diff --git a/crypto b/crypto index 66314909d..ae5b03705 160000 --- a/crypto +++ b/crypto @@ -1 +1 @@ -Subproject commit 66314909dd060b370546b9707793a55e788a28ed +Subproject commit ae5b03705b6c4cbf1c149aa3c9372ba00cd05af5 diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index a78c1a96c..3684e9835 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -41,6 +41,7 @@ #include "ecp.h" #include "md.h" #include "pk.h" +#include "oid.h" /* Translations for symmetric crypto. */ @@ -155,6 +156,82 @@ static inline psa_algorithm_t mbedtls_psa_translate_md( mbedtls_md_type_t md_alg /* Translations for ECC. */ +static inline int mbedtls_psa_get_ecc_oid_from_id( + psa_ecc_curve_t curve, char const **oid, size_t *oid_len ) +{ + switch( curve ) + { +#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) + case PSA_ECC_CURVE_SECP192R1: + *oid = MBEDTLS_OID_EC_GRP_SECP192R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP192R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) + case PSA_ECC_CURVE_SECP224R1: + *oid = MBEDTLS_OID_EC_GRP_SECP224R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP224R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + case PSA_ECC_CURVE_SECP256R1: + *oid = MBEDTLS_OID_EC_GRP_SECP256R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP256R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + case PSA_ECC_CURVE_SECP384R1: + *oid = MBEDTLS_OID_EC_GRP_SECP384R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP384R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) + case PSA_ECC_CURVE_SECP521R1: + *oid = MBEDTLS_OID_EC_GRP_SECP521R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP521R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) + case PSA_ECC_CURVE_SECP192K1: + *oid = MBEDTLS_OID_EC_GRP_SECP192K1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP192K1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) + case PSA_ECC_CURVE_SECP224K1: + *oid = MBEDTLS_OID_EC_GRP_SECP224K1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP224K1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) + case PSA_ECC_CURVE_SECP256K1: + *oid = MBEDTLS_OID_EC_GRP_SECP256K1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_SECP256K1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) + case PSA_ECC_CURVE_BRAINPOOL_P256R1: + *oid = MBEDTLS_OID_EC_GRP_BP256R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_BP256R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) + case PSA_ECC_CURVE_BRAINPOOL_P384R1: + *oid = MBEDTLS_OID_EC_GRP_BP384R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_BP384R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) + case PSA_ECC_CURVE_BRAINPOOL_P512R1: + *oid = MBEDTLS_OID_EC_GRP_BP512R1; + *oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_EC_GRP_BP512R1 ); + return( 0 ); +#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */ + } + + return( -1 ); +} + static inline psa_ecc_curve_t mbedtls_psa_translate_ecc_group( mbedtls_ecp_group_id grpid ) { switch( grpid ) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 2794ca943..3159cd32b 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -33,6 +33,10 @@ #include "ssl.h" #include "cipher.h" +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "psa/crypto.h" +#endif + #if defined(MBEDTLS_MD5_C) #include "md5.h" #endif @@ -376,11 +380,19 @@ struct mbedtls_ssl_handshake_params #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_operation_t fin_sha256_psa; +#else mbedtls_sha256_context fin_sha256; #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_operation_t fin_sha384_psa; +#else mbedtls_sha512_context fin_sha512; #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); @@ -771,6 +783,7 @@ int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_2) +/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, unsigned char *data, size_t data_len, diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 7f8abd488..c7f879ab5 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -553,7 +553,7 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, int key_len; /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */ unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES]; - unsigned char *p = (unsigned char*) sig; + unsigned char *p; mbedtls_pk_info_t pk_info = mbedtls_eckey_info; psa_algorithm_t psa_sig_md, psa_md; psa_ecc_curve_t curve = mbedtls_psa_translate_ecc_group( @@ -563,11 +563,12 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, if( curve == 0 ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); - /* mbedlts_pk_write_pubkey_der() expects a full PK context, + /* mbedtls_pk_write_pubkey() expects a full PK context; * re-construct one to make it happy */ key.pk_info = &pk_info; key.pk_ctx = ctx; - key_len = mbedtls_pk_write_pubkey_der( &key, buf, sizeof( buf ) ); + p = buf + sizeof( buf ); + key_len = mbedtls_pk_write_pubkey( &p, buf, &key ); if( key_len <= 0 ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -603,6 +604,7 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, goto cleanup; } + p = (unsigned char*) sig; if( ( ret = extract_ecdsa_sig( &p, sig + sig_len, buf, signature_part_size ) ) != 0 ) { diff --git a/library/pkwrite.c b/library/pkwrite.c index 90f792a65..b87f81b8b 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -49,6 +49,7 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" +#include "mbedtls/psa_util.h" #endif #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" @@ -193,7 +194,8 @@ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start, } else { - memmove( *p - len, start, len ); + *p -= len; + memmove( *p, start, len ); } } else @@ -208,6 +210,7 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si int ret; unsigned char *c; size_t len = 0, par_len = 0, oid_len; + mbedtls_pk_type_t pk_type; const char *oid; PK_VALIDATE_RET( key != NULL ); @@ -219,10 +222,6 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, key ) ); - if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE ) - { - return( (int) len ); - } if( c - buf < 1 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); @@ -237,18 +236,51 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) ); - if( ( ret = mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_get_type( key ), - &oid, &oid_len ) ) != 0 ) - { - return( ret ); - } - + pk_type = mbedtls_pk_get_type( key ); #if defined(MBEDTLS_ECP_C) - if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY ) + if( pk_type == MBEDTLS_PK_ECKEY ) { MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, mbedtls_pk_ec( *key ) ) ); } #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( pk_type == MBEDTLS_PK_OPAQUE ) + { + psa_status_t status; + psa_key_type_t key_type; + psa_key_handle_t handle; + psa_ecc_curve_t curve; + + handle = *((psa_key_handle_t*) key->pk_ctx ); + + status = psa_get_key_information( handle, &key_type, + NULL /* bitsize not needed */ ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED ); + + curve = PSA_KEY_TYPE_GET_CURVE( key_type ); + if( curve == 0 ) + return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); + + ret = mbedtls_psa_get_ecc_oid_from_id( curve, &oid, &oid_len ); + if( ret != 0 ) + return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); + + /* Write EC algorithm parameters; that's akin + * to pk_write_ec_param() above. */ + MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_oid( &c, buf, + oid, oid_len ) ); + + /* The rest of the function works as for legacy EC contexts. */ + pk_type = MBEDTLS_PK_ECKEY; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + if( ( ret = mbedtls_oid_get_oid_by_pk_alg( pk_type, &oid, + &oid_len ) ) != 0 ) + { + return( ret ); + } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, buf, oid, oid_len, par_len ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 066462772..f224d5e94 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -50,10 +50,19 @@ #include +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "mbedtls/psa_util.h" +#include "psa/crypto.h" +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) #include "mbedtls/oid.h" #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "mbedtls/psa_util.h" +#endif + static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ); static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); @@ -490,6 +499,76 @@ static int tls1_prf( const unsigned char *secret, size_t slen, #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static int tls_prf_generic( mbedtls_md_type_t md_type, + const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen ) +{ + psa_status_t status; + psa_algorithm_t alg; + psa_key_policy_t policy; + psa_key_handle_t master_slot; + psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; + + if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + if( md_type == MBEDTLS_MD_SHA384 ) + alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); + else + alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); + + policy = psa_key_policy_init(); + psa_key_policy_set_usage( &policy, + PSA_KEY_USAGE_DERIVE, + alg ); + status = psa_set_key_policy( master_slot, &policy ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_key_derivation( &generator, + master_slot, alg, + random, rlen, + (unsigned char const *) label, + (size_t) strlen( label ), + dlen ); + if( status != PSA_SUCCESS ) + { + psa_generator_abort( &generator ); + psa_destroy_key( master_slot ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_generator_read( &generator, dstbuf, dlen ); + if( status != PSA_SUCCESS ) + { + psa_generator_abort( &generator ); + psa_destroy_key( master_slot ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_generator_abort( &generator ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( master_slot ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_destroy_key( master_slot ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + return( 0 ); +} + +#else /* MBEDTLS_USE_PSA_CRYPTO */ + static int tls_prf_generic( mbedtls_md_type_t md_type, const unsigned char *secret, size_t slen, const char *label, @@ -552,7 +631,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, return( 0 ); } - +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SHA256_C) static int tls_prf_sha256( const unsigned char *secret, size_t slen, const char *label, @@ -1347,7 +1426,7 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); - mbedtls_md5_finish_ret( &md5, hash ); + mbedtls_md5_finish_ret( &md5, hash ); mbedtls_sha1_finish_ret( &sha1, hash + 16 ); MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); @@ -1364,6 +1443,28 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) #if defined(MBEDTLS_SHA256_C) void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_status_t status; + psa_hash_operation_t sha256_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) ); + status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 32 ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); +#else mbedtls_sha256_context sha256; mbedtls_sha256_init( &sha256 ); @@ -1377,7 +1478,7 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); mbedtls_sha256_free( &sha256 ); - +#endif /* MBEDTLS_USE_PSA_CRYPTO */ return; } #endif /* MBEDTLS_SHA256_C */ @@ -1385,6 +1486,28 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32 #if defined(MBEDTLS_SHA512_C) void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_status_t status; + psa_hash_operation_t sha384_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) ); + status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 48 ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) ); +#else mbedtls_sha512_context sha512; mbedtls_sha512_init( &sha512 ); @@ -1398,7 +1521,7 @@ void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); mbedtls_sha512_free( &sha512 ); - +#endif /* MBEDTLS_USE_PSA_CRYPTO */ return; } #endif /* MBEDTLS_SHA512_C */ @@ -6172,11 +6295,21 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &ssl->handshake->fin_sha256_psa ); + psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); +#else mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &ssl->handshake->fin_sha384_psa ); + psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); +#else mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } @@ -6190,11 +6323,19 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); +#else mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len ); +#else mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } @@ -6213,7 +6354,11 @@ static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); +#else mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); +#endif } #endif @@ -6221,7 +6366,11 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len ); +#else mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); +#endif } #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ @@ -6377,13 +6526,44 @@ static void ssl_calc_finished_tls_sha256( { int len = 12; const char *sender; - mbedtls_sha256_context sha256; unsigned char padbuf[32]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_hash_operation_t sha256_psa; + psa_status_t status; +#else + mbedtls_sha256_context sha256; +#endif mbedtls_ssl_session *session = ssl->session_negotiate; if( !session ) session = ssl->session; + sender = ( from == MBEDTLS_SSL_IS_CLIENT ) + ? "client finished" + : "server finished"; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + sha256_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) ); + + status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 ); +#else + mbedtls_sha256_init( &sha256 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); @@ -6401,19 +6581,15 @@ static void ssl_calc_finished_tls_sha256( sha256.state, sizeof( sha256.state ) ); #endif - sender = ( from == MBEDTLS_SSL_IS_CLIENT ) - ? "client finished" - : "server finished"; - mbedtls_sha256_finish_ret( &sha256, padbuf ); + mbedtls_sha256_free( &sha256 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ ssl->handshake->tls_prf( session->master, 48, sender, padbuf, 32, buf, len ); MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - mbedtls_sha256_free( &sha256 ); - mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); @@ -6426,13 +6602,43 @@ static void ssl_calc_finished_tls_sha384( { int len = 12; const char *sender; - mbedtls_sha512_context sha512; unsigned char padbuf[48]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t hash_size; + psa_hash_operation_t sha384_psa; + psa_status_t status; +#else + mbedtls_sha512_context sha512; +#endif mbedtls_ssl_session *session = ssl->session_negotiate; if( !session ) session = ssl->session; + sender = ( from == MBEDTLS_SSL_IS_CLIENT ) + ? "client finished" + : "server finished"; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + sha384_psa = psa_hash_operation_init(); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) ); + + status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) ); + return; + } + + status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size ); + if( status != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) ); + return; + } + MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 ); +#else mbedtls_sha512_init( &sha512 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); @@ -6450,19 +6656,15 @@ static void ssl_calc_finished_tls_sha384( sha512.state, sizeof( sha512.state ) ); #endif - sender = ( from == MBEDTLS_SSL_IS_CLIENT ) - ? "client finished" - : "server finished"; - mbedtls_sha512_finish_ret( &sha512, padbuf ); + mbedtls_sha512_free( &sha512 ); +#endif ssl->handshake->tls_prf( session->master, 48, sender, padbuf, 48, buf, len ); MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - mbedtls_sha512_free( &sha512 ); - mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); @@ -6773,13 +6975,23 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->fin_sha256_psa = psa_hash_operation_init(); + psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); +#else mbedtls_sha256_init( &handshake->fin_sha256 ); mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->fin_sha384_psa = psa_hash_operation_init(); + psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); +#else mbedtls_sha512_init( &handshake->fin_sha512 ); mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ handshake->update_checksum = ssl_update_checksum_start; @@ -9082,11 +9294,19 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &handshake->fin_sha256_psa ); +#else mbedtls_sha256_free( &handshake->fin_sha256 ); #endif +#endif #if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &handshake->fin_sha384_psa ); +#else mbedtls_sha512_free( &handshake->fin_sha512 ); #endif +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_DHM_C) @@ -9975,6 +10195,70 @@ exit: #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_2) + +#if defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, + unsigned char *hash, size_t *hashlen, + unsigned char *data, size_t data_len, + mbedtls_md_type_t md_alg ) +{ + psa_status_t status; + psa_hash_operation_t hash_operation; + psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg ); + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) ); + + if( ( status = psa_hash_setup( &hash_operation, + hash_alg ) ) != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status ); + goto exit; + } + + if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes, + 64 ) ) != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status ); + goto exit; + } + + if( ( status = psa_hash_update( &hash_operation, + data, data_len ) ) != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status ); + goto exit; + } + + if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE, + hashlen ) ) != PSA_SUCCESS ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status ); + goto exit; + } + +exit: + if( status != PSA_SUCCESS ) + { + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + switch( status ) + { + case PSA_ERROR_NOT_SUPPORTED: + return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE ); + case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */ + case PSA_ERROR_BUFFER_TOO_SMALL: + return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); + case PSA_ERROR_INSUFFICIENT_MEMORY: + return( MBEDTLS_ERR_MD_ALLOC_FAILED ); + default: + return( MBEDTLS_ERR_MD_HW_ACCEL_FAILED ); + } + } + return( 0 ); +} + +#else + int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, unsigned char *data, size_t data_len, @@ -9985,6 +10269,8 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); *hashlen = mbedtls_md_get_size( md_info ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) ); + mbedtls_md_init( &ctx ); /* @@ -10029,6 +10315,8 @@ exit: return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ MBEDTLS_SSL_PROTO_TLS1_2 */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 791c2c3d9..646ddd6be 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -755,16 +755,21 @@ run_test() { run_test_psa() { requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSA-supported ciphersuite: $1" \ - "$P_SRV debug_level=1 force_version=tls1_2" \ - "$P_CLI debug_level=1 force_version=tls1_2 force_ciphersuite=$1" \ + "$P_SRV debug_level=2 force_version=tls1_2" \ + "$P_CLI debug_level=2 force_version=tls1_2 force_ciphersuite=$1" \ 0 \ -c "Successfully setup PSA-based decryption cipher context" \ -c "Successfully setup PSA-based encryption cipher context" \ + -c "PSA calc verify" \ + -c "calc PSA finished" \ -s "Successfully setup PSA-based decryption cipher context" \ -s "Successfully setup PSA-based encryption cipher context" \ + -s "PSA calc verify" \ + -s "calc PSA finished" \ -C "Failed to setup PSA-based cipher context"\ -S "Failed to setup PSA-based cipher context"\ -s "Protocol is TLSv1.2" \ + -c "Perform PSA-based computation of digest of ServerKeyExchange" \ -S "error" \ -C "error" } diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 0eee0e3f1..05427c0c0 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1200,44 +1200,65 @@ exit: void pk_psa_sign( ) { mbedtls_pk_context pk; - psa_key_handle_t key; - unsigned char hash[50], sig[100], pkey[100]; - size_t sig_len, klen = 0; + unsigned char hash[50], sig[100], pkey_legacy[100], pkey_psa[100]; + unsigned char *pkey_legacy_start, *pkey_psa_start; + size_t sig_len, klen_legacy, klen_psa; + int ret; + psa_key_handle_t handle; /* * This tests making signatures with a wrapped PSA key: - * - generate a fresh PSA key + * - generate a fresh ECP legacy PK context * - wrap it in a PK context and make a signature this way * - extract the public key * - parse it to a PK context and verify the signature this way */ + /* Create legacy EC public/private key in PK context. */ mbedtls_pk_init( &pk ); + TEST_ASSERT( mbedtls_pk_setup( &pk, + mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) ) == 0 ); + TEST_ASSERT( mbedtls_ecp_gen_key( MBEDTLS_ECP_DP_SECP256R1, + (mbedtls_ecp_keypair*) pk.pk_ctx, + rnd_std_rand, NULL ) == 0 ); + + /* Export underlying public key for re-importing in a legacy context. */ + ret = mbedtls_pk_write_pubkey_der( &pk, pkey_legacy, + sizeof( pkey_legacy ) ); + TEST_ASSERT( ret >= 0 ); + klen_legacy = (size_t) ret; + /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ + pkey_legacy_start = pkey_legacy + sizeof( pkey_legacy ) - klen_legacy; + + /* Turn PK context into an opaque one. */ + TEST_ASSERT( psa_allocate_key( &handle ) == PSA_SUCCESS ); + TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &pk, &handle, + PSA_ALG_SHA_256 ) == 0 ); memset( hash, 0x2a, sizeof hash ); memset( sig, 0, sizeof sig ); - memset( pkey, 0, sizeof pkey ); - - key = pk_psa_genkey(); - TEST_ASSERT( key != 0 ); - - TEST_ASSERT( mbedtls_pk_setup_opaque( &pk, key ) == 0 ); TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_SHA256, hash, sizeof hash, sig, &sig_len, NULL, NULL ) == 0 ); - mbedtls_pk_free( &pk ); + /* Export underlying public key for re-importing in a psa context. */ + ret = mbedtls_pk_write_pubkey_der( &pk, pkey_psa, + sizeof( pkey_psa ) ); + TEST_ASSERT( ret >= 0 ); + klen_psa = (size_t) ret; + /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ + pkey_psa_start = pkey_psa + sizeof( pkey_psa ) - klen_psa; - TEST_ASSERT( PSA_SUCCESS == psa_export_public_key( - key, pkey, sizeof( pkey ), &klen ) ); - TEST_ASSERT( PSA_SUCCESS == psa_destroy_key( key ) ); + TEST_ASSERT( klen_psa == klen_legacy ); + TEST_ASSERT( memcmp( pkey_psa_start, pkey_legacy_start, klen_psa ) == 0 ); + + mbedtls_pk_free( &pk ); + TEST_ASSERT( PSA_SUCCESS == psa_destroy_key( handle ) ); mbedtls_pk_init( &pk ); - - TEST_ASSERT( mbedtls_pk_parse_public_key( &pk, pkey, klen ) == 0 ); - - + TEST_ASSERT( mbedtls_pk_parse_public_key( &pk, pkey_legacy_start, + klen_legacy ) == 0 ); TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256, hash, sizeof hash, sig, sig_len ) == 0 );