diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index b22d37f65..11442ed66 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -86,7 +86,6 @@ is enabled, no change required on the application side. Current exceptions: -- EC J-PAKE (when `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` is defined) - finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA, DHE-PSK) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index e7ca1b235..3dd3361a1 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -113,7 +113,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * \param curve The identifier of the elliptic curve to use, * for example #MBEDTLS_ECP_DP_SECP256R1. * \param secret The pre-shared secret (passphrase). This must be - * a readable buffer of length \p len Bytes. It need + * a readable not empty buffer of length \p len Bytes. It need * only be valid for the duration of this call. * \param len The length of the pre-shared secret \p secret. * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8fec3c6e2..dddaaea39 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3856,9 +3856,10 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, * \note The SSL context needs to be already set up. The right place * to call this function is between \c mbedtls_ssl_setup() or * \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake(). + * Password cannot be empty (see RFC 8236). * * \param ssl SSL context - * \param pw EC J-PAKE password (pre-shared secret) + * \param pw EC J-PAKE password (pre-shared secret). It cannot be empty * \param pw_len length of pw in bytes * * \return 0 on success, or a negative error code. diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 4d7f63547..9998e5b91 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -50,7 +50,8 @@ #include "mbedtls/sha512.h" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + !defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/ecjpake.h" #endif @@ -776,7 +777,13 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ + mbedtls_svc_key_id_t psa_pake_password; + uint8_t psa_pake_ctx_is_ok; +#else mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ size_t ecjpake_cache_len; /*!< Length of cached data */ @@ -2493,6 +2500,52 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) } #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) + +typedef enum { + MBEDTLS_ECJPAKE_ROUND_ONE, + MBEDTLS_ECJPAKE_ROUND_TWO +} mbedtls_ecjpake_rounds_t; + +/** + * \brief Parse the provided input buffer for getting the first round + * of key exchange. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [in] input buffer to parse + * \param len [in] length of the input buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO + * + * \return 0 on success or a negative error code in case of failure + */ +int mbedtls_psa_ecjpake_read_round( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, mbedtls_ecjpake_rounds_t round ); + +/** + * \brief Write the first round of key exchange into the provided output + * buffer. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [out] the output buffer in which data will be written to + * \param len [in] length of the output buffer + * \param olen [out] the length of the data really written on the buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO + * + * \return 0 on success or a negative error code in case of failure + */ +int mbedtls_psa_ecjpake_write_round( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ); + +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO + /** * \brief TLS record protection modes */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 506333d77..3d3491bc6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -907,7 +907,12 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) mbedtls_ecdh_init( &handshake->ecdh_ctx ); #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->psa_pake_ctx = psa_pake_operation_init(); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) handshake->ecjpake_cache = NULL; handshake->ecjpake_cache_len = 0; @@ -1850,6 +1855,73 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, /* * Set EC J-PAKE password for current handshake */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, + const unsigned char *pw, + size_t pw_len ) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_pake_role_t psa_role; + psa_status_t status; + + if( ssl->handshake == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + psa_role = PSA_PAKE_ROLE_SERVER; + else + psa_role = PSA_PAKE_ROLE_CLIENT; + + /* Empty password is not valid */ + if( ( pw == NULL) || ( pw_len == 0 ) ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + + status = psa_import_key( &attributes, pw, pw_len, + &ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); + psa_pake_cs_set_primitive( &cipher_suite, + PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, + 256) ); + psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 ); + + status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, + ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + ssl->handshake->psa_pake_ctx_is_ok = 1; + + return( 0 ); +} +#else /* MBEDTLS_USE_PSA_CRYPTO */ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ) @@ -1870,6 +1942,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) @@ -3908,8 +3981,15 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif + #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_abort( &handshake->psa_pake_ctx ); + psa_destroy_key( handshake->psa_pake_password ); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) mbedtls_free( handshake->ecjpake_cache ); handshake->ecjpake_cache = NULL; @@ -6123,6 +6203,55 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, else #endif { +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + psa_status_t status; + psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; + psa_key_derivation_operation_t derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PMS KDF for ECJPAKE" ) ); + + handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; + + status = psa_key_derivation_setup( &derivation, alg ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_key_derivation_set_capacity( &derivation, + PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_get_implicit_key( &handshake->psa_pake_ctx, + &derivation ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_output_bytes( &derivation, + handshake->premaster, + handshake->pmslen ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_abort( &derivation ); + if( status != PSA_SUCCESS ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } +#endif ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, lbl, seed, seed_len, master, @@ -8306,6 +8435,99 @@ end: return( ret ); } +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_psa_ecjpake_read_round( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, mbedtls_ecjpake_rounds_t round ) +{ + psa_status_t status; + size_t input_offset = 0; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; + + for( ; remaining_steps > 0; remaining_steps-- ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + } + + status = psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + } + + if( input_offset != len ) + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + + return( 0 ); +} + +int mbedtls_psa_ecjpake_write_round( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; + + for( ; remaining_steps > 0; remaining_steps-- ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step ) + { + /* + * For each step, prepend 1 byte with the length of the data as + * given by psa_pake_output(). + */ + status = psa_pake_output( pake_ctx, step, + buf + output_offset + 1, + len - output_offset - 1, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + *(buf + output_offset) = (uint8_t) output_len; + + output_offset += output_len + 1; + } + } + + *olen = output_offset; + + return( 0 ); +} +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO + #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, @@ -8864,8 +9086,13 @@ int mbedtls_ssl_validate_ciphersuite( #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { return( -1 ); } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 21b3ba621..79c884b18 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -132,13 +132,18 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = buf; - size_t kkpp_len; + size_t kkpp_len = 0; *olen = 0; /* Skip costly extension if we can't use EC J-PAKE anyway */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) + return( 0 ); +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); @@ -158,6 +163,18 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); + if ( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -167,6 +184,7 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, "mbedtls_ecjpake_write_round_one", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); if( ssl->handshake->ecjpake_cache == NULL ) @@ -849,10 +867,11 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -889,6 +908,24 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache = NULL; ssl->handshake->ecjpake_cache_len = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( ret ); + } + + return( 0 ); +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { @@ -901,6 +938,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -2296,6 +2334,47 @@ start_processing: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we check only + * that TLS ID here + */ + uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 ); + const mbedtls_ecp_curve_info *curve_info; + + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + + if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( read_tls_id != curve_info->tls_id ) ) + { + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + p += 3; + + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -2307,6 +2386,7 @@ start_processing: MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -3227,6 +3307,21 @@ ecdh_calc_secret: { header_len = 4; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + header_len; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + header_len; + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + out_p, end_p - out_p, &content_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); + if ( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, ssl->out_msg + header_len, MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, @@ -3246,6 +3341,7 @@ ecdh_calc_secret: MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 3dab2467c..8aa89c67e 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -268,10 +268,11 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -289,16 +290,37 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, const unsigned char *buf, - size_t len ) + size_t len) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); return( 0 ); } +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + + return( ret ); + } +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { @@ -307,6 +329,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Only mark the extension as OK when we're sure it is */ ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; @@ -1996,6 +2019,18 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 ); p += 2; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); + if ( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return; + } +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -2004,6 +2039,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); return; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 ); p += 2; @@ -2813,6 +2849,46 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + ssl->out_msglen; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + ssl->out_msglen; + size_t output_offset = 0; + size_t output_len = 0; + const mbedtls_ecp_curve_info *curve_info; + + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we hardcode its + * TLS ID here + */ + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; + MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); + output_offset += 3; + + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + out_p + output_offset, + end_p - out_p - output_offset, &output_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); + if( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); + } + + output_offset += output_len; + ssl->out_msglen += output_offset; +#else size_t len = 0; ret = mbedtls_ecjpake_write_round_two( @@ -2827,6 +2903,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, } ssl->out_msglen += len; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -4044,6 +4121,18 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -4060,6 +4149,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 3a69fd7d7..4fcb8bc19 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1437,6 +1437,31 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { tests/ssl-opt.sh -f "TLS 1.2" } +# We're not aware of any other (open source) implementation of EC J-PAKE in TLS +# that we could use for interop testing. However, we now have sort of two +# implementations ourselves: one using PSA, the other not. At least test that +# these two interoperate with each other. +component_test_tls1_2_ecjpake_compatibility() { + msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" + scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + make -C programs ssl/ssl_server2 ssl/ssl_client2 + cp programs/ssl/ssl_server2 s2_no_use_psa + cp programs/ssl/ssl_client2 c2_no_use_psa + + msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + make clean + make -C programs ssl/ssl_server2 ssl/ssl_client2 + make -C programs test/udp_proxy test/query_compile_time_config + + msg "test: server w/o USE_PSA - client w/ USE_PSA" + P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f ECJPAKE + msg "test: client w/o USE_PSA - server w/ USE_PSA" + P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f ECJPAKE + + rm s2_no_use_psa c2_no_use_psa +} + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full