Add an EC J-PAKE KDF to transform K -> SHA256(K.X) for TLS 1.2
TLS uses it to derive the session secret. The algorithm takes a serialized point in an uncompressed form, extracts the X coordinate and computes SHA256 of it. It is only expected to work with P-256. Fixes #5978. Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
parent
f6a6a2d815
commit
08d34b8693
7 changed files with 129 additions and 11 deletions
|
@ -228,6 +228,12 @@ extern "C" {
|
|||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */
|
||||
#endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */
|
||||
|
||||
#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
|
||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
|
||||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS */
|
||||
#endif /* PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
|
||||
|
||||
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
|
||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR)
|
||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1
|
||||
|
@ -629,6 +635,8 @@ extern "C" {
|
|||
#define PSA_WANT_ALG_TLS12_PRF 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
|
||||
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
|
||||
#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
|
||||
#endif /* MBEDTLS_MD_C */
|
||||
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
|
|
|
@ -88,6 +88,8 @@
|
|||
#define PSA_WANT_ALG_STREAM_CIPHER 1
|
||||
#define PSA_WANT_ALG_TLS12_PRF 1
|
||||
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
|
||||
#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
|
||||
|
||||
/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
|
||||
* Note: when adding support, also adjust include/mbedtls/config_psa.h */
|
||||
//#define PSA_WANT_ALG_XTS 1
|
||||
|
|
|
@ -239,6 +239,15 @@
|
|||
*/
|
||||
#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128
|
||||
|
||||
/* The expected size of input passed to psa_tls12_ecjpake_to_pms_input,
|
||||
* which is expected to work with P-256 curve only. */
|
||||
#define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65
|
||||
|
||||
/* The size of a serialized K.X coordinate to be used in
|
||||
* psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256
|
||||
* curve. */
|
||||
#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32
|
||||
|
||||
/** The maximum size of a block cipher. */
|
||||
#define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16
|
||||
|
||||
|
|
|
@ -202,6 +202,12 @@ typedef struct
|
|||
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF ||
|
||||
MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT ||
|
||||
MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
|
||||
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
|
||||
typedef struct
|
||||
{
|
||||
uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE];
|
||||
} psa_tls12_ecjpake_to_pms_t;
|
||||
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
|
||||
|
||||
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
|
||||
|
@ -266,6 +272,9 @@ struct psa_key_derivation_s
|
|||
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
|
||||
psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf);
|
||||
#endif
|
||||
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
|
||||
psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms);
|
||||
#endif
|
||||
} MBEDTLS_PRIVATE(ctx);
|
||||
};
|
||||
|
|
|
@ -2021,6 +2021,14 @@
|
|||
#define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \
|
||||
(PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
|
||||
|
||||
/* Macro to build a KDF that takes the shared secret K (an EC point in case
|
||||
* of EC J-PAKE) and calculates SHA256(K.X) that the rest of TLS 1.2 will
|
||||
* use to derive the session secret. Uses PSA_ALG_SHA_256.
|
||||
*/
|
||||
#define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t)0x08000600)
|
||||
#define PSA_ALG_IS_TLS12_ECJPAKE_TO_PMS(alg) \
|
||||
(alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS)
|
||||
|
||||
/* This flag indicates whether the key derivation algorithm is suitable for
|
||||
* use on low-entropy secrets such as password - these algorithms are also
|
||||
* known as key stretching or password hashing schemes. These are also the
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue