbedtls_x509_crt_verify_restartable( + chain, + ca_chain, ca_crl, + ssl->conf->cert_profile, + ssl->hostname, + &ssl->session_negotiate->verify_result, + f_vrfy, p_vrfy, rs_ctx); + } - ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); + MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); + } + +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { + return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; } +#endif /* - * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites - * may define some other value. Currently (early 2016), no defined - * ciphersuite does this (and this is unlikely to change as activity has - * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. + * Secondary checks: always done, but change 'ret' only if it was 0 */ - hash_len = 12; -#if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->verify_data_len = hash_len; - memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len); -#endif +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) + { + const mbedtls_pk_context *pk = &chain->pk; - ssl->out_msglen = 4 + hash_len; - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; + /* If certificate uses an EC key, make sure the curve is OK. + * This is a public key, so it can't be opaque, so can_do() is a good + * enough check to ensure pk_ec() is safe to use here. */ + if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { + /* and in the unlikely case the above assumption no longer holds + * we are making sure that pk_ec() here does not return a NULL + */ + mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk); + if (grp_id == MBEDTLS_ECP_DP_NONE) { + MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID")); + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } + if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { + ssl->session_negotiate->verify_result |= + MBEDTLS_X509_BADCERT_BAD_KEY; - /* - * In case of session resuming, invert the client and server - * ChangeCipherSpec messages order. - */ - if (ssl->handshake->resume != 0) { -#if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; - } -#endif -#if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); + if (ret == 0) { + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + } } -#endif - } else { - ssl->state++; } +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ - /* - * Switch to our negotiated transform and session parameters for outbound - * data. - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - unsigned char i; + if (mbedtls_ssl_check_cert_usage(chain, + ciphersuite_info, + !ssl->conf->endpoint, + &ssl->session_negotiate->verify_result) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); + if (ret == 0) { + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + } - /* Remember current epoch settings for resending */ - ssl->handshake->alt_transform_out = ssl->transform_out; - memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, - sizeof(ssl->handshake->alt_out_ctr)); + /* mbedtls_x509_crt_verify_with_profile is supposed to report a + * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, + * with details encoded in the verification flags. All other kinds + * of error codes, including those from the user provided f_vrfy + * functions, are treated as fatal and lead to a failure of + * ssl_parse_certificate even if verification was optional. */ + if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && + (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { + ret = 0; + } - /* Set sequence_number to zero */ - memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2); + if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { + MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); + ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; + } + if (ret != 0) { + uint8_t alert; - /* Increment epoch */ - for (i = 2; i > 0; i--) { - if (++ssl->cur_out_ctr[i - 1] != 0) { - break; - } + /* The certificate may have been rejected for several reasons. + Pick one and send the corresponding alert. Which alert to send + may be a subject of debate in some cases. */ + if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { + alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { + alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { + alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { + alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { + alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; + } else { + alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; } + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + alert); + } - /* The loop goes to its end iff the counter is wrapping */ - if (i == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap")); - return MBEDTLS_ERR_SSL_COUNTER_WRAPPING; - } - } else -#endif /* MBEDTLS_SSL_PROTO_DTLS */ - memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); +#if defined(MBEDTLS_DEBUG_C) + if (ssl->session_negotiate->verify_result != 0) { + MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", + (unsigned int) ssl->session_negotiate->verify_result)); + } else { + MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); + } +#endif /* MBEDTLS_DEBUG_C */ - ssl->transform_out = ssl->transform_negotiate; - ssl->session_out = ssl->session_negotiate; + return ret; +} -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - mbedtls_ssl_send_flight_completed(ssl); - } -#endif +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl, + unsigned char *start, size_t len) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* Remember digest of the peer's end-CRT. */ + ssl->session_negotiate->peer_cert_digest = + mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN); + if (ssl->session_negotiate->peer_cert_digest == NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed", + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN)); + mbedtls_ssl_send_alert_message(ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); - return ret; + return MBEDTLS_ERR_SSL_ALLOC_FAILED; } -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); - return ret; - } -#endif + ret = mbedtls_md(mbedtls_md_info_from_type( + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), + start, len, + ssl->session_negotiate->peer_cert_digest); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished")); + ssl->session_negotiate->peer_cert_digest_type = + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; + ssl->session_negotiate->peer_cert_digest_len = + MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; - return 0; + return ret; } -#define SSL_MAX_HASH_LEN 12 - -int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl, + unsigned char *start, size_t len) { + unsigned char *end = start + len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned int hash_len = 12; - unsigned char buf[SSL_MAX_HASH_LEN]; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); + /* Make a copy of the peer's raw public key. */ + mbedtls_pk_init(&ssl->handshake->peer_pubkey); + ret = mbedtls_pk_parse_subpubkey(&start, end, + &ssl->handshake->peer_pubkey); + if (ret != 0) { + /* We should have parsed the public key before. */ + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } + + return 0; +} +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + +int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) +{ + int ret = 0; + int crt_expected; +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET + ? ssl->handshake->sni_authmode + : ssl->conf->authmode; +#else + const int authmode = ssl->conf->authmode; +#endif + void *rs_ctx = NULL; + mbedtls_x509_crt *chain = NULL; + + MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); + + crt_expected = ssl_parse_certificate_coordinate(ssl, authmode); + if (crt_expected == SSL_CERTIFICATE_SKIP) { + MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); + goto exit; + } - ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + if (ssl->handshake->ecrs_enabled && + ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) { + chain = ssl->handshake->ecrs_peer_cert; + ssl->handshake->ecrs_peer_cert = NULL; + goto crt_verify; } +#endif if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { + /* mbedtls_ssl_read_record may have sent an alert already. We + let it decide whether to alert. */ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); goto exit; } - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; +#if defined(MBEDTLS_SSL_SRV_C) + if (ssl_srv_check_client_no_crt_notification(ssl) == 0) { + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; + + if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) { + ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; + } + goto exit; } +#endif /* MBEDTLS_SSL_SRV_C */ - if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) { - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + /* Clear existing peer CRT structure in case we tried to + * reuse a session but it failed, and allocate a new one. */ + ssl_clear_peer_cert(ssl->session_negotiate); + + chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); + if (chain == NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", + sizeof(mbedtls_x509_crt))); + mbedtls_ssl_send_alert_message(ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); + + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; goto exit; } + mbedtls_x509_crt_init(chain); - if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - ret = MBEDTLS_ERR_SSL_DECODE_ERROR; + ret = ssl_parse_certificate_chain(ssl, chain); + if (ret != 0) { goto exit; } - if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), - buf, hash_len) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto exit; +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + if (ssl->handshake->ecrs_enabled) { + ssl->handshake->ecrs_state = ssl_ecrs_crt_verify; } -#if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->verify_data_len = hash_len; - memcpy(ssl->peer_verify_data, buf, hash_len); +crt_verify: + if (ssl->handshake->ecrs_enabled) { + rs_ctx = &ssl->handshake->ecrs_ctx; + } #endif - if (ssl->handshake->resume != 0) { -#if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; + ret = ssl_parse_certificate_verify(ssl, authmode, + chain, rs_ctx); + if (ret != 0) { + goto exit; + } + +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + { + unsigned char *crt_start, *pk_start; + size_t crt_len, pk_len; + + /* We parse the CRT chain without copying, so + * these pointers point into the input buffer, + * and are hence still valid after freeing the + * CRT chain. */ + + crt_start = chain->raw.p; + crt_len = chain->raw.len; + + pk_start = chain->pk_raw.p; + pk_len = chain->pk_raw.len; + + /* Free the CRT structures before computing + * digest and copying the peer's public key. */ + mbedtls_x509_crt_free(chain); + mbedtls_free(chain); + chain = NULL; + + ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len); + if (ret != 0) { + goto exit; } -#endif -#if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; + + ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len); + if (ret != 0) { + goto exit; } -#endif - } else { + } +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + /* Pass ownership to session structure. */ + ssl->session_negotiate->peer_cert = chain; + chain = NULL; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + + MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); + +exit: + + if (ret == 0) { ssl->state++; } -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - mbedtls_ssl_recv_flight_completed(ssl); +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { + ssl->handshake->ecrs_peer_cert = chain; + chain = NULL; } #endif - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished")); + if (chain != NULL) { + mbedtls_x509_crt_free(chain); + mbedtls_free(chain); + } -exit: - mbedtls_platform_zeroize(buf, hash_len); return ret; } +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) -/* - * Helper to get TLS 1.2 PRF from ciphersuite - * (Duplicates bits of logic from ssl_set_handshake_prfs().) - */ -static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id) +static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx, + unsigned char *padbuf, size_t hlen, + unsigned char *buf, int from) { - const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = - mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); -#if defined(MBEDTLS_MD_CAN_SHA384) - if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) { - return tls_prf_sha384; - } else -#endif -#if defined(MBEDTLS_MD_CAN_SHA256) - { - if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) { - return tls_prf_sha256; - } - } -#endif -#if !defined(MBEDTLS_MD_CAN_SHA384) && \ - !defined(MBEDTLS_MD_CAN_SHA256) - (void) ciphersuite_info; + unsigned int len = 12; + const char *sender; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + psa_hash_operation_t *hs_op = ctx; + psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT; + size_t hash_size; +#else + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_context_t *hs_ctx = ctx; + mbedtls_md_context_t cloned_ctx; + mbedtls_md_init(&cloned_ctx); #endif - return NULL; -} -#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ - -static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf) -{ - ((void) tls_prf); -#if defined(MBEDTLS_MD_CAN_SHA384) - if (tls_prf == tls_prf_sha384) { - return MBEDTLS_SSL_TLS_PRF_SHA384; - } else -#endif -#if defined(MBEDTLS_MD_CAN_SHA256) - if (tls_prf == tls_prf_sha256) { - return MBEDTLS_SSL_TLS_PRF_SHA256; - } else -#endif - return MBEDTLS_SSL_TLS_PRF_NONE; -} + mbedtls_ssl_session *session = ssl->session_negotiate; + if (!session) { + session = ssl->session; + } -/* - * Populate a transform structure with session keys and all the other - * necessary information. - * - * Parameters: - * - [in/out]: transform: structure to populate - * [in] must be just initialised with mbedtls_ssl_transform_init() - * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf() - * - [in] ciphersuite - * - [in] master - * - [in] encrypt_then_mac - * - [in] tls_prf: pointer to PRF to use for key derivation - * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random - * - [in] tls_version: TLS version - * - [in] endpoint: client or server - * - [in] ssl: used for: - * - ssl->conf->{f,p}_export_keys - * [in] optionally used for: - * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg - */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, - int ciphersuite, - const unsigned char master[48], -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) - int encrypt_then_mac, -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ - ssl_tls_prf_t tls_prf, - const unsigned char randbytes[64], - mbedtls_ssl_protocol_version tls_version, - unsigned endpoint, - const mbedtls_ssl_context *ssl) -{ - int ret = 0; - unsigned char keyblk[256]; - unsigned char *key1; - unsigned char *key2; - unsigned char *mac_enc; - unsigned char *mac_dec; - size_t mac_key_len = 0; - size_t iv_copy_len; - size_t keylen; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - mbedtls_ssl_mode_t ssl_mode; -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - const mbedtls_cipher_info_t *cipher_info; - const mbedtls_md_info_t *md_info; -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ + sender = (from == MBEDTLS_SSL_IS_CLIENT) + ? "client finished" + : "server finished"; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_type_t key_type; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_algorithm_t alg; - psa_algorithm_t mac_alg = 0; - size_t key_bits; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#endif + MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls")); - /* - * Some data just needs copying into the structure - */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) - transform->encrypt_then_mac = encrypt_then_mac; -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ - transform->tls_version = tls_version; + status = psa_hash_clone(hs_op, &cloned_op); + if (status != PSA_SUCCESS) { + goto exit; + } -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) - memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); -#endif + status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size); + if (status != PSA_SUCCESS) { + goto exit; + } + MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen); +#else + MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls")); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { - /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform - * generation separate. This should never happen. */ - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); + if (ret != 0) { + goto exit; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); + if (ret != 0) { + goto exit; + } + + ret = mbedtls_md_finish(&cloned_ctx, padbuf); + if (ret != 0) { + goto exit; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen); /* - * Get various info structures + * TLSv1.2: + * hash = PRF( master, finished_label, + * Hash( handshake ) )[0.11] */ - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); - if (ciphersuite_info == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found", - ciphersuite)); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + ssl->handshake->tls_prf(session->master, 48, sender, + padbuf, hlen, buf, len); - ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite( -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) - encrypt_then_mac, -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ - ciphersuite_info); + MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); - if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { - transform->taglen = - ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; - } + mbedtls_platform_zeroize(padbuf, hlen); + + MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); +exit: #if defined(MBEDTLS_USE_PSA_CRYPTO) - if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, - transform->taglen, - &alg, - &key_type, - &key_bits)) != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); - goto end; - } + psa_hash_abort(&cloned_op); + return mbedtls_md_error_from_psa(status); #else - cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher); - if (cipher_info == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found", - ciphersuite_info->cipher)); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + mbedtls_md_free(&cloned_ctx); + return ret; #endif /* MBEDTLS_USE_PSA_CRYPTO */ +} +#if defined(MBEDTLS_MD_CAN_SHA256) +static int ssl_calc_finished_tls_sha256( + mbedtls_ssl_context *ssl, unsigned char *buf, int from) +{ + unsigned char padbuf[32]; + return ssl_calc_finished_tls_generic(ssl, #if defined(MBEDTLS_USE_PSA_CRYPTO) - mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); - if (mac_alg == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found", - (unsigned) ciphersuite_info->mac)); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + &ssl->handshake->fin_sha256_psa, #else - md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac); - if (md_info == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found", - (unsigned) ciphersuite_info->mac)); - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + &ssl->handshake->fin_sha256, +#endif + padbuf, sizeof(padbuf), + buf, from); +} +#endif /* MBEDTLS_MD_CAN_SHA256*/ -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - /* Copy own and peer's CID if the use of the CID - * extension has been negotiated. */ - if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform")); - transform->in_cid_len = ssl->own_cid_len; - memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len); - MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid, - transform->in_cid_len); +#if defined(MBEDTLS_MD_CAN_SHA384) +static int ssl_calc_finished_tls_sha384( + mbedtls_ssl_context *ssl, unsigned char *buf, int from) +{ + unsigned char padbuf[48]; + return ssl_calc_finished_tls_generic(ssl, +#if defined(MBEDTLS_USE_PSA_CRYPTO) + &ssl->handshake->fin_sha384_psa, +#else + &ssl->handshake->fin_sha384, +#endif + padbuf, sizeof(padbuf), + buf, from); +} +#endif /* MBEDTLS_MD_CAN_SHA384*/ - transform->out_cid_len = ssl->handshake->peer_cid_len; - memcpy(transform->out_cid, ssl->handshake->peer_cid, - ssl->handshake->peer_cid_len); - MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid, - transform->out_cid_len); - } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl) +{ + MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free")); /* - * Compute key block using the PRF + * Free our handshake params */ - ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); - return ret; + mbedtls_ssl_handshake_free(ssl); + mbedtls_free(ssl->handshake); + ssl->handshake = NULL; + + /* + * Free the previous transform and switch in the current one + */ + if (ssl->transform) { + mbedtls_ssl_transform_free(ssl->transform); + mbedtls_free(ssl->transform); } + ssl->transform = ssl->transform_negotiate; + ssl->transform_negotiate = NULL; - MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s", - mbedtls_ssl_get_ciphersuite_name(ciphersuite))); - MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48); - MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64); - MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256); + MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free")); +} + +void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl) +{ + int resume = ssl->handshake->resume; + + MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); + +#if defined(MBEDTLS_SSL_RENEGOTIATION) + if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { + ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; + ssl->renego_records_seen = 0; + } +#endif /* - * Determine the appropriate key, IV and MAC length. + * Free the previous session and switch in the current one */ - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - keylen = PSA_BITS_TO_BYTES(key_bits); -#else - keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; + if (ssl->session) { +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + /* RFC 7366 3.1: keep the EtM state */ + ssl->session_negotiate->encrypt_then_mac = + ssl->session->encrypt_then_mac; #endif -#if defined(MBEDTLS_SSL_HAVE_AEAD) - if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { - size_t explicit_ivlen; + mbedtls_ssl_session_free(ssl->session); + mbedtls_free(ssl->session); + } + ssl->session = ssl->session_negotiate; + ssl->session_negotiate = NULL; - transform->maclen = 0; - mac_key_len = 0; + /* + * Add cache entry + */ + if (ssl->conf->f_set_cache != NULL && + ssl->session->id_len != 0 && + resume == 0) { + if (ssl->conf->f_set_cache(ssl->conf->p_cache, + ssl->session->id, + ssl->session->id_len, + ssl->session) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session")); + } + } - /* All modes haves 96-bit IVs, but the length of the static parts vary - * with mode and version: - * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes - * (to be concatenated with a dynamically chosen IV of 8 Bytes) - * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's - * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record - * sequence number). - */ - transform->ivlen = 12; +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->handshake->flight != NULL) { + /* Cancel handshake timer */ + mbedtls_ssl_set_timer(ssl, 0); - int is_chachapoly = 0; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20); -#else - is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info) - == MBEDTLS_MODE_CHACHAPOLY); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + /* Keep last flight around in case we need to resend it: + * we need the handshake and transform structures for that */ + MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform")); + } else +#endif + mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl); - if (is_chachapoly) { - transform->fixed_ivlen = 12; - } else { - transform->fixed_ivlen = 4; - } + ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; - /* Minimum length of encrypted record */ - explicit_ivlen = transform->ivlen - transform->fixed_ivlen; - transform->minlen = explicit_ivlen + transform->taglen; - } else -#endif /* MBEDTLS_SSL_HAVE_AEAD */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) - if (ssl_mode == MBEDTLS_SSL_MODE_STREAM || - ssl_mode == MBEDTLS_SSL_MODE_CBC || - ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type); -#else - size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); +} -#if defined(MBEDTLS_USE_PSA_CRYPTO) - /* Get MAC length */ - mac_key_len = PSA_HASH_LENGTH(mac_alg); -#else - /* Initialize HMAC contexts */ - if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 || - (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); - goto end; - } +int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) +{ + int ret; + unsigned int hash_len; - /* Get MAC length */ - mac_key_len = mbedtls_md_get_size(md_info); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - transform->maclen = mac_key_len; + MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished")); - /* IV length */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) - transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg); -#else - transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); - /* Minimum length */ - if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { - transform->minlen = transform->maclen; - } else { - /* - * GenericBlockCipher: - * 1. if EtM is in use: one block plus MAC - * otherwise: * first multiple of blocklen greater than maclen - * 2. IV - */ -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { - transform->minlen = transform->maclen - + block_size; - } else + ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); + } + + /* + * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites + * may define some other value. Currently (early 2016), no defined + * ciphersuite does this (and this is unlikely to change as activity has + * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. + */ + hash_len = 12; + +#if defined(MBEDTLS_SSL_RENEGOTIATION) + ssl->verify_data_len = hash_len; + memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len); #endif - { - transform->minlen = transform->maclen - + block_size - - transform->maclen % block_size; - } - if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { - transform->minlen += transform->ivlen; - } else { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; - goto end; - } + ssl->out_msglen = 4 + hash_len; + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; + + /* + * In case of session resuming, invert the client and server + * ChangeCipherSpec messages order. + */ + if (ssl->handshake->resume != 0) { +#if defined(MBEDTLS_SSL_CLI_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { + ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; } - } else -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; +#endif +#if defined(MBEDTLS_SSL_SRV_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { + ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; + } +#endif + } else { + ssl->state++; } - MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u", - (unsigned) keylen, - (unsigned) transform->minlen, - (unsigned) transform->ivlen, - (unsigned) transform->maclen)); - /* - * Finally setup the cipher contexts, IVs and MAC secrets. + * Switch to our negotiated transform and session parameters for outbound + * data. */ -#if defined(MBEDTLS_SSL_CLI_C) - if (endpoint == MBEDTLS_SSL_IS_CLIENT) { - key1 = keyblk + mac_key_len * 2; - key2 = keyblk + mac_key_len * 2 + keylen; + MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); - mac_enc = keyblk; - mac_dec = keyblk + mac_key_len; +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { + unsigned char i; - iv_copy_len = (transform->fixed_ivlen) ? - transform->fixed_ivlen : transform->ivlen; - memcpy(transform->iv_enc, key2 + keylen, iv_copy_len); - memcpy(transform->iv_dec, key2 + keylen + iv_copy_len, - iv_copy_len); - } else -#endif /* MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_SSL_SRV_C) - if (endpoint == MBEDTLS_SSL_IS_SERVER) { - key1 = keyblk + mac_key_len * 2 + keylen; - key2 = keyblk + mac_key_len * 2; + /* Remember current epoch settings for resending */ + ssl->handshake->alt_transform_out = ssl->transform_out; + memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, + sizeof(ssl->handshake->alt_out_ctr)); - mac_enc = keyblk + mac_key_len; - mac_dec = keyblk; + /* Set sequence_number to zero */ + memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2); - iv_copy_len = (transform->fixed_ivlen) ? - transform->fixed_ivlen : transform->ivlen; - memcpy(transform->iv_dec, key1 + keylen, iv_copy_len); - memcpy(transform->iv_enc, key1 + keylen + iv_copy_len, - iv_copy_len); + + /* Increment epoch */ + for (i = 2; i > 0; i--) { + if (++ssl->cur_out_ctr[i - 1] != 0) { + break; + } + } + + /* The loop goes to its end iff the counter is wrapping */ + if (i == 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap")); + return MBEDTLS_ERR_SSL_COUNTER_WRAPPING; + } } else -#endif /* MBEDTLS_SSL_SRV_C */ - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; - goto end; +#endif /* MBEDTLS_SSL_PROTO_DTLS */ + memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); + + ssl->transform_out = ssl->transform_negotiate; + ssl->session_out = ssl->session_negotiate; + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { + mbedtls_ssl_send_flight_completed(ssl); } +#endif - if (ssl->f_export_keys != NULL) { - ssl->f_export_keys(ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET, - master, 48, - randbytes + 32, - randbytes, - tls_prf_get_type(tls_prf)); + if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + return ret; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - transform->psa_alg = alg; +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); + return ret; + } +#endif - if (alg != MBEDTLS_SSL_NULL_CIPHER) { - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_type(&attributes, key_type); + MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished")); - if ((status = psa_import_key(&attributes, - key1, - PSA_BITS_TO_BYTES(key_bits), - &transform->psa_key_enc)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); - ret = PSA_TO_MBEDTLS_ERR(status); - MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); - goto end; - } + return 0; +} - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); +#define SSL_MAX_HASH_LEN 12 - if ((status = psa_import_key(&attributes, - key2, - PSA_BITS_TO_BYTES(key_bits), - &transform->psa_key_dec)) != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); - goto end; - } - } -#else - if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, - cipher_info)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); - goto end; +int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned int hash_len = 12; + unsigned char buf[SSL_MAX_HASH_LEN]; + + MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); + + ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); } - if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, - cipher_info)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); - goto end; + if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); + goto exit; } - if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1, - (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), - MBEDTLS_ENCRYPT)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); - goto end; + if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); + ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + goto exit; } - if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2, - (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), - MBEDTLS_DECRYPT)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); - goto end; + if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) { + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); + ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + goto exit; } -#if defined(MBEDTLS_CIPHER_MODE_CBC) - if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) { - if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc, - MBEDTLS_PADDING_NONE)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); - goto end; - } - - if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec, - MBEDTLS_PADDING_NONE)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); - goto end; - } + if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); + ret = MBEDTLS_ERR_SSL_DECODE_ERROR; + goto exit; } -#endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) - /* For HMAC-based ciphersuites, initialize the HMAC transforms. - For AEAD-based ciphersuites, there is nothing to do here. */ - if (mac_key_len != 0) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg); + if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), + buf, hash_len) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto exit; + } - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); - psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg)); - psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); +#if defined(MBEDTLS_SSL_RENEGOTIATION) + ssl->verify_data_len = hash_len; + memcpy(ssl->peer_verify_data, buf, hash_len); +#endif - if ((status = psa_import_key(&attributes, - mac_enc, mac_key_len, - &transform->psa_mac_enc)) != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); - goto end; + if (ssl->handshake->resume != 0) { +#if defined(MBEDTLS_SSL_CLI_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { + ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; } - - if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) || - ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING) -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) - && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) #endif - )) { - /* mbedtls_ct_hmac() requires the key to be exportable */ - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT | - PSA_KEY_USAGE_VERIFY_HASH); - } else { - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); +#if defined(MBEDTLS_SSL_SRV_C) + if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { + ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; } +#endif + } else { + ssl->state++; + } - if ((status = psa_import_key(&attributes, - mac_dec, mac_key_len, - &transform->psa_mac_dec)) != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); - goto end; - } -#else - ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len); - if (ret != 0) { - goto end; - } - ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len); - if (ret != 0) { - goto end; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { + mbedtls_ssl_recv_flight_completed(ssl); } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif - ((void) mac_dec); - ((void) mac_enc); + MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished")); -end: - mbedtls_platform_zeroize(keyblk, sizeof(keyblk)); +exit: + mbedtls_platform_zeroize(buf, hash_len); return ret; } -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) -int mbedtls_psa_ecjpake_read_round( - psa_pake_operation_t *pake_ctx, - const unsigned char *buf, - size_t len, mbedtls_ecjpake_rounds_t round) +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) +/* + * Helper to get TLS 1.2 PRF from ciphersuite + * (Duplicates bits of logic from ssl_set_handshake_prfs().) + */ +static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id) { - psa_status_t status; - size_t input_offset = 0; - /* - * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice - * At round two perform a single cycle - */ - unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - - for (; remaining_steps > 0; remaining_steps--) { - for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; - step <= PSA_PAKE_STEP_ZK_PROOF; - ++step) { - /* Length is stored at the first byte */ - size_t length = buf[input_offset]; - input_offset += 1; - - if (input_offset + length > len) { - return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - } - - status = psa_pake_input(pake_ctx, step, - buf + input_offset, length); - if (status != PSA_SUCCESS) { - return PSA_TO_MBEDTLS_ERR(status); - } - - input_offset += length; + const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = + mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); +#if defined(MBEDTLS_MD_CAN_SHA384) + if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) { + return tls_prf_sha384; + } else +#endif +#if defined(MBEDTLS_MD_CAN_SHA256) + { + if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) { + return tls_prf_sha256; } } +#endif +#if !defined(MBEDTLS_MD_CAN_SHA384) && \ + !defined(MBEDTLS_MD_CAN_SHA256) + (void) ciphersuite_info; +#endif - if (input_offset != len) { - return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - } + return NULL; +} +#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ - return 0; +static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf) +{ + ((void) tls_prf); +#if defined(MBEDTLS_MD_CAN_SHA384) + if (tls_prf == tls_prf_sha384) { + return MBEDTLS_SSL_TLS_PRF_SHA384; + } else +#endif +#if defined(MBEDTLS_MD_CAN_SHA256) + if (tls_prf == tls_prf_sha256) { + return MBEDTLS_SSL_TLS_PRF_SHA256; + } else +#endif + return MBEDTLS_SSL_TLS_PRF_NONE; } -int mbedtls_psa_ecjpake_write_round( - psa_pake_operation_t *pake_ctx, - unsigned char *buf, - size_t len, size_t *olen, - mbedtls_ecjpake_rounds_t round) +/* + * Populate a transform structure with session keys and all the other + * necessary information. + * + * Parameters: + * - [in/out]: transform: structure to populate + * [in] must be just initialised with mbedtls_ssl_transform_init() + * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf() + * - [in] ciphersuite + * - [in] master + * - [in] encrypt_then_mac + * - [in] tls_prf: pointer to PRF to use for key derivation + * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random + * - [in] tls_version: TLS version + * - [in] endpoint: client or server + * - [in] ssl: used for: + * - ssl->conf->{f,p}_export_keys + * [in] optionally used for: + * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, + int ciphersuite, + const unsigned char master[48], +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + int encrypt_then_mac, +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + ssl_tls_prf_t tls_prf, + const unsigned char randbytes[64], + mbedtls_ssl_protocol_version tls_version, + unsigned endpoint, + const mbedtls_ssl_context *ssl) { - psa_status_t status; - size_t output_offset = 0; - size_t output_len; + int ret = 0; + unsigned char keyblk[256]; + unsigned char *key1; + unsigned char *key2; + unsigned char *mac_enc; + unsigned char *mac_dec; + size_t mac_key_len = 0; + size_t iv_copy_len; + size_t keylen; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_mode_t ssl_mode; +#if !defined(MBEDTLS_USE_PSA_CRYPTO) + const mbedtls_cipher_info_t *cipher_info; + const mbedtls_md_info_t *md_info; +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_type_t key_type; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_algorithm_t alg; + psa_algorithm_t mac_alg = 0; + size_t key_bits; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; +#endif + /* - * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice - * At round two perform a single cycle + * Some data just needs copying into the structure */ - unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - - for (; remaining_steps > 0; remaining_steps--) { - for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; - step <= PSA_PAKE_STEP_ZK_PROOF; - ++step) { - /* - * For each step, prepend 1 byte with the length of the data as - * given by psa_pake_output(). - */ - status = psa_pake_output(pake_ctx, step, - buf + output_offset + 1, - len - output_offset - 1, - &output_len); - if (status != PSA_SUCCESS) { - return PSA_TO_MBEDTLS_ERR(status); - } +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + transform->encrypt_then_mac = encrypt_then_mac; +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + transform->tls_version = tls_version; - *(buf + output_offset) = (uint8_t) output_len; +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) + memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); +#endif - output_offset += output_len + 1; - } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { + /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform + * generation separate. This should never happen. */ + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - *olen = output_offset; - - return 0; -} -#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO - -#if defined(MBEDTLS_USE_PSA_CRYPTO) -int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, - unsigned char *hash, size_t *hashlen, - unsigned char *data, size_t data_len, - mbedtls_md_type_t md_alg) -{ - psa_status_t status; - psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; - psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg); - - MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange")); - - if ((status = psa_hash_setup(&hash_operation, - hash_alg)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status); - goto exit; + /* + * Get various info structures + */ + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); + if (ciphersuite_info == NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found", + ciphersuite)); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes, - 64)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); - goto exit; - } + ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite( +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + encrypt_then_mac, +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + ciphersuite_info); - if ((status = psa_hash_update(&hash_operation, - data, data_len)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); - goto exit; + if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { + transform->taglen = + ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; } - if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE, - hashlen)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status); - goto exit; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, + transform->taglen, + &alg, + &key_type, + &key_bits)) != PSA_SUCCESS) { + ret = PSA_TO_MBEDTLS_ERR(status); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); + goto end; } - -exit: - if (status != PSA_SUCCESS) { - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - switch (status) { - case PSA_ERROR_NOT_SUPPORTED: - return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE; - case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */ - case PSA_ERROR_BUFFER_TOO_SMALL: - return MBEDTLS_ERR_MD_BAD_INPUT_DATA; - case PSA_ERROR_INSUFFICIENT_MEMORY: - return MBEDTLS_ERR_MD_ALLOC_FAILED; - default: - return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; - } +#else + cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher); + if (cipher_info == NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found", + ciphersuite_info->cipher)); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - return 0; -} +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); + if (mac_alg == 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found", + (unsigned) ciphersuite_info->mac)); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } #else + md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac); + if (md_info == NULL) { + MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found", + (unsigned) ciphersuite_info->mac)); + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ -int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, - unsigned char *hash, size_t *hashlen, - unsigned char *data, size_t data_len, - mbedtls_md_type_t md_alg) -{ - int ret = 0; - mbedtls_md_context_t ctx; - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg); - *hashlen = mbedtls_md_get_size(md_info); +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + /* Copy own and peer's CID if the use of the CID + * extension has been negotiated. */ + if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) { + MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform")); - MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange")); + transform->in_cid_len = ssl->own_cid_len; + memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len); + MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid, + transform->in_cid_len); - mbedtls_md_init(&ctx); + transform->out_cid_len = ssl->handshake->peer_cid_len; + memcpy(transform->out_cid, ssl->handshake->peer_cid, + ssl->handshake->peer_cid_len); + MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid, + transform->out_cid_len); + } +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ /* - * digitally-signed struct { - * opaque client_random[32]; - * opaque server_random[32]; - * ServerDHParams params; - * }; + * Compute key block using the PRF */ - if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); - goto exit; - } - if ((ret = mbedtls_md_starts(&ctx)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret); - goto exit; - } - if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); - goto exit; - } - if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); - goto exit; - } - if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); - goto exit; + ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); + return ret; } -exit: - mbedtls_md_free(&ctx); + MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s", + mbedtls_ssl_get_ciphersuite_name(ciphersuite))); + MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48); + MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64); + MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256); - if (ret != 0) { - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - } + /* + * Determine the appropriate key, IV and MAC length. + */ - return ret; -} -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + keylen = PSA_BITS_TO_BYTES(key_bits); +#else + keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; +#endif -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HAVE_AEAD) + if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { + size_t explicit_ivlen; -/* Find the preferred hash for a given signature algorithm. */ -unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( - mbedtls_ssl_context *ssl, - unsigned int sig_alg) -{ - unsigned int i; - uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; + transform->maclen = 0; + mac_key_len = 0; - if (sig_alg == MBEDTLS_SSL_SIG_ANON) { - return MBEDTLS_SSL_HASH_NONE; - } + /* All modes haves 96-bit IVs, but the length of the static parts vary + * with mode and version: + * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes + * (to be concatenated with a dynamically chosen IV of 8 Bytes) + * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's + * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record + * sequence number). + */ + transform->ivlen = 12; - for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { - unsigned int hash_alg_received = - MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG( - received_sig_algs[i]); - unsigned int sig_alg_received = - MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG( - received_sig_algs[i]); + int is_chachapoly = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20); +#else + is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info) + == MBEDTLS_MODE_CHACHAPOLY); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ - mbedtls_md_type_t md_alg = - mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received); - if (md_alg == MBEDTLS_MD_NONE) { - continue; + if (is_chachapoly) { + transform->fixed_ivlen = 12; + } else { + transform->fixed_ivlen = 4; } - if (sig_alg == sig_alg_received) { + /* Minimum length of encrypted record */ + explicit_ivlen = transform->ivlen - transform->fixed_ivlen; + transform->minlen = explicit_ivlen + transform->taglen; + } else +#endif /* MBEDTLS_SSL_HAVE_AEAD */ +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) + if (ssl_mode == MBEDTLS_SSL_MODE_STREAM || + ssl_mode == MBEDTLS_SSL_MODE_CBC || + ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) { - psa_algorithm_t psa_hash_alg = - mbedtls_md_psa_alg_from_type(md_alg); - - if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA && - !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, - PSA_ALG_ECDSA(psa_hash_alg), - PSA_KEY_USAGE_SIGN_HASH)) { - continue; - } - - if (sig_alg_received == MBEDTLS_SSL_SIG_RSA && - !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, - PSA_ALG_RSA_PKCS1V15_SIGN( - psa_hash_alg), - PSA_KEY_USAGE_SIGN_HASH)) { - continue; - } - } + size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type); +#else + size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info); #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return hash_alg_received; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + /* Get MAC length */ + mac_key_len = PSA_HASH_LENGTH(mac_alg); +#else + /* Initialize HMAC contexts */ + if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 || + (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); + goto end; } - } - return MBEDTLS_SSL_HASH_NONE; -} - -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + /* Get MAC length */ + mac_key_len = mbedtls_md_get_size(md_info); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + transform->maclen = mac_key_len; -/* Serialization of TLS 1.2 sessions: - * - * struct { - * opaque ticket<0..2^24-1>; // length 0 means no ticket - * uint32 ticket_lifetime; - * } ClientOnlyData; - * - * struct { - * uint64 start_time; - * uint8 session_id_len; // at most 32 - * opaque session_id[32]; - * opaque master[48]; // fixed length in the standard - * uint32 verify_result; - * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert - * select (endpoint) { - * case client: ClientOnlyData; - * case server: uint64 ticket_creation_time; - * }; - * uint8 mfl_code; // up to 255 according to standard - * uint8 encrypt_then_mac; // 0 or 1 - * } serialized_session_tls12; - */ -static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, - unsigned char *buf, - size_t buf_len) -{ - unsigned char *p = buf; - size_t used = 0; + /* IV length */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg); +#else + transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_HAVE_TIME) - uint64_t start; + /* Minimum length */ + if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { + transform->minlen = transform->maclen; + } else { + /* + * GenericBlockCipher: + * 1. if EtM is in use: one block plus MAC + * otherwise: * first multiple of blocklen greater than maclen + * 2. IV + */ +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { + transform->minlen = transform->maclen + + block_size; + } else #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - size_t cert_len; -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ - - /* - * Time - */ -#if defined(MBEDTLS_HAVE_TIME) - used += 8; - - if (used <= buf_len) { - start = (uint64_t) session->start; + { + transform->minlen = transform->maclen + + block_size + - transform->maclen % block_size; + } - MBEDTLS_PUT_UINT64_BE(start, p, 0); - p += 8; + if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { + transform->minlen += transform->ivlen; + } else { + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto end; + } + } + } else +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ + { + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } -#endif /* MBEDTLS_HAVE_TIME */ + + MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u", + (unsigned) keylen, + (unsigned) transform->minlen, + (unsigned) transform->ivlen, + (unsigned) transform->maclen)); /* - * Basic mandatory fields + * Finally setup the cipher contexts, IVs and MAC secrets. */ - used += 1 /* id_len */ - + sizeof(session->id) - + sizeof(session->master) - + 4; /* verify_result */ +#if defined(MBEDTLS_SSL_CLI_C) + if (endpoint == MBEDTLS_SSL_IS_CLIENT) { + key1 = keyblk + mac_key_len * 2; + key2 = keyblk + mac_key_len * 2 + keylen; - if (used <= buf_len) { - *p++ = MBEDTLS_BYTE_0(session->id_len); - memcpy(p, session->id, 32); - p += 32; + mac_enc = keyblk; + mac_dec = keyblk + mac_key_len; - memcpy(p, session->master, 48); - p += 48; + iv_copy_len = (transform->fixed_ivlen) ? + transform->fixed_ivlen : transform->ivlen; + memcpy(transform->iv_enc, key2 + keylen, iv_copy_len); + memcpy(transform->iv_dec, key2 + keylen + iv_copy_len, + iv_copy_len); + } else +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_SRV_C) + if (endpoint == MBEDTLS_SSL_IS_SERVER) { + key1 = keyblk + mac_key_len * 2 + keylen; + key2 = keyblk + mac_key_len * 2; - MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0); - p += 4; - } + mac_enc = keyblk + mac_key_len; + mac_dec = keyblk; - /* - * Peer's end-entity certificate - */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - if (session->peer_cert == NULL) { - cert_len = 0; - } else { - cert_len = session->peer_cert->raw.len; + iv_copy_len = (transform->fixed_ivlen) ? + transform->fixed_ivlen : transform->ivlen; + memcpy(transform->iv_dec, key1 + keylen, iv_copy_len); + memcpy(transform->iv_enc, key1 + keylen + iv_copy_len, + iv_copy_len); + } else +#endif /* MBEDTLS_SSL_SRV_C */ + { + MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto end; } - used += 3 + cert_len; - - if (used <= buf_len) { - *p++ = MBEDTLS_BYTE_2(cert_len); - *p++ = MBEDTLS_BYTE_1(cert_len); - *p++ = MBEDTLS_BYTE_0(cert_len); - - if (session->peer_cert != NULL) { - memcpy(p, session->peer_cert->raw.p, cert_len); - p += cert_len; - } - } -#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - if (session->peer_cert_digest != NULL) { - used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len; - if (used <= buf_len) { - *p++ = (unsigned char) session->peer_cert_digest_type; - *p++ = (unsigned char) session->peer_cert_digest_len; - memcpy(p, session->peer_cert_digest, - session->peer_cert_digest_len); - p += session->peer_cert_digest_len; - } - } else { - used += 2; - if (used <= buf_len) { - *p++ = (unsigned char) MBEDTLS_MD_NONE; - *p++ = 0; - } + if (ssl->f_export_keys != NULL) { + ssl->f_export_keys(ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET, + master, 48, + randbytes + 32, + randbytes, + tls_prf_get_type(tls_prf)); } -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ - /* - * Session ticket if any, plus associated data - */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -#if defined(MBEDTLS_SSL_CLI_C) - if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { - used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + transform->psa_alg = alg; + + if (alg != MBEDTLS_SSL_NULL_CIPHER) { + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); - if (used <= buf_len) { - *p++ = MBEDTLS_BYTE_2(session->ticket_len); - *p++ = MBEDTLS_BYTE_1(session->ticket_len); - *p++ = MBEDTLS_BYTE_0(session->ticket_len); + if ((status = psa_import_key(&attributes, + key1, + PSA_BITS_TO_BYTES(key_bits), + &transform->psa_key_enc)) != PSA_SUCCESS) { + MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); + ret = PSA_TO_MBEDTLS_ERR(status); + MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); + goto end; + } - if (session->ticket != NULL) { - memcpy(p, session->ticket, session->ticket_len); - p += session->ticket_len; - } + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); - MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); - p += 4; + if ((status = psa_import_key(&attributes, + key2, + PSA_BITS_TO_BYTES(key_bits), + &transform->psa_key_dec)) != PSA_SUCCESS) { + ret = PSA_TO_MBEDTLS_ERR(status); + MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); + goto end; } } -#endif /* MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - used += 8; +#else + if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, + cipher_info)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); + goto end; + } - if (used <= buf_len) { - MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); - p += 8; - } + if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, + cipher_info)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); + goto end; } -#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - /* - * Misc extension-related info - */ -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - used += 1; + if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1, + (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), + MBEDTLS_ENCRYPT)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); + goto end; + } - if (used <= buf_len) { - *p++ = session->mfl_code; + if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2, + (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), + MBEDTLS_DECRYPT)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); + goto end; } -#endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - used += 1; +#if defined(MBEDTLS_CIPHER_MODE_CBC) + if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) { + if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc, + MBEDTLS_PADDING_NONE)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); + goto end; + } - if (used <= buf_len) { - *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac); + if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec, + MBEDTLS_PADDING_NONE)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); + goto end; + } } -#endif +#endif /* MBEDTLS_CIPHER_MODE_CBC */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ - return used; -} +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) + /* For HMAC-based ciphersuites, initialize the HMAC transforms. + For AEAD-based ciphersuites, there is nothing to do here. */ + if (mac_key_len != 0) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg); -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls12_session_load(mbedtls_ssl_session *session, - const unsigned char *buf, - size_t len) -{ -#if defined(MBEDTLS_HAVE_TIME) - uint64_t start; -#endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - size_t cert_len; -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); + psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg)); + psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); - const unsigned char *p = buf; - const unsigned char * const end = buf + len; + if ((status = psa_import_key(&attributes, + mac_enc, mac_key_len, + &transform->psa_mac_enc)) != PSA_SUCCESS) { + ret = PSA_TO_MBEDTLS_ERR(status); + MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); + goto end; + } - /* - * Time - */ -#if defined(MBEDTLS_HAVE_TIME) - if (8 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) || + ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) +#endif + )) { + /* mbedtls_ct_hmac() requires the key to be exportable */ + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT | + PSA_KEY_USAGE_VERIFY_HASH); + } else { + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); + } + + if ((status = psa_import_key(&attributes, + mac_dec, mac_key_len, + &transform->psa_mac_dec)) != PSA_SUCCESS) { + ret = PSA_TO_MBEDTLS_ERR(status); + MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); + goto end; + } +#else + ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len); + if (ret != 0) { + goto end; + } + ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len); + if (ret != 0) { + goto end; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ - start = MBEDTLS_GET_UINT64_BE(p, 0); - p += 8; + ((void) mac_dec); + ((void) mac_enc); - session->start = (time_t) start; -#endif /* MBEDTLS_HAVE_TIME */ +end: + mbedtls_platform_zeroize(keyblk, sizeof(keyblk)); + return ret; +} +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_psa_ecjpake_read_round( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, mbedtls_ecjpake_rounds_t round) +{ + psa_status_t status; + size_t input_offset = 0; /* - * Basic mandatory fields + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle */ - if (1 + 32 + 48 + 4 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - session->id_len = *p++; - memcpy(session->id, p, 32); - p += 32; + for (; remaining_steps > 0; remaining_steps--) { + for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step) { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; - memcpy(session->master, p, 48); - p += 48; + if (input_offset + length > len) { + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + } - session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; + status = psa_pake_input(pake_ctx, step, + buf + input_offset, length); + if (status != PSA_SUCCESS) { + return PSA_TO_MBEDTLS_ERR(status); + } - /* Immediately clear invalid pointer values that have been read, in case - * we exit early before we replaced them with valid ones. */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - session->peer_cert = NULL; -#else - session->peer_cert_digest = NULL; -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) - session->ticket = NULL; -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ + input_offset += length; + } + } + + if (input_offset != len) { + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + } + + return 0; +} +int mbedtls_psa_ecjpake_write_round( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; /* - * Peer certificate + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - /* Deserialize CRT from the end of the ticket. */ - if (3 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - cert_len = MBEDTLS_GET_UINT24_BE(p, 0); - p += 3; + for (; remaining_steps > 0; remaining_steps--) { + for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step) { + /* + * For each step, prepend 1 byte with the length of the data as + * given by psa_pake_output(). + */ + status = psa_pake_output(pake_ctx, step, + buf + output_offset + 1, + len - output_offset - 1, + &output_len); + if (status != PSA_SUCCESS) { + return PSA_TO_MBEDTLS_ERR(status); + } - if (cert_len != 0) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + *(buf + output_offset) = (uint8_t) output_len; - if (cert_len > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + output_offset += output_len + 1; } + } - session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); + *olen = output_offset; - if (session->peer_cert == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } + return 0; +} +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO - mbedtls_x509_crt_init(session->peer_cert); +#if defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, + unsigned char *hash, size_t *hashlen, + unsigned char *data, size_t data_len, + mbedtls_md_type_t md_alg) +{ + psa_status_t status; + psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; + psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg); - if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert, - p, cert_len)) != 0) { - mbedtls_x509_crt_free(session->peer_cert); - mbedtls_free(session->peer_cert); - session->peer_cert = NULL; - return ret; - } + MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange")); - p += cert_len; + if ((status = psa_hash_setup(&hash_operation, + hash_alg)) != PSA_SUCCESS) { + MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status); + goto exit; } -#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - /* Deserialize CRT digest from the end of the ticket. */ - if (2 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + + if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes, + 64)) != PSA_SUCCESS) { + MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); + goto exit; } - session->peer_cert_digest_type = (mbedtls_md_type_t) *p++; - session->peer_cert_digest_len = (size_t) *p++; + if ((status = psa_hash_update(&hash_operation, + data, data_len)) != PSA_SUCCESS) { + MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); + goto exit; + } - if (session->peer_cert_digest_len != 0) { - const mbedtls_md_info_t *md_info = - mbedtls_md_info_from_type(session->peer_cert_digest_type); - if (md_info == NULL) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE, + hashlen)) != PSA_SUCCESS) { + MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status); + goto exit; + } - if (session->peer_cert_digest_len > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; +exit: + if (status != PSA_SUCCESS) { + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); + switch (status) { + case PSA_ERROR_NOT_SUPPORTED: + return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE; + case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */ + case PSA_ERROR_BUFFER_TOO_SMALL: + return MBEDTLS_ERR_MD_BAD_INPUT_DATA; + case PSA_ERROR_INSUFFICIENT_MEMORY: + return MBEDTLS_ERR_MD_ALLOC_FAILED; + default: + return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; } + } + return 0; +} - session->peer_cert_digest = - mbedtls_calloc(1, session->peer_cert_digest_len); - if (session->peer_cert_digest == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } +#else - memcpy(session->peer_cert_digest, p, - session->peer_cert_digest_len); - p += session->peer_cert_digest_len; - } -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, + unsigned char *hash, size_t *hashlen, + unsigned char *data, size_t data_len, + mbedtls_md_type_t md_alg) +{ + int ret = 0; + mbedtls_md_context_t ctx; + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg); + *hashlen = mbedtls_md_get_size(md_info); + + MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange")); + + mbedtls_md_init(&ctx); /* - * Session ticket and associated data + * digitally-signed struct { + * opaque client_random[32]; + * opaque server_random[32]; + * ServerDHParams params; + * }; */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -#if defined(MBEDTLS_SSL_CLI_C) - if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { - if (3 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); + goto exit; + } + if ((ret = mbedtls_md_starts(&ctx)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret); + goto exit; + } + if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); + goto exit; + } + if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); + goto exit; + } + if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); + goto exit; + } - session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0); - p += 3; +exit: + mbedtls_md_free(&ctx); - if (session->ticket_len != 0) { - if (session->ticket_len > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + if (ret != 0) { + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); + } - session->ticket = mbedtls_calloc(1, session->ticket_len); - if (session->ticket == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } + return ret; +} +#endif /* MBEDTLS_USE_PSA_CRYPTO */ - memcpy(session->ticket, p, session->ticket_len); - p += session->ticket_len; - } +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - if (4 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } +/* Find the preferred hash for a given signature algorithm. */ +unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( + mbedtls_ssl_context *ssl, + unsigned int sig_alg) +{ + unsigned int i; + uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; - session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; - } -#endif /* MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - if (8 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); - p += 8; + if (sig_alg == MBEDTLS_SSL_SIG_ANON) { + return MBEDTLS_SSL_HASH_NONE; } -#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - /* - * Misc extension-related info - */ -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if (1 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { + unsigned int hash_alg_received = + MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG( + received_sig_algs[i]); + unsigned int sig_alg_received = + MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG( + received_sig_algs[i]); - session->mfl_code = *p++; -#endif + mbedtls_md_type_t md_alg = + mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received); + if (md_alg == MBEDTLS_MD_NONE) { + continue; + } -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - if (1 > (size_t) (end - p)) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } + if (sig_alg == sig_alg_received) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) { + psa_algorithm_t psa_hash_alg = + mbedtls_md_psa_alg_from_type(md_alg); - session->encrypt_then_mac = *p++; -#endif + if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA && + !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, + PSA_ALG_ECDSA(psa_hash_alg), + PSA_KEY_USAGE_SIGN_HASH)) { + continue; + } - /* Done, should have consumed entire buffer */ - if (p != end) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + if (sig_alg_received == MBEDTLS_SSL_SIG_RSA && + !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, + PSA_ALG_RSA_PKCS1V15_SIGN( + psa_hash_alg), + PSA_KEY_USAGE_SIGN_HASH)) { + continue; + } + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + return hash_alg_received; + } } - return 0; + return MBEDTLS_SSL_HASH_NONE; } + +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ int mbedtls_ssl_validate_ciphersuite( -- cgit v1.1 From 80a9668762de6a3486b8addd334ca565f2a61712 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 29 Feb 2024 17:10:57 +0000 Subject: Add config guards to session struct comments This shows which fields of the session are dependent on which config options. Signed-off-by: David Horstmann --- library/ssl_tls.c | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 870f7d9..699de40 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3363,23 +3363,35 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, /* Serialization of TLS 1.2 sessions: * * struct { - * opaque ticket<0..2^24-1>; // length 0 means no ticket - * uint32 ticket_lifetime; + * #if defined(MBEDTLS_SSL_SESSION_TICKETS) + * opaque ticket<0..2^24-1>; // length 0 means no ticket + * uint32 ticket_lifetime; + * #endif * } ClientOnlyData; * * struct { - * uint64 start_time; + * #if defined(MBEDTLS_HAVE_TIME) + * uint64 start_time; + * #endif * uint8 session_id_len; // at most 32 * opaque session_id[32]; * opaque master[48]; // fixed length in the standard * uint32 verify_result; - * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert + * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert + * #else + * opaque peer_cert_digest<0..2^8-1> + * #endif * select (endpoint) { * case client: ClientOnlyData; * case server: uint64 ticket_creation_time; * }; - * uint8 mfl_code; // up to 255 according to standard - * uint8 encrypt_then_mac; // 0 or 1 + * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + * uint8 mfl_code; // up to 255 according to standard + * #endif + * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + * uint8 encrypt_then_mac; // 0 or 1 + * #endif * } serialized_session_tls12; */ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, @@ -3746,8 +3758,12 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, /* Serialization of TLS 1.3 sessions: * * struct { + * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) * opaque hostname<0..2^16-1>; + * #endif + * #if defined(MBEDTLS_HAVE_TIME) * uint64 ticket_reception_time; + * #endif * uint32 ticket_lifetime; * opaque ticket<1..2^16-1>; * } ClientOnlyData; @@ -3756,11 +3772,17 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, * uint32 ticket_age_add; * uint8 ticket_flags; * opaque resumption_key<0..255>; + * #if defined(MBEDTLS_SSL_EARLY_DATA) * uint32 max_early_data_size; + * #endif + * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) * uint16 record_size_limit; + * #endif * select ( endpoint ) { * case client: ClientOnlyData; + * #if defined(MBEDTLS_HAVE_TIME) * case server: uint64 ticket_creation_time; + * #endif * }; * } serialized_session_tls13; * -- cgit v1.1 From cb01b361e1f67cfa636615abd47f5946cc2df49d Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 29 Feb 2024 17:31:46 +0000 Subject: Move session descriptions into a single comment Describe the TLS 1.2, TLS 1.3 and full session structs in the same place for ease of reference. Signed-off-by: David Horstmann --- library/ssl_tls.c | 137 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 75 insertions(+), 62 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 699de40..c56df86 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3360,39 +3360,11 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_CLI_C */ -/* Serialization of TLS 1.2 sessions: - * - * struct { - * #if defined(MBEDTLS_SSL_SESSION_TICKETS) - * opaque ticket<0..2^24-1>; // length 0 means no ticket - * uint32 ticket_lifetime; - * #endif - * } ClientOnlyData; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + +/* Serialization of TLS 1.2 sessions * - * struct { - * #if defined(MBEDTLS_HAVE_TIME) - * uint64 start_time; - * #endif - * uint8 session_id_len; // at most 32 - * opaque session_id[32]; - * opaque master[48]; // fixed length in the standard - * uint32 verify_result; - * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE - * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert - * #else - * opaque peer_cert_digest<0..2^8-1> - * #endif - * select (endpoint) { - * case client: ClientOnlyData; - * case server: uint64 ticket_creation_time; - * }; - * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - * uint8 mfl_code; // up to 255 according to standard - * #endif - * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - * uint8 encrypt_then_mac; // 0 or 1 - * #endif - * } serialized_session_tls12; + * For more detail, see the description of ssl_session_save(). */ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, unsigned char *buf, @@ -3757,35 +3729,7 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Serialization of TLS 1.3 sessions: * - * struct { - * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - * opaque hostname<0..2^16-1>; - * #endif - * #if defined(MBEDTLS_HAVE_TIME) - * uint64 ticket_reception_time; - * #endif - * uint32 ticket_lifetime; - * opaque ticket<1..2^16-1>; - * } ClientOnlyData; - * - * struct { - * uint32 ticket_age_add; - * uint8 ticket_flags; - * opaque resumption_key<0..255>; - * #if defined(MBEDTLS_SSL_EARLY_DATA) - * uint32 max_early_data_size; - * #endif - * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) - * uint16 record_size_limit; - * #endif - * select ( endpoint ) { - * case client: ClientOnlyData; - * #if defined(MBEDTLS_HAVE_TIME) - * case server: uint64 ticket_creation_time; - * #endif - * }; - * } serialized_session_tls13; - * + * For more detail, see the description of ssl_session_save(). */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL @@ -4149,7 +4093,76 @@ static const unsigned char ssl_serialized_session_header[] = { * Serialize a session in the following format: * (in the presentation language of TLS, RFC 8446 section 3) * - * struct { + * TLS 1.2 session: + * + * struct { + * #if defined(MBEDTLS_SSL_SESSION_TICKETS) + * opaque ticket<0..2^24-1>; // length 0 means no ticket + * uint32 ticket_lifetime; + * #endif + * } ClientOnlyData; + * + * struct { + * #if defined(MBEDTLS_HAVE_TIME) + * uint64 start_time; + * #endif + * uint8 session_id_len; // at most 32 + * opaque session_id[32]; + * opaque master[48]; // fixed length in the standard + * uint32 verify_result; + * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert + * #else + * opaque peer_cert_digest<0..2^8-1> + * #endif + * select (endpoint) { + * case client: ClientOnlyData; + * case server: uint64 ticket_creation_time; + * }; + * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + * uint8 mfl_code; // up to 255 according to standard + * #endif + * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + * uint8 encrypt_then_mac; // 0 or 1 + * #endif + * } serialized_session_tls12; + * + * + * TLS 1.3 Session: + * + * struct { + * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + * opaque hostname<0..2^16-1>; + * #endif + * #if defined(MBEDTLS_HAVE_TIME) + * uint64 ticket_reception_time; + * #endif + * uint32 ticket_lifetime; + * opaque ticket<1..2^16-1>; + * } ClientOnlyData; + * + * struct { + * uint32 ticket_age_add; + * uint8 ticket_flags; + * opaque resumption_key<0..255>; + * #if defined(MBEDTLS_SSL_EARLY_DATA) + * uint32 max_early_data_size; + * #endif + * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) + * uint16 record_size_limit; + * #endif + * select ( endpoint ) { + * case client: ClientOnlyData; + * #if defined(MBEDTLS_HAVE_TIME) + * case server: uint64 ticket_creation_time; + * #endif + * }; + * } serialized_session_tls13; + * + * + * SSL session: + * + * struct { * * opaque mbedtls_version[3]; // library version: major, minor, patch * opaque session_format[2]; // library-version specific 16-bit field -- cgit v1.1 From 531aca28103063dc75066346ee2a1e2bc2272218 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 29 Feb 2024 18:14:28 +0000 Subject: Fix missing fields in ssl session struct comment The endpoint and version were factorized out into the main session. Update the session struct comment to reflect these new fields, as was previously missed. Signed-off-by: David Horstmann --- library/ssl_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c56df86..42bf670 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4180,6 +4180,8 @@ static const unsigned char ssl_serialized_session_header[] = { * uint8_t minor_ver; // Protocol minor version. Possible values: * // - TLS 1.2 (0x0303) * // - TLS 1.3 (0x0304) + * uint8_t endpoint; + * uint16_t ciphersuite; * * select (serialized_session.tls_version) { * -- cgit v1.1 From 79aaaa46e9390d7752d2f76e941d69ec85c13441 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 29 Feb 2024 18:41:36 +0000 Subject: Fix formatting Signed-off-by: Dave Rodgman --- tests/scripts/quiet/make | 1 + tests/scripts/quiet/quiet.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make index b232316..d022551 100755 --- a/tests/scripts/quiet/make +++ b/tests/scripts/quiet/make @@ -8,6 +8,7 @@ # If you are debugging a build / CI issue, you can get complete unsilenced logs # by un-commenting the following line (or setting VERBOSE_LOGS in your environment): + # export VERBOSE_LOGS=1 # don't silence invocations containing these arguments diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh index 01ef422..30ee569 100755 --- a/tests/scripts/quiet/quiet.sh +++ b/tests/scripts/quiet/quiet.sh @@ -8,6 +8,7 @@ # If you are debugging a build / CI issue, you can get complete unsilenced logs # by un-commenting the following line (or setting VERBOSE_LOGS in your environment): +# # VERBOSE_LOGS=1 # # This script provides most of the functionality for the adjacent make and cmake -- cgit v1.1 From 5d3036e6d5f8269cb7c77b23128ff3be289e0d72 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 23 Feb 2024 07:43:45 +0100 Subject: tests: ssl: Add max_early_data_size option Signed-off-by: Ronald Cron --- tests/include/test/ssl_helpers.h | 1 + tests/src/test_helpers/ssl_helpers.c | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 5b071f7..71259d6 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -114,6 +114,7 @@ typedef struct mbedtls_test_handshake_test_options { void (*cli_log_fun)(void *, int, const char *, int, const char *); int resize_buffers; int early_data; + int max_early_data_size; #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_context *cache; #endif diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 7a28bd8..bf29b47 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -68,6 +68,7 @@ void mbedtls_test_init_handshake_options( opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION; opts->resize_buffers = 1; opts->early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + opts->max_early_data_size = -1; #if defined(MBEDTLS_SSL_CACHE_C) TEST_CALLOC(opts->cache, 1); mbedtls_ssl_cache_init(opts->cache); @@ -815,6 +816,13 @@ int mbedtls_test_ssl_endpoint_init( #if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_conf_early_data(&(ep->conf), options->early_data); +#if defined(MBEDTLS_SSL_SRV_C) + if (endpoint_type == MBEDTLS_SSL_IS_SERVER && + (options->max_early_data_size >= 0)) { + mbedtls_ssl_conf_max_early_data_size(&(ep->conf), + options->max_early_data_size); + } +#endif #endif #if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SRV_C) -- cgit v1.1 From 26a9811027cef5a8e87d033f56454a8dfe934d7c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 23 Feb 2024 08:23:40 +0100 Subject: ssl: Add early_data_count field Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 5 ++++- library/ssl_tls.c | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 78395d2..15bd6fd 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1859,7 +1859,8 @@ struct mbedtls_ssl_context { * within a single datagram. */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_EARLY_DATA) +#if defined(MBEDTLS_SSL_SRV_C) /* * One of: * MBEDTLS_SSL_EARLY_DATA_NO_DISCARD @@ -1868,6 +1869,8 @@ struct mbedtls_ssl_context { */ uint8_t MBEDTLS_PRIVATE(discard_early_data_record); #endif + uint32_t MBEDTLS_PRIVATE(early_data_count); /*!< Number of received/written early data bytes */ +#endif /* MBEDTLS_SSL_EARLY_DATA */ /* * Record layer (outgoing data) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5b0a4b9..ee72179 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1105,6 +1105,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_SRV_C) ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; #endif + ssl->early_data_count = 0; #endif /* MBEDTLS_SSL_EARLY_DATA */ /* Initialize structures */ -- cgit v1.1 From c2865197478cddf22572c774481fb90db2c2f461 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 7 Feb 2024 14:01:03 +0100 Subject: tls13: srv: Do not forget to include max_early_data_size in the ticket Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3a968aa..2391915 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -3141,6 +3141,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, ssl->conf->max_early_data_size > 0) { mbedtls_ssl_tls13_session_set_ticket_flags( session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); + session->max_early_data_size = ssl->conf->max_early_data_size; } #endif /* MBEDTLS_SSL_EARLY_DATA */ -- cgit v1.1 From 85718043820d3dd9bd8922e269332430278b820c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 22 Feb 2024 10:22:09 +0100 Subject: tls13: srv: Enforce maximum size of early data Signed-off-by: Ronald Cron --- library/ssl_misc.h | 3 +++ library/ssl_tls13_generic.c | 41 +++++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_server.c | 13 +++++-------- 3 files changed, 49 insertions(+), 8 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d8844fc..883b988 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2150,6 +2150,9 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, size_t *out_len); + +int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, + size_t early_data_len); #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index bc73704..a3b4d35 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1454,6 +1454,47 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, return 0; } + +#if defined(MBEDTLS_SSL_SRV_C) +int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, + size_t early_data_len) +{ + uint32_t uint32_early_data_len = (uint32_t) early_data_len; + + /* + * This function should be called only while an handshake is in progress + * and thus a session under negotiation. Add a sanity check to detect a + * misuse. + */ + if (ssl->session_negotiate == NULL) { + return MBEDTLS_ERR_SSL_INTERNAL_ERROR; + } + + /* RFC 8446 section 4.6.1 + * + * A server receiving more than max_early_data_size bytes of 0-RTT data + * SHOULD terminate the connection with an "unexpected_message" alert. + */ + if (uint32_early_data_len > + (ssl->session_negotiate->max_early_data_size - + ssl->early_data_count)) { + + MBEDTLS_SSL_DEBUG_MSG( + 2, ("EarlyData: Too many early data received, %u > %u", + ssl->early_data_count + uint32_early_data_len, + ssl->session_negotiate->max_early_data_size)); + + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, + MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); + return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + } + + ssl->early_data_count += uint32_early_data_len; + + return 0; +} +#endif /* MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_EARLY_DATA */ /* Reset SSL context and update hash for handling HRR. diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 2391915..449fa38 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2913,17 +2913,14 @@ static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) } if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data")); - /* RFC 8446 section 4.6.1 - * - * A server receiving more than max_early_data_size bytes of 0-RTT data - * SHOULD terminate the connection with an "unexpected_message" alert. - * - * TODO: Add received data size check here. - */ if (ssl->in_offt == NULL) { + MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data")); /* Set the reading pointer */ ssl->in_offt = ssl->in_msg; + ret = mbedtls_ssl_tls13_check_early_data_len(ssl, ssl->in_msglen); + if (ret != 0) { + return ret; + } } return SSL_GOT_EARLY_DATA; } -- cgit v1.1 From 2160bfe4e23af0c290c23a0c7d83637fb7adb658 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 7 Feb 2024 08:04:07 +0100 Subject: tests: ssl: Test enforcement of maximum early data size Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 9 ++ tests/suites/test_suite_ssl.function | 163 +++++++++++++++++++++++++++++++++++ 2 files changed, 172 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 385682a..1f70538 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3309,3 +3309,12 @@ tls13_write_early_data:TEST_EARLY_DATA_SERVER_REJECTS TLS 1.3 write early data, hello retry request tls13_write_early_data:TEST_EARLY_DATA_HRR + +TLS 1.3 srv, max early data size, default +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1 + +TLS 1.3 srv, max early data size, max=3 (small but !0) +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3 + +TLS 1.3 srv, max early data size, max=97 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d327828..1408361 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4448,3 +4448,166 @@ exit: PSA_DONE(); } /* END_CASE */ + +/* + * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is + * a temporary workaround to not run the test in Windows-2013 where there is + * an issue with mbedtls_vsnprintf(). + */ +/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ +void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) +{ + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options client_options; + mbedtls_test_handshake_test_options server_options; + mbedtls_ssl_session saved_session; + mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; + char pattern[128]; + unsigned char buf_write[64]; + size_t early_data_len = sizeof(buf_write); + uint32_t written_early_data_size = 0; + int write_early_data_flag = 1; + uint32_t max_early_data_size; + + mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); + mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); + mbedtls_test_init_handshake_options(&client_options); + mbedtls_test_init_handshake_options(&server_options); + mbedtls_ssl_session_init(&saved_session); + + PSA_INIT(); + + /* + * Run first handshake to get a ticket from the server. + */ + + client_options.pk_alg = MBEDTLS_PK_ECDSA; + client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + server_options.max_early_data_size = max_early_data_size_arg; + + ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, + &saved_session); + TEST_EQUAL(ret, 0); + + /* + * Prepare for handshake with the ticket. + */ + server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; + server_options.srv_log_obj = &server_pattern; + server_pattern.pattern = pattern; + + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + break; + + default: + TEST_FAIL("Unknown scenario."); + } + + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, + &client_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, + &server_options, NULL, NULL, NULL); + TEST_EQUAL(ret, 0); + + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, + mbedtls_test_ticket_write, + mbedtls_test_ticket_parse, + NULL); + + ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), + &(server_ep.socket), 1024); + TEST_EQUAL(ret, 0); + + max_early_data_size = saved_session.max_early_data_size; + + ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); + TEST_EQUAL(ret, 0); + + /* + * Start an handshake based on the ticket up to the point where early data + * can be sent from client side. Then send in a loop as much early data as + * possible without going over the maximum permitted size for the ticket. + * Finally, do a last writting to go past that maximum permitted size and + * check that we detect it. + */ + TEST_EQUAL(mbedtls_test_move_handshake_to_state( + &(client_ep.ssl), &(server_ep.ssl), + MBEDTLS_SSL_SERVER_HELLO), 0); + + TEST_ASSERT(client_ep.ssl.early_data_status != + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT); + + ret = mbedtls_ssl_handshake(&(server_ep.ssl)); + TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); + + while (write_early_data_flag) { + unsigned char buf_read[23]; + uint32_t read_early_data_size = 0; + uint32_t remaining = max_early_data_size - + server_ep.ssl.early_data_count; + + /* Reach maximum early data exactly */ + if (early_data_len >= remaining) { + early_data_len = remaining; + write_early_data_flag = 0; + } + + for (size_t i = 0; i < early_data_len; i++) { + buf_write[i] = (unsigned char) (written_early_data_size + i); + } + + ret = write_early_data(&(client_ep.ssl), buf_write, early_data_len); + TEST_EQUAL(ret, early_data_len); + written_early_data_size += early_data_len; + + switch (scenario) { + case TEST_EARLY_DATA_ACCEPTED: + while (read_early_data_size < early_data_len) { + ret = mbedtls_ssl_handshake(&(server_ep.ssl)); + TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); + + ret = mbedtls_ssl_read_early_data(&(server_ep.ssl), + buf_read, + sizeof(buf_read)); + TEST_ASSERT(ret > 0); + + TEST_MEMORY_COMPARE(buf_read, ret, + buf_write + read_early_data_size, ret); + read_early_data_size += ret; + + TEST_EQUAL(server_ep.ssl.early_data_count, + written_early_data_size); + } + break; + } + TEST_ASSERT(server_ep.ssl.early_data_count <= max_early_data_size); + } + + mbedtls_debug_set_threshold(3); + ret = write_early_data(&(client_ep.ssl), buf_write, 1); + TEST_EQUAL(ret, 1); + + ret = mbedtls_snprintf(pattern, sizeof(pattern), + "EarlyData: Too many early data received"); + TEST_ASSERT(ret < (int) sizeof(pattern)); + + ret = mbedtls_ssl_handshake(&(server_ep.ssl)); + TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); + TEST_EQUAL(server_pattern.counter, 1); + +exit: + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_free_handshake_options(&client_options); + mbedtls_test_free_handshake_options(&server_options); + mbedtls_ssl_session_free(&saved_session); + mbedtls_debug_set_threshold(0); + PSA_DONE(); +} +/* END_CASE */ -- cgit v1.1 From 919e596c05c14f7754655b970c5fab47824a2bd5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 8 Feb 2024 15:48:29 +0100 Subject: Enforce maximum size of early data when rejected Signed-off-by: Ronald Cron --- library/ssl_msg.c | 6 ++++- tests/suites/test_suite_ssl.data | 9 ++++++++ tests/suites/test_suite_ssl.function | 45 +++++++++++++++++++++++++++++++++--- 3 files changed, 56 insertions(+), 4 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 2a6d434..6c508d6 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4005,7 +4005,11 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) { MBEDTLS_SSL_DEBUG_MSG( 3, ("EarlyData: deprotect and discard app data records.")); - /* TODO: Add max_early_data_size check here, see issue 6347 */ + + ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len); + if (ret != 0) { + return ret; + } ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; } #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */ diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 1f70538..6fb3d83 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3318,3 +3318,12 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3 TLS 1.3 srv, max early data size, max=97 tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97 + +TLS 1.3 srv, max early data size, server rejects, default +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1 + +TLS 1.3 srv, max early data size, server rejects, max=3 (very small) +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3 + +TLS 1.3 srv, max early data size, server rejects, max=97 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 1408361..0c1d606 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4466,6 +4466,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) char pattern[128]; unsigned char buf_write[64]; size_t early_data_len = sizeof(buf_write); + uint32_t expended_early_data_len = 0; uint32_t written_early_data_size = 0; int write_early_data_flag = 1; uint32_t max_early_data_size; @@ -4503,6 +4504,14 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) case TEST_EARLY_DATA_ACCEPTED: break; + case TEST_EARLY_DATA_SERVER_REJECTS: + server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + ret = mbedtls_snprintf(pattern, sizeof(pattern), + "EarlyData: deprotect and discard app data records."); + TEST_ASSERT(ret < (int) sizeof(pattern)); + mbedtls_debug_set_threshold(3); + break; + default: TEST_FAIL("Unknown scenario."); } @@ -4552,7 +4561,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) uint32_t remaining = max_early_data_size - server_ep.ssl.early_data_count; - /* Reach maximum early data exactly */ + /* In case of accepted early data, reach max_early_data_size exactly. */ if (early_data_len >= remaining) { early_data_len = remaining; write_early_data_flag = 0; @@ -4585,13 +4594,43 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) written_early_data_size); } break; + + case TEST_EARLY_DATA_SERVER_REJECTS: + ret = mbedtls_ssl_handshake(&(server_ep.ssl)); + /* + * Can be the case if max_early_data_size is smaller then the + * smallest inner content or protected record. + */ + if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) { + /* Beyond 64 for max_early_data_size it is suspicious */ + TEST_ASSERT(max_early_data_size < 64); + goto exit; + } + + TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ); + + TEST_EQUAL(server_pattern.counter, 1); + server_pattern.counter = 0; + if (expended_early_data_len == 0) { + expended_early_data_len = server_ep.ssl.early_data_count; + } + remaining = max_early_data_size - server_ep.ssl.early_data_count; + + if (expended_early_data_len > remaining) { + write_early_data_flag = 0; + } + break; } TEST_ASSERT(server_ep.ssl.early_data_count <= max_early_data_size); } mbedtls_debug_set_threshold(3); - ret = write_early_data(&(client_ep.ssl), buf_write, 1); - TEST_EQUAL(ret, 1); + + early_data_len = (scenario == TEST_EARLY_DATA_ACCEPTED) ? + 1 : sizeof(buf_write); + + ret = write_early_data(&(client_ep.ssl), buf_write, early_data_len); + TEST_EQUAL(ret, early_data_len); ret = mbedtls_snprintf(pattern, sizeof(pattern), "EarlyData: Too many early data received"); -- cgit v1.1 From 01d273d31f40402dce5ec47dc43782702ad5c5c3 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Feb 2024 16:17:10 +0100 Subject: Enforce maximum size of early data in case of HRR Signed-off-by: Ronald Cron --- library/ssl_msg.c | 7 ++++++- tests/suites/test_suite_ssl.data | 9 +++++++++ tests/suites/test_suite_ssl.function | 19 ++++++++++++++++++- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 6c508d6..a8ff1c1 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4135,7 +4135,12 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) { MBEDTLS_SSL_DEBUG_MSG( 3, ("EarlyData: Ignore application message before 2nd ClientHello")); - /* TODO: Add max_early_data_size check here, see issue 6347 */ + + ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len); + if (ret != 0) { + return ret; + } + return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) { ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 6fb3d83..03de4a9 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3327,3 +3327,12 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3 TLS 1.3 srv, max early data size, server rejects, max=97 tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97 + +TLS 1.3 srv, max early data size, HRR, default +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1 + +TLS 1.3 srv, max early data size, HRR, max=3 (very small) +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3 + +TLS 1.3 srv, max early data size, HRR, max=97 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 0c1d606..fc1bc3e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4463,6 +4463,11 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) mbedtls_test_handshake_test_options server_options; mbedtls_ssl_session saved_session; mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; + uint16_t group_list[3] = { + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_NONE + }; char pattern[128]; unsigned char buf_write[64]; size_t early_data_len = sizeof(buf_write); @@ -4484,8 +4489,10 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) */ client_options.pk_alg = MBEDTLS_PK_ECDSA; + client_options.group_list = group_list; client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; server_options.pk_alg = MBEDTLS_PK_ECDSA; + server_options.group_list = group_list; server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; server_options.max_early_data_size = max_early_data_size_arg; @@ -4512,6 +4519,15 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) mbedtls_debug_set_threshold(3); break; + case TEST_EARLY_DATA_HRR: + server_options.group_list = group_list + 1; + ret = mbedtls_snprintf( + pattern, sizeof(pattern), + "EarlyData: Ignore application message before 2nd ClientHello"); + TEST_ASSERT(ret < (int) sizeof(pattern)); + mbedtls_debug_set_threshold(3); + break; + default: TEST_FAIL("Unknown scenario."); } @@ -4595,7 +4611,8 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) } break; - case TEST_EARLY_DATA_SERVER_REJECTS: + case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ + case TEST_EARLY_DATA_HRR: ret = mbedtls_ssl_handshake(&(server_ep.ssl)); /* * Can be the case if max_early_data_size is smaller then the -- cgit v1.1 From dc81b7343f325f7e62ec038330d4f7505a37ed96 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 26 Feb 2024 15:02:26 +0100 Subject: tests: srv max early data size: Add reach_max test arg Add the reach_max flag argument for the test13_srv_max_early_data_size test function. Non zero value only valid in case of TEST_EARLY_DATA_ACCEPTED scenario. Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 27 +++++++++++++++++--------- tests/suites/test_suite_ssl.function | 37 +++++++++++++++++++++++++++++------- 2 files changed, 48 insertions(+), 16 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 03de4a9..f3d9ef0 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3311,28 +3311,37 @@ TLS 1.3 write early data, hello retry request tls13_write_early_data:TEST_EARLY_DATA_HRR TLS 1.3 srv, max early data size, default -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:0 + +TLS 1.3 srv, max early data size, default, reach max +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:1 TLS 1.3 srv, max early data size, max=3 (small but !0) -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:0 + +TLS 1.3 srv, max early data size, max=3 (small but !0), reach max +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:1 TLS 1.3 srv, max early data size, max=97 -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97:0 + +TLS 1.3 srv, max early data size, max=97, reach max +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97:1 TLS 1.3 srv, max early data size, server rejects, default -tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1:0 TLS 1.3 srv, max early data size, server rejects, max=3 (very small) -tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3:0 TLS 1.3 srv, max early data size, server rejects, max=97 -tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97:0 TLS 1.3 srv, max early data size, HRR, default -tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1:0 TLS 1.3 srv, max early data size, HRR, max=3 (very small) -tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:0 TLS 1.3 srv, max early data size, HRR, max=97 -tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index fc1bc3e..5f6029e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4455,7 +4455,7 @@ exit: * an issue with mbedtls_vsnprintf(). */ /* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ -void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) +void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int reach_max) { int ret = -1; mbedtls_test_ssl_endpoint client_ep, server_ep; @@ -4470,7 +4470,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) }; char pattern[128]; unsigned char buf_write[64]; - size_t early_data_len = sizeof(buf_write); + size_t early_data_len; uint32_t expended_early_data_len = 0; uint32_t written_early_data_size = 0; int write_early_data_flag = 1; @@ -4485,6 +4485,14 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) PSA_INIT(); /* + * Reach maximum early data size exactly option only available in case of + * TEST_EARLY_DATA_ACCEPTED scenario. + */ + if (reach_max) { + TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); + } + + /* * Run first handshake to get a ticket from the server. */ @@ -4577,10 +4585,24 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) uint32_t remaining = max_early_data_size - server_ep.ssl.early_data_count; - /* In case of accepted early data, reach max_early_data_size exactly. */ + early_data_len = sizeof(buf_write); + /* + * Adjust the length of next data to write depending on the remaining + * number of early data bytes we are allowed to write and if we want + * to reach the maximum exactly or not. + */ if (early_data_len >= remaining) { - early_data_len = remaining; - write_early_data_flag = 0; + if (reach_max) { + early_data_len = remaining; + write_early_data_flag = 0; + } else { + if (early_data_len == remaining) { + early_data_len /= 2; + } else { + early_data_len = remaining + 1; + break; + } + } } for (size_t i = 0; i < early_data_len; i++) { @@ -4643,8 +4665,9 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg) mbedtls_debug_set_threshold(3); - early_data_len = (scenario == TEST_EARLY_DATA_ACCEPTED) ? - 1 : sizeof(buf_write); + if (reach_max) { + TEST_EQUAL(server_ep.ssl.early_data_count, max_early_data_size); + } ret = write_early_data(&(client_ep.ssl), buf_write, early_data_len); TEST_EQUAL(ret, early_data_len); -- cgit v1.1 From 70eab45ba6c91a5a840d8beaf8d440b23dcb0867 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 26 Feb 2024 15:50:15 +0100 Subject: tls13: generic: Fix log Signed-off-by: Ronald Cron --- library/ssl_tls13_generic.c | 2 +- tests/suites/test_suite_ssl.function | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index a3b4d35..c5698f6 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1480,7 +1480,7 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, ssl->early_data_count)) { MBEDTLS_SSL_DEBUG_MSG( - 2, ("EarlyData: Too many early data received, %u > %u", + 2, ("EarlyData: Too much early data received, %u > %u", ssl->early_data_count + uint32_early_data_len, ssl->session_negotiate->max_early_data_size)); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 5f6029e..aca8276 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4673,7 +4673,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in TEST_EQUAL(ret, early_data_len); ret = mbedtls_snprintf(pattern, sizeof(pattern), - "EarlyData: Too many early data received"); + "EarlyData: Too much early data received"); TEST_ASSERT(ret < (int) sizeof(pattern)); ret = mbedtls_ssl_handshake(&(server_ep.ssl)); -- cgit v1.1 From 19bfe0a6310acd686cbf70b429ed80b075f9a0d1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 26 Feb 2024 16:43:01 +0100 Subject: tls13: Rename early_data_count to total_early_data_size Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 2 +- library/ssl_tls.c | 2 +- library/ssl_tls13_generic.c | 6 +++--- tests/suites/test_suite_ssl.function | 12 ++++++------ 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 15bd6fd..9a66663 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1869,7 +1869,7 @@ struct mbedtls_ssl_context { */ uint8_t MBEDTLS_PRIVATE(discard_early_data_record); #endif - uint32_t MBEDTLS_PRIVATE(early_data_count); /*!< Number of received/written early data bytes */ + uint32_t MBEDTLS_PRIVATE(total_early_data_size); /*!< Number of received/written early data bytes */ #endif /* MBEDTLS_SSL_EARLY_DATA */ /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ee72179..5bedd91 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1105,7 +1105,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_SRV_C) ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; #endif - ssl->early_data_count = 0; + ssl->total_early_data_size = 0; #endif /* MBEDTLS_SSL_EARLY_DATA */ /* Initialize structures */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index c5698f6..eec2bb4 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1477,11 +1477,11 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, */ if (uint32_early_data_len > (ssl->session_negotiate->max_early_data_size - - ssl->early_data_count)) { + ssl->total_early_data_size)) { MBEDTLS_SSL_DEBUG_MSG( 2, ("EarlyData: Too much early data received, %u > %u", - ssl->early_data_count + uint32_early_data_len, + ssl->total_early_data_size + uint32_early_data_len, ssl->session_negotiate->max_early_data_size)); MBEDTLS_SSL_PEND_FATAL_ALERT( @@ -1490,7 +1490,7 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } - ssl->early_data_count += uint32_early_data_len; + ssl->total_early_data_size += uint32_early_data_len; return 0; } diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index aca8276..791386b 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4583,7 +4583,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in unsigned char buf_read[23]; uint32_t read_early_data_size = 0; uint32_t remaining = max_early_data_size - - server_ep.ssl.early_data_count; + server_ep.ssl.total_early_data_size; early_data_len = sizeof(buf_write); /* @@ -4628,7 +4628,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in buf_write + read_early_data_size, ret); read_early_data_size += ret; - TEST_EQUAL(server_ep.ssl.early_data_count, + TEST_EQUAL(server_ep.ssl.total_early_data_size, written_early_data_size); } break; @@ -4651,22 +4651,22 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in TEST_EQUAL(server_pattern.counter, 1); server_pattern.counter = 0; if (expended_early_data_len == 0) { - expended_early_data_len = server_ep.ssl.early_data_count; + expended_early_data_len = server_ep.ssl.total_early_data_size; } - remaining = max_early_data_size - server_ep.ssl.early_data_count; + remaining = max_early_data_size - server_ep.ssl.total_early_data_size; if (expended_early_data_len > remaining) { write_early_data_flag = 0; } break; } - TEST_ASSERT(server_ep.ssl.early_data_count <= max_early_data_size); + TEST_ASSERT(server_ep.ssl.total_early_data_size <= max_early_data_size); } mbedtls_debug_set_threshold(3); if (reach_max) { - TEST_EQUAL(server_ep.ssl.early_data_count, max_early_data_size); + TEST_EQUAL(server_ep.ssl.total_early_data_size, max_early_data_size); } ret = write_early_data(&(client_ep.ssl), buf_write, early_data_len); -- cgit v1.1 From 25ad10a920979c2236ca14494a055a596c21e93c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 29 Feb 2024 00:39:23 +0100 Subject: tests: ssl: Improve tls13_srv_max_early_data_size() Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.data | 46 +++++++++---------- tests/suites/test_suite_ssl.function | 89 +++++++++++++++--------------------- 2 files changed, 61 insertions(+), 74 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index f3d9ef0..c0c816c 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3310,38 +3310,38 @@ tls13_write_early_data:TEST_EARLY_DATA_SERVER_REJECTS TLS 1.3 write early data, hello retry request tls13_write_early_data:TEST_EARLY_DATA_HRR -TLS 1.3 srv, max early data size, default -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:0 +TLS 1.3 srv, max early data size, dflt, wsz=96 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:96 -TLS 1.3 srv, max early data size, default, reach max -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:1 +TLS 1.3 srv, max early data size, dflt, wsz=128 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:128 -TLS 1.3 srv, max early data size, max=3 (small but !0) -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:0 +TLS 1.3 srv, max early data size, 3, wsz=2 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:2 -TLS 1.3 srv, max early data size, max=3 (small but !0), reach max -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:1 +TLS 1.3 srv, max early data size, 3, wsz=3 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:3 -TLS 1.3 srv, max early data size, max=97 -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97:0 +TLS 1.3 srv, max early data size, 98, wsz=23 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:23 -TLS 1.3 srv, max early data size, max=97, reach max -tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:97:1 +TLS 1.3 srv, max early data size, 98, wsz=49 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:49 -TLS 1.3 srv, max early data size, server rejects, default -tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1:0 +TLS 1.3 srv, max early data size, server rejects, dflt, wsz=128 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1:128 -TLS 1.3 srv, max early data size, server rejects, max=3 (very small) -tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3:0 +TLS 1.3 srv, max early data size, server rejects, 3, wsz=3 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3:3 -TLS 1.3 srv, max early data size, server rejects, max=97 -tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:97:0 +TLS 1.3 srv, max early data size, server rejects, 98, wsz=49 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:98:49 -TLS 1.3 srv, max early data size, HRR, default -tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1:0 +TLS 1.3 srv, max early data size, HRR, dflt, wsz=128 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1:128 -TLS 1.3 srv, max early data size, HRR, max=3 (very small) -tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:0 +TLS 1.3 srv, max early data size, HRR, 3, wsz=3 +tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3 -TLS 1.3 srv, max early data size, HRR, max=97 +TLS 1.3 srv, max early data size, HRR, 98, wsz=49 tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 791386b..d89d8ac 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4455,7 +4455,7 @@ exit: * an issue with mbedtls_vsnprintf(). */ /* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ -void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int reach_max) +void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg) { int ret = -1; mbedtls_test_ssl_endpoint client_ep, server_ep; @@ -4469,11 +4469,12 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; char pattern[128]; - unsigned char buf_write[64]; - size_t early_data_len; + unsigned char *buf_write = NULL; + uint32_t write_size = (uint32_t) write_size_arg; + unsigned char *buf_read = NULL; + uint32_t read_size; uint32_t expended_early_data_len = 0; uint32_t written_early_data_size = 0; - int write_early_data_flag = 1; uint32_t max_early_data_size; mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); @@ -4481,16 +4482,16 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in mbedtls_test_init_handshake_options(&client_options); mbedtls_test_init_handshake_options(&server_options); mbedtls_ssl_session_init(&saved_session); - - PSA_INIT(); + TEST_CALLOC(buf_write, write_size); /* - * Reach maximum early data size exactly option only available in case of - * TEST_EARLY_DATA_ACCEPTED scenario. + * Allocate a smaller buffer for early data reading to exercise the reading + * of data in one record in multiple calls. */ - if (reach_max) { - TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); - } + read_size = (write_size / 2) + 1; + TEST_CALLOC(buf_read, read_size); + + PSA_INIT(); /* * Run first handshake to get a ticket from the server. @@ -4579,49 +4580,45 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in ret = mbedtls_ssl_handshake(&(server_ep.ssl)); TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); - while (write_early_data_flag) { - unsigned char buf_read[23]; + /* + * Write and if possible read as much as possible chunks of write_size + * bytes data without getting over the max_early_data_size limit. + */ + do { uint32_t read_early_data_size = 0; - uint32_t remaining = max_early_data_size - - server_ep.ssl.total_early_data_size; - early_data_len = sizeof(buf_write); + if ((written_early_data_size + write_size) > max_early_data_size) { + break; + } + /* - * Adjust the length of next data to write depending on the remaining - * number of early data bytes we are allowed to write and if we want - * to reach the maximum exactly or not. + * If the server rejected early data, base the determination of when + * to stop the loop on the expended size (padding and encryption + * expansion) of early data on server side and the number of early data + * received so far by the server (multiple of the expended size). */ - if (early_data_len >= remaining) { - if (reach_max) { - early_data_len = remaining; - write_early_data_flag = 0; - } else { - if (early_data_len == remaining) { - early_data_len /= 2; - } else { - early_data_len = remaining + 1; - break; - } - } + if ((expended_early_data_len != 0) && + ((server_ep.ssl.total_early_data_size + + expended_early_data_len) > max_early_data_size)) { + break; } - for (size_t i = 0; i < early_data_len; i++) { + for (size_t i = 0; i < write_size; i++) { buf_write[i] = (unsigned char) (written_early_data_size + i); } - ret = write_early_data(&(client_ep.ssl), buf_write, early_data_len); - TEST_EQUAL(ret, early_data_len); - written_early_data_size += early_data_len; + ret = write_early_data(&(client_ep.ssl), buf_write, write_size); + TEST_EQUAL(ret, write_size); + written_early_data_size += write_size; switch (scenario) { case TEST_EARLY_DATA_ACCEPTED: - while (read_early_data_size < early_data_len) { + while (read_early_data_size < write_size) { ret = mbedtls_ssl_handshake(&(server_ep.ssl)); TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); ret = mbedtls_ssl_read_early_data(&(server_ep.ssl), - buf_read, - sizeof(buf_read)); + buf_read, read_size); TEST_ASSERT(ret > 0); TEST_MEMORY_COMPARE(buf_read, ret, @@ -4653,24 +4650,14 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in if (expended_early_data_len == 0) { expended_early_data_len = server_ep.ssl.total_early_data_size; } - remaining = max_early_data_size - server_ep.ssl.total_early_data_size; - - if (expended_early_data_len > remaining) { - write_early_data_flag = 0; - } break; } TEST_ASSERT(server_ep.ssl.total_early_data_size <= max_early_data_size); - } + } while (1); mbedtls_debug_set_threshold(3); - - if (reach_max) { - TEST_EQUAL(server_ep.ssl.total_early_data_size, max_early_data_size); - } - - ret = write_early_data(&(client_ep.ssl), buf_write, early_data_len); - TEST_EQUAL(ret, early_data_len); + ret = write_early_data(&(client_ep.ssl), buf_write, write_size); + TEST_EQUAL(ret, write_size); ret = mbedtls_snprintf(pattern, sizeof(pattern), "EarlyData: Too much early data received"); -- cgit v1.1 From fcbf776d0661bdeee4c7b663c041e16561e8ca0e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 1 Mar 2024 10:00:42 +0100 Subject: tests: ssl: Restore write_early_data test function For negative testing of early data (tests related to max_early_data_size in this PR), restore the test function to write early data that was first introduced to be able to test the reading of early data with the writing part and was removed (as not used anymore) by the PR 8760. Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d89d8ac..c1622e3 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -18,6 +18,47 @@ #define TEST_EARLY_DATA_SERVER_REJECTS 2 #define TEST_EARLY_DATA_HRR 3 +#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ + defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ + defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ + defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \ + defined(MBEDTLS_MD_CAN_SHA256) && \ + defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \ + defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS) +/* + * Test function to write early data for negative tests where + * mbedtls_ssl_write_early_data() cannot be used. + */ +static int write_early_data(mbedtls_ssl_context *ssl, + unsigned char *buf, size_t len) +{ + int ret = mbedtls_ssl_get_max_out_record_payload(ssl); + + TEST_ASSERT(ret > 0); + TEST_ASSERT(len <= (size_t) ret); + + ret = mbedtls_ssl_flush_output(ssl); + TEST_EQUAL(ret, 0); + TEST_EQUAL(ssl->out_left, 0); + + ssl->out_msglen = len; + ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; + if (len > 0) { + memcpy(ssl->out_msg, buf, len); + } + + ret = mbedtls_ssl_write_record(ssl, 1); + TEST_EQUAL(ret, 0); + + ret = len; + +exit: + return ret; +} +#endif + /* END_HEADER */ /* BEGIN_DEPENDENCIES -- cgit v1.1 From f686f1dc17958e7cd36edd24bb991fcdabb94f3e Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Fri, 1 Mar 2024 11:20:32 +0000 Subject: Fix naming inconsistencies in config bits Signed-off-by: David Horstmann --- library/ssl_tls.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 42bf670..97f34d0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4007,9 +4007,9 @@ static int ssl_tls13_session_load(const mbedtls_ssl_session *session, #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) -#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1 #else -#define SSL_SERIALIZED_SESSION_KEEP_PEER_CRT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) @@ -4060,7 +4060,7 @@ static int ssl_tls13_session_load(const mbedtls_ssl_session *session, #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 -#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT 6 +#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9 @@ -4074,7 +4074,7 @@ static int ssl_tls13_session_load(const mbedtls_ssl_session *session, (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ - (SSL_SERIALIZED_SESSION_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_CRT_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ -- cgit v1.1 From 7335082ef6fff182cabb4fda806c636e037ac3b2 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Fri, 1 Mar 2024 11:29:36 +0000 Subject: Add ChangeLog entry for ssl serialization bitflags Signed-off-by: David Horstmann --- ChangeLog.d/fix-ssl-session-serialization-config.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/fix-ssl-session-serialization-config.txt diff --git a/ChangeLog.d/fix-ssl-session-serialization-config.txt b/ChangeLog.d/fix-ssl-session-serialization-config.txt new file mode 100644 index 0000000..ca1cc81 --- /dev/null +++ b/ChangeLog.d/fix-ssl-session-serialization-config.txt @@ -0,0 +1,4 @@ +Bugfix + * Fix missing bitflags in SSL session serialization headers. Their absence + allowed SSL sessions saved in one configuration to be loaded in a + different, incompatible configuration. -- cgit v1.1 From 76ba26a542908cec66a2fb0b324af7ea795bf9d3 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Fri, 1 Mar 2024 12:03:35 +0000 Subject: Fixup: add peer_cert_digest_type to comment Signed-off-by: David Horstmann --- library/ssl_tls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 97f34d0..7dd8e4d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4113,6 +4113,7 @@ static const unsigned char ssl_serialized_session_header[] = { * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert * #else + * uint8 peer_cert_digest_type; * opaque peer_cert_digest<0..2^8-1> * #endif * select (endpoint) { -- cgit v1.1 From 71fa1a94e7781d1269eca79630fe3df0a1f6b2c4 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Fri, 1 Mar 2024 12:32:18 +0000 Subject: Fix code style Signed-off-by: David Horstmann --- library/ssl_tls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7dd8e4d..b09db1e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4074,7 +4074,8 @@ static int ssl_tls13_session_load(const mbedtls_ssl_session *session, (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ - (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \ + (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \ + SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ -- cgit v1.1 From 8a4df2293a5247b7a5b659d5588a3850f4512ae5 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 1 Mar 2024 15:12:59 +0000 Subject: Adjust default unroll settings Signed-off-by: Dave Rodgman --- library/sha3.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index b41879c..2bc3b4c 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -20,26 +20,29 @@ * Unrolling has a major impact on both performance and code size. gcc performance benefits a lot * from manually unrolling at higher optimisation levels. * - * Rolling up the theta loop saves a lot of code-size at small performance cost. The code-size - * saving then enables us to unroll the other loops for a net code-size saving with a net - * performance win. - * * Depending on your size/perf priorities, compiler and target, it may be beneficial to adjust - * these; the defaults here should give sensible trade-offs for gcc and clang. + * these; the defaults here should give sensible trade-offs for gcc and clang on aarch64 and + * x86-64. */ #if !defined(MBEDTLS_SHA3_THETA_UNROLL) - #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names + #if defined(__OPTIMIZE_SIZE__) + #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names + #else + #define MBEDTLS_SHA3_THETA_UNROLL 1 //no-check-names + #endif #endif #if !defined(MBEDTLS_SHA3_PI_UNROLL) - #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names + #if defined(__OPTIMIZE_SIZE__) + #define MBEDTLS_SHA3_PI_UNROLL 0 //no-check-names + #else + #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names + #endif #endif #if !defined(MBEDTLS_SHA3_CHI_UNROLL) - #if !defined(MBEDTLS_COMPILER_IS_GCC) || defined(__OPTIMIZE_SIZE__) -/* GCC doesn't perform well with the rolled-up version, especially at -O2, so only enable on gcc - * if optimising for size. Always enable for other compilers. */ - #define MBEDTLS_SHA3_CHI_UNROLL 0 //no-check-names - #else + #if defined(__OPTIMIZE_SIZE__) #define MBEDTLS_SHA3_CHI_UNROLL 1 //no-check-names + #else + #define MBEDTLS_SHA3_CHI_UNROLL 0 //no-check-names #endif #endif #if !defined(MBEDTLS_SHA3_RHO_UNROLL) -- cgit v1.1 From 10b040fa6f7433849208c66ef29e714869138975 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 5 Feb 2024 09:38:09 +0100 Subject: tests: ssl_helpers: Rename rng_get to mbedtls_test_random mbedtls_test_ as the prefix for test APIs _random like in mbedtls_ctr/hmac_drbg_random Signed-off-by: Ronald Cron --- tests/include/test/ssl_helpers.h | 7 ++++++- tests/src/test_helpers/ssl_helpers.c | 4 ++-- tests/suites/test_suite_debug.function | 10 +++++----- tests/suites/test_suite_ssl.function | 14 +++++++------- 4 files changed, 20 insertions(+), 15 deletions(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 9493b69..f214ce0 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -193,7 +193,12 @@ typedef struct mbedtls_test_ssl_endpoint { #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -int rng_get(void *p_rng, unsigned char *output, size_t output_len); +/* + * Random number generator aimed for TLS unitary tests. Its main purpose is to + * simplify the set-up of a random number generator for TLS + * unitary tests: no need to set up a good entropy source for example. + */ +int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len); /* * This function can be passed to mbedtls to receive output logs from it. In diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index de76b09..860b0a3 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -12,7 +12,7 @@ #include "md_psa.h" #if defined(MBEDTLS_SSL_TLS_C) -int rng_get(void *p_rng, unsigned char *output, size_t output_len) +int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len) { (void) p_rng; for (size_t i = 0; i < output_len; i++) { @@ -754,7 +754,7 @@ int mbedtls_test_ssl_endpoint_init( mbedtls_ssl_init(&(ep->ssl)); mbedtls_ssl_config_init(&(ep->conf)); - mbedtls_ssl_conf_rng(&(ep->conf), rng_get, NULL); + mbedtls_ssl_conf_rng(&(ep->conf), mbedtls_test_random, NULL); TEST_ASSERT(mbedtls_ssl_conf_get_user_data_p(&ep->conf) == NULL); TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), 0); diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index fca7ea0..426d835 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -66,7 +66,7 @@ void debug_print_msg_threshold(int threshold, int level, char *file, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, @@ -107,7 +107,7 @@ void mbedtls_debug_print_ret(char *file, int line, char *text, int value, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, @@ -145,7 +145,7 @@ void mbedtls_debug_print_buf(char *file, int line, char *text, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, @@ -185,7 +185,7 @@ void mbedtls_debug_print_crt(char *crt_file, char *file, int line, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, @@ -227,7 +227,7 @@ void mbedtls_debug_print_mpi(char *value, char *file, int line, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 050e525..82b541c 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1121,7 +1121,7 @@ void ssl_dtls_replay(data_t *prevs, data_t *new, int ret) mbedtls_ssl_config_init(&conf); MD_OR_USE_PSA_INIT(); - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, @@ -2894,7 +2894,7 @@ void conf_version(int endpoint, int transport, mbedtls_ssl_conf_transport(&conf, transport); mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version); mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version); - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result); TEST_EQUAL(mbedtls_ssl_conf_get_endpoint( @@ -2936,7 +2936,7 @@ void conf_curve() mbedtls_ssl_init(&ssl); MD_OR_USE_PSA_INIT(); - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); @@ -2969,7 +2969,7 @@ void conf_group() mbedtls_ssl_config conf; mbedtls_ssl_config_init(&conf); - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); @@ -3075,7 +3075,7 @@ void cookie_parsing(data_t *cookie, int exp_ret) mbedtls_ssl_config_init(&conf); USE_PSA_INIT(); - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_DATAGRAM, @@ -3130,7 +3130,7 @@ void cid_sanity() mbedtls_ssl_config_init(&conf); MD_OR_USE_PSA_INIT(); - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, @@ -3390,7 +3390,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg) mbedtls_ssl_config_init(&conf); - mbedtls_ssl_conf_rng(&conf, rng_get, NULL); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, -- cgit v1.1 From aab4a546bf1637294b0d3f07d068b6a12d05c497 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 23 Feb 2024 18:51:11 +0100 Subject: tests: Set the default conf then customize Set the default conf then customize, not the other way around. Signed-off-by: Ronald Cron --- tests/suites/test_suite_debug.function | 20 +++++--------------- tests/suites/test_suite_ssl.function | 13 +++++-------- 2 files changed, 10 insertions(+), 23 deletions(-) diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 426d835..fd5d1f5 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -66,14 +66,12 @@ void debug_print_msg_threshold(int threshold, int level, char *file, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT), 0); - + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); @@ -107,14 +105,12 @@ void mbedtls_debug_print_ret(char *file, int line, char *text, int value, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT), 0); - + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); @@ -145,14 +141,12 @@ void mbedtls_debug_print_buf(char *file, int line, char *text, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT), 0); - + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); @@ -185,14 +179,12 @@ void mbedtls_debug_print_crt(char *crt_file, char *file, int line, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT), 0); - + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); @@ -227,14 +219,12 @@ void mbedtls_debug_print_mpi(char *value, char *file, int line, memset(buffer.buf, 0, 2000); buffer.ptr = buffer.buf; - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT), 0); - + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 82b541c..528897c 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1121,12 +1121,12 @@ void ssl_dtls_replay(data_t *prevs, data_t *new, int ret) mbedtls_ssl_config_init(&conf); MD_OR_USE_PSA_INIT(); - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT) == 0); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); + TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); /* Read previous record numbers */ @@ -3075,12 +3075,11 @@ void cookie_parsing(data_t *cookie, int exp_ret) mbedtls_ssl_config_init(&conf); USE_PSA_INIT(); - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT), 0); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id, @@ -3130,13 +3129,12 @@ void cid_sanity() mbedtls_ssl_config_init(&conf); MD_OR_USE_PSA_INIT(); - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) == 0); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); @@ -3390,12 +3388,11 @@ void ssl_ecjpake_set_password(int use_opaque_arg) mbedtls_ssl_config_init(&conf); - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT), 0); + mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); -- cgit v1.1 From ada2ec34821074fc25b0741e4d140975aa531cb2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 1 Mar 2024 18:04:14 +0100 Subject: psa_crypto_stubs/changelog: fix typos Signed-off-by: Valerio Setti --- ChangeLog.d/8825.txt | 2 +- tests/src/psa_crypto_stubs.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/8825.txt b/ChangeLog.d/8825.txt index f892f80..914bd08 100644 --- a/ChangeLog.d/8825.txt +++ b/ChangeLog.d/8825.txt @@ -2,5 +2,5 @@ Features * mbedtls_psa_get_random() is always available as soon as MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be - used as random number generator function(f_rng) and context (p_rng) in + used as random number generator function (f_rng) and context (p_rng) in legacy functions. diff --git a/tests/src/psa_crypto_stubs.c b/tests/src/psa_crypto_stubs.c index be01121..f3ca850 100644 --- a/tests/src/psa_crypto_stubs.c +++ b/tests/src/psa_crypto_stubs.c @@ -22,4 +22,4 @@ psa_status_t psa_generate_random(uint8_t *output, return PSA_ERROR_COMMUNICATION_FAILURE; } -#endif /* MBEDTLS_PSA_CRYPTO_CLIENT !MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */ -- cgit v1.1 From e93cd1b5805e2ee52ab7a1aefd1634f6cb90c0e1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 1 Mar 2024 19:30:00 +0100 Subject: tests: ssl: Free write/read test buffers Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index c1622e3..c381860 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4523,6 +4523,8 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in mbedtls_test_init_handshake_options(&client_options); mbedtls_test_init_handshake_options(&server_options); mbedtls_ssl_session_init(&saved_session); + PSA_INIT(); + TEST_CALLOC(buf_write, write_size); /* @@ -4532,8 +4534,6 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in read_size = (write_size / 2) + 1; TEST_CALLOC(buf_read, read_size); - PSA_INIT(); - /* * Run first handshake to get a ticket from the server. */ @@ -4714,6 +4714,8 @@ exit: mbedtls_test_free_handshake_options(&client_options); mbedtls_test_free_handshake_options(&server_options); mbedtls_ssl_session_free(&saved_session); + mbedtls_free(buf_write); + mbedtls_free(buf_read); mbedtls_debug_set_threshold(0); PSA_DONE(); } -- cgit v1.1 From 3cfdd73dfac81dfca138640e6c41dfe03684a291 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Sat, 2 Mar 2024 09:14:13 +0000 Subject: Changelog: Added changelog for `mbedtls_ecdh_get_grp_id`. Signed-off-by: Minos Galanakis --- ChangeLog.d/add_get_ecp_group_id.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/add_get_ecp_group_id.txt diff --git a/ChangeLog.d/add_get_ecp_group_id.txt b/ChangeLog.d/add_get_ecp_group_id.txt new file mode 100644 index 0000000..3328062 --- /dev/null +++ b/ChangeLog.d/add_get_ecp_group_id.txt @@ -0,0 +1,3 @@ +Features + * Add new accessor to expose the private group id member of + `mbedtls_ecdh_context` structure. -- cgit v1.1 From 2abbac74dc89f5367eabed0bc03ad3e42499d206 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 18 Jan 2024 17:05:21 +0000 Subject: x509: Added `mbedtls_x509_crt_get_ca_istrue()` API accessor. Signed-off-by: Minos Galanakis --- include/mbedtls/x509_crt.h | 12 ++++++++++++ library/x509_crt.c | 8 ++++++++ 2 files changed, 20 insertions(+) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 3f1a1e7..fc1d0bc 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -916,6 +916,18 @@ static inline int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type; } +/** + * \brief Access the ca_istrue field + * + * \param[in] crt Certificate to be queried, must not be \c NULL + * + * \return \c 1 if this a CA certificate \c 0 otherwise. + * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not support + * the Optional Basic Constraint extension. + * + */ +int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt); + /** \} name Structures and functions for parsing and writing X.509 certificates */ #if defined(MBEDTLS_X509_CRT_WRITE_C) diff --git a/library/x509_crt.c b/library/x509_crt.c index 7f0160a..2fd56fb 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -3290,4 +3290,12 @@ void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx) } #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ +int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt) +{ + if ((crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) != 0) { + return crt->MBEDTLS_PRIVATE(ca_istrue); + } + return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; +} + #endif /* MBEDTLS_X509_CRT_PARSE_C */ -- cgit v1.1 From a83ada4eba4f32f012a638a52890559f6d634970 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 19 Jan 2024 10:59:07 +0000 Subject: tests: Added test for `mbedtls_x509_crt_get_ca_istrue()` Signed-off-by: Minos Galanakis --- tests/suites/test_suite_x509parse.data | 8 ++++++++ tests/suites/test_suite_x509parse.function | 15 +++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 2b0920d..7519d82 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -3155,6 +3155,14 @@ X509 File parse (conforms to RFC 5480 / RFC 5758 - AlgorithmIdentifier's paramet depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 x509parse_crt_file:"data_files/parse_input/server5.crt":0 +X509 File parse & read the ca_istrue field (Not Set) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 +mbedtls_x509_get_ca_istrue:"data_files/parse_input/server1.crt":0 + +X509 File parse & read the ca_istrue field (Set) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 +mbedtls_x509_get_ca_istrue:"data_files/test-ca.crt":1 + X509 Get time (UTC no issues) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0 diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 66477e0..f3ae0f4 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -1083,6 +1083,21 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ +void mbedtls_x509_get_ca_istrue(char *crt_file, int result) +{ + mbedtls_x509_crt crt; + mbedtls_x509_crt_init(&crt); + USE_PSA_INIT(); + + TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0); + TEST_EQUAL(mbedtls_x509_crt_get_ca_istrue(&crt), result); +exit: + mbedtls_x509_crt_free(&crt); + USE_PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ void x509parse_crt(data_t *buf, char *result_str, int result) { -- cgit v1.1 From 79ee110446e9ac37c3fdef5cd3c3c72bbce8b2cd Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 14 Feb 2024 21:34:21 +0000 Subject: Added changelog Signed-off-by: Minos Galanakis --- ChangeLog.d/x509-add-ca_istrue.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/x509-add-ca_istrue.txt diff --git a/ChangeLog.d/x509-add-ca_istrue.txt b/ChangeLog.d/x509-add-ca_istrue.txt new file mode 100644 index 0000000..4594c22 --- /dev/null +++ b/ChangeLog.d/x509-add-ca_istrue.txt @@ -0,0 +1,4 @@ +Features + * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of + `mbedtls_x509_crt` structure. This requires setting + MBEDTLS_X509_EXT_BASIC_CONSTRAINTS. -- cgit v1.1 From 987cf898db9bff52ec13b08a67f85517cab26fd2 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 4 Mar 2024 10:24:27 +0100 Subject: ssl_helpers: Restore rng_seed incrementation Signed-off-by: Ronald Cron --- tests/src/test_helpers/ssl_helpers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 860b0a3..53003b2 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -43,7 +43,7 @@ void mbedtls_test_init_handshake_options( mbedtls_test_handshake_test_options *opts) { #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) - int rng_seed = 0xBEEF; + static int rng_seed = 0xBEEF; srand(rng_seed); rng_seed += 0xD0; -- cgit v1.1 From ddbe4ae9011a8c1be4494b027a6dc6eb1ef132b2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 4 Mar 2024 18:30:09 +0100 Subject: Fix intended code blocks that were not suitably indented Signed-off-by: Gilles Peskine --- include/mbedtls/pk.h | 63 ++++++++++++++++++++++++++-------------------------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index ff80290..d83152c 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -484,20 +484,20 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg, * \brief Determine valid PSA attributes that can be used to * import a key into PSA. * - * The attributes determined by this function are suitable - * for calling mbedtls_pk_import_into_psa() to create - * a PSA key with the same key material. - * - * The typical flow of operations involving this function is - * ``` - * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - * int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); - * if (ret != 0) ...; // error handling omitted - * // Tweak attributes if desired - * psa_key_id_t key_id = 0; - * ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); - * if (ret != 0) ...; // error handling omitted - * ``` + * The attributes determined by this function are suitable + * for calling mbedtls_pk_import_into_psa() to create + * a PSA key with the same key material. + * + * The typical flow of operations involving this function is + * ``` + * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + * int ret = mbedtls_pk_get_psa_attributes(pk, &attributes); + * if (ret != 0) ...; // error handling omitted + * // Tweak attributes if desired + * psa_key_id_t key_id = 0; + * ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id); + * if (ret != 0) ...; // error handling omitted + * ``` * * \note This function does not support RSA-alt contexts * (set up with mbedtls_pk_setup_rsa_alt()). @@ -596,24 +596,23 @@ int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk, /** * \brief Import a key into the PSA key store. * - * This function is equivalent to calling psa_import_key() - * with the key material from \p pk. - * - * The typical way to use this function is: - * -# Call mbedtls_pk_get_psa_attributes() to obtain - * attributes for the given key. - * -# If desired, modify the attributes, for example: - * - To create a persistent key, call - * psa_set_key_identifier() and optionally - * psa_set_key_lifetime(). - * - To import only the public part of a key pair: - * ``` - * psa_set_key_type(&attributes, - * PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( - * psa_get_key_type(&attributes))); - * ``` - * - Restrict the key usage if desired. - * -# Call mbedtls_pk_import_into_psa(). + * This function is equivalent to calling psa_import_key() + * with the key material from \p pk. + * + * The typical way to use this function is: + * -# Call mbedtls_pk_get_psa_attributes() to obtain + * attributes for the given key. + * -# If desired, modify the attributes, for example: + * - To create a persistent key, call + * psa_set_key_identifier() and optionally + * psa_set_key_lifetime(). + * - To import only the public part of a key pair: + * + * psa_set_key_type(&attributes, + * PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( + * psa_get_key_type(&attributes))); + * - Restrict the key usage if desired. + * -# Call mbedtls_pk_import_into_psa(). * * \note This function does not support RSA-alt contexts * (set up with mbedtls_pk_setup_rsa_alt()). -- cgit v1.1 From a38fad9dad256be6e7f1595b4112e4a945448bb3 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 4 Mar 2024 18:27:32 +0000 Subject: Adjust defaults Signed-off-by: Dave Rodgman --- library/sha3.c | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/library/sha3.c b/library/sha3.c index 2bc3b4c..81ea6a8 100644 --- a/library/sha3.c +++ b/library/sha3.c @@ -25,26 +25,18 @@ * x86-64. */ #if !defined(MBEDTLS_SHA3_THETA_UNROLL) - #if defined(__OPTIMIZE_SIZE__) - #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names - #else - #define MBEDTLS_SHA3_THETA_UNROLL 1 //no-check-names - #endif -#endif -#if !defined(MBEDTLS_SHA3_PI_UNROLL) - #if defined(__OPTIMIZE_SIZE__) - #define MBEDTLS_SHA3_PI_UNROLL 0 //no-check-names - #else - #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names - #endif + #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names #endif #if !defined(MBEDTLS_SHA3_CHI_UNROLL) #if defined(__OPTIMIZE_SIZE__) - #define MBEDTLS_SHA3_CHI_UNROLL 1 //no-check-names - #else #define MBEDTLS_SHA3_CHI_UNROLL 0 //no-check-names + #else + #define MBEDTLS_SHA3_CHI_UNROLL 1 //no-check-names #endif #endif +#if !defined(MBEDTLS_SHA3_PI_UNROLL) + #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names +#endif #if !defined(MBEDTLS_SHA3_RHO_UNROLL) #define MBEDTLS_SHA3_RHO_UNROLL 1 //no-check-names #endif -- cgit v1.1 From 87b4f6d86c17fa4f6f08ff1df71b78001b85e883 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 5 Mar 2024 11:05:51 +0000 Subject: x509: Reworded documentation bits. Signed-off-by: Minos Galanakis --- ChangeLog.d/x509-add-ca_istrue.txt | 3 ++- include/mbedtls/x509_crt.h | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/x509-add-ca_istrue.txt b/ChangeLog.d/x509-add-ca_istrue.txt index 4594c22..c950dbc 100644 --- a/ChangeLog.d/x509-add-ca_istrue.txt +++ b/ChangeLog.d/x509-add-ca_istrue.txt @@ -1,4 +1,5 @@ Features * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of `mbedtls_x509_crt` structure. This requires setting - MBEDTLS_X509_EXT_BASIC_CONSTRAINTS. + the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's + ext_types field. diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index fc1d0bc..1ce0d23 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -922,7 +922,7 @@ static inline int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, * \param[in] crt Certificate to be queried, must not be \c NULL * * \return \c 1 if this a CA certificate \c 0 otherwise. - * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not support + * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain * the Optional Basic Constraint extension. * */ -- cgit v1.1 From 2e7dfd518121f483f20c06ac58f0a6062b1c7e4a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 5 Mar 2024 10:54:33 +0100 Subject: tls13: Remove unnecessary cast from size_t to uint32_t Signed-off-by: Ronald Cron --- library/ssl_tls13_generic.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index eec2bb4..9fbd3ac 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1459,8 +1459,6 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, size_t early_data_len) { - uint32_t uint32_early_data_len = (uint32_t) early_data_len; - /* * This function should be called only while an handshake is in progress * and thus a session under negotiation. Add a sanity check to detect a @@ -1475,13 +1473,13 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, * A server receiving more than max_early_data_size bytes of 0-RTT data * SHOULD terminate the connection with an "unexpected_message" alert. */ - if (uint32_early_data_len > + if (early_data_len > (ssl->session_negotiate->max_early_data_size - ssl->total_early_data_size)) { MBEDTLS_SSL_DEBUG_MSG( - 2, ("EarlyData: Too much early data received, %u > %u", - ssl->total_early_data_size + uint32_early_data_len, + 2, ("EarlyData: Too much early data received, %u + %" MBEDTLS_PRINTF_SIZET " > %u", + ssl->total_early_data_size, early_data_len, ssl->session_negotiate->max_early_data_size)); MBEDTLS_SSL_PEND_FATAL_ALERT( @@ -1490,7 +1488,13 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } - ssl->total_early_data_size += uint32_early_data_len; + /* + * The check just above implies that early_data_len is lower than + * UINT32_MAX thus its cast to an uint32_t below is safe. We need it + * to appease some compilers. + */ + + ssl->total_early_data_size += (uint32_t) early_data_len; return 0; } -- cgit v1.1 From 053b7886e5620be4910ba915d527d4b73a98849c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 5 Mar 2024 11:46:32 +0000 Subject: Ensure drivers have threading enabled if required Signed-off-by: Paul Elliott --- tests/include/test/drivers/config_test_driver.h | 2 ++ tests/scripts/all.sh | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/tests/include/test/drivers/config_test_driver.h b/tests/include/test/drivers/config_test_driver.h index 4eb27f0..ec8bcb6 100644 --- a/tests/include/test/drivers/config_test_driver.h +++ b/tests/include/test/drivers/config_test_driver.h @@ -40,5 +40,7 @@ //#define MBEDTLS_MD_C //#define MBEDTLS_PEM_PARSE_C //#define MBEDTLS_BASE64_C +//#define MBEDTLS_THREADING_C +//#define MBEDTLS_THREADING_PTHREAD #endif /* MBEDTLS_CONFIG_H */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c25f044..37cf6af 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -889,6 +889,16 @@ helper_libtestdriver1_adjust_config() { # Dynamic secure element support is a deprecated feature and needs to be disabled here. # This is done to have the same form of psa_key_attributes_s for libdriver and library. scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + + # If threading is enabled on the normal build, then we need to enable it in the drivers as well, + # otherwise we will end up running multithreaded tests without mutexes to protect them. + if scripts/config.py get MBEDTLS_THREADING_C; then + scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_THREADING_C + fi + + if scripts/config.py get MBEDTLS_THREADING_PTHREAD; then + scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_THREADING_PTHREAD + fi } # When called with no parameter this function disables all builtin curves. -- cgit v1.1 From 581e63637acec0e4b5e14ef909124ce0a2f2a947 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 5 Mar 2024 11:46:22 +0000 Subject: test_suite_x509parse: Added test-case for legacy certificate Signed-off-by: Minos Galanakis --- tests/suites/test_suite_x509parse.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 7519d82..754660c 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -3163,6 +3163,10 @@ X509 File parse & read the ca_istrue field (Set) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 mbedtls_x509_get_ca_istrue:"data_files/test-ca.crt":1 +X509 File parse & read the ca_istrue field (Legacy Certificate) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 +mbedtls_x509_get_ca_istrue:"data_files/server1-v1.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + X509 Get time (UTC no issues) depends_on:MBEDTLS_X509_USE_C x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0 -- cgit v1.1 From 967f8cde843675d6ecf88f53440c55a7be49bf54 Mon Sep 17 00:00:00 2001 From: Moritz Fischer Date: Sat, 2 Mar 2024 00:55:06 +0000 Subject: library: psa_crypto: Explicitly initialize shared_secret When building with -Og (specifically Zephyr with CONFIG_DEBUG_OPTIMIZATIONS=y) one observes the following warning: 'shared_secret' may be used uninitialized [-Werror=maybe-uninitialized] Fix this by zero initializing 'shared_secret' similar to the issue addressed in commit 2fab5c960 ("Work around for GCC bug"). Signed-off-by: Moritz Fischer --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ca01e76..96b8250 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7046,7 +7046,7 @@ static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *o size_t peer_key_length) { psa_status_t status; - uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE]; + uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 }; size_t shared_secret_length = 0; psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg); -- cgit v1.1 From 3a1b786d5d059f20ac9014801fe4543ace8a46be Mon Sep 17 00:00:00 2001 From: Ryan Date: Fri, 1 Mar 2024 17:24:04 +0000 Subject: Add a concurrent key generation test function Split into n threads, each thread will repeatedly generate, exercise and destroy a key. Then join the threads, and ensure using PSA_DONE that no keys still exist. Signed-off-by: Ryan Everett --- tests/suites/test_suite_psa_crypto.function | 117 ++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 09874a1..1141597 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -28,6 +28,10 @@ #define TEST_DRIVER_LOCATION 0x7fffff #endif +#if defined(MBEDTLS_THREADING_PTHREAD) +#include "mbedtls/threading.h" +#endif + /* If this comes up, it's a bug in the test code or in the test data. */ #define UNUSED 0xdeadbeef @@ -1333,6 +1337,66 @@ exit: return 0; } +#if defined(MBEDTLS_THREADING_PTHREAD) +typedef struct generate_key_context { + psa_key_type_t type; + psa_key_usage_t usage; + size_t bits; + psa_algorithm_t alg; + psa_status_t expected_status; + psa_key_attributes_t *attributes; + int is_large_key; + int reps; +} +generate_key_context; +void *thread_generate_key(void *ctx) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; + generate_key_context *gkc = (struct generate_key_context *) ctx; + + /* If there are race conditions, it is likely the case that they do not + * arise every time the code runs. We repeat the code to increase the + * chance that any race conditions will be hit. */ + for (int n = 0; n < gkc->reps; n++) { + /* Generate a key */ + psa_status_t status = psa_generate_key(gkc->attributes, &key); + + if (gkc->is_large_key > 0) { + TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); + } + + TEST_EQUAL(status, gkc->expected_status); + if (gkc->expected_status != PSA_SUCCESS) { + PSA_ASSERT(psa_destroy_key(key)); + goto exit; + } + + /* Test the key information */ + PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); + TEST_EQUAL(psa_get_key_type(&got_attributes), gkc->type); + TEST_EQUAL(psa_get_key_bits(&got_attributes), gkc->bits); + + /* Do something with the key according + * to its type and permitted usage. */ + if (!mbedtls_test_psa_exercise_key(key, gkc->usage, gkc->alg)) { + psa_destroy_key(key); + goto exit; + } + psa_reset_key_attributes(&got_attributes); + + PSA_ASSERT(psa_destroy_key(key)); + } +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&got_attributes); + return NULL; +} +#endif /* MBEDTLS_THREADING_PTHREAD */ + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -9783,6 +9847,59 @@ exit: } /* END_CASE */ +#if defined MBEDTLS_THREADING_PTHREAD + +/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */ +void concurrently_generate_keys(int type_arg, + int bits_arg, + int usage_arg, + int alg_arg, + int expected_status_arg, + int is_large_key_arg, + int arg_thread_count, + int reps_arg) +{ + size_t thread_count = (size_t) arg_thread_count; + mbedtls_test_thread_t *threads = NULL; + generate_key_context gkc; + gkc.type = type_arg; + gkc.usage = usage_arg; + gkc.bits = bits_arg; + gkc.alg = alg_arg; + gkc.expected_status = expected_status_arg; + gkc.is_large_key = is_large_key_arg; + gkc.reps = reps_arg; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, usage_arg); + psa_set_key_algorithm(&attributes, alg_arg); + psa_set_key_type(&attributes, type_arg); + psa_set_key_bits(&attributes, bits_arg); + gkc.attributes = &attributes; + + TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count); + + /* Split threads to generate key then destroy key. */ + for (size_t i = 0; i < thread_count; i++) { + TEST_EQUAL( + mbedtls_test_thread_create(&threads[i], thread_generate_key, + (void *) &gkc), 0); + } + + /* Join threads. */ + for (size_t i = 0; i < thread_count; i++) { + TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); + } + +exit: + mbedtls_free(threads); + PSA_DONE(); +} +/* END_CASE */ +#endif + /* BEGIN_CASE */ void generate_key(int type_arg, int bits_arg, -- cgit v1.1 From 2066d0451f2644606573c05f1c12d7eeebd49069 Mon Sep 17 00:00:00 2001 From: Ryan Date: Fri, 1 Mar 2024 17:25:54 +0000 Subject: Add test cases for concurrently_generate_keys For every generate_key test there is now a concurrently_generate_keys test. 8 threads per test, and 5 repetitions. Signed-off-by: Ryan Everett --- tests/suites/test_suite_psa_crypto.data | 144 ++++++++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c55af03..b633c6f 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -7532,6 +7532,150 @@ PSA generate key ext: ECC, params.data non-empty depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT +PSA concurrent key generation: bad type (RSA public key) +depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5 + +PSA concurrent key generation: raw data, 0 bits: invalid argument +depends_on:MBEDTLS_THREADING_PTHREAD +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:0:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5 + +PSA concurrent key generation: raw data, 7 bits: invalid argument +depends_on:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:7:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5 + +PSA concurrent key generation: raw data, 8 bits +depends_on:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation- raw data, 9 bits: invalid argument +depends_on:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:9:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5 + +PSA concurrent key generation: raw data, (MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits +depends_on:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:(MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: raw data, (2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits +depends_on:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:(2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: raw data, 65528 bits (large key, ok if it fits) +depends_on:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:65528:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:1:8:5 + +PSA concurrent key generation: raw data, 65536 bits (not supported) +depends_on:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:65536:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_NOT_SUPPORTED:0:8:5 + +PSA concurrent key generation: AES, 128 bits, CTR +depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: AES, 128 bits, GCM +depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_GCM:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: DES, 64 bits, CBC-nopad +depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_DES:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: DES, 128 bits, CBC-nopad +depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_DES:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: DES, 192 bits, CBC-nopad +depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_DES:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DES:192:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: invalid key size: AES, 64 bits +depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_AES:64:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_ERROR_INVALID_ARGUMENT:0:8:5 + +PSA concurrent key generation: RSA, minimum allowed key size, good, sign (PKCS#1 v1.5) +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS > 128:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: RSA, 1032 bits, good, sign (PKCS#1 v1.5) +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1032:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1032:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: RSA, 1024 bits, good, sign (PSS SHA-256) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1024:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: RSA, 1024 bits, good, sign (PSS-any-salt SHA-256) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1024:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: RSA, minimum allowed key size, good, encrypt (PKCS#1 v1.5) +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS >= 256:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 2048:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: RSA, 1024 bits, good, encrypt (OAEP SHA-256) +depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1024:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: RSA, 0 bits: invalid +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_INVALID_ARGUMENT:0:8:5 + +PSA concurrent key generation: RSA, size not multiple of 8: not supported +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS + 62:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0:8:5 + +PSA concurrent key generation: RSA, size not multiple of 2: not supported +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS + 63:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0:8:5 + +PSA concurrent key generation: RSA, maximum size exceeded +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_MAX_KEY_BITS+8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0:8:5 + +PSA concurrent key generation: ECC, SECP256R1, good +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: ECC, SECP256R1, incorrect bit size +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_THREADING_PTHREAD +# INVALID_ARGUMENT would make more sense, but our code as currently structured +# doesn't fully relate the curve with its size. +concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_ERROR_NOT_SUPPORTED:0:8:5 + +PSA concurrent key generation: ECC, Curve25519, good +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_255:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: ECC, Curve448, good +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_448:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: FFDH, 2048 bits, good +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_2048:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: FFDH, 3072 bits, good +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_3072:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):3072:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: FFDH, 4096 bits, good +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_4096:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: FFDH, 6144 bits, good +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_6144:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):6144:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: FFDH, 8192 bits, good +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_8192:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5 + +PSA concurrent key generation: FFDH, 1024 bits, invalid bits +depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD +concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0:8:5 + Key production parameters initializers key_production_parameters_init: -- cgit v1.1 From b0b3c0d80ab8c7c986a13d901c661bb7f4da1090 Mon Sep 17 00:00:00 2001 From: Ryan Date: Fri, 1 Mar 2024 17:30:12 +0000 Subject: Disable MBEDTLS_SELF_TEST in the TSan config Enabling this causes TSan warnings, as some self-tests use unprotected globals (see X_count variables in ecp.c). This isn't an issue, as these globals are only read in self tests, which do not use threads. Signed-off-by: Ryan Everett --- tests/scripts/all.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index fcb465e..2b7ed00 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2198,6 +2198,8 @@ component_test_tsan () { scripts/config.py full scripts/config.py set MBEDTLS_THREADING_C scripts/config.py set MBEDTLS_THREADING_PTHREAD + # Self-tests do not currently use multiple threads. + scripts/config.py unset MBEDTLS_SELF_TEST CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan . make -- cgit v1.1 From 16d5160504f05c76401b12702c6cfb3ef9549163 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 5 Mar 2024 14:54:28 +0000 Subject: Allow the use of threading dependancies in PSA tests. Signed-off-by: Paul Elliott --- tests/scripts/all.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2b7ed00..99c1d49 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1110,6 +1110,9 @@ component_check_test_dependencies () { echo "MBEDTLS_ECP_RESTARTABLE" >> $expected # No PSA equivalent - needed by some init tests echo "MBEDTLS_ENTROPY_NV_SEED" >> $expected + # No PSA equivalent - required to run threaded tests. + echo "MBEDTLS_THREADING_C" >> $expected + echo "MBEDTLS_THREADING_PTHREAD" >> $expected # Compare reality with expectation. # We want an exact match, to ensure the above list remains up-to-date. -- cgit v1.1 From 63c1cf7eaaef45f99a29a93e35f10fc4b66e36a4 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 5 Mar 2024 17:35:16 +0000 Subject: Remove MBEDTLS_THREADING_C check in check_test_dependencies At the moment our tests only check for MBEDTLS_THREADIN_PTHREAD Signed-off-by: Ryan Everett --- tests/scripts/all.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 99c1d49..9191f65 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1111,7 +1111,6 @@ component_check_test_dependencies () { # No PSA equivalent - needed by some init tests echo "MBEDTLS_ENTROPY_NV_SEED" >> $expected # No PSA equivalent - required to run threaded tests. - echo "MBEDTLS_THREADING_C" >> $expected echo "MBEDTLS_THREADING_PTHREAD" >> $expected # Compare reality with expectation. -- cgit v1.1 From 93795f2639a4ab68ced9b9211fc55bf1d5343108 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 7 Mar 2024 09:24:56 +0100 Subject: tls13: Improve comment about cast to uint32_t Signed-off-by: Ronald Cron --- library/ssl_tls13_generic.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 9fbd3ac..d448a05 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1472,6 +1472,10 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, * * A server receiving more than max_early_data_size bytes of 0-RTT data * SHOULD terminate the connection with an "unexpected_message" alert. + * Note that if it is still possible to send early_data_len bytes of early + * data, it means that early_data_len is smaller than max_early_data_size + * (type uint32_t) and can fit in an uint32_t. We use this further + * down. */ if (early_data_len > (ssl->session_negotiate->max_early_data_size - @@ -1489,11 +1493,10 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, } /* - * The check just above implies that early_data_len is lower than - * UINT32_MAX thus its cast to an uint32_t below is safe. We need it - * to appease some compilers. + * early_data_len has been checked to be less than max_early_data_size + * that is uint32_t. Its cast to an uint32_t below is thus safe. We need + * the cast to appease some compilers. */ - ssl->total_early_data_size += (uint32_t) early_data_len; return 0; -- cgit v1.1 From 6e31127f08908101f8ed750a62a0cc6786c7c8ba Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 5 Dec 2023 17:57:01 +0100 Subject: tls13: srv: Define specific return macros for binder check Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3a968aa..6fcf8a2 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -324,6 +324,8 @@ static int ssl_tls13_offered_psks_check_identity_match( return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; } +#define SSL_TLS1_3_BINDER_DOES_NOT_MATCH 1 +#define SSL_TLS1_3_BINDER_MATCH 0 MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl, @@ -368,12 +370,12 @@ static int ssl_tls13_offered_psks_check_binder_match( MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len); if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) { - return SSL_TLS1_3_OFFERED_PSK_MATCH; + return SSL_TLS1_3_BINDER_MATCH; } mbedtls_platform_zeroize(server_computed_binder, sizeof(server_computed_binder)); - return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; + return SSL_TLS1_3_BINDER_DOES_NOT_MATCH; } MBEDTLS_CHECK_RETURN_CRITICAL @@ -626,7 +628,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( ret = ssl_tls13_offered_psks_check_binder_match( ssl, binder, binder_len, psk_type, mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac)); - if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) { + if (ret != SSL_TLS1_3_BINDER_MATCH) { /* For security reasons, the handshake should be aborted when we * fail to validate a binder value. See RFC 8446 section 4.2.11.2 * and appendix E.6. */ -- cgit v1.1 From 3cdcac564721f3ab0283e7f341d0be26696e3c52 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 5 Dec 2023 17:43:02 +0100 Subject: tls13: srv: Fix return value Fix the value returned by ssl_tls13_offered_psks_check_identity_match_ticket() when there is no ticket parser function defined or no time. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6fcf8a2..f23ba76 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -123,7 +123,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( /* Ticket parser is not configured, Skip */ if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) { - return 0; + return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; } /* We create a copy of the encrypted ticket since the ticket parsing @@ -171,7 +171,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( * * We regard the ticket with incompatible key exchange modes as not match. */ - ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR; MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); key_exchanges = 0; @@ -186,11 +185,12 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( if (key_exchanges == 0) { MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); + ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR; goto exit; } - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; #if defined(MBEDTLS_HAVE_TIME) + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; now = mbedtls_ms_time(); if (now < session->ticket_creation_time) { @@ -244,7 +244,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( } ret = 0; - #endif /* MBEDTLS_HAVE_TIME */ exit: -- cgit v1.1 From fbae94a52f5835a1eedb1fdc7bdfff326cf217ae Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 5 Dec 2023 18:15:14 +0100 Subject: tls13: srv: Improve ticket identity check return values Improve the values returned by ssl_tls13_offered_psks_check_identity_match_ticket(). Distinguish between the two following cases: 1) the PSK identity is not a valid ticket identity 2) the PSK identity is a valid ticket identity but the ticket cannot be used for session resumption. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 61 ++++++++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 27 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index f23ba76..ca5e112 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -90,8 +90,9 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, return 0; } -#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1 -#define SSL_TLS1_3_OFFERED_PSK_MATCH 0 +#define SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH 2 +#define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1 +#define SSL_TLS1_3_PSK_IDENTITY_MATCH 0 #if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL @@ -123,7 +124,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( /* Ticket parser is not configured, Skip */ if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) { - return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; + return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; } /* We create a copy of the encrypted ticket since the ticket parsing @@ -138,28 +139,36 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( } memcpy(ticket_buffer, identity, identity_len); - if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, - session, - ticket_buffer, identity_len)) != 0) { - if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); - } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { + ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, + session, + ticket_buffer, identity_len); + if (ret == 0) { + ret = SSL_TLS1_3_PSK_IDENTITY_MATCH; + } else { + if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); + ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; } else { - MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret); + if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { + MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); + } else { + MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret); + } + ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; } } /* We delete the temporary buffer */ mbedtls_free(ticket_buffer); - if (ret == 0 && session->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket TLS version is not 1.3.")); - /* TODO: Define new return value for this case. */ - ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; + if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) { + goto exit; } - if (ret != 0) { + ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; + + if (session->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) { + MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket TLS version is not 1.3.")); goto exit; } @@ -185,12 +194,10 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( if (key_exchanges == 0) { MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); - ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR; goto exit; } #if defined(MBEDTLS_HAVE_TIME) - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; now = mbedtls_ms_time(); if (now < session->ticket_creation_time) { @@ -242,12 +249,12 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( age_diff)); goto exit; } - - ret = 0; #endif /* MBEDTLS_HAVE_TIME */ + ret = SSL_TLS1_3_PSK_IDENTITY_MATCH; + exit: - if (ret != 0) { + if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) { mbedtls_ssl_session_free(session); } @@ -277,7 +284,7 @@ static int ssl_tls13_offered_psks_check_identity_match( #if defined(MBEDTLS_SSL_SESSION_TICKETS) if (ssl_tls13_offered_psks_check_identity_match_ticket( ssl, identity, identity_len, obfuscated_ticket_age, - session) == SSL_TLS1_3_OFFERED_PSK_MATCH) { + session) == SSL_TLS1_3_PSK_IDENTITY_MATCH) { ssl->handshake->resume = 1; *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; ret = mbedtls_ssl_set_hs_psk(ssl, @@ -293,7 +300,7 @@ static int ssl_tls13_offered_psks_check_identity_match( session->resumption_key_len); MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u", (unsigned) obfuscated_ticket_age)); - return SSL_TLS1_3_OFFERED_PSK_MATCH; + return SSL_TLS1_3_PSK_IDENTITY_MATCH; } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ @@ -301,9 +308,9 @@ static int ssl_tls13_offered_psks_check_identity_match( if (ssl->conf->f_psk != NULL) { if (ssl->conf->f_psk( ssl->conf->p_psk, ssl, identity, identity_len) == 0) { - return SSL_TLS1_3_OFFERED_PSK_MATCH; + return SSL_TLS1_3_PSK_IDENTITY_MATCH; } - return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; + return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; } MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len); @@ -317,10 +324,10 @@ static int ssl_tls13_offered_psks_check_identity_match( MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); return ret; } - return SSL_TLS1_3_OFFERED_PSK_MATCH; + return SSL_TLS1_3_PSK_IDENTITY_MATCH; } - return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; + return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; } #define SSL_TLS1_3_BINDER_DOES_NOT_MATCH 1 @@ -588,7 +595,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( ret = ssl_tls13_offered_psks_check_identity_match( ssl, identity, identity_len, obfuscated_ticket_age, &psk_type, &session); - if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) { + if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) { continue; } -- cgit v1.1 From 7a30cf595437cea6119041a1a5cfef9ca394d227 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 23 Feb 2024 14:38:59 +0100 Subject: tls13: srv: Stop earlier identity check If an identity has been determined as a ticket identity but the ticket is not usable, do not try to check if the identity is that of an external provided PSK. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index ca5e112..873f909 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -282,9 +282,9 @@ static int ssl_tls13_offered_psks_check_identity_match( ssl->handshake->resume = 0; #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if (ssl_tls13_offered_psks_check_identity_match_ticket( - ssl, identity, identity_len, obfuscated_ticket_age, - session) == SSL_TLS1_3_PSK_IDENTITY_MATCH) { + ret = ssl_tls13_offered_psks_check_identity_match_ticket( + ssl, identity, identity_len, obfuscated_ticket_age, session); + if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) { ssl->handshake->resume = 1; *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; ret = mbedtls_ssl_set_hs_psk(ssl, @@ -301,6 +301,8 @@ static int ssl_tls13_offered_psks_check_identity_match( MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u", (unsigned) obfuscated_ticket_age)); return SSL_TLS1_3_PSK_IDENTITY_MATCH; + } else if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE) { + return SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -- cgit v1.1 From 12e72f16646e43a07dad19ffeeae5f8db92e8313 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 14 Feb 2024 15:49:38 +0100 Subject: tls13: srv: Always parse the pre-shared key extension Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 7 ++++--- tests/opt-testcases/tls13-kex-modes.sh | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 873f909..3b7fc83 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1744,10 +1744,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, /* Update checksum with either * - The entire content of the CH message, if no PSK extension is present * - The content up to but excluding the PSK extension, if present. + * Always parse the pre-shared key extension when present in the + * ClientHello even if some pre-requisites for PSK key exchange modes are + * not met. That way we always validate the syntax of the extension. */ - /* If we've settled on a PSK-based exchange, parse PSK identity ext */ - if (ssl_tls13_key_exchange_is_psk_available(ssl) || - ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) { + if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) { ret = handshake->update_checksum(ssl, buf, pre_shared_key_ext - buf); if (0 != ret) { diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 4581bc5..6556cd4 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -550,7 +550,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/ephemeral_all, good" \ -s "found pre_shared_key extension" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -S "Pre shared key found" \ + -s "Pre shared key found" \ -S "No matched PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ @@ -733,7 +733,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_or_ephemeral, good" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -S "Pre shared key found" \ + -s "Pre shared key found" \ -S "No matched PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ @@ -1413,7 +1413,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_or_ephemeral, good" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -S "Pre shared key found" \ + -s "Pre shared key found" \ -S "No matched PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -- cgit v1.1 From f7e9916b3d46e84d873591802e8bd95540e800c1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 14 Feb 2024 16:04:02 +0100 Subject: tls13: srv: Fix MBEDTLS_SSL_SESSION_TICKETS guard position Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3b7fc83..d0e8195 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -608,18 +608,16 @@ static int ssl_tls13_parse_pre_shared_key_ext( ssl, ciphersuites, ciphersuites_end, &cipher_suite, &ciphersuite_info); break; - case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION: #if defined(MBEDTLS_SSL_SESSION_TICKETS) + case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION: ret = ssl_tls13_select_ciphersuite_for_resumption( ssl, ciphersuites, ciphersuites_end, &session, &cipher_suite, &ciphersuite_info); if (ret != 0) { mbedtls_ssl_session_free(&session); } -#else - ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; -#endif break; +#endif default: return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } -- cgit v1.1 From 89089cc69beceb78c698da9c789b111dc06dafb2 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 14 Feb 2024 18:18:08 +0100 Subject: tls13: srv: Factorize ciphersuite selection code Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 213 +++++++++++++++++++-------------------------- 1 file changed, 88 insertions(+), 125 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d0e8195..25279b3 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -39,6 +39,62 @@ static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite( return ciphersuite_info; } +static void ssl_tls13_select_ciphersuite( + mbedtls_ssl_context *ssl, + const unsigned char *cipher_suites, + const unsigned char *cipher_suites_end, + int psk_ciphersuite_id, + psa_algorithm_t psk_hash_alg, + const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info) +{ + *selected_ciphersuite_info = NULL; + + /* + * This function assumes that the length of the list of ciphersuites is + * even and it should have been checked it is so in the main ClientHello + * parsing function. Double check here. + */ + if ((cipher_suites_end - cipher_suites) & 1) { + return; + } + + for (const unsigned char *p = cipher_suites; + p < cipher_suites_end; p += 2) { + /* + * "cipher_suites_end - p is even" is an invariant of the loop. As + * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and it + * is thus safe to read two bytes. + */ + uint16_t id = MBEDTLS_GET_UINT16_BE(p, 0); + + const mbedtls_ssl_ciphersuite_t *info = + ssl_tls13_validate_peer_ciphersuite(ssl, id); + if (info == NULL) { + continue; + } + + /* + * If a valid PSK ciphersuite identifier has been passed in, we seek + * for an exact match. + */ + if (psk_ciphersuite_id != 0) { + if (id != psk_ciphersuite_id) { + continue; + } + } else if (psk_hash_alg != PSA_ALG_NONE) { + if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac) != + psk_hash_alg) { + continue; + } + } + + *selected_ciphersuite_info = info; + return; + } + + MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite")); +} + #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* From RFC 8446: * @@ -386,92 +442,8 @@ static int ssl_tls13_offered_psks_check_binder_match( return SSL_TLS1_3_BINDER_DOES_NOT_MATCH; } -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_select_ciphersuite_for_psk( - mbedtls_ssl_context *ssl, - const unsigned char *cipher_suites, - const unsigned char *cipher_suites_end, - uint16_t *selected_ciphersuite, - const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info) -{ - psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256; - - *selected_ciphersuite = 0; - *selected_ciphersuite_info = NULL; - - /* RFC 8446, page 55. - * - * For externally established PSKs, the Hash algorithm MUST be set when the - * PSK is established or default to SHA-256 if no such algorithm is defined. - * - */ - - /* - * Search for a matching ciphersuite - */ - for (const unsigned char *p = cipher_suites; - p < cipher_suites_end; p += 2) { - uint16_t cipher_suite; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - - cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0); - ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl, - cipher_suite); - if (ciphersuite_info == NULL) { - continue; - } - - /* MAC of selected ciphersuite MUST be same with PSK binder if exist. - * Otherwise, client should reject. - */ - if (psk_hash_alg == - mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac)) { - *selected_ciphersuite = cipher_suite; - *selected_ciphersuite_info = ciphersuite_info; - return 0; - } - } - MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite")); - return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; -} - #if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_select_ciphersuite_for_resumption( - mbedtls_ssl_context *ssl, - const unsigned char *cipher_suites, - const unsigned char *cipher_suites_end, - mbedtls_ssl_session *session, - uint16_t *selected_ciphersuite, - const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info) -{ - - *selected_ciphersuite = 0; - *selected_ciphersuite_info = NULL; - for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) { - uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0); - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - - if (cipher_suite != session->ciphersuite) { - continue; - } - - ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl, - cipher_suite); - if (ciphersuite_info == NULL) { - continue; - } - - *selected_ciphersuite = cipher_suite; - *selected_ciphersuite_info = ciphersuite_info; - - return 0; - } - - return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; -} - -MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst, const mbedtls_ssl_session *src) { @@ -569,7 +541,8 @@ static int ssl_tls13_parse_pre_shared_key_ext( const unsigned char *binder; size_t binder_len; int psk_type; - uint16_t cipher_suite; + int psk_ciphersuite_id; + psa_algorithm_t psk_hash_alg; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_session session; @@ -602,33 +575,39 @@ static int ssl_tls13_parse_pre_shared_key_ext( } MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity")); + switch (psk_type) { case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL: - ret = ssl_tls13_select_ciphersuite_for_psk( - ssl, ciphersuites, ciphersuites_end, - &cipher_suite, &ciphersuite_info); + psk_ciphersuite_id = 0; + psk_hash_alg = PSA_ALG_SHA_256; break; #if defined(MBEDTLS_SSL_SESSION_TICKETS) case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION: - ret = ssl_tls13_select_ciphersuite_for_resumption( - ssl, ciphersuites, ciphersuites_end, &session, - &cipher_suite, &ciphersuite_info); - if (ret != 0) { - mbedtls_ssl_session_free(&session); - } + psk_ciphersuite_id = session.ciphersuite; + psk_hash_alg = PSA_ALG_NONE; break; #endif default: return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } - if (ret != 0) { - /* See below, no cipher_suite available, abort handshake */ + + ssl_tls13_select_ciphersuite(ssl, ciphersuites, ciphersuites_end, + psk_ciphersuite_id, psk_hash_alg, + &ciphersuite_info); + + if (ciphersuite_info == NULL) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_session_free(&session); +#endif + /* + * We consider finding a ciphersuite suitable for the PSK as part + * of the validation of its binder. Thus if we do not find one, we + * abort the handshake with a decrypt_error alert. + */ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); - MBEDTLS_SSL_DEBUG_RET( - 2, "ssl_tls13_select_ciphersuite", ret); - return ret; + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; } ret = ssl_tls13_offered_psks_check_binder_match( @@ -654,9 +633,10 @@ static int ssl_tls13_parse_pre_shared_key_ext( /* Update handshake parameters */ ssl->handshake->ciphersuite_info = ciphersuite_info; - ssl->session_negotiate->ciphersuite = cipher_suite; + ssl->session_negotiate->ciphersuite = ciphersuite_info->id; MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s", - cipher_suite, ciphersuite_info->name)); + ((unsigned) ciphersuite_info->id), + ciphersuite_info->name)); #if defined(MBEDTLS_SSL_SESSION_TICKETS) if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate, @@ -1472,37 +1452,20 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, */ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites", cipher_suites, cipher_suites_len); - for (const unsigned char *cipher_suites_p = cipher_suites; - cipher_suites_p < cipher_suites_end; cipher_suites_p += 2) { - uint16_t cipher_suite; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - /* - * "cipher_suites_end - cipher_suites_p is even" is an invariant of the - * loop. As cipher_suites_end - cipher_suites_p > 0, we have - * cipher_suites_end - cipher_suites_p >= 2 and it is thus safe to read - * two bytes. - */ - cipher_suite = MBEDTLS_GET_UINT16_BE(cipher_suites_p, 0); - ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( - ssl, cipher_suite); - if (ciphersuite_info == NULL) { - continue; - } - - ssl->session_negotiate->ciphersuite = cipher_suite; - handshake->ciphersuite_info = ciphersuite_info; - MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s", - cipher_suite, - ciphersuite_info->name)); - break; - } + ssl_tls13_select_ciphersuite(ssl, cipher_suites, cipher_suites_end, + 0, PSA_ALG_NONE, &handshake->ciphersuite_info); if (handshake->ciphersuite_info == NULL) { MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; } + ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id; + + MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s", + ((unsigned) handshake->ciphersuite_info->id), + handshake->ciphersuite_info->name)); /* ... * opaque legacy_compression_methods<1..2^8-1>; -- cgit v1.1 From cf284565c5aa4ccc64ac3959f1b35bbf04792064 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 16 Feb 2024 18:54:10 +0100 Subject: tls13: srv: Determine best key exchange mode for a PSK Determine best key exchange for for ticket based and external PSKs. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 51 ++++++------ tests/opt-testcases/tls13-kex-modes.sh | 143 +++++++++++++++++---------------- tests/opt-testcases/tls13-misc.sh | 34 ++++---- 3 files changed, 114 insertions(+), 114 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 25279b3..9b273b8 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -166,7 +166,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *ticket_buffer; - unsigned int key_exchanges; #if defined(MBEDTLS_HAVE_TIME) mbedtls_ms_time_t now; mbedtls_ms_time_t server_age; @@ -228,31 +227,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( goto exit; } - /* RFC 8446 section 4.2.9 - * - * Servers SHOULD NOT send NewSessionTicket with tickets that are not - * compatible with the advertised modes; however, if a server does so, - * the impact will just be that the client's attempts at resumption fail. - * - * We regard the ticket with incompatible key exchange modes as not match. - */ - MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); - - key_exchanges = 0; - if (mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(session) && - ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) { - key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; - } - if (mbedtls_ssl_tls13_session_ticket_allow_psk(session) && - ssl_tls13_key_exchange_is_psk_available(ssl)) { - key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; - } - - if (key_exchanges == 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); - goto exit; - } - #if defined(MBEDTLS_HAVE_TIME) now = mbedtls_ms_time(); @@ -543,6 +517,8 @@ static int ssl_tls13_parse_pre_shared_key_ext( int psk_type; int psk_ciphersuite_id; psa_algorithm_t psk_hash_alg; + int allowed_key_exchange_modes; + int key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_session session; @@ -580,17 +556,38 @@ static int ssl_tls13_parse_pre_shared_key_ext( case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL: psk_ciphersuite_id = 0; psk_hash_alg = PSA_ALG_SHA_256; + allowed_key_exchange_modes = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; break; #if defined(MBEDTLS_SSL_SESSION_TICKETS) case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION: psk_ciphersuite_id = session.ciphersuite; psk_hash_alg = PSA_ALG_NONE; + ssl->session_negotiate->ticket_flags = session.ticket_flags; + allowed_key_exchange_modes = + session.ticket_flags & + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; break; #endif default: return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } + if ((allowed_key_exchange_modes & + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) && + ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) { + key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + } else if ((allowed_key_exchange_modes & + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) && + ssl_tls13_key_exchange_is_psk_available(ssl)) { + key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + } + + if (key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE) { + MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable PSK key exchange mode")); + continue; + } + ssl_tls13_select_ciphersuite(ssl, ciphersuites, ciphersuites_end, psk_ciphersuite_id, psk_hash_alg, &ciphersuite_info); @@ -664,7 +661,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( return ret; } if (matched_identity == -1) { - MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket.")); + MBEDTLS_SSL_DEBUG_MSG(3, ("No usable PSK or ticket.")); return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 6556cd4..49f06e0 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -23,7 +23,7 @@ run_test "TLS 1.3: G->m: all/psk, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -41,7 +41,7 @@ run_test "TLS 1.3: G->m: all/psk, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -78,7 +78,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk, good" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -96,7 +96,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -133,7 +133,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_ephemeral, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -151,7 +151,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_ephemeral, fail, key id mismatch" -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -188,7 +188,7 @@ run_test "TLS 1.3: G->m: all/psk_ephemeral, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -206,7 +206,7 @@ run_test "TLS 1.3: G->m: all/psk_ephemeral, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -261,7 +261,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -280,7 +280,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_all, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -319,7 +319,7 @@ run_test "TLS 1.3: G->m: all/psk_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -338,7 +338,7 @@ run_test "TLS 1.3: G->m: all/psk_all, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -377,7 +377,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_all, good" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -396,7 +396,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_all, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -435,7 +435,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -454,7 +454,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good, key id mismatch, -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -493,7 +493,7 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -512,7 +512,7 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good, key id mismatch, dhe." \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -550,8 +550,9 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/ephemeral_all, good" \ -s "found pre_shared_key extension" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -s "No suitable PSK key exchange mode" \ + -S "Pre shared key found" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -572,7 +573,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -592,7 +593,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good, key id mismatch, dhe." \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -633,7 +634,7 @@ run_test "TLS 1.3: G->m: all/all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -653,7 +654,7 @@ run_test "TLS 1.3: G->m: all/all, good, key id mismatch, dhe." \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -694,7 +695,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/all, good" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -733,8 +734,9 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_or_ephemeral, good" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -s "No suitable PSK key exchange mode" \ + -S "Pre shared key found" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -754,7 +756,7 @@ run_test "TLS 1.3: G->m: all/psk_or_ephemeral, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -793,7 +795,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, good" \ -S "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -921,7 +923,7 @@ run_test "TLS 1.3: O->m: all/psk, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -s "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -938,7 +940,7 @@ run_test "TLS 1.3: O->m: all/psk, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -973,7 +975,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_ephemeral, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -990,7 +992,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_ephemeral, fail, key id mismatch" -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1025,7 +1027,7 @@ run_test "TLS 1.3: O->m: all/psk_ephemeral, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1042,7 +1044,7 @@ run_test "TLS 1.3: O->m: all/psk_ephemeral, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1078,7 +1080,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1096,7 +1098,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_all, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1133,7 +1135,7 @@ run_test "TLS 1.3: O->m: all/psk_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1151,7 +1153,7 @@ run_test "TLS 1.3: O->m: all/psk_all, fail, key id mismatch" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1188,7 +1190,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1206,7 +1208,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good, key id mismatch, -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -1243,7 +1245,7 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1261,7 +1263,7 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good, key id mismatch, dhe." \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -1299,7 +1301,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1318,7 +1320,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good, key id mismatch, dhe." \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -1357,7 +1359,7 @@ run_test "TLS 1.3: O->m: all/all, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" @@ -1376,7 +1378,7 @@ run_test "TLS 1.3: O->m: all/all, good, key id mismatch, dhe." \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -1413,8 +1415,9 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_or_ephemeral, good" \ -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -S "Found PSK KEX MODE" \ - -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -s "No suitable PSK key exchange mode" \ + -S "Pre shared key found" \ + -s "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -1433,7 +1436,7 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, good" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" \ -s "Pre shared key found" \ - -S "No matched PSK or ticket" \ + -S "No usable PSK or ticket" \ -S "key exchange mode: psk$" \ -S "key exchange mode: psk_ephemeral" \ -s "key exchange mode: ephemeral" @@ -1580,7 +1583,7 @@ run_test "TLS 1.3: m->m: psk/psk, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" + -s "No usable PSK or ticket" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1665,7 +1668,7 @@ run_test "TLS 1.3: m->m: psk/psk_all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1711,7 +1714,7 @@ run_test "TLS 1.3: m->m: psk/all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1769,7 +1772,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_ephemeral, fail, key id mismatch" -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1827,7 +1830,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, fail, key id mismatch" -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" + -s "No usable PSK or ticket" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -1870,7 +1873,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -1916,7 +1919,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2047,7 +2050,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_ephemeral, fail, key id mismatch" -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" + -s "No usable PSK or ticket" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2106,7 +2109,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/ephemeral_all,good,key id mismatch,fal -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "key exchange mode: ephemeral" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2152,7 +2155,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2199,7 +2202,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/all, good, key id mismatch, fallback" -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "key exchange mode: ephemeral" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2288,7 +2291,7 @@ run_test "TLS 1.3: m->m: psk_all/psk_ephemeral, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2348,7 +2351,7 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral_all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" + -s "No usable PSK or ticket" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2392,7 +2395,7 @@ run_test "TLS 1.3: m->m: psk_all/psk_all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2438,7 +2441,7 @@ run_test "TLS 1.3: m->m: psk_all/all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" + -s "No usable PSK or ticket" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C @@ -2485,7 +2488,7 @@ run_test "TLS 1.3: m->m: all/psk, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2532,7 +2535,7 @@ run_test "TLS 1.3: m->m: all/psk_ephemeral, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2595,7 +2598,7 @@ run_test "TLS 1.3: m->m: all/ephemeral_all, good, key id mismatch, fallback" -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -c "Selected key exchange mode: ephemeral" \ -c "HTTP/1.0 200 OK" @@ -2643,7 +2646,7 @@ run_test "TLS 1.3: m->m: all/psk_all, fail, key id mismatch" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "ClientHello message misses mandatory extensions." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -2690,7 +2693,7 @@ run_test "TLS 1.3: m->m: all/all, good, key id mismatch, fallback" \ -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \ -c "client hello, adding psk_key_exchange_modes extension" \ -c "client hello, adding PSK binder list" \ - -s "No matched PSK or ticket" \ + -s "No usable PSK or ticket" \ -s "key exchange mode: ephemeral" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index ad062dc..3a21a74 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -353,8 +353,8 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ -s "key exchange mode: ephemeral" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk$" \ - -s "No suitable key exchange mode" \ - -s "No matched PSK or ticket" + -s "No suitable PSK key exchange mode" \ + -s "No usable PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ @@ -365,7 +365,7 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ - -S "No suitable key exchange mode" \ + -S "No suitable PSK key exchange mode" \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ @@ -381,8 +381,8 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \ -s "key exchange mode: ephemeral" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk$" \ - -s "No suitable key exchange mode" \ - -s "No matched PSK or ticket" + -s "No suitable PSK key exchange mode" \ + -s "No usable PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ @@ -393,7 +393,7 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ - -S "No suitable key exchange mode" \ + -S "No suitable PSK key exchange mode" \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ @@ -409,8 +409,8 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \ -s "key exchange mode: ephemeral" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk$" \ - -s "No suitable key exchange mode" \ - -s "No matched PSK or ticket" + -s "No suitable PSK key exchange mode" \ + -s "No usable PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ @@ -425,8 +425,8 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \ -s "key exchange mode: ephemeral" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk$" \ - -s "No suitable key exchange mode" \ - -s "No matched PSK or ticket" + -s "No suitable PSK key exchange mode" \ + -s "No usable PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ @@ -437,7 +437,7 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemera "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ - -S "No suitable key exchange mode" \ + -S "No suitable PSK key exchange mode" \ -s "found matched identity" \ -s "key exchange mode: psk_ephemeral" @@ -450,7 +450,7 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ - -S "No suitable key exchange mode" \ + -S "No suitable PSK key exchange mode" \ -s "found matched identity" \ -s "key exchange mode: psk_ephemeral" @@ -468,8 +468,8 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ -s "key exchange mode: ephemeral" \ -S "key exchange mode: psk_ephemeral" \ -S "key exchange mode: psk$" \ - -s "No suitable key exchange mode" \ - -s "No matched PSK or ticket" + -s "No suitable PSK key exchange mode" \ + -s "No usable PSK or ticket" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ @@ -481,7 +481,7 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ - -S "No suitable key exchange mode" \ + -S "No suitable PSK key exchange mode" \ -s "found matched identity" requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ @@ -494,7 +494,7 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ - -S "No suitable key exchange mode" \ + -S "No suitable PSK key exchange mode" \ -s "found matched identity" \ -s "key exchange mode: psk_ephemeral" @@ -508,7 +508,7 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ - -S "No suitable key exchange mode" \ + -S "No suitable PSK key exchange mode" \ -s "found matched identity" \ -s "key exchange mode: psk_ephemeral" -- cgit v1.1 From 1f63fe4d74520a031f3beb62866e47901203ca09 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 23 Feb 2024 15:49:12 +0100 Subject: tls13: srv: Fix resume flag in case of cancelled PSK If we prefer ephemeral key exchange mode over the pure PSK one, make sure the resume flag is disabled as eventually we are not going to resume a session even if we aimed to at some point. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 1 + tests/opt-testcases/tls13-misc.sh | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 9b273b8..9aec227 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1074,6 +1074,7 @@ static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral")); } else if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) { + ssl->handshake->resume = 0; ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral")); diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 3a21a74..90c0fb2 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -535,3 +535,18 @@ run_test "TLS 1.3 G->m: EarlyData: feature is enabled, good." \ -s "$( tail -1 $EARLY_DATA_INPUT )" \ -s "200 early data bytes read" \ -s "106 early data bytes read" + +requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ + MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "TLS 1.3 m->m: Ephemeral over PSK kex with early data enabled" \ + "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=1024" \ + "$P_CLI debug_level=4 early_data=$EARLY_DATA_INPUT tls13_kex_modes=psk_or_ephemeral reco_mode=1 reconnect=1" \ + 0 \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk" \ + -s "found matched identity" \ + -s "EarlyData: rejected, not a session resumption" \ + -C "EncryptedExtensions: early_data(42) extension exists." -- cgit v1.1 From 79cdd4156ffcd4ac85272d6a8856092a4e6aa8eb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 20 Feb 2024 17:19:28 +0100 Subject: tls13: srv: Improve key exchange mode determination For PSK based key exchange modes do not check twice anymore if they can be selected or not. Check it only when looping over the offered PSKs to select one. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 157 +++++++++++++++++++++++---------------------- 1 file changed, 82 insertions(+), 75 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 9aec227..d6dd481 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -437,6 +437,12 @@ static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst, } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +struct psk_attributes { + int type; + int key_exchange_mode; +}; +#define PSK_ATTRIBUTES_INIT { 0, 0 } + /* Parser for pre_shared_key extension in client hello * struct { * opaque identity<1..2^16-1>; @@ -463,7 +469,8 @@ static int ssl_tls13_parse_pre_shared_key_ext( const unsigned char *pre_shared_key_ext, const unsigned char *pre_shared_key_ext_end, const unsigned char *ciphersuites, - const unsigned char *ciphersuites_end) + const unsigned char *ciphersuites_end, + struct psk_attributes *psk) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const unsigned char *identities = pre_shared_key_ext; @@ -514,11 +521,9 @@ static int ssl_tls13_parse_pre_shared_key_ext( uint32_t obfuscated_ticket_age; const unsigned char *binder; size_t binder_len; - int psk_type; int psk_ciphersuite_id; psa_algorithm_t psk_hash_alg; int allowed_key_exchange_modes; - int key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_session session; @@ -545,14 +550,14 @@ static int ssl_tls13_parse_pre_shared_key_ext( ret = ssl_tls13_offered_psks_check_identity_match( ssl, identity, identity_len, obfuscated_ticket_age, - &psk_type, &session); + &psk->type, &session); if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) { continue; } MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity")); - switch (psk_type) { + switch (psk->type) { case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL: psk_ciphersuite_id = 0; psk_hash_alg = PSA_ALG_SHA_256; @@ -573,17 +578,19 @@ static int ssl_tls13_parse_pre_shared_key_ext( return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } + psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; + if ((allowed_key_exchange_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) && ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) { - key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; } else if ((allowed_key_exchange_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) && ssl_tls13_key_exchange_is_psk_available(ssl)) { - key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; } - if (key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE) { + if (psk->key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE) { MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable PSK key exchange mode")); continue; } @@ -608,7 +615,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( } ret = ssl_tls13_offered_psks_check_binder_match( - ssl, binder, binder_len, psk_type, + ssl, binder, binder_len, psk->type, mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac)); if (ret != SSL_TLS1_3_BINDER_MATCH) { /* For security reasons, the handshake should be aborted when we @@ -635,7 +642,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( ((unsigned) ciphersuite_info->id), ciphersuite_info->name)); #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { + if (psk->type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate, &session); mbedtls_ssl_session_free(&session); @@ -1004,19 +1011,6 @@ static int ssl_tls13_ticket_is_kex_mode_permitted(mbedtls_ssl_context *ssl, #endif return 1; } -#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ - -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl) -{ -#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) - return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) && - ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl); -#else - ((void) ssl); - return 0; -#endif -} MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl) @@ -1047,53 +1041,18 @@ static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context return 0; #endif } +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ -static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl) { - /* - * Determine the key exchange algorithm to use. - * There are three types of key exchanges supported in TLS 1.3: - * - (EC)DH with ECDSA, - * - (EC)DH with PSK, - * - plain PSK. - * - * The PSK-based key exchanges may additionally be used with 0-RTT. - * - * Our built-in order of preference is - * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral ) - * 2 ) Certificate Mode ( ephemeral ) - * 3 ) Plain PSK Mode ( psk ) - */ - - ssl->handshake->key_exchange_mode = - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; - - if (ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) { - ssl->handshake->key_exchange_mode = - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; - MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral")); - } else - if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) { - ssl->handshake->resume = 0; - ssl->handshake->key_exchange_mode = - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; - MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral")); - } else - if (ssl_tls13_key_exchange_is_psk_available(ssl)) { - ssl->handshake->key_exchange_mode = - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; - MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk")); - } else { - MBEDTLS_SSL_DEBUG_MSG( - 1, - ("ClientHello message misses mandatory extensions.")); - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; - } - +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) + return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) && + ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl); +#else + ((void) ssl); return 0; - +#endif } #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ @@ -1287,6 +1246,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, int no_usable_share_for_key_agreement = 0; #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + int got_psk = 0; + struct psk_attributes psk = PSK_ATTRIBUTES_INIT; const unsigned char *pre_shared_key_ext = NULL; const unsigned char *pre_shared_key_ext_end = NULL; #endif @@ -1718,10 +1679,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, pre_shared_key_ext, pre_shared_key_ext_end, cipher_suites, - cipher_suites_end); - if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { - handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY); - } else if (ret != 0) { + cipher_suites_end, + &psk); + if (ret == 0) { + got_psk = 1; + } else if (ret != MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_pre_shared_key_ext", ret); return ret; @@ -1736,12 +1698,57 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } } - ret = ssl_tls13_determine_key_exchange_mode(ssl); - if (ret < 0) { - return ret; + /* + * Determine the key exchange algorithm to use. + * There are three types of key exchanges supported in TLS 1.3: + * - (EC)DH with ECDSA, + * - (EC)DH with PSK, + * - plain PSK. + * + * The PSK-based key exchanges may additionally be used with 0-RTT. + * + * Our built-in order of preference is + * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral ) + * 2 ) Certificate Mode ( ephemeral ) + * 3 ) Plain PSK Mode ( psk ) + */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + if (got_psk && (psk.key_exchange_mode == + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL)) { + handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral")); + + } else +#endif + if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) { + handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; + MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral")); + + } +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + else if (got_psk && (psk.key_exchange_mode == + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK)) { + handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk")); + } +#endif + else { + MBEDTLS_SSL_DEBUG_MSG( + 1, + ("ClientHello message misses mandatory extensions.")); + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } + + if (handshake->key_exchange_mode == + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) { + handshake->resume = 0; } - if (ssl->handshake->key_exchange_mode != + if (handshake->key_exchange_mode != MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) { hrr_required = (no_usable_share_for_key_agreement != 0); } -- cgit v1.1 From e8c162d7ba89ed7fc32e1797d829ecaa24f818c0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 10:15:44 +0100 Subject: tls13: srv: Simplify kex availability checks Regarding the possibility of selecting a key exchange mode, the check of the ticket flags is now separated from the check of the ClientHello content and server configuration. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d6dd481..a496981 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -995,30 +995,10 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_ticket_is_kex_mode_permitted(mbedtls_ssl_context *ssl, - unsigned int kex_mode) -{ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - if (ssl->handshake->resume) { - if (!mbedtls_ssl_tls13_session_ticket_has_flags( - ssl->session_negotiate, kex_mode)) { - return 0; - } - } -#else - ((void) ssl); - ((void) kex_mode); -#endif - return 1; -} - -MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl) { #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) - return ssl_tls13_ticket_is_kex_mode_permitted( - ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) && - mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) && + return mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) && mbedtls_ssl_tls13_is_psk_supported(ssl) && ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl); #else @@ -1031,9 +1011,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl) { #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) - return ssl_tls13_ticket_is_kex_mode_permitted( - ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) && - mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) && + return mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) && mbedtls_ssl_tls13_is_psk_ephemeral_supported(ssl) && ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl); #else -- cgit v1.1 From 3e47eec4311b1d3e3d45b8e4b1864b4338f5426d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 21 Feb 2024 10:29:24 +0100 Subject: tls13: srv: Simplify resumption detection Avoid marking we resume and then cancelling it. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index a496981..391b8d4 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -309,13 +309,11 @@ static int ssl_tls13_offered_psks_check_identity_match( *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len); - ssl->handshake->resume = 0; #if defined(MBEDTLS_SSL_SESSION_TICKETS) ret = ssl_tls13_offered_psks_check_identity_match_ticket( ssl, identity, identity_len, obfuscated_ticket_age, session); if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) { - ssl->handshake->resume = 1; *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; ret = mbedtls_ssl_set_hs_psk(ssl, session->resumption_key, @@ -1721,10 +1719,13 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } - if (handshake->key_exchange_mode == - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) { - handshake->resume = 0; +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + if ((handshake->key_exchange_mode != + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) && + (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION)) { + handshake->resume = 1; } +#endif if (handshake->key_exchange_mode != MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) { -- cgit v1.1 From 74a1629231362268ec2e3a34391499511ef22172 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 23 Feb 2024 17:07:41 +0100 Subject: tls13: srv: Move PSK ciphersuite selection up Move PSK ciphersuite selection up to the main ClientHello parsing function. That way the ciphersuite selection only happens in this function. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 391b8d4..ad1be2f 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -438,8 +438,9 @@ static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst, struct psk_attributes { int type; int key_exchange_mode; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; }; -#define PSK_ATTRIBUTES_INIT { 0, 0 } +#define PSK_ATTRIBUTES_INIT { 0, 0, 0 } /* Parser for pre_shared_key extension in client hello * struct { @@ -522,7 +523,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( int psk_ciphersuite_id; psa_algorithm_t psk_hash_alg; int allowed_key_exchange_modes; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_session session; mbedtls_ssl_session_init(&session); @@ -595,9 +596,9 @@ static int ssl_tls13_parse_pre_shared_key_ext( ssl_tls13_select_ciphersuite(ssl, ciphersuites, ciphersuites_end, psk_ciphersuite_id, psk_hash_alg, - &ciphersuite_info); + &psk->ciphersuite_info); - if (ciphersuite_info == NULL) { + if (psk->ciphersuite_info == NULL) { #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_session_free(&session); #endif @@ -614,7 +615,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( ret = ssl_tls13_offered_psks_check_binder_match( ssl, binder, binder_len, psk->type, - mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac)); + mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) psk->ciphersuite_info->mac)); if (ret != SSL_TLS1_3_BINDER_MATCH) { /* For security reasons, the handshake should be aborted when we * fail to validate a binder value. See RFC 8446 section 4.2.11.2 @@ -633,12 +634,6 @@ static int ssl_tls13_parse_pre_shared_key_ext( matched_identity = identity_id; - /* Update handshake parameters */ - ssl->handshake->ciphersuite_info = ciphersuite_info; - ssl->session_negotiate->ciphersuite = ciphersuite_info->id; - MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s", - ((unsigned) ciphersuite_info->id), - ciphersuite_info->name)); #if defined(MBEDTLS_SSL_SESSION_TICKETS) if (psk->type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate, @@ -1720,10 +1715,18 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) - if ((handshake->key_exchange_mode != - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) && - (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION)) { - handshake->resume = 1; + if (handshake->key_exchange_mode & + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL) { + handshake->ciphersuite_info = psk.ciphersuite_info; + ssl->session_negotiate->ciphersuite = psk.ciphersuite_info->id; + + MBEDTLS_SSL_DEBUG_MSG(2, ("Select PSK ciphersuite: %04x - %s", + ((unsigned) psk.ciphersuite_info->id), + psk.ciphersuite_info->name)); + + if (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { + handshake->resume = 1; + } } #endif -- cgit v1.1 From 3811765c0c919787f85602f37f89e4f1cbf9fc08 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 5 Mar 2024 09:05:46 +0100 Subject: tls13: srv: Add/Improve comments Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 40 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 37 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index ad1be2f..4b6845d 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -50,9 +50,9 @@ static void ssl_tls13_select_ciphersuite( *selected_ciphersuite_info = NULL; /* - * This function assumes that the length of the list of ciphersuites is - * even and it should have been checked it is so in the main ClientHello - * parsing function. Double check here. + * In a compliant ClientHello the byte-length of the list of ciphersuites + * is even and this function relies on this fact. This should have been + * checked in the main ClientHello parsing function. Double check here. */ if ((cipher_suites_end - cipher_suites) & 1) { return; @@ -146,6 +146,27 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, return 0; } +/* + * Non-error return values of + * ssl_tls13_offered_psks_check_identity_match_ticket() and + * ssl_tls13_offered_psks_check_identity_match(). They are positive to + * not collide with error codes that are negative. Zero + * (SSL_TLS1_3_PSK_IDENTITY_MATCH) in case of success as it may be propagated + * up by the callers of this function as a generic success condition. + * + * The return value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE means + * that the pre-shared-key identity matches that of a ticket or an external + * provisioned pre-shared-key. We have thus been able to retrieve the + * attributes of the pre-shared-key but at least one of them does not meet + * some criteria and the pre-shared-key cannot be used. For example, a ticket + * is expired or its version is not TLS 1.3. Note eventually that the return + * value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE does not have + * anything to do with binder check. A binder check is done only when a + * suitable pre-shared-key has been selected and only for that selected + * pre-shared-key: if the binder check fails, we fail the handshake and we do + * not try to find another pre-shared-key for which the binder check would + * succeed as recommended by the specification. + */ #define SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH 2 #define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1 #define SSL_TLS1_3_PSK_IDENTITY_MATCH 0 @@ -220,6 +241,10 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( goto exit; } + /* + * The identity matches that of a ticket. Now check that it has suitable + * attributes and bet it will not be the case. + */ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; if (session->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) { @@ -281,6 +306,9 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( } #endif /* MBEDTLS_HAVE_TIME */ + /* + * All good, we have found a suitable ticket. + */ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH; exit: @@ -360,6 +388,12 @@ static int ssl_tls13_offered_psks_check_identity_match( return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; } +/* + * Non-error return values of ssl_tls13_offered_psks_check_binder_match(). + * They are positive to not collide with error codes that are negative. Zero + * (SSL_TLS1_3_BINDER_MATCH) in case of success as it may be propagated up + * by the callers of this function as a generic success condition. + */ #define SSL_TLS1_3_BINDER_DOES_NOT_MATCH 1 #define SSL_TLS1_3_BINDER_MATCH 0 MBEDTLS_CHECK_RETURN_CRITICAL -- cgit v1.1 From f602f7ba5092a04edc4febcbbcf2239383f5b21c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 5 Mar 2024 09:11:55 +0100 Subject: tls13: srv: Code improvements Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 4b6845d..94ceee6 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -218,20 +218,24 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, session, ticket_buffer, identity_len); - if (ret == 0) { - ret = SSL_TLS1_3_PSK_IDENTITY_MATCH; - } else { - if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { + switch (ret) { + case 0: + ret = SSL_TLS1_3_PSK_IDENTITY_MATCH; + break; + + case MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED: MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; - } else { - if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); - } else { - MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret); - } + break; + + case MBEDTLS_ERR_SSL_INVALID_MAC: + MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); + ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; + break; + + default: + MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret); ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; - } } /* We delete the temporary buffer */ -- cgit v1.1 From 16cc3704239f44e59e8d7017e11676a3eee8c10a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 7 Mar 2024 15:04:56 +0100 Subject: tls13: srv: Fix initialization value Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 94ceee6..f7b3401 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -478,7 +478,7 @@ struct psk_attributes { int key_exchange_mode; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; }; -#define PSK_ATTRIBUTES_INIT { 0, 0, 0 } +#define PSK_ATTRIBUTES_INIT { 0, 0, NULL } /* Parser for pre_shared_key extension in client hello * struct { -- cgit v1.1 From 7cab4f885b17ed365408a28f9a8c57d1e96d830c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 7 Mar 2024 15:09:09 +0100 Subject: tls13: srv: Fix/Improve comments Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index f7b3401..9f93478 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -74,8 +74,8 @@ static void ssl_tls13_select_ciphersuite( } /* - * If a valid PSK ciphersuite identifier has been passed in, we seek - * for an exact match. + * If a valid PSK ciphersuite identifier has been passed in, we want + * an exact match. */ if (psk_ciphersuite_id != 0) { if (id != psk_ciphersuite_id) { @@ -155,7 +155,7 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, * up by the callers of this function as a generic success condition. * * The return value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE means - * that the pre-shared-key identity matches that of a ticket or an external + * that the pre-shared-key identity matches that of a ticket or an externally- * provisioned pre-shared-key. We have thus been able to retrieve the * attributes of the pre-shared-key but at least one of them does not meet * some criteria and the pre-shared-key cannot be used. For example, a ticket @@ -1673,7 +1673,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, /* Update checksum with either * - The entire content of the CH message, if no PSK extension is present * - The content up to but excluding the PSK extension, if present. - * Always parse the pre-shared key extension when present in the + * Always parse the pre-shared-key extension when present in the * ClientHello even if some pre-requisites for PSK key exchange modes are * not met. That way we always validate the syntax of the extension. */ -- cgit v1.1 From 19521ddc36c04bbf963f24c050a8017cbba532dd Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 7 Mar 2024 15:09:41 +0100 Subject: tls13: srv: Fix/Improve debug logs Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 9f93478..7b66820 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -92,7 +92,8 @@ static void ssl_tls13_select_ciphersuite( return; } - MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite")); + MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%x", + (unsigned) psk_ciphersuite_id, psk_hash_alg)); } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) @@ -210,7 +211,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket( */ ticket_buffer = mbedtls_calloc(1, identity_len); if (ticket_buffer == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); return MBEDTLS_ERR_SSL_ALLOC_FAILED; } memcpy(ticket_buffer, identity, identity_len); -- cgit v1.1 From e14770fc420fa0744ed30fc45c3408f26959a7f6 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 8 Mar 2024 08:57:36 +0100 Subject: ssl-opt.sh: Fix early data test option Signed-off-by: Ronald Cron --- tests/opt-testcases/tls13-misc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 90c0fb2..066fa3f 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -543,7 +543,7 @@ requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: Ephemeral over PSK kex with early data enabled" \ "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=1024" \ - "$P_CLI debug_level=4 early_data=$EARLY_DATA_INPUT tls13_kex_modes=psk_or_ephemeral reco_mode=1 reconnect=1" \ + "$P_CLI debug_level=4 early_data=1 tls13_kex_modes=psk_or_ephemeral reco_mode=1 reconnect=1" \ 0 \ -s "key exchange mode: ephemeral" \ -S "key exchange mode: psk" \ -- cgit v1.1 From db944a78636de2e18b77a911a20d9ee20f06dee9 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 8 Mar 2024 11:32:53 +0100 Subject: ssl_msg.c: Fix log position Signed-off-by: Ronald Cron --- library/ssl_msg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index a8ff1c1..0c71157 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4133,14 +4133,15 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl, */ if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) { if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) { - MBEDTLS_SSL_DEBUG_MSG( - 3, ("EarlyData: Ignore application message before 2nd ClientHello")); ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len); if (ret != 0) { return ret; } + MBEDTLS_SSL_DEBUG_MSG( + 3, ("EarlyData: Ignore application message before 2nd ClientHello")); + return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) { ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; -- cgit v1.1 From 1a13e2f43ee62c626ef794bb9896cc543fc29777 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 8 Mar 2024 14:44:35 +0100 Subject: tests: ssl: Improve test code for very small max_early_data_size Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index c381860..7ba5670 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4675,12 +4675,27 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in case TEST_EARLY_DATA_HRR: ret = mbedtls_ssl_handshake(&(server_ep.ssl)); /* - * Can be the case if max_early_data_size is smaller then the - * smallest inner content or protected record. + * In this write loop we try to always stay below the + * max_early_data_size limit but if max_early_data_size is very + * small we may exceed the max_early_data_size limit on the + * first write. In TEST_EARLY_DATA_SERVER_REJECTS/ + * TEST_EARLY_DATA_HRR scenario, this is for sure the case if + * max_early_data_size is smaller than the smallest possible + * inner content/protected record. Take into account this + * possibility here but only for max_early_data_size values + * that are close to write_size. Below, chosen 1 for one byte + * of inner type and 16 bytes for AEAD expansion (IV, ...). */ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) { - /* Beyond 64 for max_early_data_size it is suspicious */ - TEST_ASSERT(max_early_data_size < 64); + if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) { + TEST_LE_U(max_early_data_size, + write_size + 1 + + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY); + } else { + TEST_LE_U(max_early_data_size, + write_size + 1 + 16 + + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY); + } goto exit; } -- cgit v1.1 From 4facb0a9cd27ace3ee681a63bb107d509830bab7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 8 Mar 2024 11:40:07 +0100 Subject: tests: ssl: Improve early data test code Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 7ba5670..f4288d1 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -37,7 +37,7 @@ static int write_early_data(mbedtls_ssl_context *ssl, int ret = mbedtls_ssl_get_max_out_record_payload(ssl); TEST_ASSERT(ret > 0); - TEST_ASSERT(len <= (size_t) ret); + TEST_LE_U(len, (size_t) ret); ret = mbedtls_ssl_flush_output(ssl); TEST_EQUAL(ret, 0); @@ -4514,7 +4514,7 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in uint32_t write_size = (uint32_t) write_size_arg; unsigned char *buf_read = NULL; uint32_t read_size; - uint32_t expended_early_data_len = 0; + uint32_t expanded_early_data_chunk_size = 0; uint32_t written_early_data_size = 0; uint32_t max_early_data_size; @@ -4634,13 +4634,13 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in /* * If the server rejected early data, base the determination of when - * to stop the loop on the expended size (padding and encryption + * to stop the loop on the expanded size (padding and encryption * expansion) of early data on server side and the number of early data - * received so far by the server (multiple of the expended size). + * received so far by the server (multiple of the expanded size). */ - if ((expended_early_data_len != 0) && + if ((expanded_early_data_chunk_size != 0) && ((server_ep.ssl.total_early_data_size + - expended_early_data_len) > max_early_data_size)) { + expanded_early_data_chunk_size) > max_early_data_size)) { break; } @@ -4703,12 +4703,12 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in TEST_EQUAL(server_pattern.counter, 1); server_pattern.counter = 0; - if (expended_early_data_len == 0) { - expended_early_data_len = server_ep.ssl.total_early_data_size; + if (expanded_early_data_chunk_size == 0) { + expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size; } break; } - TEST_ASSERT(server_ep.ssl.total_early_data_size <= max_early_data_size); + TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size); } while (1); mbedtls_debug_set_threshold(3); -- cgit v1.1 From 52472104a24637e94abe5926abe7682476006913 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 8 Mar 2024 11:29:28 +0100 Subject: tests: suite: early data: Add comments Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index f4288d1..64ee0f7 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4200,6 +4200,10 @@ void tls13_write_early_data(int scenario) break; case TEST_EARLY_DATA_HRR: + /* + * Remove server support for the group negotiated in + * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest. + */ server_options.group_list = group_list + 1; break; @@ -4570,6 +4574,10 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in break; case TEST_EARLY_DATA_HRR: + /* + * Remove server support for the group negotiated in + * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest. + */ server_options.group_list = group_list + 1; ret = mbedtls_snprintf( pattern, sizeof(pattern), @@ -4628,6 +4636,11 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in do { uint32_t read_early_data_size = 0; + /* + * The contents of the early data are not very important, write a + * pattern that varies byte-by-byte and is different for every chunk of + * early data. + */ if ((written_early_data_size + write_size) > max_early_data_size) { break; } -- cgit v1.1 From e1295fabaf39abd5cadea749a6c1e07fee2b7de3 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 8 Mar 2024 17:03:16 +0100 Subject: tests: ssl: early data: Fix comments Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 64ee0f7..20f8037 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4202,7 +4202,7 @@ void tls13_write_early_data(int scenario) case TEST_EARLY_DATA_HRR: /* * Remove server support for the group negotiated in - * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest. + * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest. */ server_options.group_list = group_list + 1; break; @@ -4696,8 +4696,9 @@ void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, in * max_early_data_size is smaller than the smallest possible * inner content/protected record. Take into account this * possibility here but only for max_early_data_size values - * that are close to write_size. Below, chosen 1 for one byte - * of inner type and 16 bytes for AEAD expansion (IV, ...). + * that are close to write_size. Below, '1' is for the inner + * type byte and '16' is to take into account some AEAD + * expansion (tag, ...). */ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) { if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) { -- cgit v1.1 From 30f49f19cca6f8e30c470c7f84dce98a8c6438d2 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 8 Mar 2024 16:29:54 +0000 Subject: Hinder unwanted optimisations We want this function to be constant time. Make it less likely that the compiler optimises it. Signed-off-by: Janos Follath --- library/bignum_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index f66739d..8374f3a 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -859,7 +859,7 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, size_t limbs) { - mbedtls_mpi_uint bits = 0; + volatile mbedtls_mpi_uint bits = 0; for (size_t i = 0; i < limbs; i++) { bits |= A[i]; -- cgit v1.1 From 4ec0fb592475add23df9284ee82b6805f82e24d9 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 8 Mar 2024 17:22:40 +0000 Subject: Avoid implementation defined behaviour The conversion back to signed short is an issue: the uint cast results in (-1 + UINT_MAX), which is OK. But then that can't be cast back to a signed value: "if the new type is signed and the value cannot be represented in it; either the result is implementation-defined or an implementation-defined signal is raised." Signed-off-by: Janos Follath --- library/bignum.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 0e3eb4b..78f6149 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -37,6 +37,19 @@ #include "mbedtls/platform.h" + + +/* + * Conditionally select an MPI sign in constant time. + * (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid + * values.) + */ +static inline unsigned short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond, + unsigned short sign1, unsigned short sign2) +{ + return (unsigned short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1; +} + /* * Compare signed values in constant time */ @@ -112,7 +125,7 @@ int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, { mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign); - X->s = (int) mbedtls_ct_uint_if(do_assign, Y->s, X->s); + X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s); mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign); @@ -149,8 +162,8 @@ int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n)); s = X->s; - X->s = (int) mbedtls_ct_uint_if(do_swap, Y->s, X->s); - Y->s = (int) mbedtls_ct_uint_if(do_swap, s, Y->s); + X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s); + Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s); mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap); @@ -1690,7 +1703,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, */ if (A->s == -1 && (E->p[0] & 1) != 0) { mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n); - X->s = mbedtls_ct_uint_if(is_x_non_zero, -1, 1); + X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1); MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X)); } -- cgit v1.1 From 16ef486c2ce8e28a9f39ed3b713472b2d0bd3a39 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 8 Mar 2024 17:25:57 +0000 Subject: Improve style Signed-off-by: Janos Follath --- library/bignum.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 78f6149..22e22aa 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1694,8 +1694,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, */ mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T); - mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, - T); + mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T); /* -- cgit v1.1 From d868b746a8ffc8746f7833fdcb82e71359c25419 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Fri, 8 Mar 2024 18:35:09 +0000 Subject: Fix potential bug in psa_destroy_key where multiple threads can return PSA_SUCCESS Threads lose the mutex between locking the slot and changing the slot's state. Make it so that threads check if another thread has completed a destruction during this period. Also fix the issue with the incorrect status variable being used. Signed-off-by: Ryan Everett --- library/psa_crypto.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d4a8307..0fe1fbc 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1106,6 +1106,17 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) * fully destroyed. */ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock( &mbedtls_threading_key_slot_mutex)); + + if (slot->state == PSA_SLOT_PENDING_DELETION) { + /* Another thread has destroyed the key between us locking the slot + * and us gaining the mutex. Unregister from the slot, + * and report that the key does not exist. */ + status = psa_unregister_read(slot); + + PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( + &mbedtls_threading_key_slot_mutex)); + return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status; + } #endif /* Set the key slot containing the key description's state to * PENDING_DELETION. This stops new operations from registering @@ -1115,10 +1126,10 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) * If the key is persistent, we can now delete the copy of the key * from memory. If the key is opaque, we require the driver to * deal with the deletion. */ - status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL, - PSA_SLOT_PENDING_DELETION); + overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL, + PSA_SLOT_PENDING_DELETION); - if (status != PSA_SUCCESS) { + if (overall_status != PSA_SUCCESS) { goto exit; } -- cgit v1.1 From b888bc0be67bb605fe938ad787b3b621ab6129ba Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 11 Mar 2024 09:29:53 +0000 Subject: Fix typo Signed-off-by: Janos Follath --- library/bignum.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 22e22aa..eecdf1e 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -44,10 +44,10 @@ * (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid * values.) */ -static inline unsigned short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond, - unsigned short sign1, unsigned short sign2) +static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond, + signed short sign1, signed short sign2) { - return (unsigned short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1; + return (signed short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1; } /* -- cgit v1.1 From d6df0a5dacc0dd1cef11b5232eb546124bfe9f18 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 11 Mar 2024 09:40:03 +0000 Subject: Fix use of volatile We need the pointer, A, to be volatile, to ensure the reads happen. bits does not need to be volatile. Signed-off-by: Janos Follath --- library/bignum_core.c | 4 ++-- library/bignum_core.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 8374f3a..db6e231 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -856,10 +856,10 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, return c; } -mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, +mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(volatile const mbedtls_mpi_uint *A, size_t limbs) { - volatile mbedtls_mpi_uint bits = 0; + mbedtls_mpi_uint bits = 0; for (size_t i = 0; i < limbs; i++) { bits |= A[i]; diff --git a/library/bignum_core.h b/library/bignum_core.h index 92c8d47..00c557b 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h @@ -665,7 +665,7 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, * \return MBEDTLS_CT_FALSE if `A == 0` * MBEDTLS_CT_TRUE if `A != 0`. */ -mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, +mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(volatile const mbedtls_mpi_uint *A, size_t limbs); /** -- cgit v1.1 From adb9d2d8221755ea7d3a2fc75ad918dd23639161 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 11 Mar 2024 10:03:05 +0000 Subject: Remove volatile from declaration Use of volatile is more an internal implementation detail (ensuring const-time) than part of the contract (the caller doesn't care about volatile as such). Signed-off-by: Janos Follath --- library/bignum_core.c | 5 +++-- library/bignum_core.h | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index db6e231..54b5195 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -856,13 +856,14 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, return c; } -mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(volatile const mbedtls_mpi_uint *A, +mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, size_t limbs) { + volatile const mbedtls_mpi_uint* force_read_A = A; mbedtls_mpi_uint bits = 0; for (size_t i = 0; i < limbs; i++) { - bits |= A[i]; + bits |= force_read_A[i]; } return mbedtls_ct_bool(bits); diff --git a/library/bignum_core.h b/library/bignum_core.h index 00c557b..92c8d47 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h @@ -665,7 +665,7 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, * \return MBEDTLS_CT_FALSE if `A == 0` * MBEDTLS_CT_TRUE if `A != 0`. */ -mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(volatile const mbedtls_mpi_uint *A, +mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, size_t limbs); /** -- cgit v1.1 From 23dc8b5fd8ec57b293dc510e22d124a58fa11b1b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 11 Mar 2024 10:39:57 +0000 Subject: Fix code style Co-authored-by: Dave Rodgman Signed-off-by: Janos Follath --- library/bignum_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 54b5195..1a3e0b9 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -859,7 +859,7 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A, size_t limbs) { - volatile const mbedtls_mpi_uint* force_read_A = A; + volatile const mbedtls_mpi_uint *force_read_A = A; mbedtls_mpi_uint bits = 0; for (size_t i = 0; i < limbs; i++) { -- cgit v1.1 From d282e264cd2aa36d2e078931ab02497c26ad2e09 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 11 Mar 2024 15:28:48 +0000 Subject: Fix IAR warning Signed-off-by: Dave Rodgman --- library/bignum.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index eecdf1e..c45fd5b 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1692,10 +1692,12 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, /* * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod(). */ - mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); - mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T); - mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); - mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T); + { + mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); + mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T); + mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); + mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T); + } /* * Correct for negative A. -- cgit v1.1 From 88c2755a3049304973031a3cacbfbd5dff1b63eb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 11 Mar 2024 18:49:54 +0100 Subject: mbedtls_pk_decrypt/encrypt actually check the padding mode The sign/verify functions happily use the wrong algorithm, but the encrypt/decrypt functions error out if the padding mode specifies V21. Signed-off-by: Gilles Peskine --- ChangeLog.d/8824.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/8824.txt b/ChangeLog.d/8824.txt index abc305f..6d6bcb7 100644 --- a/ChangeLog.d/8824.txt +++ b/ChangeLog.d/8824.txt @@ -1,7 +1,8 @@ Bugfix * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in - the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled, they always - used PKCS#1 v1.5 even when the RSA context was configured for PKCS#1 v2.1 - (PSS/OAEP). Fixes #8824. + the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the + RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify + functions performed a PKCS#1 v1.5 signature instead and the + encrypt/decrypt functions returned an error. Fixes #8824. -- cgit v1.1