eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'development' into development-restricted

Browse source 
* development: (66 commits)
  Document the return type change in the migration guide
  Fix return type of example key export callbacks
  Add change log
  psa: mac: Add driver dispatch tests for psa_mac_verify
  psa: mac: Add driver delegation support for psa_mac_verify()
  psa: mac: Introduce psa_mac_compute_internal
  psa: mac: Add driver dispatch tests for psa_mac_compute
  psa: mac: Improve MAC finalization code
  psa: mac: Add driver delegation support for psa_mac_compute()
  psa: mac: Add MAC compute builtin implementation
  psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
  psa: mac: Split psa_mac_setup()
  psa: mac: Re-organize psa_mac_setup() internal function
  Move export callback and context to the end of SSL context
  Improve ChangeLog wording for key export
  Remove return value from key export callback
  Make key export callback and context connection-specific
  Remove all occurrences of TLS < 1.2 PRF identifier
  Remote key export identifier used for TLS < 1.2.
  Add missing documentation for key export callback parameters
  ...
This commit is contained in:
Manuel Pégourié-Gonnard 2021-06-23 09:04:42 +02:00
commit 92f387777d
38 changed files with 763 additions and 950 deletions
Download patch file Download diff file Expand all files Collapse all files

2
ChangeLog
View file

@ -32,8 +32,6 @@ API changes
* Drop support for parsing SSLv2 ClientHello
(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO).
* Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
* Drop support for compatibility with our own previous buggy
implementation of truncated HMAC (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT).
* Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
* Drop support for RC4 TLS ciphersuites.
* Drop support for single-DES ciphersuites.

9
ChangeLog.d/default-curves.txt Normal file
View file

@ -0,0 +1,9 @@
Default behavior changes
* Some default policies for X.509 certificate verification and TLS have
changed: curves and hashes weaker than 255 bits are no longer accepted
by default. The default order in TLS now favors faster curves over larger
curves.
Removals
* Remove the compile-time option
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.

3
ChangeLog.d/ecp-window-size.txt Normal file
View file

@ -0,0 +1,3 @@
Changes
* Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
during ECC operations at a negligible performance cost.

10
ChangeLog.d/key-export.txt Normal file
View file

@ -0,0 +1,10 @@
API changes
* mbedtls_ssl_conf_export_keys_ext_cb() and
mbedtls_ssl_conf_export_keys_cb() have been removed and
replaced by a new API mbedtls_ssl_set_export_keys_cb().
Raw keys and IVs are no longer passed to the callback.
Further, callbacks now receive an additional parameter
indicating the type of secret that's being exported,
paving the way for the larger number of secrets
in TLS 1.3. Finally, the key export callback and
context are now connection-specific.

5
ChangeLog.d/mbedtls_debug_print_mpi.txt Normal file
View file

@ -0,0 +1,5 @@
Bugfix
* Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
could notably be triggered by setting the TLS debug level to 3 or above
and using a Montgomery curve for the key exchange. Reported by lhuang04
in #4578. Fixes #4608.

3
ChangeLog.d/one-shot-mac.txt Normal file
View file

@ -0,0 +1,3 @@
Features
* Implement psa_mac_compute() and psa_mac_verify() as defined in the
PSA Cryptograpy API 1.0.0 specification.

5
ChangeLog.d/rm-truncated-hmac-ext.txt Normal file
View file

@ -0,0 +1,5 @@
Removals
* Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
See issue #4341 for more details.

25
docs/3.0-migration-guide.d/default-curves.md Normal file
View file

@ -0,0 +1,25 @@
Strengthen default algorithm selection for X.509 and TLS
--------------------------------------------------------
The default X.509 verification profile (`mbedtls_x509_crt_profile_default`) and the default curve and hash selection in TLS have changed. They are now aligned, except that the X.509 profile only lists curves that support signature verification.
Hashes and curves weaker than 255 bits (security strength less than 128 bits) are no longer accepted by default. The following hashes have been removed: SHA-1 (formerly only accepted for key exchanges but not for certificate signatures), SHA-224 (weaker hashes were already not accepted). The following curves have been removed: secp192r1, secp224r1, secp192k1, secp224k1.
The compile-time options `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` and `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` are no longer available.
The curve secp256k1 has also been removed from the default X.509 and TLS profiles. [RFC 8422](https://datatracker.ietf.org/doc/html/rfc8422#section-5.1.1) deprecates it in TLS, and it is very rarely used, although it is not known to be weak at the time of writing.
If you still need to accept certificates signed with algorithms that have been removed from the default profile, call `mbedtls_x509_crt_verify_with_profile` instead of `mbedtls_x509_crt_verify` and pass a profile that allows the curves and hashes you want. For example, to allow SHA-224:
```
mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default;
my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
```
If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_curves()` with the desired lists.
TLS now favors faster curves over larger curves
-----------------------------------------------
The default preference order for curves in TLS now favors resource usage (performance and memory consumption) over size. The exact order is unspecified and may change, but generally you can expect 256-bit curves to be preferred over larger curves.
If you prefer a different order, call `mbedtls_ssl_conf_curves()` when configuring a TLS connection.

36
docs/3.0-migration-guide.d/key-export.md Normal file
View file

@ -0,0 +1,36 @@
SSL key export interface change
-------------------------------
This affects users of the SSL key export APIs:
```
mbedtls_ssl_conf_export_keys_cb()
mbedtls_ssl_conf_export_keys_ext_cb()
```
Those APIs have been removed and replaced by the new API
`mbedtls_ssl_set_export_keys_cb()`. This API differs from
the previous key export API in the following ways:
- It is no longer bound to an SSL configuration, but to an
SSL context. This allows users to more easily identify the
connection an exported key belongs to.
- It no longer exports raw keys and IV.
- A secret type parameter has been added to identify which key
is being exported. For TLS 1.2, only the master secret is
exported, but upcoming TLS 1.3 support will add other kinds of keys.
- The callback now specifies a void return type, rather than
returning an error code. It is the responsibility of the application
to handle failures in the key export callback, for example by
shutting down the TLS connection.
For users which do not rely on raw keys and IV, adjusting to the new
callback type should be straightforward - see the example programs
programs/ssl/ssl_client2 and programs/ssl/ssl_server2 for callbacks
for NSSKeylog, EAP-TLS and DTLS-SRTP.
Users which require access to the raw keys used to secure application
traffic may derive those by hand based on the master secret and the
handshake transcript hashes which can be obtained from the raw data
on the wire. Such users are also encouraged to reach out to the
Mbed TLS team on the mailing list, to let the team know about their
use case.

42
docs/3.0-migration-guide.md
View file

@ -65,31 +65,6 @@ If you're a library user and used to rely on having access to a structure or
function that's now in a private header, please reach out on the mailing list
and explain your need; we'll consider adding a new API in a future version.
Remove the option to allow SHA-1 by default in certificates
-----------------------------------------------------------
This does not affect users who use the default `config.h`, as this option was
already off by default.
If you used to enable `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` in your
`config.h`, first please take a moment to consider whether you really still
want to accept certificates signed with SHA-1 as those are considered insecure
and no CA has issued them for a while. If you really need to allow SHA-1 in
certificates, please set up a custom profile as follows:
```
const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
MBEDTLS_X509_ID_FLAG( /* other hash */ ) /* | etc */,
0xFFFFFFF, /* Or specific PK algs */
0xFFFFFFF, /* Or specific curves */
2048 /* Or another RSA min bitlen */
};
```
Then pass it to `mbedtls_x509_crt_verify_with_profile()` if you're verifying
a certificate chain directly, or to `mbedtls_ssl_conf_cert_profile()` if the
verification happens during a TLS handshake.
Remove the certs module from the library
----------------------------------------
@ -137,17 +112,16 @@ and relied on that version in order to communicate with peers that are not up
to date. If one of your peers is in that case, please try contacting them and
encouraging them to upgrade their software.
Remove support for compatibility with old Mbed TLS's truncated HMAC
-------------------------------------------------------------------
Remove support for truncated HMAC
---------------------------------
This doesn't affect people using the default configuration as it was already
disabled by default.
This affects users of truncated HMAC, that is, users who called
`mbedtls_ssl_conf_truncated_hmac( ..., MBEDTLS_SSL_TRUNC_HMAC_ENABLED)`,
regardless of whether the standard version was used or compatibility version
(`MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT`).
This only affects TLS users who enabled `MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT` and
used the Truncated HMAC extension to communicate with peers using old version
of Mbed TLS. Please consider using a CCM-8 ciphersuite instead of the
Truncated HMAC extension, or convincing your peer to upgrade their version of
Mbed TLS.
The recommended migration path for people who want minimal overhead is to use a
CCM-8 ciphersuite.
Remove support for TLS record-level compression
-----------------------------------------------

4
include/mbedtls/check_config.h
View file

@ -829,6 +829,10 @@
#error "MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4335"
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) //no-check-names
#error "MBEDTLS_SSL_TRUNCATED_HMAC was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4341"
#endif
/*
* Avoid warning from -pedantic. This is a convenient place for this
* workaround since this is included by every single file before the

30
include/mbedtls/config.h
View file

@ -1549,7 +1549,7 @@
* (see Section 5 of RFC 5764), are not handled by this feature.
* Instead, after successful completion of a handshake negotiating
* the use of DTLS-SRTP, the extended key exporter API
* mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement
* mbedtls_ssl_conf_export_keys_cb() should be used to implement
* the key exporter described in Section 4.2 of RFC 5764 and RFC 5705
* (this is implemented in the SSL example programs).
* The resulting key should then be passed to an SRTP stack.
@ -1617,15 +1617,6 @@
*/
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
/**
* \def MBEDTLS_SSL_TRUNCATED_HMAC
*
* Enable support for RFC 6066 truncated HMAC in SSL.
*
* Comment this macro to disable support for truncated HMAC in SSL
*/
#define MBEDTLS_SSL_TRUNCATED_HMAC
/**
* \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
*
@ -3042,7 +3033,7 @@
//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
/* ECP options */
//#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
//#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size used */
//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
/* Entropy options */
@ -3223,23 +3214,6 @@
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
/**
* Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
* signature and ciphersuite selection. Without this build-time option, SHA-1
* support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
* default. At the time of writing, there is no practical attack on the use
* of SHA-1 in handshake signatures, hence this option is turned on by default
* to preserve compatibility with existing peers, but the general
* warning applies nonetheless:
*
* \warning SHA-1 is considered a weak message digest and its use constitutes
* a security risk. If possible, we recommend avoiding dependencies
* on it, and considering stronger message digests instead.
*
*/
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
/**
* Uncomment the macro to let mbed TLS use your alternate implementation of
* mbedtls_platform_zeroize(). This replaces the default implementation in

8
include/mbedtls/ecp.h
View file

@ -255,7 +255,8 @@ mbedtls_ecp_group;
#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
/*
* Maximum "window" size used for point multiplication.
* Default: 6.
* Default: a point where higher memory usage yields disminishing performance
* returns.
* Minimum value: 2. Maximum value: 7.
*
* Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
@ -272,7 +273,7 @@ mbedtls_ecp_group;
* 224 475 475 453 398 342
* 192 640 640 633 587 476
*/
#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< The maximum window size used. */
#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< The maximum window size used. */
#endif /* MBEDTLS_ECP_WINDOW_SIZE */
#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
@ -505,8 +506,7 @@ mbedtls_ecp_curve_type mbedtls_ecp_get_type( const mbedtls_ecp_group *grp );
/**
* \brief This function retrieves the information defined in
* mbedtls_ecp_curve_info() for all supported curves in order
* of preference.
* mbedtls_ecp_curve_info() for all supported curves.
*
* \note This function returns information about all curves
* supported by the library. Some curves may not be

234
include/mbedtls/ssl.h
View file

@ -458,18 +458,6 @@ typedef enum
}
mbedtls_ssl_states;
/*
* The tls_prf function types.
*/
typedef enum
{
MBEDTLS_SSL_TLS_PRF_NONE,
MBEDTLS_SSL_TLS_PRF_TLS1,
MBEDTLS_SSL_TLS_PRF_SHA384,
MBEDTLS_SSL_TLS_PRF_SHA256
}
mbedtls_tls_prf_types;
/**
* \brief Callback type: send data on the network.
*
@ -958,15 +946,62 @@ struct mbedtls_ssl_session
unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
int MBEDTLS_PRIVATE(trunc_hmac); /*!< flag for truncated hmac activation */
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */
#endif
};
/*
* Identifiers for PRFs used in various versions of TLS.
*/
typedef enum
{
MBEDTLS_SSL_TLS_PRF_NONE,
MBEDTLS_SSL_TLS_PRF_SHA384,
MBEDTLS_SSL_TLS_PRF_SHA256,
MBEDTLS_SSL_HKDF_EXPAND_SHA384,
MBEDTLS_SSL_HKDF_EXPAND_SHA256
}
mbedtls_tls_prf_types;
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
typedef enum
{
MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET = 0,
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_EARLY_SECRET,
MBEDTLS_SSL_KEY_EXPORT_TLS13_EARLY_EXPORTER_SECRET,
MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET,
MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_APPLICATION_TRAFFIC_SECRET,
MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_APPLICATION_TRAFFIC_SECRET,
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
} mbedtls_ssl_key_export_type;
/**
* \brief Callback type: Export key alongside random values for
* session identification, and PRF for
* implementation of TLS key exporters.
*
* \param p_expkey Context for the callback.
* \param type The type of the key that is being exported.
* \param secret The address of the buffer holding the secret
* that's being exporterd.
* \param secret_len The length of \p secret in bytes.
* \param client_random The client random bytes.
* \param server_random The server random bytes.
* \param tls_prf_type The identifier for the PRF used in the handshake
* to which the key belongs.
*/
typedef void mbedtls_ssl_export_keys_t( void *p_expkey,
mbedtls_ssl_key_export_type type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
/**
* SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
*/
@ -1032,19 +1067,6 @@ struct mbedtls_ssl_config
void *MBEDTLS_PRIVATE(p_ticket); /*!< context for the ticket callbacks */
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/** Callback to export key block and master secret */
int (*MBEDTLS_PRIVATE(f_export_keys))( void *, const unsigned char *,
const unsigned char *, size_t, size_t, size_t );
/** Callback to export key block, master secret,
* tls_prf and random bytes. Should replace f_export_keys */
int (*MBEDTLS_PRIVATE(f_export_keys_ext))( void *, const unsigned char *,
const unsigned char *, size_t, size_t, size_t,
const unsigned char[32], const unsigned char[32],
mbedtls_tls_prf_types );
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
size_t MBEDTLS_PRIVATE(cid_len); /*!< The length of CIDs for incoming DTLS records. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
@ -1182,9 +1204,6 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_SSL_RENEGOTIATION)
unsigned int MBEDTLS_PRIVATE(disable_renegotiation) : 1; /*!< disable renegotiation? */
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
unsigned int MBEDTLS_PRIVATE(trunc_hmac) : 1; /*!< negotiate truncated hmac? */
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
unsigned int MBEDTLS_PRIVATE(session_tickets) : 1; /*!< use session tickets? */
#endif
@ -1395,6 +1414,12 @@ struct mbedtls_ssl_context
* Possible values are #MBEDTLS_SSL_CID_ENABLED
* and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/** Callback to export key block and master secret */
mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
#endif
};
/**
@ -1918,70 +1943,6 @@ typedef int mbedtls_ssl_ticket_write_t( void *p_ticket,
size_t *tlen,
uint32_t *lifetime );
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/**
* \brief Callback type: Export key block and master secret
*
* \note This is required for certain uses of TLS, e.g. EAP-TLS
* (RFC 5216) and Thread. The key pointers are ephemeral and
* therefore must not be stored. The master secret and keys
* should not be used directly except as an input to a key
* derivation function.
*
* \param p_expkey Context for the callback
* \param ms Pointer to master secret (fixed length: 48 bytes)
* \param kb Pointer to key block, see RFC 5246 section 6.3
* (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
* \param maclen MAC length
* \param keylen Key length
* \param ivlen IV length
*
* \return 0 if successful, or
* a specific MBEDTLS_ERR_XXX code.
*/
typedef int mbedtls_ssl_export_keys_t( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen );
/**
* \brief Callback type: Export key block, master secret,
* handshake randbytes and the tls_prf function
* used to derive keys.
*
* \note This is required for certain uses of TLS, e.g. EAP-TLS
* (RFC 5216) and Thread. The key pointers are ephemeral and
* therefore must not be stored. The master secret and keys
* should not be used directly except as an input to a key
* derivation function.
*
* \param p_expkey Context for the callback.
* \param ms Pointer to master secret (fixed length: 48 bytes).
* \param kb Pointer to key block, see RFC 5246 section 6.3.
* (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
* \param maclen MAC length.
* \param keylen Key length.
* \param ivlen IV length.
* \param client_random The client random bytes.
* \param server_random The server random bytes.
* \param tls_prf_type The tls_prf enum type.
*
* \return 0 if successful, or
* a specific MBEDTLS_ERR_XXX code.
*/
typedef int mbedtls_ssl_export_keys_ext_t( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
/**
* \brief Callback type: parse and load session ticket
*
@ -2033,34 +1994,26 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/**
* \brief Configure key export callback.
* (Default: none.)
* \brief Configure a key export callback.
* (Default: none.)
*
* \note See \c mbedtls_ssl_export_keys_t.
* This API can be used for two purposes:
* - Debugging: Use this API to e.g. generate an NSSKeylog
* file and use it to inspect encrypted traffic in tools
* such as Wireshark.
* - Application-specific export: Use this API to implement
* key exporters, e.g. for EAP-TLS or DTLS-SRTP.
*
* \param conf SSL configuration context
* \param f_export_keys Callback for exporting keys
* \param p_export_keys Context for the callback
*
* \param ssl The SSL context to which the export
* callback should be attached.
* \param f_export_keys The callback for the key export.
* \param p_export_keys The opaque context pointer to be passed to the
* callback \p f_export_keys.
*/
void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
mbedtls_ssl_export_keys_t *f_export_keys,
void *p_export_keys );
/**
* \brief Configure extended key export callback.
* (Default: none.)
*
* \note See \c mbedtls_ssl_export_keys_ext_t.
* \warning Exported key material must not be used for any purpose
* before the (D)TLS handshake is completed
*
* \param conf SSL configuration context
* \param f_export_keys_ext Callback for exporting keys
* \param p_export_keys Context for the callback
*/
void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,
mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
void *p_export_keys );
void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
mbedtls_ssl_export_keys_t *f_export_keys,
void *p_export_keys );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
@ -2908,7 +2861,6 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_ECP_C)
/**
* \brief Set the allowed curves in order of preference.
* (Default: all defined curves.)
*
* On server: this only affects selection of the ECDHE curve;
* the curves used for ECDH and ECDSA are determined by the
@ -2929,6 +2881,19 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
* \note This list should be ordered by decreasing preference
* (preferred curve first).
*
* \note The default list is the same set of curves that
* #mbedtls_x509_crt_profile_default allows, plus
* ECDHE-only curves selected according to the same criteria.
* The order favors curves with the lowest resource usage.
*
* \note New minor versions of Mbed TLS may extend this list,
* for example if new curves are added to the library.
* New minor versions of Mbed TLS will not remove items
* from this list unless serious security concerns require it.
* New minor versions of Mbed TLS may change the order in
* keeping with the general principle of favoring the lowest
* resource usage.
*
* \param conf SSL configuration
* \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE.
@ -2940,7 +2905,6 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/**
* \brief Set the allowed hashes for signatures during the handshake.
* (Default: all available hashes except MD5.)
*
* \note This only affects which hashes are offered and can be used
* for signatures during the handshake. Hashes for message
@ -2952,6 +2916,18 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
* \note This list should be ordered by decreasing preference
* (preferred hash first).
*
* \note By default, all supported hashes whose length is at least
* 256 bits are allowed. This is the same set as the default
* for certificate verification
* (#mbedtls_x509_crt_profile_default).
* The preference order is currently unspecified and may
* change in future versions.
*
* \note New minor versions of Mbed TLS may extend this list,
* for example if new curves are added to the library.
* New minor versions of Mbed TLS will not remove items
* from this list unless serious security concerns require it.
*
* \param conf SSL configuration
* \param hashes Ordered list of allowed signature hashes,
* terminated by \c MBEDTLS_MD_NONE.
@ -3330,18 +3306,6 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c
void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order );
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/**
* \brief Activate negotiation of truncated HMAC
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
*
* \param conf SSL configuration
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
* MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
*/
void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
/**
* \brief Enable / Disable session tickets (client only).

12
include/mbedtls/x509_crt.h
View file

@ -332,12 +332,22 @@ typedef void mbedtls_x509_crt_restart_ctx;
/**
* Default security profile. Should provide a good balance between security
* and compatibility with current deployments.
*
* This profile permits:
* - SHA2 hashes with at least 256 bits: SHA-256, SHA-384, SHA-512.
* - Elliptic curves with 255 bits and above except secp256k1.
* - RSA with 2048 bits and above.
*
* New minor versions of Mbed TLS may extend this profile, for example if
* new algorithms are added to the library. New minor versions of Mbed TLS will
* not reduce this profile unless serious security concerns require it.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
/**
* Expected next default profile. Recommended for new deployments.
* Currently targets a 128-bit security level, except for RSA-2048.
* Currently targets a 128-bit security level, except for allowing RSA-2048.
* This profile may change at any time.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;

70
library/debug.c
View file

@ -220,8 +220,8 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
const char *text, const mbedtls_mpi *X )
{
char str[DEBUG_BUF_SIZE];
int j, k, zeros = 1;
size_t i, n, idx = 0;
size_t bitlen;
size_t idx = 0;
if( NULL == ssl ||
NULL == ssl->conf ||
@ -232,55 +232,43 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
return;
}
for( n = X->n - 1; n > 0; n-- )
if( X->p[n] != 0 )
break;
for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
if( ( ( X->p[n] >> j ) & 1 ) != 0 )
break;
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
bitlen = mbedtls_mpi_bitlen( X );
mbedtls_snprintf( str, sizeof( str ), "value of '%s' (%u bits) is:\n",
text, (unsigned) bitlen );
debug_send_line( ssl, level, file, line, str );
idx = 0;
for( i = n + 1, j = 0; i > 0; i-- )
if( bitlen == 0 )
{
if( zeros && X->p[i - 1] == 0 )
continue;
for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
str[0] = ' '; str[1] = '0'; str[2] = '0';
idx = 3;
}
else
{
int n;
for( n = (int) ( ( bitlen - 1 ) / 8 ); n >= 0; n-- )
{
if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
continue;
else
zeros = 0;
if( j % 16 == 0 )
size_t limb_offset = n / sizeof( mbedtls_mpi_uint );
size_t offset_in_limb = n % sizeof( mbedtls_mpi_uint );
unsigned char octet =
( X->p[limb_offset] >> ( offset_in_limb * 8 ) ) & 0xff;
mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", octet );
idx += 3;
/* Wrap lines after 16 octets that each take 3 columns */
if( idx >= 3 * 16 )
{
if( j > 0 )
{
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
idx = 0;
}
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
idx = 0;
}
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
j++;
}
}
if( zeros == 1 )
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
if( idx != 0 )
{
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
}
}
#endif /* MBEDTLS_BIGNUM_C */

4
library/ecp.c
View file

@ -349,9 +349,9 @@ int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
* - readable name
*
* Curves are listed in order: largest curves first, and for a given size,
* fastest curves first. This provides the default order for the SSL module.
* fastest curves first.
*
* Reminder: update profiles in x509_crt.c when adding a new curves!
* Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
*/
static const mbedtls_ecp_curve_info ecp_supported_curves[] =
{

209
library/psa_crypto.c
View file

@ -2220,6 +2220,46 @@ psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
return( status );
}
static psa_status_t psa_mac_finalize_alg_and_key_validation(
psa_algorithm_t alg,
const psa_key_attributes_t *attributes,
uint8_t *mac_size )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t key_type = psa_get_key_type( attributes );
size_t key_bits = psa_get_key_bits( attributes );
if( ! PSA_ALG_IS_MAC( alg ) )
return( PSA_ERROR_INVALID_ARGUMENT );
/* Validate the combination of key type and algorithm */
status = psa_mac_key_can_do( alg, key_type );
if( status != PSA_SUCCESS )
return( status );
/* Get the output length for the algorithm and key combination */
*mac_size = PSA_MAC_LENGTH( key_type, key_bits, alg );
if( *mac_size < 4 )
{
/* A very short MAC is too short for security since it can be
* brute-forced. Ancient protocols with 32-bit MACs do exist,
* so we make this our minimum, even though 32 bits is still
* too small for security. */
return( PSA_ERROR_NOT_SUPPORTED );
}
if( *mac_size > PSA_MAC_LENGTH( key_type, key_bits,
PSA_ALG_FULL_LENGTH_MAC( alg ) ) )
{
/* It's impossible to "truncate" to a larger length than the full length
* of the algorithm. */
return( PSA_ERROR_INVALID_ARGUMENT );
}
return( PSA_SUCCESS );
}
static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
@ -2233,9 +2273,6 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
if( operation->id != 0 )
return( PSA_ERROR_BAD_STATE );
if( ! PSA_ALG_IS_MAC( alg ) )
return( PSA_ERROR_INVALID_ARGUMENT );
status = psa_get_and_lock_key_slot_with_policy(
key,
&slot,
@ -2248,39 +2285,12 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
.core = slot->attr
};
/* Validate the combination of key type and algorithm */
status = psa_mac_key_can_do( alg, psa_get_key_type( &attributes ) );
status = psa_mac_finalize_alg_and_key_validation( alg, &attributes,
&operation->mac_size );
if( status != PSA_SUCCESS )
goto exit;
operation->is_sign = is_sign;
/* Get the output length for the algorithm and key combination */
operation->mac_size = PSA_MAC_LENGTH(
psa_get_key_type( &attributes ),
psa_get_key_bits( &attributes ),
alg );
if( operation->mac_size < 4 )
{
/* A very short MAC is too short for security since it can be
* brute-forced. Ancient protocols with 32-bit MACs do exist,
* so we make this our minimum, even though 32 bits is still
* too small for security. */
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
if( operation->mac_size > PSA_MAC_LENGTH( psa_get_key_type( &attributes ),
psa_get_key_bits( &attributes ),
PSA_ALG_FULL_LENGTH_MAC( alg ) ) )
{
/* It's impossible to "truncate" to a larger length than the full length
* of the algorithm. */
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
/* Dispatch the MAC setup call with validated input */
if( is_sign )
{
@ -2373,24 +2383,22 @@ psa_status_t psa_mac_sign_finish( psa_mac_operation_t *operation,
mac, operation->mac_size,
mac_length );
if( status == PSA_SUCCESS )
/* In case of success, set the potential excess room in the output buffer
* to an invalid value, to avoid potentially leaking a longer MAC.
* In case of error, set the output length and content to a safe default,
* such that in case the caller misses an error check, the output would be
* an unachievable MAC.
*/
if( status != PSA_SUCCESS )
{
/* Set the excess room in the output buffer to an invalid value, to
* avoid potentially leaking a longer MAC. */
if( mac_size > operation->mac_size )
memset( &mac[operation->mac_size],
'!',
mac_size - operation->mac_size );
}
else
{
/* Set the output length and content to a safe default, such that in
* case the caller misses an error check, the output would be an
* unachievable MAC. */
*mac_length = mac_size;
memset( mac, '!', mac_size );
operation->mac_size = 0;
}
if( mac_size > operation->mac_size )
memset( &mac[operation->mac_size], '!',
mac_size - operation->mac_size );
abort_status = psa_mac_abort( operation );
return( status == PSA_SUCCESS ? abort_status : status );
@ -2424,7 +2432,116 @@ cleanup:
return( status == PSA_SUCCESS ? abort_status : status );
}
static psa_status_t psa_mac_compute_internal( mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
uint8_t *mac,
size_t mac_size,
size_t *mac_length,
int is_sign )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_slot_t *slot;
uint8_t operation_mac_size = 0;
status = psa_get_and_lock_key_slot_with_policy(
key, &slot,
is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH,
alg );
if( status != PSA_SUCCESS )
goto exit;
psa_key_attributes_t attributes = {
.core = slot->attr
};
status = psa_mac_finalize_alg_and_key_validation( alg, &attributes,
&operation_mac_size );
if( status != PSA_SUCCESS )
goto exit;
if( mac_size < operation_mac_size )
{
status = PSA_ERROR_BUFFER_TOO_SMALL;
goto exit;
}
status = psa_driver_wrapper_mac_compute(
&attributes,
slot->key.data, slot->key.bytes,
alg,
input, input_length,
mac, operation_mac_size, mac_length );
exit:
/* In case of success, set the potential excess room in the output buffer
* to an invalid value, to avoid potentially leaking a longer MAC.
* In case of error, set the output length and content to a safe default,
* such that in case the caller misses an error check, the output would be
* an unachievable MAC.
*/
if( status != PSA_SUCCESS )
{
*mac_length = mac_size;
operation_mac_size = 0;
}
if( mac_size > operation_mac_size )
memset( &mac[operation_mac_size], '!', mac_size - operation_mac_size );
unlock_status = psa_unlock_key_slot( slot );
return( ( status == PSA_SUCCESS ) ? unlock_status : status );
}
psa_status_t psa_mac_compute( mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
uint8_t *mac,
size_t mac_size,
size_t *mac_length)
{
return( psa_mac_compute_internal( key, alg,
input, input_length,
mac, mac_size, mac_length, 1 ) );
}
psa_status_t psa_mac_verify( mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
const uint8_t *mac,
size_t mac_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
uint8_t actual_mac[PSA_MAC_MAX_SIZE];
size_t actual_mac_length;
status = psa_mac_compute_internal( key, alg,
input, input_length,
actual_mac, sizeof( actual_mac ),
&actual_mac_length, 0 );
if( status != PSA_SUCCESS )
goto exit;
if( mac_length != actual_mac_length )
{
status = PSA_ERROR_INVALID_SIGNATURE;
goto exit;
}
if( mbedtls_psa_safer_memcmp( mac, actual_mac, actual_mac_length ) != 0 )
{
status = PSA_ERROR_INVALID_SIGNATURE;
goto exit;
}
exit:
mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) );
return ( status );
}
/****************************************************************/
/* Asymmetric cryptography */

62
library/psa_crypto_mac.c
View file

@ -355,30 +355,6 @@ static psa_status_t mac_setup( mbedtls_psa_mac_operation_t *operation,
return( status );
}
static psa_status_t mac_compute(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
uint8_t *mac,
size_t mac_size,
size_t *mac_length )
{
/* One-shot MAC has not been implemented in this PSA implementation yet. */
(void) attributes;
(void) key_buffer;
(void) key_buffer_size;
(void) alg;
(void) input;
(void) input_length;
(void) mac;
(void) mac_size;
(void) mac_length;
return( PSA_ERROR_NOT_SUPPORTED );
}
static psa_status_t mac_update(
mbedtls_psa_mac_operation_t *operation,
const uint8_t *input,
@ -493,6 +469,44 @@ cleanup:
return( status );
}
static psa_status_t mac_compute(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
uint8_t *mac,
size_t mac_size,
size_t *mac_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
status = mac_setup( &operation,
attributes, key_buffer, key_buffer_size,
alg );
if( status != PSA_SUCCESS )
goto exit;
if( input_length > 0 )
{
status = mac_update( &operation, input, input_length );
if( status != PSA_SUCCESS )
goto exit;
}
status = mac_finish_internal( &operation, mac, mac_size );
if( status == PSA_SUCCESS )
*mac_length = mac_size;
exit:
mac_abort( &operation );
return( status );
}
#endif /* BUILTIN_ALG_HMAC || BUILTIN_ALG_CMAC */
#if defined(MBEDTLS_PSA_BUILTIN_MAC)

78
library/ssl_cli.c
View file

@ -559,36 +559,6 @@ static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
*olen = 0;
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
return( 0 );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "client hello, adding truncated_hmac extension" ) );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
*p++ = 0x00;
*p++ = 0x00;
*olen = 4;
return( 0 );
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
@ -1304,16 +1274,6 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
end, &olen ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
return( ret );
}
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
end, &olen ) ) != 0 )
@ -1479,31 +1439,6 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
len != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "non-matching truncated HMAC extension" ) );
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
((void) buf);
ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
return( 0 );
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
@ -2346,19 +2281,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
break;
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
ext + 4, ext_size ) ) != 0 )
{
return( ret );
}
break;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
case MBEDTLS_TLS_EXT_CID:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );

64
library/ssl_srv.c
View file

@ -543,28 +543,6 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
if( len != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
((void) buf);
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
return( 0 );
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
@ -1703,16 +1681,6 @@ read_record_header:
break;
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
if( ret != 0 )
return( ret );
break;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
case MBEDTLS_TLS_EXT_CID:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
@ -1721,7 +1689,7 @@ read_record_header:
if( ret != 0 )
return( ret );
break;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
@ -1967,31 +1935,6 @@ have_ciphersuite:
return( 0 );
}
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
size_t *olen )
{
unsigned char *p = buf;
if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
{
*olen = 0;
return;
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
*p++ = 0x00;
*p++ = 0x00;
*olen = 4;
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
@ -2654,11 +2597,6 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;

136
library/ssl_tls.c
View file

@ -672,9 +672,6 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int encrypt_then_mac,
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
int trunc_hmac,
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl_tls_prf_t tls_prf,
const unsigned char randbytes[64],
@ -845,18 +842,6 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
mac_key_len = mbedtls_md_get_size( md_info );
transform->maclen = mac_key_len;
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/*
* If HMAC is to be truncated, we shall keep the leftmost bytes,
* (rfc 6066 page 13 or rfc 2104 section 4),
* so we only need to adjust the length here.
*/
if( trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
{
transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
/* IV length */
transform->ivlen = cipher_info->iv_size;
@ -986,23 +971,14 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
((void) mac_enc);
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( ssl->conf->f_export_keys != NULL )
if( ssl->f_export_keys != NULL )
{
ssl->conf->f_export_keys( ssl->conf->p_export_keys,
master, keyblk,
mac_key_len, keylen,
iv_copy_len );
}
if( ssl->conf->f_export_keys_ext != NULL )
{
ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys,
master, keyblk,
mac_key_len, keylen,
iv_copy_len,
randbytes + 32,
randbytes,
tls_prf_get_type( tls_prf ) );
ssl->f_export_keys( ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
master, 48,
randbytes + 32,
randbytes,
tls_prf_get_type( tls_prf ) );
}
#endif
@ -1368,9 +1344,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl->session_negotiate->encrypt_then_mac,
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl->session_negotiate->trunc_hmac,
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
@ -4141,13 +4114,6 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c
}
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
{
conf->trunc_hmac = truncate;
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
{
conf->allow_legacy_renegotiation = allow_legacy;
@ -4193,20 +4159,12 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
mbedtls_ssl_export_keys_t *f_export_keys,
void *p_export_keys )
void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
mbedtls_ssl_export_keys_t *f_export_keys,
void *p_export_keys )
{
conf->f_export_keys = f_export_keys;
conf->p_export_keys = p_export_keys;
}
void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,
mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
void *p_export_keys )
{
conf->f_export_keys_ext = f_export_keys_ext;
conf->p_export_keys = p_export_keys;
ssl->f_export_keys = f_export_keys;
ssl->p_export_keys = p_export_keys;
}
#endif
@ -4536,11 +4494,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 1
#else
#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 0
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
@ -4783,13 +4737,6 @@ static int ssl_session_save( const mbedtls_ssl_session *session,
*p++ = session->mfl_code;
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
used += 1;
if( used <= buf_len )
*p++ = (unsigned char)( ( session->trunc_hmac ) & 0xFF );
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
used += 1;
@ -5025,13 +4972,6 @@ static int ssl_session_load( mbedtls_ssl_session *session,
session->mfl_code = *p++;
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( 1 > (size_t)( end - p ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
session->trunc_hmac = *p++;
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if( 1 > (size_t)( end - p ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -5848,9 +5788,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl->session->encrypt_then_mac,
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl->session->trunc_hmac,
#endif
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
p, /* currently pointing to randbytes */
@ -6115,6 +6052,11 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* The selection should be the same as mbedtls_x509_crt_profile_default in
* x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
* for no fundamental reason.
* See the documentation of mbedtls_ssl_conf_curves() for what we promise
* about this list. */
static int ssl_preset_default_hashes[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512,
@ -6124,17 +6066,47 @@ static int ssl_preset_default_hashes[] = {
#endif
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_MD_SHA256,
#endif
#if defined(MBEDTLS_SHA224_C)
MBEDTLS_MD_SHA224,
#endif
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE
};
#endif
#if defined(MBEDTLS_ECP_C)
/* The selection should be the same as mbedtls_x509_crt_profile_default in
* x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
* curves with a lower resource usage come first.
* See the documentation of mbedtls_ssl_conf_curves() for what we promise
* about this list.
*/
static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
MBEDTLS_ECP_DP_CURVE25519,
#endif
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
MBEDTLS_ECP_DP_SECP256R1,
#endif
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
MBEDTLS_ECP_DP_SECP384R1,
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
MBEDTLS_ECP_DP_CURVE448,
#endif
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
MBEDTLS_ECP_DP_SECP521R1,
#endif
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
MBEDTLS_ECP_DP_BP256R1,
#endif
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
MBEDTLS_ECP_DP_BP384R1,
#endif
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
MBEDTLS_ECP_DP_BP512R1,
#endif
MBEDTLS_ECP_DP_NONE
};
#endif
static int ssl_preset_suiteb_ciphersuites[] = {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@ -6298,7 +6270,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#endif
#if defined(MBEDTLS_ECP_C)
conf->curve_list = mbedtls_ecp_grp_id_list();
conf->curve_list = ssl_preset_default_curves;
#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)

50
library/x509_crt.c
View file

@ -95,33 +95,43 @@ typedef struct {
*/
#define X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
/*
* Default profile
*/
/* Default profile. Do not remove items unless there are serious security
* concerns. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
/* Only SHA-2 hashes */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
0xFFFFFFF, /* Any curve */
2048,
};
/*
* Next-default profile
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
{
/* Hashes from SHA-256 and above */
/* Hashes from SHA-256 and above. Note that this selection
* should be aligned with ssl_preset_default_hashes in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
#if defined(MBEDTLS_ECP_C)
/* Curves at or above 128-bit security level */
/* Curves at or above 128-bit security level. Note that this selection
* should be aligned with ssl_preset_default_curves in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
0,
#else
0,
#endif
2048,
};
/* Next-generation profile. Currently identical to the default, but may
* be tightened at any time. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
{
/* Hashes from SHA-256 and above. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
#if defined(MBEDTLS_ECP_C)
/* Curves at or above 128-bit security level. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |

3
programs/fuzz/fuzz_client.c
View file

@ -102,9 +102,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
{
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
}
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
#endif

3
programs/fuzz/fuzz_server.c
View file

@ -128,9 +128,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
&ticket_ctx );
}
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
#endif

55
programs/ssl/ssl_client2.c
View file

@ -235,13 +235,6 @@ int main( void )
#define USAGE_SRTP ""
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
#define USAGE_TRUNC_HMAC \
" trunc_hmac=%%d default: library default\n"
#else
#define USAGE_TRUNC_HMAC ""
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
#define USAGE_MAX_FRAG_LEN \
" max_frag_len=%%d default: 16384 (tls default)\n" \
@ -394,7 +387,6 @@ int main( void )
USAGE_TICKETS \
USAGE_EAP_TLS \
USAGE_MAX_FRAG_LEN \
USAGE_TRUNC_HMAC \
USAGE_CONTEXT_CRT_CB \
USAGE_ALPN \
USAGE_EMS \
@ -1721,11 +1713,6 @@ int main( int argc, char *argv[] )
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
if( opt.extended_ms != DFL_EXTENDED_MS )
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
@ -1736,27 +1723,6 @@ int main( int argc, char *argv[] )
mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm );
#endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_DHM_C)
if( opt.dhmlen != DFL_DHMLEN )
mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen );
@ -1886,6 +1852,27 @@ int main( int argc, char *argv[] )
goto exit;
}
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{

1
programs/ssl/ssl_context_info.c
View file

@ -862,7 +862,6 @@ void print_deserialized_ssl_context( const uint8_t *ssl, size_t len )
print_if_bit( "MBEDTLS_HAVE_TIME", SESSION_CONFIG_TIME_BIT, session_cfg_flag );
print_if_bit( "MBEDTLS_X509_CRT_PARSE_C", SESSION_CONFIG_CRT_BIT, session_cfg_flag );
print_if_bit( "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH", SESSION_CONFIG_MFL_BIT, session_cfg_flag );
print_if_bit( "MBEDTLS_SSL_TRUNCATED_HMAC", SESSION_CONFIG_TRUNC_HMAC_BIT, session_cfg_flag );
print_if_bit( "MBEDTLS_SSL_ENCRYPT_THEN_MAC", SESSION_CONFIG_ETM_BIT, session_cfg_flag );
print_if_bit( "MBEDTLS_SSL_SESSION_TICKETS", SESSION_CONFIG_TICKET_BIT, session_cfg_flag );
print_if_bit( "MBEDTLS_SSL_SESSION_TICKETS and client", SESSION_CONFIG_CLIENT_TICKET_BIT, session_cfg_flag );

55
programs/ssl/ssl_server2.c
View file

@ -334,13 +334,6 @@ int main( void )
#define USAGE_MAX_FRAG_LEN ""
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
#define USAGE_TRUNC_HMAC \
" trunc_hmac=%%d default: library default\n"
#else
#define USAGE_TRUNC_HMAC ""
#endif
#if defined(MBEDTLS_SSL_ALPN)
#define USAGE_ALPN \
" alpn=%%s default: \"\" (disabled)\n" \
@ -487,7 +480,6 @@ int main( void )
USAGE_NSS_KEYLOG_FILE \
USAGE_CACHE \
USAGE_MAX_FRAG_LEN \
USAGE_TRUNC_HMAC \
USAGE_ALPN \
USAGE_EMS \
USAGE_ETM \
@ -2510,11 +2502,6 @@ int main( int argc, char *argv[] )
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
if( opt.extended_ms != DFL_EXTENDED_MS )
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
@ -2525,27 +2512,6 @@ int main( int argc, char *argv[] )
mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm );
#endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 )
@ -2872,6 +2838,27 @@ int main( int argc, char *argv[] )
goto exit;
}
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
io_ctx.ssl = &ssl;
io_ctx.net = &client_fd;
mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb,

99
programs/ssl/ssl_test_common_source.c
View file

@ -25,55 +25,46 @@
*/
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
int eap_tls_key_derivation( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
void eap_tls_key_derivation( void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
eap_tls_keys *keys = (eap_tls_keys *)p_expkey;
( ( void ) kb );
memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) );
/* We're only interested in the TLS 1.2 master secret */
if( secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET )
return;
if( secret_len != sizeof( keys->master_secret ) )
return;
memcpy( keys->master_secret, secret, sizeof( keys->master_secret ) );
memcpy( keys->randbytes, client_random, 32 );
memcpy( keys->randbytes + 32, server_random, 32 );
keys->tls_prf_type = tls_prf_type;
if( opt.debug_level > 2 )
{
mbedtls_printf("exported maclen is %u\n", (unsigned)maclen);
mbedtls_printf("exported keylen is %u\n", (unsigned)keylen);
mbedtls_printf("exported ivlen is %u\n", (unsigned)ivlen);
}
return( 0 );
}
int nss_keylog_export( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
void nss_keylog_export( void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
char nss_keylog_line[ 200 ];
size_t const client_random_len = 32;
size_t const master_secret_len = 48;
size_t len = 0;
size_t j;
int ret = 0;
/* We're only interested in the TLS 1.2 master secret */
if( secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET )
return;
((void) p_expkey);
((void) kb);
((void) maclen);
((void) keylen);
((void) ivlen);
((void) server_random);
((void) tls_prf_type);
@ -88,10 +79,10 @@ int nss_keylog_export( void *p_expkey,
len += sprintf( nss_keylog_line + len, " " );
for( j = 0; j < master_secret_len; j++ )
for( j = 0; j < secret_len; j++ )
{
len += sprintf( nss_keylog_line + len,
"%02x", ms[j] );
"%02x", secret[j] );
}
len += sprintf( nss_keylog_line + len, "\n" );
@ -108,13 +99,11 @@ int nss_keylog_export( void *p_expkey,
if( ( f = fopen( opt.nss_keylog_file, "a" ) ) == NULL )
{
ret = -1;
goto exit;
}
if( fwrite( nss_keylog_line, 1, len, f ) != len )
{
ret = -1;
fclose( f );
goto exit;
}
@ -125,35 +114,29 @@ int nss_keylog_export( void *p_expkey,
exit:
mbedtls_platform_zeroize( nss_keylog_line,
sizeof( nss_keylog_line ) );
return( ret );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
int dtls_srtp_key_derivation( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
void dtls_srtp_key_derivation( void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
dtls_srtp_keys *keys = (dtls_srtp_keys *)p_expkey;
( ( void ) kb );
memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) );
/* We're only interested in the TLS 1.2 master secret */
if( secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET )
return;
if( secret_len != sizeof( keys->master_secret ) )
return;
memcpy( keys->master_secret, secret, sizeof( keys->master_secret ) );
memcpy( keys->randbytes, client_random, 32 );
memcpy( keys->randbytes + 32, server_random, 32 );
keys->tls_prf_type = tls_prf_type;
if( opt.debug_level > 2 )
{
mbedtls_printf( "exported maclen is %u\n", (unsigned) maclen );
mbedtls_printf( "exported keylen is %u\n", (unsigned) keylen );
mbedtls_printf( "exported ivlen is %u\n", (unsigned) ivlen );
}
return( 0 );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */

4
tests/context-info.sh
View file

@ -210,7 +210,6 @@ run_test "Default configuration, server" \
-u "MBEDTLS_HAVE_TIME$" \
-u "MBEDTLS_X509_CRT_PARSE_C$" \
-u "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
-u "MBEDTLS_SSL_TRUNCATED_HMAC$" \
-u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
-u "MBEDTLS_SSL_SESSION_TICKETS$" \
-u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
@ -233,7 +232,6 @@ run_test "Default configuration, client" \
-u "MBEDTLS_HAVE_TIME$" \
-u "MBEDTLS_X509_CRT_PARSE_C$" \
-u "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
-u "MBEDTLS_SSL_TRUNCATED_HMAC$" \
-u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
-u "MBEDTLS_SSL_SESSION_TICKETS$" \
-u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
@ -339,7 +337,6 @@ run_test "Minimal configuration, server" \
"srv_min_cfg.txt" \
-n "ERROR" \
-n "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
-n "MBEDTLS_SSL_TRUNCATED_HMAC$" \
-n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
-n "MBEDTLS_SSL_SESSION_TICKETS$" \
-n "MBEDTLS_SSL_SESSION_TICKETS and client$" \
@ -350,7 +347,6 @@ run_test "Minimal configuration, client" \
"cli_min_cfg.txt" \
-n "ERROR" \
-n "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
-n "MBEDTLS_SSL_TRUNCATED_HMAC$" \
-n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
-n "MBEDTLS_SSL_SESSION_TICKETS$" \
-n "MBEDTLS_SSL_SESSION_TICKETS and client$" \

3
tests/scripts/all.sh
View file

@ -651,6 +651,9 @@ pre_check_tools () {
}
pre_generate_files() {
# since make doesn't have proper dependencies, remove any possibly outdate
# file that might be around before generating fresh ones
make neat
make generated_files
}

234
tests/ssl-opt.sh
View file

@ -1008,7 +1008,7 @@ run_test_psa() {
run_test_psa_force_curve() {
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSA - ECDH with $1" \
"$P_SRV debug_level=4 force_version=tls1_2" \
"$P_SRV debug_level=4 force_version=tls1_2 curves=$1" \
"$P_CLI debug_level=4 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \
0 \
-c "Successfully setup PSA-based decryption cipher context" \
@ -1233,7 +1233,7 @@ trap cleanup INT TERM HUP
# Checks that:
# - things work with all ciphersuites active (used with config-full in all.sh)
# - the expected (highest security) parameters are selected
# - the expected parameters are selected
# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
run_test "Default" \
"$P_SRV debug_level=3" \
@ -1242,7 +1242,7 @@ run_test "Default" \
-s "Protocol is TLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
-s "client hello v3, signature_algorithm ext: 6" \
-s "ECDHE curve: secp521r1" \
-s "ECDHE curve: x25519" \
-S "error" \
-C "error"
@ -1464,102 +1464,6 @@ run_test "DTLS: multiple records in same datagram, neither client nor server"
-S "next record in same datagram" \
-C "next record in same datagram"
# Tests for Truncated HMAC extension
run_test "Truncated HMAC: client default, server default" \
"$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client disabled, server default" \
"$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client enabled, server default" \
"$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client enabled, server disabled" \
"$P_SRV debug_level=4 trunc_hmac=0" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client disabled, server enabled" \
"$P_SRV debug_level=4 trunc_hmac=1" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client enabled, server enabled" \
"$P_SRV debug_level=4 trunc_hmac=1" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
0 \
-S "dumping 'expected mac' (20 bytes)" \
-s "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC, DTLS: client default, server default" \
"$P_SRV dtls=1 debug_level=4" \
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client disabled, server default" \
"$P_SRV dtls=1 debug_level=4" \
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client enabled, server default" \
"$P_SRV dtls=1 debug_level=4" \
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
"$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
"$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
0 \
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
"$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
0 \
-S "dumping 'expected mac' (20 bytes)" \
-s "dumping 'expected mac' (10 bytes)"
# Tests for Context serialization
requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
@ -5660,22 +5564,6 @@ run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
0 \
-s "Read from client: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
"$P_SRV trunc_hmac=1" \
"$P_CLI request_size=1 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
-s "Read from client: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
"$P_SRV trunc_hmac=1" \
"$P_CLI request_size=1 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
0 \
-s "Read from client: 1 bytes read"
run_test "Small client packet TLS 1.2 AEAD" \
"$P_SRV" \
"$P_CLI request_size=1 force_version=tls1_2 \
@ -5708,24 +5596,6 @@ run_test "Small client packet DTLS 1.2, without EtM" \
0 \
-s "Read from client: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.2, truncated hmac" \
"$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
"$P_CLI dtls=1 request_size=1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
-s "Read from client: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
"$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
"$P_CLI dtls=1 request_size=1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
0 \
-s "Read from client: 1 bytes read"
# Tests for small server packets
run_test "Small server packet TLS 1.2 BlockCipher" \
@ -5749,22 +5619,6 @@ run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
0 \
-c "Read from server: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
"$P_SRV response_size=1 trunc_hmac=1" \
"$P_CLI force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
-c "Read from server: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
"$P_SRV response_size=1 trunc_hmac=1" \
"$P_CLI force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
0 \
-c "Read from server: 1 bytes read"
run_test "Small server packet TLS 1.2 AEAD" \
"$P_SRV response_size=1" \
"$P_CLI force_version=tls1_2 \
@ -5797,24 +5651,6 @@ run_test "Small server packet DTLS 1.2, without EtM" \
0 \
-c "Read from server: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet DTLS 1.2, truncated hmac" \
"$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
"$P_CLI dtls=1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
-c "Read from server: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
"$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
"$P_CLI dtls=1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
0 \
-c "Read from server: 1 bytes read"
# Test for large client packets
# How many fragments do we expect to write $1 bytes?
@ -5845,23 +5681,6 @@ run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
"$P_SRV trunc_hmac=1" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
"$P_SRV trunc_hmac=1" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
0 \
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large client packet TLS 1.2 AEAD" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_2 \
@ -5900,15 +5719,6 @@ run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
0 \
-c "Read from server: 16384 bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
"$P_SRV response_size=16384" \
"$P_CLI force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
trunc_hmac=1" \
0 \
-c "Read from server: 16384 bytes read"
run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
"$P_SRV response_size=16384 trunc_hmac=1" \
"$P_CLI force_version=tls1_2 \
@ -5933,9 +5743,12 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \
# Tests for restartable ECC
# Force the use of a curve that supports restartable ECC (secp256r1).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, default" \
"$P_SRV auth_mode=required" \
"$P_SRV curves=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=data_files/server5.key crt_file=data_files/server5.crt \
debug_level=1" \
@ -5946,8 +5759,9 @@ run_test "EC restart: TLS, default" \
-C "mbedtls_pk_sign.*4b00"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=0" \
"$P_SRV auth_mode=required" \
"$P_SRV curves=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=data_files/server5.key crt_file=data_files/server5.crt \
debug_level=1 ec_max_ops=0" \
@ -5958,8 +5772,9 @@ run_test "EC restart: TLS, max_ops=0" \
-C "mbedtls_pk_sign.*4b00"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=65535" \
"$P_SRV auth_mode=required" \
"$P_SRV curves=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=data_files/server5.key crt_file=data_files/server5.crt \
debug_level=1 ec_max_ops=65535" \
@ -5970,8 +5785,9 @@ run_test "EC restart: TLS, max_ops=65535" \
-C "mbedtls_pk_sign.*4b00"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000" \
"$P_SRV auth_mode=required" \
"$P_SRV curves=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=data_files/server5.key crt_file=data_files/server5.crt \
debug_level=1 ec_max_ops=1000" \
@ -5982,8 +5798,9 @@ run_test "EC restart: TLS, max_ops=1000" \
-c "mbedtls_pk_sign.*4b00"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, badsign" \
"$P_SRV auth_mode=required \
"$P_SRV curves=secp256r1 auth_mode=required \
crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@ -5999,8 +5816,9 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \
-c "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
"$P_SRV auth_mode=required \
"$P_SRV curves=secp256r1 auth_mode=required \
crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@ -6016,8 +5834,9 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
-C "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
"$P_SRV auth_mode=required \
"$P_SRV curves=secp256r1 auth_mode=required \
crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@ -6033,8 +5852,9 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
-C "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: DTLS, max_ops=1000" \
"$P_SRV auth_mode=required dtls=1" \
"$P_SRV curves=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
key_file=data_files/server5.key crt_file=data_files/server5.crt \
dtls=1 debug_level=1 ec_max_ops=1000" \
@ -6045,8 +5865,9 @@ run_test "EC restart: DTLS, max_ops=1000" \
-c "mbedtls_pk_sign.*4b00"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000 no client auth" \
"$P_SRV" \
"$P_SRV curves=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \
0 \
@ -6056,8 +5877,9 @@ run_test "EC restart: TLS, max_ops=1000 no client auth" \
-C "mbedtls_pk_sign.*4b00"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
"$P_SRV psk=abc123" \
"$P_SRV curves=secp256r1 psk=abc123" \
"$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
psk=abc123 debug_level=1 ec_max_ops=1000" \
0 \
@ -8555,12 +8377,6 @@ run_test "export keys functionality" \
"$P_SRV eap_tls=1 debug_level=3" \
"$P_CLI eap_tls=1 debug_level=3" \
0 \
-s "exported maclen is " \
-s "exported keylen is " \
-s "exported ivlen is " \
-c "exported maclen is " \
-c "exported keylen is " \
-c "exported ivlen is " \
-c "EAP-TLS key material is:"\
-s "EAP-TLS key material is:"\
-c "EAP-TLS IV is:" \

39
tests/suites/test_suite_debug.data
View file

@ -37,6 +37,27 @@ mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A
Debug print buffer #5
mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30":"MyFile(0999)\: dumping 'Test return value' (49 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\nMyFile(0999)\: 0010\: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................\nMyFile(0999)\: 0020\: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./\nMyFile(0999)\: 0030\: 30 0\n"
Debug print mbedtls_mpi: 0 (empty representation)
mbedtls_debug_print_mpi:16:"":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (0 bits) is\:\nMyFile(0999)\: 00\n"
Debug print mbedtls_mpi: 0 (non-empty representation)
mbedtls_debug_print_mpi:16:"00000000000000":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (0 bits) is\:\nMyFile(0999)\: 00\n"
Debug print mbedtls_mpi #2: 3 bits
mbedtls_debug_print_mpi:16:"00000000000007":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (3 bits) is\:\nMyFile(0999)\: 07\n"
Debug print mbedtls_mpi: 49 bits
mbedtls_debug_print_mpi:16:"01020304050607":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (49 bits) is\:\nMyFile(0999)\: 01 02 03 04 05 06 07\n"
Debug print mbedtls_mpi: 759 bits
mbedtls_debug_print_mpi:16:"0000000000000000000000000000000000000000000000000000000041379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (759 bits) is\:\nMyFile(0999)\: 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a 14\nMyFile(0999)\: 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90 ff\nMyFile(0999)\: e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c 09\nMyFile(0999)\: 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89 af\nMyFile(0999)\: 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b 52\nMyFile(0999)\: 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n"
Debug print mbedtls_mpi: 764 bits #1
mbedtls_debug_print_mpi:16:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n"
Debug print mbedtls_mpi: 764 bits #2
mbedtls_debug_print_mpi:16:"0000000000000000000000000000000000000000000000000000000941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n"
Debug print certificate #1 (RSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_debug_print_crt:"data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n"
@ -44,21 +65,3 @@ mbedtls_debug_print_crt:"data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(
Debug print certificate #2 (EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_debug_print_crt:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n"
Debug print mbedtls_mpi #1
mbedtls_debug_print_mpi:16:"01020304050607":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (49 bits) is\:\nMyFile(0999)\: 01 02 03 04 05 06 07\n"
Debug print mbedtls_mpi #2
mbedtls_debug_print_mpi:16:"00000000000007":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (3 bits) is\:\nMyFile(0999)\: 07\n"
Debug print mbedtls_mpi #3
mbedtls_debug_print_mpi:16:"00000000000000":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (0 bits) is\:\nMyFile(0999)\: 00\n"
Debug print mbedtls_mpi #4
mbedtls_debug_print_mpi:16:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n"
Debug print mbedtls_mpi #5
mbedtls_debug_print_mpi:16:"0000000000000000000000000000000000000000000000000000000941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n"
Debug print mbedtls_mpi #6
mbedtls_debug_print_mpi:16:"0000000000000000000000000000000000000000000000000000000041379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (759 bits) is\:\nMyFile(0999)\: 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a 14\nMyFile(0999)\: 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90 ff\nMyFile(0999)\: e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c 09\nMyFile(0999)\: 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89 af\nMyFile(0999)\: 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b 52\nMyFile(0999)\: 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n"

4
tests/suites/test_suite_debug.function
View file

@ -179,7 +179,9 @@ void mbedtls_debug_print_mpi( int radix, char * value, char * file, int line,
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 );
/* If value is empty, keep val->n == 0. */
if( value[0] != 0 )
TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);

45
tests/suites/test_suite_psa_crypto.function
View file

@ -1987,7 +1987,21 @@ void mac_sign( int key_type_arg,
mbedtls_test_set_step( output_size );
ASSERT_ALLOC( actual_mac, output_size );
/* Calculate the MAC. */
/* Calculate the MAC, one-shot case. */
TEST_EQUAL( psa_mac_compute( key, alg,
input->x, input->len,
actual_mac, output_size, &mac_length ),
expected_status );
if( expected_status == PSA_SUCCESS )
{
ASSERT_COMPARE( expected_mac->x, expected_mac->len,
actual_mac, mac_length );
}
if( output_size > 0 )
memset( actual_mac, 0, output_size );
/* Calculate the MAC, multi-part case. */
PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) );
PSA_ASSERT( psa_mac_update( &operation,
input->x, input->len ) );
@ -2039,7 +2053,11 @@ void mac_verify( int key_type_arg,
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&key ) );
/* Test the correct MAC. */
/* Verify correct MAC, one-shot case. */
PSA_ASSERT( psa_mac_verify( key, alg, input->x, input->len,
expected_mac->x, expected_mac->len ) );
/* Verify correct MAC, multi-part case. */
PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) );
PSA_ASSERT( psa_mac_update( &operation,
input->x, input->len ) );
@ -2047,7 +2065,14 @@ void mac_verify( int key_type_arg,
expected_mac->x,
expected_mac->len ) );
/* Test a MAC that's too short. */
/* Test a MAC that's too short, one-shot case. */
TEST_EQUAL( psa_mac_verify( key, alg,
input->x, input->len,
expected_mac->x,
expected_mac->len - 1 ),
PSA_ERROR_INVALID_SIGNATURE );
/* Test a MAC that's too short, multi-part case. */
PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) );
PSA_ASSERT( psa_mac_update( &operation,
input->x, input->len ) );
@ -2056,9 +2081,15 @@ void mac_verify( int key_type_arg,
expected_mac->len - 1 ),
PSA_ERROR_INVALID_SIGNATURE );
/* Test a MAC that's too long. */
/* Test a MAC that's too long, one-shot case. */
ASSERT_ALLOC( perturbed_mac, expected_mac->len + 1 );
memcpy( perturbed_mac, expected_mac->x, expected_mac->len );
TEST_EQUAL( psa_mac_verify( key, alg,
input->x, input->len,
perturbed_mac, expected_mac->len + 1 ),
PSA_ERROR_INVALID_SIGNATURE );
/* Test a MAC that's too long, multi-part case. */
PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) );
PSA_ASSERT( psa_mac_update( &operation,
input->x, input->len ) );
@ -2072,6 +2103,12 @@ void mac_verify( int key_type_arg,
{
mbedtls_test_set_step( i );
perturbed_mac[i] ^= 1;
TEST_EQUAL( psa_mac_verify( key, alg,
input->x, input->len,
perturbed_mac, expected_mac->len ),
PSA_ERROR_INVALID_SIGNATURE );
PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) );
PSA_ASSERT( psa_mac_update( &operation,
input->x, input->len ) );

48
tests/suites/test_suite_psa_crypto_driver_wrappers.function
View file

@ -1118,7 +1118,31 @@ void mac_sign( int key_type_arg,
ASSERT_ALLOC( actual_mac, mac_buffer_size );
mbedtls_test_driver_mac_hooks.forced_status = forced_status;
/* Calculate the MAC. */
/*
* Calculate the MAC, one-shot case.
*/
status = psa_mac_compute( key, alg,
input->x, input->len,
actual_mac, mac_buffer_size,
&mac_length );
TEST_EQUAL( mbedtls_test_driver_mac_hooks.hits, 1 );
if( forced_status == PSA_SUCCESS ||
forced_status == PSA_ERROR_NOT_SUPPORTED )
{
PSA_ASSERT( status );
}
else
TEST_EQUAL( forced_status, status );
if( mac_buffer_size > 0 )
memset( actual_mac, 0, mac_buffer_size );
mbedtls_test_driver_mac_hooks = mbedtls_test_driver_mac_hooks_init();
mbedtls_test_driver_mac_hooks.forced_status = forced_status;
/*
* Calculate the MAC, multipart case.
*/
status = psa_mac_sign_setup( &operation, key, alg );
TEST_EQUAL( mbedtls_test_driver_mac_hooks.hits, 1 );
@ -1214,7 +1238,27 @@ void mac_verify( int key_type_arg,
mbedtls_test_driver_mac_hooks.forced_status = forced_status;
/* Test the correct MAC. */
/*
* Verify the MAC, one-shot case.
*/
status = psa_mac_verify( key, alg,
input->x, input->len,
expected_mac->x, expected_mac->len );
TEST_EQUAL( mbedtls_test_driver_mac_hooks.hits, 1 );
if( forced_status == PSA_SUCCESS ||
forced_status == PSA_ERROR_NOT_SUPPORTED )
{
PSA_ASSERT( status );
}
else
TEST_EQUAL( forced_status, status );
mbedtls_test_driver_mac_hooks = mbedtls_test_driver_mac_hooks_init();
mbedtls_test_driver_mac_hooks.forced_status = forced_status;
/*
* Verify the MAC, multi-part case.
*/
status = psa_mac_verify_setup( &operation, key, alg );
TEST_EQUAL( mbedtls_test_driver_mac_hooks.hits, 1 );

12
tests/suites/test_suite_ssl.data
View file

@ -8638,14 +8638,6 @@ ssl_tls1_3_create_psk_binder:MBEDTLS_MD_SHA256:"4ecd0eb6ec3b4d87f5d6028f922ca4c5
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.0 enabled
depends_on:MBEDTLS_SSL_PROTO_TLS1
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_TLS1:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"8defca540d41d4c79d390027295bb4e6":0
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.1 enabled
depends_on:MBEDTLS_SSL_PROTO_TLS1_1
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_TLS1:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"8defca540d41d4c79d390027295bb4e6":0
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384
depends_on:MBEDTLS_SHA384_C:MBEDTLS_SSL_PROTO_TLS1_2
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA384:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"a4206a36eef93f496611c2b7806625c3":0
@ -8654,10 +8646,6 @@ SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA256
depends_on:MBEDTLS_SHA256_C:MBEDTLS_SSL_PROTO_TLS1_2
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA256:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"7f9998393198a02c8d731ccc2ef90b2c":0
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.X not enabled
depends_on:!MBEDTLS_SSL_PROTO_TLS1:!MBEDTLS_SSL_PROTO_TLS1_1
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_TLS1:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"8defca540d41d4c79d390027295bb4e6":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384 SHA-384 not enabled
depends_on:!MBEDTLS_SHA384_C
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA384:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"a4206a36eef93f496611c2b7806625c3":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE

7
tests/suites/test_suite_ssl.function
View file

@ -1508,9 +1508,6 @@ static int ssl_populate_session( mbedtls_ssl_session *session,
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
session->mfl_code = 1;
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
session->trunc_hmac = 1;
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
session->encrypt_then_mac = 1;
#endif
@ -4082,10 +4079,6 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
TEST_ASSERT( original.mfl_code == restored.mfl_code );
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
TEST_ASSERT( original.trunc_hmac == restored.trunc_hmac );
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
TEST_ASSERT( original.encrypt_then_mac == restored.encrypt_then_mac );
#endif