From 64a336932c3341c80411af43c1fef77bf1e874b9 Mon Sep 17 00:00:00 2001 From: Turiiya <34311583+ttytm@users.noreply.github.com> Date: Thu, 28 Mar 2024 07:46:21 +0100 Subject: [PATCH] thirdparty,net.mbedtls: update `mbedtls` to latest compatible version v3.3.0 (#21118) --- .../3rdparty/everest/library/everest.c | 5 - thirdparty/mbedtls/README.md | 24 +- thirdparty/mbedtls/include/mbedtls/aes.h | 8 +- thirdparty/mbedtls/include/mbedtls/asn1.h | 28 +- .../mbedtls/include/mbedtls/asn1write.h | 2 +- thirdparty/mbedtls/include/mbedtls/bignum.h | 69 +- .../mbedtls/include/mbedtls/build_info.h | 71 +- .../mbedtls/include/mbedtls/check_config.h | 171 +- thirdparty/mbedtls/include/mbedtls/cipher.h | 5 - .../mbedtls/include/mbedtls/config_psa.h | 36 +- .../mbedtls/include/mbedtls/constant_time.h | 3 +- thirdparty/mbedtls/include/mbedtls/ecdsa.h | 4 +- thirdparty/mbedtls/include/mbedtls/ecjpake.h | 27 +- thirdparty/mbedtls/include/mbedtls/ecp.h | 2 +- thirdparty/mbedtls/include/mbedtls/error.h | 7 +- .../mbedtls/include/mbedtls/legacy_or_psa.h | 215 +++ thirdparty/mbedtls/include/mbedtls/lms.h | 451 +++++ .../mbedtls/include/mbedtls/mbedtls_config.h | 309 +++- thirdparty/mbedtls/include/mbedtls/md.h | 2 +- thirdparty/mbedtls/include/mbedtls/oid.h | 27 +- thirdparty/mbedtls/include/mbedtls/pem.h | 5 - thirdparty/mbedtls/include/mbedtls/pk.h | 5 - thirdparty/mbedtls/include/mbedtls/pkcs12.h | 2 +- thirdparty/mbedtls/include/mbedtls/pkcs5.h | 30 +- thirdparty/mbedtls/include/mbedtls/pkcs7.h | 268 +++ thirdparty/mbedtls/include/mbedtls/platform.h | 7 + thirdparty/mbedtls/include/mbedtls/psa_util.h | 17 +- .../mbedtls/include/mbedtls/ripemd160.h | 2 +- thirdparty/mbedtls/include/mbedtls/rsa.h | 4 +- thirdparty/mbedtls/include/mbedtls/ssl.h | 405 ++++- .../include/mbedtls/ssl_ciphersuites.h | 10 + .../mbedtls/include/mbedtls/ssl_ticket.h | 8 +- thirdparty/mbedtls/include/mbedtls/x509_crt.h | 20 +- thirdparty/mbedtls/include/psa/crypto.h | 6 +- .../mbedtls/include/psa/crypto_compat.h | 2 +- .../mbedtls/include/psa/crypto_config.h | 3 + thirdparty/mbedtls/include/psa/crypto_extra.h | 66 +- .../mbedtls/include/psa/crypto_platform.h | 9 +- .../mbedtls/include/psa/crypto_se_driver.h | 12 +- thirdparty/mbedtls/include/psa/crypto_sizes.h | 11 +- .../mbedtls/include/psa/crypto_struct.h | 9 + thirdparty/mbedtls/include/psa/crypto_types.h | 4 +- .../mbedtls/include/psa/crypto_values.h | 30 +- thirdparty/mbedtls/library/aes.c | 112 +- thirdparty/mbedtls/library/aesni.c | 2 +- thirdparty/mbedtls/library/aesni.h | 3 +- thirdparty/mbedtls/library/aria.c | 61 +- thirdparty/mbedtls/library/asn1parse.c | 21 +- thirdparty/mbedtls/library/asn1write.c | 12 +- thirdparty/mbedtls/library/base64.c | 5 - thirdparty/mbedtls/library/bignum.c | 726 +++----- thirdparty/mbedtls/library/bignum_core.c | 795 +++++++++ thirdparty/mbedtls/library/bignum_core.h | 602 +++++++ thirdparty/mbedtls/library/bignum_internal.h | 50 - thirdparty/mbedtls/library/bignum_mod.c | 288 ++++ thirdparty/mbedtls/library/bignum_mod.h | 290 ++++ thirdparty/mbedtls/library/bignum_mod_raw.c | 199 +++ thirdparty/mbedtls/library/bignum_mod_raw.h | 250 +++ thirdparty/mbedtls/library/bn_mul.h | 50 +- thirdparty/mbedtls/library/camellia.c | 49 +- thirdparty/mbedtls/library/ccm.c | 2 +- thirdparty/mbedtls/library/chacha20.c | 35 - thirdparty/mbedtls/library/chachapoly.c | 40 - .../mbedtls/library/check_crypto_config.h | 10 + thirdparty/mbedtls/library/cipher.c | 67 +- thirdparty/mbedtls/library/cipher_wrap.c | 6 - thirdparty/mbedtls/library/common.h | 39 + thirdparty/mbedtls/library/constant_time.c | 76 +- .../mbedtls/library/constant_time_internal.h | 26 +- thirdparty/mbedtls/library/ctr_drbg.c | 10 +- thirdparty/mbedtls/library/debug.c | 16 +- thirdparty/mbedtls/library/des.c | 7 - thirdparty/mbedtls/library/dhm.c | 37 - thirdparty/mbedtls/library/ecdh.c | 54 +- thirdparty/mbedtls/library/ecdsa.c | 58 - thirdparty/mbedtls/library/ecjpake.c | 233 ++- thirdparty/mbedtls/library/ecp.c | 160 +- thirdparty/mbedtls/library/ecp_curves.c | 10 +- thirdparty/mbedtls/library/entropy.c | 9 - thirdparty/mbedtls/library/entropy_poll.c | 2 - thirdparty/mbedtls/library/error.c | 60 +- thirdparty/mbedtls/library/gcm.c | 49 +- thirdparty/mbedtls/library/hash_info.c | 127 ++ thirdparty/mbedtls/library/hash_info.h | 99 ++ thirdparty/mbedtls/library/hmac_drbg.c | 7 - thirdparty/mbedtls/library/lmots.c | 826 +++++++++ thirdparty/mbedtls/library/lmots.h | 322 ++++ thirdparty/mbedtls/library/lms.c | 789 +++++++++ thirdparty/mbedtls/library/md.c | 6 - thirdparty/mbedtls/library/md5.c | 7 - thirdparty/mbedtls/library/mps_reader.c | 7 +- thirdparty/mbedtls/library/mps_trace.h | 6 - thirdparty/mbedtls/library/net_sockets.c | 4 - thirdparty/mbedtls/library/nist_kw.c | 7 - thirdparty/mbedtls/library/oid.c | 100 +- thirdparty/mbedtls/library/padlock.c | 12 +- thirdparty/mbedtls/library/pem.c | 122 +- thirdparty/mbedtls/library/pk.c | 59 +- thirdparty/mbedtls/library/pk_wrap.c | 19 +- thirdparty/mbedtls/library/pkcs12.c | 150 +- thirdparty/mbedtls/library/pkcs5.c | 200 ++- thirdparty/mbedtls/library/pkcs7.c | 728 ++++++++ thirdparty/mbedtls/library/pkparse.c | 31 - thirdparty/mbedtls/library/pkwrite.c | 27 - thirdparty/mbedtls/library/poly1305.c | 31 - thirdparty/mbedtls/library/psa_crypto.c | 296 ++-- thirdparty/mbedtls/library/psa_crypto_aead.c | 18 +- .../mbedtls/library/psa_crypto_cipher.c | 25 +- .../mbedtls/library/psa_crypto_cipher.h | 2 +- .../mbedtls/library/psa_crypto_client.c | 4 - thirdparty/mbedtls/library/psa_crypto_core.h | 92 +- .../library/psa_crypto_driver_wrappers.c | 363 ++-- .../library/psa_crypto_driver_wrappers.h | 18 +- thirdparty/mbedtls/library/psa_crypto_ecp.c | 82 +- thirdparty/mbedtls/library/psa_crypto_ecp.h | 49 + thirdparty/mbedtls/library/psa_crypto_hash.c | 45 - thirdparty/mbedtls/library/psa_crypto_hash.h | 9 - thirdparty/mbedtls/library/psa_crypto_mac.c | 1 + thirdparty/mbedtls/library/psa_crypto_pake.c | 938 ++++++++++ thirdparty/mbedtls/library/psa_crypto_rsa.c | 15 +- thirdparty/mbedtls/library/psa_crypto_se.c | 4 - thirdparty/mbedtls/library/psa_crypto_se.h | 2 +- .../library/psa_crypto_slot_management.c | 5 - .../mbedtls/library/psa_crypto_storage.c | 6 - thirdparty/mbedtls/library/psa_its_file.c | 4 - thirdparty/mbedtls/library/ripemd160.c | 7 - thirdparty/mbedtls/library/rsa.c | 464 +++-- thirdparty/mbedtls/library/sha1.c | 31 - thirdparty/mbedtls/library/sha256.c | 49 +- thirdparty/mbedtls/library/sha512.c | 47 +- thirdparty/mbedtls/library/ssl_cache.c | 6 - thirdparty/mbedtls/library/ssl_ciphersuites.c | 464 +++-- thirdparty/mbedtls/library/ssl_client.c | 149 +- thirdparty/mbedtls/library/ssl_cookie.c | 19 +- .../mbedtls/library/ssl_debug_helpers.h | 28 +- .../library/ssl_debug_helpers_generated.c | 6 +- thirdparty/mbedtls/library/ssl_misc.h | 589 +++++-- thirdparty/mbedtls/library/ssl_msg.c | 343 +++- thirdparty/mbedtls/library/ssl_ticket.c | 16 +- thirdparty/mbedtls/library/ssl_tls.c | 1465 +++++++++++++--- thirdparty/mbedtls/library/ssl_tls12_client.c | 323 ++-- thirdparty/mbedtls/library/ssl_tls12_server.c | 176 +- thirdparty/mbedtls/library/ssl_tls13_client.c | 1090 +++++++++++- .../mbedtls/library/ssl_tls13_generic.c | 344 ++-- thirdparty/mbedtls/library/ssl_tls13_keys.c | 517 ++++-- thirdparty/mbedtls/library/ssl_tls13_keys.h | 44 +- thirdparty/mbedtls/library/ssl_tls13_server.c | 1511 +++++++++++++++-- thirdparty/mbedtls/library/version_features.c | 36 + thirdparty/mbedtls/library/x509.c | 57 +- thirdparty/mbedtls/library/x509_crl.c | 34 +- thirdparty/mbedtls/library/x509_crt.c | 132 +- thirdparty/mbedtls/library/x509_csr.c | 20 +- thirdparty/mbedtls/library/x509write_crt.c | 50 +- thirdparty/mbedtls/library/x509write_csr.c | 11 +- thirdparty/mbedtls/update.vsh | 21 + vlib/net/mbedtls/mbedtls.c.v | 50 +- 156 files changed, 16291 insertions(+), 4394 deletions(-) create mode 100644 thirdparty/mbedtls/include/mbedtls/legacy_or_psa.h create mode 100644 thirdparty/mbedtls/include/mbedtls/lms.h create mode 100644 thirdparty/mbedtls/include/mbedtls/pkcs7.h create mode 100644 thirdparty/mbedtls/library/bignum_core.c create mode 100644 thirdparty/mbedtls/library/bignum_core.h delete mode 100644 thirdparty/mbedtls/library/bignum_internal.h create mode 100644 thirdparty/mbedtls/library/bignum_mod.c create mode 100644 thirdparty/mbedtls/library/bignum_mod.h create mode 100644 thirdparty/mbedtls/library/bignum_mod_raw.c create mode 100644 thirdparty/mbedtls/library/bignum_mod_raw.h create mode 100644 thirdparty/mbedtls/library/hash_info.c create mode 100644 thirdparty/mbedtls/library/hash_info.h create mode 100644 thirdparty/mbedtls/library/lmots.c create mode 100644 thirdparty/mbedtls/library/lmots.h create mode 100644 thirdparty/mbedtls/library/lms.c create mode 100644 thirdparty/mbedtls/library/pkcs7.c create mode 100644 thirdparty/mbedtls/library/psa_crypto_pake.c create mode 100755 thirdparty/mbedtls/update.vsh diff --git a/thirdparty/mbedtls/3rdparty/everest/library/everest.c b/thirdparty/mbedtls/3rdparty/everest/library/everest.c index 82c4e03adb5f8e..fefc6a2ce4df4a 100644 --- a/thirdparty/mbedtls/3rdparty/everest/library/everest.c +++ b/thirdparty/mbedtls/3rdparty/everest/library/everest.c @@ -28,12 +28,7 @@ #include "everest/x25519.h" #include "everest/everest.h" -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) diff --git a/thirdparty/mbedtls/README.md b/thirdparty/mbedtls/README.md index 8978fafb61794e..1a4edb05cc5ae1 100644 --- a/thirdparty/mbedtls/README.md +++ b/thirdparty/mbedtls/README.md @@ -17,7 +17,9 @@ We provide some non-standard configurations focused on specific use cases in the Documentation ------------- -Documentation for the Mbed TLS interfaces in the default library configuration is available as part of the [Mbed TLS documentation](https://tls.mbed.org/api/). +The main Mbed TLS documentation is available via [ReadTheDocs](https://mbed-tls.readthedocs.io/). + +Documentation for the PSA Cryptography API is available [on GitHub](https://arm-software.github.io/psa-api/crypto/). To generate a local copy of the library documentation in HTML format, tailored to your compile-time configuration: @@ -103,9 +105,9 @@ Setting the variable `SHARED` in your environment will build shared libraries in Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -Wextra`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line. -Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue. +Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://mbed-tls.readthedocs.io/en/latest/kb/) for articles on your platform or issue. -In case you find that you need to do something else as well, please let us know what, so we can add it to the [Mbed TLS Knowledge Base](https://tls.mbed.org/kb). +In case you find that you need to do something else as well, please let us know what, so we can add it to the [Mbed TLS Knowledge Base](https://mbed-tls.readthedocs.io/en/latest/kb/). ### CMake @@ -240,7 +242,7 @@ For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, ad - `tests/ssl-opt.sh` runs integration tests for various TLS options (renegotiation, resumption, etc.) and tests interoperability of these options with other implementations. - `tests/compat.sh` tests interoperability of every ciphersuite with other implementations. - `tests/scripts/test-ref-configs.pl` test builds in various reduced configurations. -- `tests/scripts/key-exchanges.pl` test builds in configurations with a single key exchange enabled +- `tests/scripts/depends.py` test builds in configurations with a single curve, key exchange, hash, cipher, or pkalg on. - `tests/scripts/all.sh` runs a combination of the above tests, plus some more, with various build options (such as ASan, full `mbedtls_config.h`, etc). Porting Mbed TLS @@ -248,9 +250,9 @@ Porting Mbed TLS Mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following Knowledge Base articles useful: -- [Porting Mbed TLS to a new environment or OS](https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS) -- [What external dependencies does Mbed TLS rely on?](https://tls.mbed.org/kb/development/what-external-dependencies-does-mbedtls-rely-on) -- [How do I configure Mbed TLS](https://tls.mbed.org/kb/compiling-and-building/how-do-i-configure-mbedtls) +- [Porting Mbed TLS to a new environment or OS](https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS/) +- [What external dependencies does Mbed TLS rely on?](https://mbed-tls.readthedocs.io/en/latest/kb/development/what-external-dependencies-does-mbedtls-rely-on/) +- [How do I configure Mbed TLS](https://mbed-tls.readthedocs.io/en/latest/kb/compiling-and-building/how-do-i-configure-mbedtls/) Mbed TLS is mostly written in portable C99; however, it has a few platform requirements that go beyond the standard, but are met by most modern architectures: @@ -263,11 +265,11 @@ Mbed TLS is mostly written in portable C99; however, it has a few platform requi PSA cryptography API -------------------- -### PSA API design +### PSA API Arm's [Platform Security Architecture (PSA)](https://developer.arm.com/architectures/security-architectures/platform-security-architecture) is a holistic set of threat models, security analyses, hardware and firmware architecture specifications, and an open source firmware reference implementation. PSA provides a recipe, based on industry best practice, that allows security to be consistently designed in, at both a hardware and firmware level. -The [PSA cryptography API](https://armmbed.github.io/mbed-crypto/psa/#application-programming-interface) provides access to a set of cryptographic primitives. It has a dual purpose. First, it can be used in a PSA-compliant platform to build services, such as secure boot, secure storage and secure communication. Second, it can also be used independently of other PSA components on any platform. +The [PSA cryptography API](https://arm-software.github.io/psa-api/crypto/) provides access to a set of cryptographic primitives. It has a dual purpose. First, it can be used in a PSA-compliant platform to build services, such as secure boot, secure storage and secure communication. Second, it can also be used independently of other PSA components on any platform. The design goals of the PSA cryptography API include: @@ -279,10 +281,6 @@ The design goals of the PSA cryptography API include: Arm welcomes feedback on the design of the API. If you think something could be improved, please open an issue on our Github repository. Alternatively, if you prefer to provide your feedback privately, please email us at [`mbed-crypto@arm.com`](mailto:mbed-crypto@arm.com). All feedback received by email is treated confidentially. -### PSA API documentation - -A browsable copy of the PSA Cryptography API documents is available on the [PSA cryptography interfaces documentation portal](https://armmbed.github.io/mbed-crypto/psa/#application-programming-interface) in [PDF](https://armmbed.github.io/mbed-crypto/PSA_Cryptography_API_Specification.pdf) and [HTML](https://armmbed.github.io/mbed-crypto/html/index.html) formats. - ### PSA implementation in Mbed TLS Mbed TLS includes a reference implementation of the PSA Cryptography API. diff --git a/thirdparty/mbedtls/include/mbedtls/aes.h b/thirdparty/mbedtls/include/mbedtls/aes.h index 144bd89e24fb63..1cd20fe06cb610 100644 --- a/thirdparty/mbedtls/include/mbedtls/aes.h +++ b/thirdparty/mbedtls/include/mbedtls/aes.h @@ -61,11 +61,6 @@ /** Invalid input data. */ #define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021 -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #ifdef __cplusplus extern "C" { #endif @@ -80,7 +75,8 @@ extern "C" { typedef struct mbedtls_aes_context { int MBEDTLS_PRIVATE(nr); /*!< The number of rounds. */ - uint32_t *MBEDTLS_PRIVATE(rk); /*!< AES round keys. */ + size_t MBEDTLS_PRIVATE(rk_offset); /*!< The offset in array elements to AES + round keys in the buffer. */ uint32_t MBEDTLS_PRIVATE(buf)[68]; /*!< Unaligned data buffer. This buffer can hold 32 extra Bytes, which can be used for one of the following purposes: diff --git a/thirdparty/mbedtls/include/mbedtls/asn1.h b/thirdparty/mbedtls/include/mbedtls/asn1.h index be2cae7b5aa99c..5e3f3878c12f6d 100644 --- a/thirdparty/mbedtls/include/mbedtls/asn1.h +++ b/thirdparty/mbedtls/include/mbedtls/asn1.h @@ -24,6 +24,7 @@ #include "mbedtls/private_access.h" #include "mbedtls/build_info.h" +#include "mbedtls/platform_util.h" #include @@ -38,8 +39,9 @@ /** * \name ASN1 Error codes - * These error codes are OR'ed to X509 error codes for + * These error codes are combined with other error codes for * higher error granularity. + * e.g. X.509 and PKCS #7 error codes * ASN1 is a standard to specify data structures. * \{ */ @@ -606,25 +608,41 @@ int mbedtls_asn1_get_alg_null( unsigned char **p, const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( const mbedtls_asn1_named_data *list, const char *oid, size_t len ); +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief Free a mbedtls_asn1_named_data entry * + * \deprecated This function is deprecated and will be removed in a + * future version of the library. + * Please use mbedtls_asn1_free_named_data_list() + * or mbedtls_asn1_free_named_data_list_shallow(). + * * \param entry The named data entry to free. * This function calls mbedtls_free() on * `entry->oid.p` and `entry->val.p`. */ -void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry ); +void MBEDTLS_DEPRECATED mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry ); +#endif /* MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Free all entries in a mbedtls_asn1_named_data list. * * \param head Pointer to the head of the list of named data entries to free. - * This function calls mbedtls_asn1_free_named_data() and - * mbedtls_free() on each list element and - * sets \c *head to \c NULL. + * This function calls mbedtls_free() on + * `entry->oid.p` and `entry->val.p` and then on `entry` + * for each list entry, and sets \c *head to \c NULL. */ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ); +/** + * \brief Free all shallow entries in a mbedtls_asn1_named_data list, + * but do not free internal pointer targets. + * + * \param name Head of the list of named data entries to free. + * This function calls mbedtls_free() on each list element. + */ +void mbedtls_asn1_free_named_data_list_shallow( mbedtls_asn1_named_data *name ); + /** \} name Functions to parse ASN.1 data structures */ /** \} addtogroup asn1_module */ diff --git a/thirdparty/mbedtls/include/mbedtls/asn1write.h b/thirdparty/mbedtls/include/mbedtls/asn1write.h index e696e8a4c9943f..e6f0479ca45d3e 100644 --- a/thirdparty/mbedtls/include/mbedtls/asn1write.h +++ b/thirdparty/mbedtls/include/mbedtls/asn1write.h @@ -86,7 +86,7 @@ int mbedtls_asn1_write_raw_buffer( unsigned char **p, const unsigned char *start #if defined(MBEDTLS_BIGNUM_C) /** - * \brief Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER) + * \brief Write an arbitrary-precision number (#MBEDTLS_ASN1_INTEGER) * in ASN.1 format. * * \note This function works backwards in data buffer. diff --git a/thirdparty/mbedtls/include/mbedtls/bignum.h b/thirdparty/mbedtls/include/mbedtls/bignum.h index 5277f56d96cd2e..877fbc7ceb4d9b 100644 --- a/thirdparty/mbedtls/include/mbedtls/bignum.h +++ b/thirdparty/mbedtls/include/mbedtls/bignum.h @@ -179,6 +179,20 @@ #endif /* !MBEDTLS_NO_UDBL_DIVISION */ #endif /* !MBEDTLS_HAVE_INT64 */ +/** \typedef mbedtls_mpi_uint + * \brief The type of machine digits in a bignum, called _limbs_. + * + * This is always an unsigned integer type with no padding bits. The size + * is platform-dependent. + */ + +/** \typedef mbedtls_mpi_sint + * \brief The signed type corresponding to #mbedtls_mpi_uint. + * + * This is always an signed integer type with no padding bits. The size + * is platform-dependent. + */ + #ifdef __cplusplus extern "C" { #endif @@ -188,9 +202,27 @@ extern "C" { */ typedef struct mbedtls_mpi { - int MBEDTLS_PRIVATE(s); /*!< Sign: -1 if the mpi is negative, 1 otherwise */ - size_t MBEDTLS_PRIVATE(n); /*!< total # of limbs */ - mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); /*!< pointer to limbs */ + /** Sign: -1 if the mpi is negative, 1 otherwise. + * + * The number 0 must be represented with `s = +1`. Although many library + * functions treat all-limbs-zero as equivalent to a valid representation + * of 0 regardless of the sign bit, there are exceptions, so bignum + * functions and external callers must always set \c s to +1 for the + * number zero. + * + * Note that this implies that calloc() or `... = {0}` does not create + * a valid MPI representation. You must call mbedtls_mpi_init(). + */ + int MBEDTLS_PRIVATE(s); + + /** Total number of limbs in \c p. */ + size_t MBEDTLS_PRIVATE(n); + + /** Pointer to limbs. + * + * This may be \c NULL if \c n is 0. + */ + mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); } mbedtls_mpi; @@ -277,7 +309,7 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ); * \param Y The MPI to be assigned from. This must point to an * initialized MPI. * \param assign The condition deciding whether to perform the - * assignment or not. Possible values: + * assignment or not. Must be either 0 or 1: * * \c 1: Perform the assignment `X = Y`. * * \c 0: Keep the original value of \p X. * @@ -288,6 +320,10 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ); * information through branch prediction and/or memory access * patterns analysis). * + * \warning If \p assign is neither 0 nor 1, the result of this function + * is indeterminate, and the resulting value in \p X might be + * neither its original value nor the value in \p Y. + * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. * \return Another negative error code on other kinds of failure. @@ -300,24 +336,28 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned * * \param X The first MPI. This must be initialized. * \param Y The second MPI. This must be initialized. - * \param assign The condition deciding whether to perform - * the swap or not. Possible values: + * \param swap The condition deciding whether to perform + * the swap or not. Must be either 0 or 1: * * \c 1: Swap the values of \p X and \p Y. * * \c 0: Keep the original values of \p X and \p Y. * * \note This function is equivalent to - * if( assign ) mbedtls_mpi_swap( X, Y ); + * if( swap ) mbedtls_mpi_swap( X, Y ); * except that it avoids leaking any information about whether - * the assignment was done or not (the above code may leak + * the swap was done or not (the above code may leak * information through branch prediction and/or memory access * patterns analysis). * + * \warning If \p swap is neither 0 nor 1, the result of this function + * is indeterminate, and both \p X and \p Y might end up with + * values different to either of the original ones. + * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed. * \return Another negative error code on other kinds of failure. * */ -int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign ); +int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap ); /** * \brief Store integer value in MPI. @@ -750,11 +790,11 @@ int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, * * \param Q The destination MPI for the quotient. * This may be \c NULL if the value of the - * quotient is not needed. + * quotient is not needed. This must not alias A or B. * \param R The destination MPI for the remainder value. * This may be \c NULL if the value of the - * remainder is not needed. - * \param A The dividend. This must point to an initialized MPi. + * remainder is not needed. This must not alias A or B. + * \param A The dividend. This must point to an initialized MPI. * \param B The divisor. This must point to an initialized MPI. * * \return \c 0 if successful. @@ -771,10 +811,10 @@ int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, * * \param Q The destination MPI for the quotient. * This may be \c NULL if the value of the - * quotient is not needed. + * quotient is not needed. This must not alias A. * \param R The destination MPI for the remainder value. * This may be \c NULL if the value of the - * remainder is not needed. + * remainder is not needed. This must not alias A. * \param A The dividend. This must point to an initialized MPi. * \param b The divisor. * @@ -829,6 +869,7 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, * \brief Perform a sliding-window exponentiation: X = A^E mod N * * \param X The destination MPI. This must point to an initialized MPI. + * This must not alias E or N. * \param A The base of the exponentiation. * This must point to an initialized MPI. * \param E The exponent MPI. This must point to an initialized MPI. diff --git a/thirdparty/mbedtls/include/mbedtls/build_info.h b/thirdparty/mbedtls/include/mbedtls/build_info.h index 234debd0121ce3..049a120ef1d10f 100644 --- a/thirdparty/mbedtls/include/mbedtls/build_info.h +++ b/thirdparty/mbedtls/include/mbedtls/build_info.h @@ -37,22 +37,28 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 3 -#define MBEDTLS_VERSION_MINOR 2 -#define MBEDTLS_VERSION_PATCH 1 +#define MBEDTLS_VERSION_MINOR 3 +#define MBEDTLS_VERSION_PATCH 0 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x03020100 -#define MBEDTLS_VERSION_STRING "3.2.1" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.2.1" +#define MBEDTLS_VERSION_NUMBER 0x03030000 +#define MBEDTLS_VERSION_STRING "3.3.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.3.0" #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) #define _CRT_SECURE_NO_DEPRECATE 1 #endif +/* Define `inline` on some non-C99-compliant compilers. */ +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/mbedtls_config.h" #else @@ -74,10 +80,61 @@ #include MBEDTLS_USER_CONFIG_FILE #endif -#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO) +/* The PK wrappers need pk_write functions to format RSA key objects + * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO, + * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). + * PSA crypto also needs pk_write to export RSA keys (otherwise the build + * goes through but psa_export_key() and psa_export_public_key() fail on + * RSA keys), and pk_parse to work with RSA keys in almost any way. + */ +#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C) +#define MBEDTLS_PK_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PK_PARSE_C +#endif + +/* Under MBEDTLS_USE_PSA_CRYPTO, the pk module needs pk_write functions + * to pass ECC keys to PSA. */ +#if defined(MBEDTLS_PK_C) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECP_C) #define MBEDTLS_PK_WRITE_C #endif -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) + +#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) +#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#endif + +#if !defined(MBEDTLS_SSL_PROTO_TLS1_3) +#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +#undef MBEDTLS_SSL_EARLY_DATA +#endif + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED +#endif + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) || \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED +#endif + +/* Make sure all configuration symbols are set before including check_config.h, + * even the ones that are calculated programmatically. */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \ + defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ #include "mbedtls/config_psa.h" #endif diff --git a/thirdparty/mbedtls/include/mbedtls/check_config.h b/thirdparty/mbedtls/include/mbedtls/check_config.h index 5fe98498408389..04e43e39d7d8be 100644 --- a/thirdparty/mbedtls/include/mbedtls/check_config.h +++ b/thirdparty/mbedtls/include/mbedtls/check_config.h @@ -32,6 +32,8 @@ #error "mbed TLS requires a platform with 8-bit chars" #endif +#include + #if defined(_WIN32) #if !defined(MBEDTLS_PLATFORM_C) #error "MBEDTLS_PLATFORM_C is required on Windows" @@ -108,7 +110,8 @@ #endif #if defined(MBEDTLS_ECJPAKE_C) && \ - ( !defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C) ) + ( !defined(MBEDTLS_ECP_C) || \ + !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) ) #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites" #endif @@ -153,20 +156,19 @@ #error "MBEDTLS_PKCS12_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PKCS5_C) && (!defined(MBEDTLS_MD_C) || \ - !defined(MBEDTLS_CIPHER_C)) +#if defined(MBEDTLS_PKCS5_C) && \ + ( !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) || \ + !defined(MBEDTLS_CIPHER_C) ) #error "MBEDTLS_PKCS5_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PKCS12_C) && !defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PKCS12_C) && \ + !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) #error "MBEDTLS_PKCS12_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PKCS1_V15) && !defined(MBEDTLS_MD_C) -#error "MBEDTLS_PKCS1_V15 defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_PKCS1_V21) && !defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PKCS1_V21) && \ + !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) #error "MBEDTLS_PKCS1_V21 defined, but not all prerequisites" #endif @@ -320,11 +322,20 @@ #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) || \ + ( !defined(MBEDTLS_ECJPAKE_C) || \ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ) #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif +/* Use of EC J-PAKE in TLS requires SHA-256. + * This will be taken from MD if it is present, or from PSA if MD is absent. + * Note: ECJPAKE_C depends on MD_C || PSA_CRYPTO_C. */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + !( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) && \ + !( !defined(MBEDTLS_MD_C) && defined(PSA_WANT_ALG_SHA_256) ) +#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ ( !defined(MBEDTLS_SHA256_C) && \ @@ -333,6 +344,27 @@ #error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C" #endif +#if defined(MBEDTLS_MD_C) && !( \ + defined(MBEDTLS_MD5_C) || \ + defined(MBEDTLS_RIPEMD160_C) || \ + defined(MBEDTLS_SHA1_C) || \ + defined(MBEDTLS_SHA224_C) || \ + defined(MBEDTLS_SHA256_C) || \ + defined(MBEDTLS_SHA384_C) || \ + defined(MBEDTLS_SHA512_C) ) +#error "MBEDTLS_MD_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_LMS_C) && \ + ! ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) ) +#error "MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256" +#endif + +#if defined(MBEDTLS_LMS_PRIVATE) && \ + ( !defined(MBEDTLS_LMS_C) ) +#error "MBEDTLS_LMS_PRIVATE requires MBEDTLS_LMS_C" +#endif + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \ ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) ) #error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites" @@ -359,7 +391,7 @@ #endif #if defined(MBEDTLS_PK_C) && \ - ( !defined(MBEDTLS_MD_C) || ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) ) ) + !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) #error "MBEDTLS_PK_C defined, but not all prerequisites" #endif @@ -503,6 +535,20 @@ #error "MBEDTLS_PLATFORM_SNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_SNPRINTF/MBEDTLS_PLATFORM_SNPRINTF_ALT cannot be defined simultaneously" #endif +#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C) +#error "MBEDTLS_PLATFORM_VSNPRINTF_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C) +#error "MBEDTLS_PLATFORM_VSNPRINTF_MACRO defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO) &&\ + ( defined(MBEDTLS_PLATFORM_STD_VSNPRINTF) ||\ + defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) ) +#error "MBEDTLS_PLATFORM_VSNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_VSNPRINTF/MBEDTLS_PLATFORM_VSNPRINTF_ALT cannot be defined simultaneously" +#endif + #if defined(MBEDTLS_PLATFORM_STD_MEM_HDR) &&\ !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) #error "MBEDTLS_PLATFORM_STD_MEM_HDR defined, but not all prerequisites" @@ -734,23 +780,47 @@ #error "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) && \ - !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + !( defined(MBEDTLS_SHA1_C) || defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA512_C) ) #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites" #endif -/* - * HKDF is mandatory for TLS 1.3. - * Otherwise support for at least one ciphersuite mandates either SHA_256 or - * SHA_384. - */ +/* TLS 1.3 requires separate HKDF parts from PSA */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ - ( ( !defined(MBEDTLS_HKDF_C) ) || \ - ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA384_C) ) || \ - ( !defined(MBEDTLS_PSA_CRYPTO_C) ) ) + !( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_HKDF_EXTRACT) && defined(PSA_WANT_ALG_HKDF_EXPAND) ) #error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites" #endif +/* TLS 1.3 requires at least one ciphersuite, so at least SHA-256 or SHA-384 */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +/* We always need at least one of the hashes via PSA (for use with HKDF) */ +#if !( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384) ) +#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites" +#endif /* !(PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384) */ +#if !defined(MBEDTLS_USE_PSA_CRYPTO) +/* When USE_PSA_CRYPTO is not defined, we also need SHA-256 or SHA-384 via the + * legacy interface, including via the MD layer, for the parts of the code + * that are shared with TLS 1.2 (running handshake hash). */ +#if !defined(MBEDTLS_MD_C) || \ + !( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) ) +#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites" +#endif /* !MBEDTLS_MD_C || !(MBEDTLS_SHA256_C || MBEDTLS_SHA384_C) */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) +#if !( defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_X509_CRT_PARSE_C) && \ + ( defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_PKCS1_V21) ) ) +#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites" +#endif +#endif + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) +#if !( defined(MBEDTLS_ECDH_C) ) +#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined, but not all prerequisites" +#endif +#endif + /* * The current implementation of TLS 1.3 requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE. */ @@ -774,6 +844,20 @@ "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx" #endif +#if defined(MBEDTLS_SSL_EARLY_DATA) && \ + ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \ + ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ + !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) ) +#error "MBEDTLS_SSL_EARLY_DATA defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) && \ + ( !defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) || \ + ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE < 0 ) || \ + ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE > UINT32_MAX ) ) +#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MUST be defined and in range(0..UINT32_MAX)" +#endif + #if defined(MBEDTLS_SSL_PROTO_DTLS) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites" @@ -784,7 +868,7 @@ #endif #if defined(MBEDTLS_SSL_TLS_C) && ( !defined(MBEDTLS_CIPHER_C) || \ - !defined(MBEDTLS_MD_C) ) + ( !defined(MBEDTLS_MD_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) ) ) #error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites" #endif @@ -828,6 +912,19 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && \ + !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) +#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 +#if defined(MBEDTLS_DEPRECATED_REMOVED) +#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" +#elif defined(MBEDTLS_DEPRECATED_WARNING) +#warning "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" +#endif +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 */ + #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequisites" @@ -843,6 +940,16 @@ #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_TICKET_C) && \ + !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) +#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH) && \ + MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH >= 256 +#error "MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH must be less than 256" +#endif + #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ !defined(MBEDTLS_X509_CRT_PARSE_C) #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites" @@ -876,14 +983,16 @@ #endif #if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \ - !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) || \ - !defined(MBEDTLS_PK_PARSE_C) ) + !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) || \ + !defined(MBEDTLS_PK_PARSE_C) || \ + ( !defined(MBEDTLS_MD_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) ) ) #error "MBEDTLS_X509_USE_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \ !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) || \ - !defined(MBEDTLS_PK_WRITE_C) ) + !defined(MBEDTLS_PK_PARSE_C) || \ + ( !defined(MBEDTLS_MD_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) ) ) #error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites" #endif @@ -924,7 +1033,9 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif - +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) +#error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" +#endif /* Reject attempts to enable options that have been removed and that could * cause a build to succeed but with features removed. */ @@ -973,6 +1084,14 @@ #error "MBEDTLS_SSL_TRUNCATED_HMAC was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4341" #endif +#if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \ + ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \ + ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\ + ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) || \ + ( !defined(MBEDTLS_MD_C) ) ) +#error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" +#endif + /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the diff --git a/thirdparty/mbedtls/include/mbedtls/cipher.h b/thirdparty/mbedtls/include/mbedtls/cipher.h index a3f52ea71f4029..151da1d83ef159 100644 --- a/thirdparty/mbedtls/include/mbedtls/cipher.h +++ b/thirdparty/mbedtls/include/mbedtls/cipher.h @@ -46,11 +46,6 @@ #define MBEDTLS_CIPHER_MODE_STREAM #endif -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** The selected feature is not available. */ #define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 /** Bad input parameters. */ diff --git a/thirdparty/mbedtls/include/mbedtls/config_psa.h b/thirdparty/mbedtls/include/mbedtls/config_psa.h index 2a6672e17a2a5e..5727c5eb77437b 100644 --- a/thirdparty/mbedtls/include/mbedtls/config_psa.h +++ b/thirdparty/mbedtls/include/mbedtls/config_psa.h @@ -7,7 +7,7 @@ * those definitions to define symbols used in the library code. * * Users and integrators should not edit this file, please edit - * include/mbedtls/mbedtls_config.h for MBETLS_XXX settings or + * include/mbedtls/mbedtls_config.h for MBEDTLS_XXX settings or * include/psa/crypto_config.h for PSA_WANT_XXX settings. */ /* @@ -146,6 +146,15 @@ extern "C" { #define MBEDTLS_MD5_C #endif +#if defined(PSA_WANT_ALG_JPAKE) +#define MBEDTLS_PSA_BUILTIN_PAKE 1 +#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1 +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_ECP_C +#define MBEDTLS_ECJPAKE_C +#endif /* PSA_WANT_ALG_JPAKE */ + #if defined(PSA_WANT_ALG_RIPEMD160) && !defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160) #define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1 #define MBEDTLS_RIPEMD160_C @@ -158,7 +167,6 @@ extern "C" { #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C #define MBEDTLS_PKCS1_V21 -#define MBEDTLS_MD_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */ #endif /* PSA_WANT_ALG_RSA_OAEP */ @@ -179,7 +187,6 @@ extern "C" { #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C #define MBEDTLS_PKCS1_V15 -#define MBEDTLS_MD_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */ #endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ @@ -190,7 +197,6 @@ extern "C" { #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C #define MBEDTLS_PKCS1_V21 -#define MBEDTLS_MD_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */ #endif /* PSA_WANT_ALG_RSA_PSS */ @@ -231,6 +237,12 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */ #endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */ +#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS) +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1 +#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS */ +#endif /* PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */ + #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 @@ -450,6 +462,8 @@ extern "C" { #if !defined(MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305) #if defined(PSA_WANT_KEY_TYPE_CHACHA20) #define MBEDTLS_CHACHAPOLY_C +#define MBEDTLS_CHACHA20_C +#define MBEDTLS_POLY1305_C #define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 #endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ #endif /* !MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 */ @@ -621,10 +635,11 @@ extern "C" { #define PSA_WANT_ALG_HKDF_EXPAND 1 #endif /* MBEDTLS_HKDF_C */ -#if defined(MBEDTLS_MD_C) #define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_KEY_TYPE_HMAC + +#if defined(MBEDTLS_MD_C) #define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1 @@ -636,6 +651,12 @@ extern "C" { #define PSA_WANT_ALG_MD5 1 #endif +#if defined(MBEDTLS_ECJPAKE_C) +#define MBEDTLS_PSA_BUILTIN_PAKE 1 +#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1 +#define PSA_WANT_ALG_JPAKE 1 +#endif + #if defined(MBEDTLS_RIPEMD160_C) #define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1 #define PSA_WANT_ALG_RIPEMD160 1 @@ -706,6 +727,11 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 #endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 +#endif + #if defined(MBEDTLS_CHACHA20_C) #define PSA_WANT_KEY_TYPE_CHACHA20 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 diff --git a/thirdparty/mbedtls/include/mbedtls/constant_time.h b/thirdparty/mbedtls/include/mbedtls/constant_time.h index c5de57a01f089e..fb1f7e98ea6cb4 100644 --- a/thirdparty/mbedtls/include/mbedtls/constant_time.h +++ b/thirdparty/mbedtls/include/mbedtls/constant_time.h @@ -1,6 +1,7 @@ /** * Constant-time functions - * + */ +/* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * diff --git a/thirdparty/mbedtls/include/mbedtls/ecdsa.h b/thirdparty/mbedtls/include/mbedtls/ecdsa.h index 71b73eee541d62..967f07b9b51b1a 100644 --- a/thirdparty/mbedtls/include/mbedtls/ecdsa.h +++ b/thirdparty/mbedtls/include/mbedtls/ecdsa.h @@ -245,10 +245,8 @@ int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r, * This must be initialized. * * \return \c 0 on success. - * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature - * is invalid. * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX - * error code on failure for any other reason. + * error code on failure. */ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, const unsigned char *buf, size_t blen, diff --git a/thirdparty/mbedtls/include/mbedtls/ecjpake.h b/thirdparty/mbedtls/include/mbedtls/ecjpake.h index 7853a6a8378d04..3dd3361a1b1d0f 100644 --- a/thirdparty/mbedtls/include/mbedtls/ecjpake.h +++ b/thirdparty/mbedtls/include/mbedtls/ecjpake.h @@ -70,7 +70,7 @@ typedef enum { */ typedef struct mbedtls_ecjpake_context { - const mbedtls_md_info_t *MBEDTLS_PRIVATE(md_info); /**< Hash to use */ + mbedtls_md_type_t MBEDTLS_PRIVATE(md_type); /**< Hash to use */ mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /**< Elliptic curve */ mbedtls_ecjpake_role MBEDTLS_PRIVATE(role); /**< Are we client or server? */ int MBEDTLS_PRIVATE(point_format); /**< Format for point export */ @@ -113,7 +113,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * \param curve The identifier of the elliptic curve to use, * for example #MBEDTLS_ECP_DP_SECP256R1. * \param secret The pre-shared secret (passphrase). This must be - * a readable buffer of length \p len Bytes. It need + * a readable not empty buffer of length \p len Bytes. It need * only be valid for the duration of this call. * \param len The length of the pre-shared secret \p secret. * @@ -258,6 +258,29 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); +/** + * \brief Write the shared key material to be passed to a Key + * Derivation Function as described in RFC8236. + * + * \param ctx The ECJPAKE context to use. This must be initialized, + * set up and have performed both round one and two. + * \param buf The buffer to write the derived secret to. This must + * be a writable buffer of length \p len Bytes. + * \param len The length of \p buf in Bytes. + * \param olen The address at which to store the total number of bytes + * written to \p buf. This must not be \c NULL. + * \param f_rng The RNG function to use. This must not be \c NULL. + * \param p_rng The RNG parameter to be passed to \p f_rng. This + * may be \c NULL if \p f_rng doesn't use a context. + * + * \return \c 0 if successful. + * \return A negative error code on failure. + */ +int mbedtls_ecjpake_write_shared_key( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + /** * \brief This clears an ECJPAKE context and frees any * embedded data structure. diff --git a/thirdparty/mbedtls/include/mbedtls/ecp.h b/thirdparty/mbedtls/include/mbedtls/ecp.h index ac8b7c0dafd84c..0c1790d5214f71 100644 --- a/thirdparty/mbedtls/include/mbedtls/ecp.h +++ b/thirdparty/mbedtls/include/mbedtls/ecp.h @@ -918,7 +918,7 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, * \note To prevent timing attacks, this function * executes the exact same sequence of base-field * operations for any valid \p m. It avoids any if-branch or - * array index depending on the value of \p m. If also uses + * array index depending on the value of \p m. It also uses * \p f_rng to randomize some intermediate results. * * \param grp The ECP group to use. diff --git a/thirdparty/mbedtls/include/mbedtls/error.h b/thirdparty/mbedtls/include/mbedtls/error.h index 8b2b9ea5804322..4a97d652be228c 100644 --- a/thirdparty/mbedtls/include/mbedtls/error.h +++ b/thirdparty/mbedtls/include/mbedtls/error.h @@ -26,11 +26,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** * Error code layout. * @@ -82,6 +77,7 @@ * POLY1305 3 0x0057-0x005B * CHACHAPOLY 2 0x0054-0x0056 * PLATFORM 2 0x0070-0x0072 + * LMS 5 0x0011-0x0019 * * High-level module nr (3 bits - 0x0...-0x7...) * Name ID Nr of Errors @@ -95,6 +91,7 @@ * ECP 4 10 (Started from top) * MD 5 5 * HKDF 5 1 (Started from top) + * PKCS7 5 12 (Started from 0x5300) * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 22 (Started from top, plus 0x6000) diff --git a/thirdparty/mbedtls/include/mbedtls/legacy_or_psa.h b/thirdparty/mbedtls/include/mbedtls/legacy_or_psa.h new file mode 100644 index 00000000000000..f872ddaf1f354c --- /dev/null +++ b/thirdparty/mbedtls/include/mbedtls/legacy_or_psa.h @@ -0,0 +1,215 @@ +/** + * Macros to express dependencies for code and tests that may use either the + * legacy API or PSA in various builds. This whole header file is currently + * for internal use only and both the header file and the macros it defines + * may change or be removed without notice. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * Note: applications that are targeting a specific configuration do not need + * to use these macros; instead they should directly use the functions they + * know are available in their configuration. + * + * Note: code that is purely based on PSA Crypto (psa_xxx() functions) + * does not need to use these macros; instead it should use the relevant + * PSA_WANT_xxx macros. + * + * Note: code that is purely based on the legacy crypto APIs (mbedtls_xxx()) + * does not need to use these macros; instead it should use the relevant + * MBEDTLS_xxx macros. + * + * These macros are for code that wants to use and will do so + * using or PSA depending on , where: + * - will generally be an algorithm (SHA-256, ECDH) but may + * also be a key type (AES, RSA, EC) or domain parameters (elliptic curve); + * - will be either: + * - low-level module API (aes.h, sha256.h), or + * - an abstraction layer (md.h, cipher.h); + * - will be either: + * - depending on what's available in the build: + * legacy API used if available, PSA otherwise + * (this is done to ensure backwards compatibility); or + * - depending on whether MBEDTLS_USE_PSA_CRYPTO is defined. + * + * Examples: + * - TLS 1.2 will compute hashes using either mbedtls_md_xxx() (and + * mbedtls_sha256_xxx()) or psa_aead_xxx() depending on whether + * MBEDTLS_USE_PSA_CRYPTO is defined; + * - RSA PKCS#1 v2.1 will compute hashes (for padding) using either + * `mbedtls_md()` if it's available, or `psa_hash_compute()` otherwise; + * - PEM decoding of PEM-encrypted keys will compute MD5 hashes using either + * `mbedtls_md5_xxx()` if it's available, or `psa_hash_xxx()` otherwise. + * + * Note: the macros are essential to express test dependencies. Inside code, + * we could instead just use the equivalent pre-processor condition, but + * that's not possible in test dependencies where we need a single macro. + * Hopefully, using these macros in code will also help with consistency. + * + * The naming scheme for these macros is: + * MBEDTLS_HAS_feature_VIA_legacy_OR_PSA(_condition) + * where: + * - feature is expressed the same way as in PSA_WANT macros, for example: + * KEY_TYPE_AES, ALG_SHA_256, ECC_SECP_R1_256; + * - legacy is either LOWLEVEL or the name of the layer: MD, CIPHER; + * - condition is omitted if it's based on availability, else it's + * BASED_ON_USE_PSA. + * + * Coming back to the examples above: + * - TLS 1.2 will determine if it can use SHA-256 using + * MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA + * for the purposes of negotiation, and in test dependencies; + * - RSA PKCS#1 v2.1 tests that used SHA-256 will depend on + * MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA + * - PEM decoding code and its associated tests will depend on + * MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA + * + * Note: every time it's possible to use, say SHA-256, via the MD API, then + * it's also possible to use it via the low-level API. So, code that wants to + * use SHA-256 via both APIs only needs to depend on the MD macro. Also, it + * just so happens that all the code choosing which API to use based on + * MBEDTLS_USE_PSA_CRYPTO (X.509, TLS 1.2/shared), always uses the abstraction + * layer (sometimes in addition to the low-level API), so we don't need the + * MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA_BASED_ON_USE_PSA macros. + * (PK, while obeying MBEDTLS_USE_PSA_CRYPTO, doesn't compute hashes itself, + * even less makes use of ciphers.) + * + * Note: the macros MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA are the minimal + * condition for being able to use at all. As such, they should be + * used for guarding data about , such as OIDs or size. For example, + * OID values related to SHA-256 are only useful when SHA-256 can be used at + * least in some way. + */ + +#ifndef MBEDTLS_OR_PSA_HELPERS_H +#define MBEDTLS_OR_PSA_HELPERS_H + +#include "mbedtls/build_info.h" +#if defined(MBEDTLS_PSA_CRYPTO_C) +#include "psa/crypto.h" +#endif /* MBEDTLS_PSA_CRYPTO_C */ + +/* + * Hashes + */ + +/* Hashes using low-level or PSA based on availability */ +#if defined(MBEDTLS_MD5_C) || \ + ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_MD5) ) +#define MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA +#endif +#if defined(MBEDTLS_RIPEMD160_C) || \ + ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_RIPEMD160) ) +#define MBEDTLS_HAS_ALG_RIPEMD160_VIA_LOWLEVEL_OR_PSA +#endif +#if defined(MBEDTLS_SHA1_C) || \ + ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) ) +#define MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA +#endif +#if defined(MBEDTLS_SHA224_C) || \ + ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_224) ) +#define MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA +#endif +#if defined(MBEDTLS_SHA256_C) || \ + ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) ) +#define MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA +#endif +#if defined(MBEDTLS_SHA384_C) || \ + ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384) ) +#define MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA +#endif +#if defined(MBEDTLS_SHA512_C) || \ + ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512) ) +#define MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA +#endif + +/* Hashes using MD or PSA based on availability */ +#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_MD5_C) ) || \ + ( !defined(MBEDTLS_MD_C) && \ + defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_MD5) ) +#define MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA +#endif +#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_RIPEMD160_C) ) || \ + ( !defined(MBEDTLS_MD_C) && \ + defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_RIPEMD160) ) +#define MBEDTLS_HAS_ALG_RIPEMD160_VIA_MD_OR_PSA +#endif +#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA1_C) ) || \ + ( !defined(MBEDTLS_MD_C) && \ + defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) ) +#define MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA +#endif +#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA224_C) ) || \ + ( !defined(MBEDTLS_MD_C) && \ + defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_224) ) +#define MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA +#endif +#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \ + ( !defined(MBEDTLS_MD_C) && \ + defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) ) +#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA +#endif +#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \ + ( !defined(MBEDTLS_MD_C) && \ + defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384) ) +#define MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA +#endif +#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA512_C) ) || \ + ( !defined(MBEDTLS_MD_C) && \ + defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512) ) +#define MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA +#endif + +/* Hashes using MD or PSA based on MBEDTLS_USE_PSA_CRYPTO */ +#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_MD_C) && defined(MBEDTLS_MD5_C) ) || \ + ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_MD5) ) +#define MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA +#endif +#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_MD_C) && defined(MBEDTLS_RIPEMD160_C) ) || \ + ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_RIPEMD160) ) +#define MBEDTLS_HAS_ALG_RIPEMD160_VIA_MD_OR_PSA_BASED_ON_USE_PSA +#endif +#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA1_C) ) || \ + ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_1) ) +#define MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +#endif +#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA224_C) ) || \ + ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_224) ) +#define MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA +#endif +#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \ + ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_256) ) +#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +#endif +#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \ + ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_384) ) +#define MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA +#endif +#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA512_C) ) || \ + ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_512) ) +#define MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA +#endif + +#endif /* MBEDTLS_OR_PSA_HELPERS_H */ diff --git a/thirdparty/mbedtls/include/mbedtls/lms.h b/thirdparty/mbedtls/include/mbedtls/lms.h new file mode 100644 index 00000000000000..1179cd1b3d89bd --- /dev/null +++ b/thirdparty/mbedtls/include/mbedtls/lms.h @@ -0,0 +1,451 @@ +/** + * \file lms.h + * + * \brief This file provides an API for the LMS post-quantum-safe stateful-hash + public-key signature scheme as defined in RFC8554 and NIST.SP.200-208. + * This implementation currently only supports a single parameter set + * MBEDTLS_LMS_SHA256_M32_H10 in order to reduce complexity. This is one + * of the signature schemes recommended by the IETF draft SUIT standard + * for IOT firmware upgrades (RFC9019). + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef MBEDTLS_LMS_H +#define MBEDTLS_LMS_H + +#include +#include + +#include "mbedtls/private_access.h" +#include "mbedtls/build_info.h" + +#define MBEDTLS_ERR_LMS_BAD_INPUT_DATA -0x0011 /**< Bad data has been input to an LMS function */ +#define MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS -0x0013 /**< Specified LMS key has utilised all of its private keys */ +#define MBEDTLS_ERR_LMS_VERIFY_FAILED -0x0015 /**< LMS signature verification failed */ +#define MBEDTLS_ERR_LMS_ALLOC_FAILED -0x0017 /**< LMS failed to allocate space for a private key */ +#define MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL -0x0019 /**< Input/output buffer is too small to contain requited data */ + +/* Currently only defined for SHA256, 32 is the max hash output size */ +#define MBEDTLS_LMOTS_N_HASH_LEN_MAX (32u) +#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX (34u) +#define MBEDTLS_LMOTS_N_HASH_LEN(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 32u : 0) +#define MBEDTLS_LMOTS_I_KEY_ID_LEN (16u) +#define MBEDTLS_LMOTS_Q_LEAF_ID_LEN (4u) +#define MBEDTLS_LMOTS_TYPE_LEN (4u) +#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 34u : 0) +#define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) (MBEDTLS_LMOTS_N_HASH_LEN(type)) + +#define MBEDTLS_LMOTS_SIG_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \ + MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) + \ + (MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) * \ + MBEDTLS_LMOTS_N_HASH_LEN(type))) + + +#define MBEDTLS_LMS_TYPE_LEN (4) +#define MBEDTLS_LMS_H_TREE_HEIGHT(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 10u : 0) + +/* The length of a hash output, Currently only implemented for SHA256. + * Max is 32 bytes. + */ +#define MBEDTLS_LMS_M_NODE_BYTES(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 32 : 0) +#define MBEDTLS_LMS_M_NODE_BYTES_MAX 32 + +#define MBEDTLS_LMS_SIG_LEN(type, otstype) (MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \ + MBEDTLS_LMOTS_SIG_LEN(otstype) + \ + MBEDTLS_LMS_TYPE_LEN + \ + (MBEDTLS_LMS_H_TREE_HEIGHT(type) * \ + MBEDTLS_LMS_M_NODE_BYTES(type))) + +#define MBEDTLS_LMS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMS_TYPE_LEN + \ + MBEDTLS_LMOTS_TYPE_LEN + \ + MBEDTLS_LMOTS_I_KEY_ID_LEN + \ + MBEDTLS_LMS_M_NODE_BYTES(type)) + + +#ifdef __cplusplus +extern "C" { +#endif + +/** The Identifier of the LMS parameter set, as per + * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml + * We are only implementing a subset of the types, particularly H10, for the sake of simplicity. + */ +typedef enum { + MBEDTLS_LMS_SHA256_M32_H10 = 0x6, +} mbedtls_lms_algorithm_type_t; + +/** The Identifier of the LMOTS parameter set, as per + * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml. + * We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicity. + */ +typedef enum { + MBEDTLS_LMOTS_SHA256_N32_W8 = 4 +} mbedtls_lmots_algorithm_type_t; + +/** LMOTS parameters structure. + * + * This contains the metadata associated with an LMOTS key, detailing the + * algorithm type, the key ID, and the leaf identifier should be key be part of + * a LMS key. + */ +typedef struct { + unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key + identifier. */ + unsigned char MBEDTLS_PRIVATE(q_leaf_identifier[MBEDTLS_LMOTS_Q_LEAF_ID_LEN]); /*!< Which + leaf of the LMS key this is. + 0 if the key is not part of an LMS key. */ + mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LM-OTS key type identifier as + per IANA. Only SHA256_N32_W8 is + currently supported. */ +} mbedtls_lmots_parameters_t; + +/** LMOTS public context structure. + * + * A LMOTS public key is a hash output, and the applicable parameter set. + * + * The context must be initialized before it is used. A public key must either + * be imported or generated from a private context. + * + * \dot + * digraph lmots_public_t { + * UNINITIALIZED -> INIT [label="init"]; + * HAVE_PUBLIC_KEY -> INIT [label="free"]; + * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"]; + * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"]; + * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"]; + * } + * \enddot + */ +typedef struct { + mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params); + unsigned char MBEDTLS_PRIVATE(public_key)[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key. + Boolean values only. */ +} mbedtls_lmots_public_t; + +#if defined(MBEDTLS_LMS_PRIVATE) +/** LMOTS private context structure. + * + * A LMOTS private key is one hash output for each of digit of the digest + + * checksum, and the applicable parameter set. + * + * The context must be initialized before it is used. A public key must either + * be imported or generated from a private context. + * + * \dot + * digraph lmots_public_t { + * UNINITIALIZED -> INIT [label="init"]; + * HAVE_PRIVATE_KEY -> INIT [label="free"]; + * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"]; + * HAVE_PRIVATE_KEY -> INIT [label="sign"]; + * } + * \enddot + */ +typedef struct { + mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params); + unsigned char MBEDTLS_PRIVATE(private_key)[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key. + Boolean values only. */ +} mbedtls_lmots_private_t; +#endif /* defined(MBEDTLS_LMS_PRIVATE) */ + + +/** LMS parameters structure. + * + * This contains the metadata associated with an LMS key, detailing the + * algorithm type, the type of the underlying OTS algorithm, and the key ID. + */ +typedef struct { + unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key + identifier. */ + mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(otstype); /*!< The LM-OTS key type identifier as + per IANA. Only SHA256_N32_W8 is + currently supported. */ + mbedtls_lms_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LMS key type identifier as per + IANA. Only SHA256_M32_H10 is currently + supported. */ +} mbedtls_lms_parameters_t; + +/** LMS public context structure. + * + *A LMS public key is the hash output that is the root of the Merkle tree, and + * the applicable parameter set + * + * The context must be initialized before it is used. A public key must either + * be imported or generated from a private context. + * + * \dot + * digraph lms_public_t { + * UNINITIALIZED -> INIT [label="init"]; + * HAVE_PUBLIC_KEY -> INIT [label="free"]; + * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"]; + * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"]; + * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"]; + * } + * \enddot + */ +typedef struct { + mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params); + unsigned char MBEDTLS_PRIVATE(T_1_pub_key)[MBEDTLS_LMS_M_NODE_BYTES_MAX]; /*!< The public key, in + the form of the Merkle tree root node. */ + unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key. + Boolean values only. */ +} mbedtls_lms_public_t; + + +#if defined(MBEDTLS_LMS_PRIVATE) +/** LMS private context structure. + * + * A LMS private key is a set of LMOTS private keys, an index to the next usable + * key, and the applicable parameter set. + * + * The context must be initialized before it is used. A public key must either + * be imported or generated from a private context. + * + * \dot + * digraph lms_public_t { + * UNINITIALIZED -> INIT [label="init"]; + * HAVE_PRIVATE_KEY -> INIT [label="free"]; + * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"]; + * } + * \enddot + */ +typedef struct { + mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params); + uint32_t MBEDTLS_PRIVATE(q_next_usable_key); /*!< The index of the next OTS key that has not + been used. */ + mbedtls_lmots_private_t *MBEDTLS_PRIVATE(ots_private_keys); /*!< The private key material. One OTS key + for each leaf node in the Merkle tree. NULL + when have_private_key is 0 and non-NULL otherwise. + is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) in length. */ + mbedtls_lmots_public_t *MBEDTLS_PRIVATE(ots_public_keys); /*!< The OTS key public keys, used to + build the Merkle tree. NULL + when have_private_key is 0 and + non-NULL otherwise. + Is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) + in length. */ + unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key. + Boolean values only. */ +} mbedtls_lms_private_t; +#endif /* defined(MBEDTLS_LMS_PRIVATE) */ + +/** + * \brief This function initializes an LMS public context + * + * \param ctx The uninitialized LMS context that will then be + * initialized. + */ +void mbedtls_lms_public_init( mbedtls_lms_public_t *ctx ); + +/** + * \brief This function uninitializes an LMS public context + * + * \param ctx The initialized LMS context that will then be + * uninitialized. + */ +void mbedtls_lms_public_free( mbedtls_lms_public_t *ctx ); + +/** + * \brief This function imports an LMS public key into a + * public LMS context. + * + * \note Before this function is called, the context must + * have been initialized. + * + * \note See IETF RFC8554 for details of the encoding of + * this public key. + * + * \param ctx The initialized LMS context store the key in. + * \param key The buffer from which the key will be read. + * #MBEDTLS_LMS_PUBLIC_KEY_LEN bytes will be read from + * this. + * \param key_size The size of the key being imported. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lms_import_public_key( mbedtls_lms_public_t *ctx, + const unsigned char *key, size_t key_size ); + +/** + * \brief This function exports an LMS public key from a + * LMS public context that already contains a public + * key. + * + * \note Before this function is called, the context must + * have been initialized and the context must contain + * a public key. + * + * \note See IETF RFC8554 for details of the encoding of + * this public key. + * + * \param ctx The initialized LMS public context that contains + * the public key. + * \param key The buffer into which the key will be output. Must + * be at least #MBEDTLS_LMS_PUBLIC_KEY_LEN in size. + * \param key_size The size of the key buffer. + * \param key_len If not NULL, will be written with the size of the + * key. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lms_export_public_key( const mbedtls_lms_public_t *ctx, + unsigned char *key, size_t key_size, + size_t *key_len ); + +/** + * \brief This function verifies a LMS signature, using a + * LMS context that contains a public key. + * + * \note Before this function is called, the context must + * have been initialized and must contain a public key + * (either by import or generation). + * + * \param ctx The initialized LMS public context from which the + * public key will be read. + * \param msg The buffer from which the message will be read. + * \param msg_size The size of the message that will be read. + * \param sig The buf from which the signature will be read. + * #MBEDTLS_LMS_SIG_LEN bytes will be read from + * this. + * \param sig_size The size of the signature to be verified. + * + * \return \c 0 on successful verification. + * \return A non-zero error code on failure. + */ +int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx, + const unsigned char *msg, size_t msg_size, + const unsigned char *sig, size_t sig_size ); + +#if defined(MBEDTLS_LMS_PRIVATE) +/** + * \brief This function initializes an LMS private context + * + * \param ctx The uninitialized LMS private context that will + * then be initialized. */ +void mbedtls_lms_private_init( mbedtls_lms_private_t *ctx ); + +/** + * \brief This function uninitializes an LMS private context + * + * \param ctx The initialized LMS private context that will then + * be uninitialized. + */ +void mbedtls_lms_private_free( mbedtls_lms_private_t *ctx ); + +/** + * \brief This function generates an LMS private key, and + * stores in into an LMS private context. + * + * \warning This function is **not intended for use in + * production**, due to as-yet unsolved problems with + * handling stateful keys. The API for this function + * may change considerably in future versions. + * + * \note The seed must have at least 256 bits of entropy. + * + * \param ctx The initialized LMOTS context to generate the key + * into. + * \param type The LMS parameter set identifier. + * \param otstype The LMOTS parameter set identifier. + * \param f_rng The RNG function to be used to generate the key ID. + * \param p_rng The RNG context to be passed to f_rng + * \param seed The seed used to deterministically generate the + * key. + * \param seed_size The length of the seed. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lms_generate_private_key( mbedtls_lms_private_t *ctx, + mbedtls_lms_algorithm_type_t type, + mbedtls_lmots_algorithm_type_t otstype, + int (*f_rng)(void *, unsigned char *, size_t), + void* p_rng, const unsigned char *seed, + size_t seed_size ); + +/** + * \brief This function calculates an LMS public key from a + * LMS context that already contains a private key. + * + * \note Before this function is called, the context must + * have been initialized and the context must contain + * a private key. + * + * \param ctx The initialized LMS public context to calculate the key + * from and store it into. + * + * \param priv_ctx The LMS private context to read the private key + * from. This must have been initialized and contain a + * private key. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lms_calculate_public_key( mbedtls_lms_public_t *ctx, + const mbedtls_lms_private_t *priv_ctx ); + +/** + * \brief This function creates a LMS signature, using a + * LMS context that contains unused private keys. + * + * \warning This function is **not intended for use in + * production**, due to as-yet unsolved problems with + * handling stateful keys. The API for this function + * may change considerably in future versions. + * + * \note Before this function is called, the context must + * have been initialized and must contain a private + * key. + * + * \note Each of the LMOTS private keys inside a LMS private + * key can only be used once. If they are reused, then + * attackers may be able to forge signatures with that + * key. This is all handled transparently, but it is + * important to not perform copy operations on LMS + * contexts that contain private key material. + * + * \param ctx The initialized LMS private context from which the + * private key will be read. + * \param f_rng The RNG function to be used for signature + * generation. + * \param p_rng The RNG context to be passed to f_rng + * \param msg The buffer from which the message will be read. + * \param msg_size The size of the message that will be read. + * \param sig The buf into which the signature will be stored. + * Must be at least #MBEDTLS_LMS_SIG_LEN in size. + * \param sig_size The size of the buffer the signature will be + * written into. + * \param sig_len If not NULL, will be written with the size of the + * signature. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lms_sign( mbedtls_lms_private_t *ctx, + int (*f_rng)(void *, unsigned char *, size_t), + void* p_rng, const unsigned char *msg, + unsigned int msg_size, unsigned char *sig, size_t sig_size, + size_t *sig_len ); +#endif /* defined(MBEDTLS_LMS_PRIVATE) */ + +#ifdef __cplusplus +} +#endif + +#endif /* MBEDTLS_LMS_H */ diff --git a/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h b/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h index 984f9d8a226ca8..78c36354334075 100644 --- a/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h +++ b/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h @@ -260,7 +260,7 @@ * * Uncomment to get errors on using deprecated functions and features. */ -#define MBEDTLS_DEPRECATED_REMOVED +//#define MBEDTLS_DEPRECATED_REMOVED /** \} name SECTION: System support */ @@ -958,7 +958,7 @@ * might still happen. For this reason, this is disabled by default. * * Requires: MBEDTLS_ECJPAKE_C - * MBEDTLS_SHA256_C + * SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C) * MBEDTLS_ECP_DP_SECP256R1_ENABLED * * This enables the following ciphersuites (if other requisites are @@ -1110,7 +1110,7 @@ * Include backtrace information with each allocated block. * * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C - * GLIBC-compatible backtrace() an backtrace_symbols() support + * GLIBC-compatible backtrace() and backtrace_symbols() support * * Uncomment this macro to include backtrace information */ @@ -1130,7 +1130,7 @@ * * Enable support for PKCS#1 v1.5 encoding. * - * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C + * Requires: MBEDTLS_RSA_C * * This enables support for PKCS#1 v1.5 operations. */ @@ -1141,7 +1141,15 @@ * * Enable support for PKCS#1 v2.1 encoding. * - * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C + * Requires: MBEDTLS_RSA_C and (MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C). + * + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() + * before doing any PKCS#1 v2.1 operation. + * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ @@ -1317,21 +1325,16 @@ /** * \def MBEDTLS_SSL_DTLS_CONNECTION_ID * - * Enable support for the DTLS Connection ID extension - * (version draft-ietf-tls-dtls-connection-id-05, - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) + * Enable support for the DTLS Connection ID (CID) extension, * which allows to identify DTLS connections across changes - * in the underlying transport. + * in the underlying transport. The CID functionality is described + * in RFC 9146. * * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for * more information. * - * \warning The Connection ID extension is still in draft state. - * We make no stability promises for the availability - * or the shape of the API controlled by this option. - * * The maximum lengths of outgoing and incoming CIDs can be configured * through the options * - MBEDTLS_SSL_CID_OUT_LEN_MAX @@ -1341,7 +1344,30 @@ * * Uncomment to enable the Connection ID extension. */ -//#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_CONNECTION_ID + + +/** + * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT + * + * Defines whether RFC 9146 (default) or the legacy version + * (version draft-ietf-tls-dtls-connection-id-05, + * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) + * is used. + * + * Set the value to 0 for the standard version, and + * 1 for the legacy draft version. + * + * \deprecated Support for the legacy version of the DTLS + * Connection ID feature is deprecated. Please + * switch to the standardized version defined + * in RFC 9146 enabled by utilizing + * MBEDTLS_SSL_DTLS_CONNECTION_ID without use + * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. + * + * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID + */ +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 /** * \def MBEDTLS_SSL_ASYNC_PRIVATE @@ -1377,6 +1403,8 @@ * saved after the handshake to allow for more efficient serialization, so if * you don't need this feature you'll save RAM by disabling it. * + * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C + * * Comment to disable the context serialization APIs. */ #define MBEDTLS_SSL_CONTEXT_SERIALIZATION @@ -1489,8 +1517,14 @@ * * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). * - * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C - * (Depends on ciphersuites) + * Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and + * (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C) + * With MBEDTLS_USE_PSA_CRYPTO: + * PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or + * PSA_WANT_ALG_SHA_512 + * + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call + * psa_crypto_init() before doing any TLS operations. * * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 */ @@ -1509,11 +1543,11 @@ * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * Requires: MBEDTLS_PSA_CRYPTO_C * - * Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use - * PSA for all crypto operations, you need to also enable - * MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are - * common with TLS 1.2 (record protection, running handshake hash) will still - * use non-PSA crypto. + * Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditionally + * for most operations, if you want it to only use PSA for all crypto + * operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 + * operations, and functions that are common with TLS 1.2 (record protection, + * running handshake hash) will still use non-PSA crypto. * * Uncomment this macro to enable the support for TLS 1.3. */ @@ -1541,6 +1575,121 @@ */ //#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +/** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + * + * Enable TLS 1.3 PSK key exchange mode. + * + * Comment to disable support for the PSK key exchange mode in TLS 1.3. If + * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any + * effect on the build. + * + */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + +/** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + * + * Enable TLS 1.3 ephemeral key exchange mode. + * + * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or + * MBEDTLS_PKCS1_V21 + * + * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. + * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any + * effect on the build. + * + */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + +/** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + * + * Enable TLS 1.3 PSK ephemeral key exchange mode. + * + * Requires: MBEDTLS_ECDH_C + * + * Comment to disable support for the PSK ephemeral key exchange mode in + * TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not + * have any effect on the build. + * + */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + +/** + * \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE + * + * Maximum time difference in milliseconds tolerated between the age of a + * ticket from the server and client point of view. + * From the client point of view, the age of a ticket is the time difference + * between the time when the client proposes to the server to use the ticket + * (time of writing of the Pre-Shared Key Extension including the ticket) and + * the time the client received the ticket from the server. + * From the server point of view, the age of a ticket is the time difference + * between the time when the server receives a proposition from the client + * to use the ticket and the time when the ticket was created by the server. + * The server age is expected to be always greater than the client one and + * MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the + * maximum difference tolerated for the server to accept the ticket. + * This is not used in TLS 1.2. + * + */ +#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 + +/** + * \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH + * + * Size in bytes of a ticket nonce. This is not used in TLS 1.2. + * + * This must be less than 256. + */ +#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 + +/** + * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS + * + * Default number of NewSessionTicket messages to be sent by a TLS 1.3 server + * after handshake completion. This is not used in TLS 1.2 and relevant only if + * the MBEDTLS_SSL_SESSION_TICKETS option is enabled. + * + */ +#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 + +/** +* \def MBEDTLS_SSL_EARLY_DATA +* +* Enable support for RFC 8446 TLS 1.3 early data. +* +* Requires: MBEDTLS_SSL_SESSION_TICKETS and either +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +* +* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 +* is not enabled, this option does not have any effect on the build. +* +* This feature is experimental, not completed and thus not ready for +* production. +* +*/ +//#define MBEDTLS_SSL_EARLY_DATA + +/** + * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE + * + * The default maximum amount of 0-RTT data. See the documentation of + * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information. + * + * It must be positive and smaller than UINT32_MAX. + * + * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not + * have any impact on the build. + * + * This feature is experimental, not completed and thus not ready for + * production. + * + */ +#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 + /** * \def MBEDTLS_SSL_PROTO_DTLS * @@ -2001,6 +2150,9 @@ * Enable the multi-precision integer library. * * Module: library/bignum.c + * library/bignum_core.c + * library/bignum_mod.c + * library/bignum_mod_raw.c * Caller: library/dhm.c * library/ecp.c * library/ecdsa.c @@ -2317,7 +2469,15 @@ * This module is used by the following key exchanges: * ECJPAKE * - * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C + * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C + * + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() + * before doing any EC J-PAKE operations. + * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. */ #define MBEDTLS_ECJPAKE_C @@ -2405,6 +2565,32 @@ */ #define MBEDTLS_HMAC_DRBG_C +/** + * \def MBEDTLS_LMS_C + * + * Enable the LMS stateful-hash asymmetric signature algorithm. + * + * Module: library/lms.c + * Caller: + * + * Requires: MBEDTLS_PSA_CRYPTO_C + * + * Uncomment to enable the LMS verification algorithm and public key operations. + */ +#define MBEDTLS_LMS_C + +/** + * \def MBEDTLS_LMS_PRIVATE + * + * Enable LMS private-key operations and signing code. Functions enabled by this + * option are experimental, and should not be used in production. + * + * Requires: MBEDTLS_LMS_C + * + * Uncomment to enable the LMS signature algorithm and private key operations. + */ +//#define MBEDTLS_LMS_PRIVATE + /** * \def MBEDTLS_NIST_KW_C * @@ -2423,6 +2609,9 @@ * * Enable the generic message digest layer. * + * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, + * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, + * MBEDTLS_SHA512_C. * Module: library/md.c * Caller: library/constant_time.c * library/ecdsa.c @@ -2495,7 +2684,7 @@ * * \note See also our Knowledge Base article about porting to a new * environment: - * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS + * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS * * Module: library/net_sockets.c * @@ -2628,12 +2817,40 @@ * * Module: library/pkcs5.c * - * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C. + * + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() + * before doing any PKCS5 operation. + * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. * * This module adds support for the PKCS#5 functions. */ #define MBEDTLS_PKCS5_C +/** + * \def MBEDTLS_PKCS7_C + * + * This feature is a work in progress and not ready for production. Testing and + * validation is incomplete, and handling of malformed inputs may not be robust. + * The API may change. + * + * Enable PKCS7 core for using PKCS7 formatted signatures. + * RFC Link - https://tools.ietf.org/html/rfc2315 + * + * Module: library/pkcs7.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, + * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, + * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C + * + * This module is required for the PKCS7 parsing modules. + */ +//#define MBEDTLS_PKCS7_C + /** * \def MBEDTLS_PKCS12_C * @@ -2643,7 +2860,16 @@ * Module: library/pkcs12.c * Caller: library/pkparse.c * - * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C and either + * MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C. + * + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() + * before doing any PKCS12 operation. + * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. * * This module enables PKCS#12 functions. */ @@ -2660,7 +2886,7 @@ * above to be specified at runtime or compile time respectively. * * \note This abstraction layer must be enabled on Windows (including MSYS2) - * as other module rely on it for a fixed snprintf implementation. + * as other modules rely on it for a fixed snprintf implementation. * * Module: library/platform.c * Caller: Most other .c files @@ -2988,7 +3214,8 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO + * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && + * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C) */ #define MBEDTLS_SSL_TICKET_C @@ -3044,7 +3271,7 @@ * contexts are not shared between threads. If you do intend to use contexts * between threads, you will need to enable this layer to prevent race * conditions. See also our Knowledge Base article about threading: - * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading + * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading * * Module: library/threading.c * @@ -3076,7 +3303,7 @@ * * \note See also our Knowledge Base article about porting to a new * environment: - * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS + * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS * * Module: library/timing.c */ @@ -3103,8 +3330,11 @@ * library/x509_crt.c * library/x509_csr.c * - * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, - * MBEDTLS_PK_PARSE_C + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, + * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO) + * + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call + * psa_crypto_init() before doing any X.509 operation. * * This module is required for the X.509 parsing modules. */ @@ -3161,7 +3391,11 @@ * * Module: library/x509_create.c * - * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, + * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO) + * + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call + * psa_crypto_init() before doing any X.509 create operation. * * This module is the basis for creating X.509 certificates and CSRs. */ @@ -3502,17 +3736,6 @@ //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ -/** \def MBEDTLS_TLS_EXT_CID - * - * At the time of writing, the CID extension has not been assigned its - * final value. Set this configuration option to make Mbed TLS use a - * different value. - * - * A future minor revision of Mbed TLS may change the default value of - * this option to match evolving standards and usage. - */ -//#define MBEDTLS_TLS_EXT_CID 254 - /** * Complete list of ciphersuites to use, in order of preference. * diff --git a/thirdparty/mbedtls/include/mbedtls/md.h b/thirdparty/mbedtls/include/mbedtls/md.h index 612061d152e29e..fbf938dd1c2255 100644 --- a/thirdparty/mbedtls/include/mbedtls/md.h +++ b/thirdparty/mbedtls/include/mbedtls/md.h @@ -199,7 +199,7 @@ MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac ); /** - * \brief This function clones the state of an message-digest + * \brief This function clones the state of a message-digest * context. * * \note You must call mbedtls_md_setup() on \c dst before calling diff --git a/thirdparty/mbedtls/include/mbedtls/oid.h b/thirdparty/mbedtls/include/mbedtls/oid.h index a031fe2ddb6116..e5c4b92493f26d 100644 --- a/thirdparty/mbedtls/include/mbedtls/oid.h +++ b/thirdparty/mbedtls/include/mbedtls/oid.h @@ -34,9 +34,7 @@ #include "mbedtls/cipher.h" #endif -#if defined(MBEDTLS_MD_C) #include "mbedtls/md.h" -#endif /** OID is not found. */ #define MBEDTLS_ERR_OID_NOT_FOUND -0x002E @@ -222,6 +220,7 @@ #define MBEDTLS_OID_PKCS MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */ #define MBEDTLS_OID_PKCS1 MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */ #define MBEDTLS_OID_PKCS5 MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */ +#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } */ #define MBEDTLS_OID_PKCS9 MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */ #define MBEDTLS_OID_PKCS12 MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */ @@ -302,6 +301,16 @@ #define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */ #define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */ +/* + * PKCS#7 OIDs + */ +#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< Content type is Data OBJECT IDENTIFIER ::= {pkcs-7 1} */ +#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< Content type is Signed Data OBJECT IDENTIFIER ::= {pkcs-7 2} */ +#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< Content type is Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 3} */ +#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< Content type is Signed and Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 4} */ +#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< Content type is Digested Data OBJECT IDENTIFIER ::= {pkcs-7 5} */ +#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< Content type is Encrypted Data OBJECT IDENTIFIER ::= {pkcs-7 6} */ + /* * PKCS#8 OIDs */ @@ -519,7 +528,6 @@ int mbedtls_oid_get_oid_by_ec_grp( mbedtls_ecp_group_id grp_id, const char **oid, size_t *olen ); #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_MD_C) /** * \brief Translate SignatureAlgorithm OID into md_type and pk_type * @@ -556,25 +564,24 @@ int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t const char **oid, size_t *olen ); /** - * \brief Translate hash algorithm OID into md_type + * \brief Translate hmac algorithm OID into md_type * * \param oid OID to use - * \param md_alg place to store message digest algorithm + * \param md_hmac place to store message hmac algorithm * * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND */ -int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg ); +int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac ); /** - * \brief Translate hmac algorithm OID into md_type + * \brief Translate hash algorithm OID into md_type * * \param oid OID to use - * \param md_hmac place to store message hmac algorithm + * \param md_alg place to store message digest algorithm * * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND */ -int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac ); -#endif /* MBEDTLS_MD_C */ +int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg ); #if !defined(MBEDTLS_X509_REMOVE_INFO) /** diff --git a/thirdparty/mbedtls/include/mbedtls/pem.h b/thirdparty/mbedtls/include/mbedtls/pem.h index c75a1246ad7b6d..a4c6fb89f9a39b 100644 --- a/thirdparty/mbedtls/include/mbedtls/pem.h +++ b/thirdparty/mbedtls/include/mbedtls/pem.h @@ -27,11 +27,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** * \name PEM Error codes * These error codes are returned in case of errors reading the diff --git a/thirdparty/mbedtls/include/mbedtls/pk.h b/thirdparty/mbedtls/include/mbedtls/pk.h index 867961d3294bd9..db0bfacab3e37b 100644 --- a/thirdparty/mbedtls/include/mbedtls/pk.h +++ b/thirdparty/mbedtls/include/mbedtls/pk.h @@ -44,11 +44,6 @@ #include "psa/crypto.h" #endif -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** Memory allocation failed. */ #define MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80 /** Type mismatch, eg attempt to encrypt with an ECDSA key */ diff --git a/thirdparty/mbedtls/include/mbedtls/pkcs12.h b/thirdparty/mbedtls/include/mbedtls/pkcs12.h index 1b87aea925e1fa..327996a9ed4915 100644 --- a/thirdparty/mbedtls/include/mbedtls/pkcs12.h +++ b/thirdparty/mbedtls/include/mbedtls/pkcs12.h @@ -94,7 +94,7 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, * no byte order mark and with a null terminator (i.e. the * last two bytes should be 0x00 0x00). * \param pwdlen length of the password (may be 0). - * \param salt Salt buffer to use This may only be \c NULL when + * \param salt Salt buffer to use. This may only be \c NULL when * \p saltlen is 0. * \param saltlen length of the salt (may be zero) * \param mbedtls_md mbedtls_md type to use during the derivation diff --git a/thirdparty/mbedtls/include/mbedtls/pkcs5.h b/thirdparty/mbedtls/include/mbedtls/pkcs5.h index 71d716be71f33f..cf156644dcc16f 100644 --- a/thirdparty/mbedtls/include/mbedtls/pkcs5.h +++ b/thirdparty/mbedtls/include/mbedtls/pkcs5.h @@ -70,9 +70,33 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, #endif /* MBEDTLS_ASN1_PARSE_C */ +/** + * \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context + * + * \param md_type Hash algorithm used + * \param password Password to use when generating key + * \param plen Length of password + * \param salt Salt to use when generating key + * \param slen Length of salt + * \param iteration_count Iteration count + * \param key_length Length of generated key in bytes + * \param output Generated key. Must be at least as big as key_length + * + * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. + */ +int mbedtls_pkcs5_pbkdf2_hmac_ext( mbedtls_md_type_t md_type, + const unsigned char *password, + size_t plen, const unsigned char *salt, size_t slen, + unsigned int iteration_count, + uint32_t key_length, unsigned char *output ); + +#if defined(MBEDTLS_MD_C) +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief PKCS#5 PBKDF2 using HMAC * + * \deprecated Superseded by mbedtls_pkcs5_pbkdf2_hmac_ext(). + * * \param ctx Generic HMAC context * \param password Password to use when generating key * \param plen Length of password @@ -84,11 +108,13 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, * * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. */ -int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password, +int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, + const unsigned char *password, size_t plen, const unsigned char *salt, size_t slen, unsigned int iteration_count, uint32_t key_length, unsigned char *output ); - +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ +#endif /* MBEDTLS_MD_C */ #if defined(MBEDTLS_SELF_TEST) /** diff --git a/thirdparty/mbedtls/include/mbedtls/pkcs7.h b/thirdparty/mbedtls/include/mbedtls/pkcs7.h new file mode 100644 index 00000000000000..bf61a63a0311ed --- /dev/null +++ b/thirdparty/mbedtls/include/mbedtls/pkcs7.h @@ -0,0 +1,268 @@ +/** + * \file pkcs7.h + * + * \brief PKCS7 generic defines and structures + * https://tools.ietf.org/html/rfc2315 + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * This feature is a work in progress and not ready for production. The API may + * change. Furthermore, please note that the implementation has only been + * validated with well-formed inputs, not yet with untrusted inputs (which is + * almost always the case in practice). + * + * Note: For the time being, this implementation of the PKCS7 cryptographic + * message syntax is a partial implementation of RFC 2315. + * Differences include: + * - The RFC specifies 6 different content types. The only type currently + * supported in Mbed TLS is the signed data content type. + * - The only supported PKCS7 Signed Data syntax version is version 1 + * - The RFC specifies support for BER. This implementation is limited to + * DER only. + * - The RFC specifies that multiple digest algorithms can be specified + * in the Signed Data type. Only one digest algorithm is supported in Mbed TLS. + * - The RFC specifies the Signed Data type can contain multiple X509 or PKCS6 + * certificates. In Mbed TLS, this list can only contain 0 or 1 certificates + * and they must be in X509 format. + * - The RFC specifies the Signed Data type can contain + * certificate-revocation lists (crls). This implementation has no support + * for crls so it is assumed to be an empty list. + * - The RFC allows for SignerInfo structure to optionally contain + * unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is + * assumed these fields are empty. + */ + +#ifndef MBEDTLS_PKCS7_H +#define MBEDTLS_PKCS7_H + +#include "mbedtls/private_access.h" + +#include "mbedtls/build_info.h" + +#include "mbedtls/asn1.h" +#include "mbedtls/x509.h" +#include "mbedtls/x509_crt.h" + +/** + * \name PKCS7 Module Error codes + * \{ + */ +#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */ +#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x5380 /**< Unavailable feature, e.g. anything other than signed data. */ +#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS7 content info invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */ +#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ +#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS7 date issued/expired dates are invalid */ +/* \} name */ + +/** + * \name PKCS7 Supported Version + * \{ + */ +#define MBEDTLS_PKCS7_SUPPORTED_VERSION 0x01 +/* \} name */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Type-length-value structure that allows for ASN1 using DER. + */ +typedef mbedtls_asn1_buf mbedtls_pkcs7_buf; + +/** + * Container for ASN1 named information objects. + * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.). + */ +typedef mbedtls_asn1_named_data mbedtls_pkcs7_name; + +/** + * Container for a sequence of ASN.1 items + */ +typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence; + +/** + * PKCS7 types + */ +typedef enum { + MBEDTLS_PKCS7_NONE=0, + MBEDTLS_PKCS7_DATA, + MBEDTLS_PKCS7_SIGNED_DATA, + MBEDTLS_PKCS7_ENVELOPED_DATA, + MBEDTLS_PKCS7_SIGNED_AND_ENVELOPED_DATA, + MBEDTLS_PKCS7_DIGESTED_DATA, + MBEDTLS_PKCS7_ENCRYPTED_DATA, +} +mbedtls_pkcs7_type; + +/** + * Structure holding PKCS7 signer info + */ +typedef struct mbedtls_pkcs7_signer_info +{ + int MBEDTLS_PRIVATE(version); + mbedtls_x509_buf MBEDTLS_PRIVATE(serial); + mbedtls_x509_name MBEDTLS_PRIVATE(issuer); + mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); + mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig); + struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next); +} +mbedtls_pkcs7_signer_info; + +/** + * Structure holding attached data as part of PKCS7 signed data format + */ +typedef struct mbedtls_pkcs7_data +{ + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(oid); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data); +} +mbedtls_pkcs7_data; + +/** + * Structure holding the signed data section + */ +typedef struct mbedtls_pkcs7_signed_data +{ + int MBEDTLS_PRIVATE(version); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers); + struct mbedtls_pkcs7_data MBEDTLS_PRIVATE(content); + int MBEDTLS_PRIVATE(no_of_certs); + mbedtls_x509_crt MBEDTLS_PRIVATE(certs); + int MBEDTLS_PRIVATE(no_of_crls); + mbedtls_x509_crl MBEDTLS_PRIVATE(crl); + int MBEDTLS_PRIVATE(no_of_signers); + mbedtls_pkcs7_signer_info MBEDTLS_PRIVATE(signers); +} +mbedtls_pkcs7_signed_data; + +/** + * Structure holding PKCS7 structure, only signed data for now + */ +typedef struct mbedtls_pkcs7 +{ + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(content_type_oid); + mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); +} +mbedtls_pkcs7; + +/** + * \brief Initialize pkcs7 structure. + * + * \param pkcs7 pkcs7 structure. + */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ); + +/** + * \brief Parse a single DER formatted pkcs7 content. + * + * \param pkcs7 The pkcs7 structure to be filled by parser for the output. + * \param buf The buffer holding the DER encoded pkcs7. + * \param buflen The size in bytes of \p buf. + * + * \note This function makes an internal copy of the PKCS7 buffer + * \p buf. In particular, \p buf may be destroyed or reused + * after this call returns. + * + * \return The \c mbedtls_pkcs7_type of \p buf, if successful. + * \return A negative error code on failure. + */ +int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, + const size_t buflen ); + +/** + * \brief Verification of PKCS7 signature against a caller-supplied + * certificate. + * + * For each signer in the PKCS structure, this function computes + * a signature over the supplied data, using the supplied + * certificate and the same digest algorithm as specified by the + * signer. It then compares this signature against the + * signer's signature; verification succeeds if any comparison + * matches. + * + * This function does not use the certificates held within the + * PKCS7 structure itself. + * + * \param pkcs7 PKCS7 structure containing signature. + * \param cert Certificate containing key to verify signature. + * \param data Plain data on which signature has to be verified. + * \param datalen Length of the data. + * + * \note This function internally calculates the hash on the supplied + * plain data for signature verification. + * + * \return 0 if the signature verifies, or a negative error code on failure. + */ +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ); + +/** + * \brief Verification of PKCS7 signature against a caller-supplied + * certificate. + * + * For each signer in the PKCS structure, this function computes + * a signature over the supplied hash, using the supplied + * certificate and the same digest algorithm as specified by the + * signer. It then compares this signature against the + * signer's signature; verification succeeds if any comparison + * matches. + * + * This function does not use the certificates held within the + * PKCS7 structure itself. + * + * \param pkcs7 PKCS7 structure containing signature. + * \param cert Certificate containing key to verify signature. + * \param hash Hash of the plain data on which signature has to be verified. + * \param hashlen Length of the hash. + * + * \note This function is different from mbedtls_pkcs7_signed_data_verify() + * in a way that it directly receives the hash of the data. + * + * \return 0 if the signature verifies, or a negative error code on failure. + */ +int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *hash, size_t hashlen); + +/** + * \brief Unallocate all PKCS7 data and zeroize the memory. + * It doesn't free pkcs7 itself. It should be done by the caller. + * + * \param pkcs7 PKCS7 structure to free. + */ +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ); + +#ifdef __cplusplus +} +#endif + +#endif /* pkcs7.h */ diff --git a/thirdparty/mbedtls/include/mbedtls/platform.h b/thirdparty/mbedtls/include/mbedtls/platform.h index a5a43ac6d2bf4f..62e12d267c9eb3 100644 --- a/thirdparty/mbedtls/include/mbedtls/platform.h +++ b/thirdparty/mbedtls/include/mbedtls/platform.h @@ -11,6 +11,13 @@ * implementations of these functions, or implementations specific to * their platform, which can be statically linked to the library or * dynamically configured at runtime. + * + * When all compilation options related to platform abstraction are + * disabled, this header just defines `mbedtls_xxx` function names + * as aliases to the standard `xxx` function. + * + * Most modules in the library and example programs are expected to + * include this header. */ /* * Copyright The Mbed TLS Contributors diff --git a/thirdparty/mbedtls/include/mbedtls/psa_util.h b/thirdparty/mbedtls/include/mbedtls/psa_util.h index 8dd47f644546d9..f030bea94e6cd5 100644 --- a/thirdparty/mbedtls/include/mbedtls/psa_util.h +++ b/thirdparty/mbedtls/include/mbedtls/psa_util.h @@ -124,35 +124,38 @@ static inline psa_key_usage_t mbedtls_psa_translate_cipher_operation( /* Translations for hashing. */ +/* Note: this function should not be used from inside the library, use + * mbedtls_hash_info_psa_from_md() from the internal hash_info.h instead. + * It is kept only for compatibility in case applications were using it. */ static inline psa_algorithm_t mbedtls_psa_translate_md( mbedtls_md_type_t md_alg ) { switch( md_alg ) { -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_MD5_C) || defined(PSA_WANT_ALG_MD5) case MBEDTLS_MD_MD5: return( PSA_ALG_MD5 ); #endif -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_SHA1_C) || defined(PSA_WANT_ALG_SHA_1) case MBEDTLS_MD_SHA1: return( PSA_ALG_SHA_1 ); #endif -#if defined(MBEDTLS_SHA224_C) +#if defined(MBEDTLS_SHA224_C) || defined(PSA_WANT_ALG_SHA_224) case MBEDTLS_MD_SHA224: return( PSA_ALG_SHA_224 ); #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_SHA256_C) || defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_MD_SHA256: return( PSA_ALG_SHA_256 ); #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_SHA384_C) || defined(PSA_WANT_ALG_SHA_384) case MBEDTLS_MD_SHA384: return( PSA_ALG_SHA_384 ); #endif -#if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_SHA512_C) || defined(PSA_WANT_ALG_SHA_512) case MBEDTLS_MD_SHA512: return( PSA_ALG_SHA_512 ); #endif -#if defined(MBEDTLS_RIPEMD160_C) +#if defined(MBEDTLS_RIPEMD160_C) || defined(PSA_WANT_ALG_RIPEMD160) case MBEDTLS_MD_RIPEMD160: return( PSA_ALG_RIPEMD160 ); #endif diff --git a/thirdparty/mbedtls/include/mbedtls/ripemd160.h b/thirdparty/mbedtls/include/mbedtls/ripemd160.h index 9132a83be3ebc9..397ec841cc318a 100644 --- a/thirdparty/mbedtls/include/mbedtls/ripemd160.h +++ b/thirdparty/mbedtls/include/mbedtls/ripemd160.h @@ -66,7 +66,7 @@ void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx ); void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx ); /** - * \brief Clone (the state of) an RIPEMD-160 context + * \brief Clone (the state of) a RIPEMD-160 context * * \param dst The destination context * \param src The context to be cloned diff --git a/thirdparty/mbedtls/include/mbedtls/rsa.h b/thirdparty/mbedtls/include/mbedtls/rsa.h index e43ef9694c3dc5..2bfaf8f7117aa4 100644 --- a/thirdparty/mbedtls/include/mbedtls/rsa.h +++ b/thirdparty/mbedtls/include/mbedtls/rsa.h @@ -239,7 +239,7 @@ int mbedtls_rsa_import( mbedtls_rsa_context *ctx, * \param N The RSA modulus. This may be \c NULL. * \param N_len The Byte length of \p N; it is ignored if \p N == NULL. * \param P The first prime factor of \p N. This may be \c NULL. - * \param P_len The Byte length of \p P; it ns ignored if \p P == NULL. + * \param P_len The Byte length of \p P; it is ignored if \p P == NULL. * \param Q The second prime factor of \p N. This may be \c NULL. * \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. * \param D The private exponent. This may be \c NULL. @@ -479,7 +479,7 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ); * the current function does not have access to them, * and therefore cannot check them. See mbedtls_rsa_complete(). * If you want to check the consistency of the entire - * content of an PKCS1-encoded RSA private key, for example, you + * content of a PKCS1-encoded RSA private key, for example, you * should use mbedtls_rsa_validate_params() before setting * up the RSA context. * Additionally, if the implementation performs empirical checks, diff --git a/thirdparty/mbedtls/include/mbedtls/ssl.h b/thirdparty/mbedtls/include/mbedtls/ssl.h index b3b5d47f84420b..3f48377b6dc8a7 100644 --- a/thirdparty/mbedtls/include/mbedtls/ssl.h +++ b/thirdparty/mbedtls/include/mbedtls/ssl.h @@ -52,9 +52,7 @@ #include "mbedtls/platform_time.h" #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* * SSL Error codes @@ -99,9 +97,15 @@ /** Processing of the Certificate handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 /* Error space gap */ -/* Error space gap */ -/* Error space gap */ -/* Error space gap */ +/** + * Received NewSessionTicket Post Handshake Message. + * This error code is experimental and may be changed or removed without notice. + */ +#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00 +/** Not possible to read early data */ +#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80 +/** Not possible to write early data */ +#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C00 /* Error space gap */ /* Error space gap */ /* Error space gap */ @@ -169,6 +173,15 @@ /** Invalid value in SSL config */ #define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 +/* + * Constants from RFC 8446 for TLS 1.3 PSK modes + * + * Those are used in the Pre-Shared Key Exchange Modes extension. + * See Section 4.2.9 in RFC 8446. + */ +#define MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE 0 /* Pure PSK-based exchange */ +#define MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE 1 /* PSK+ECDHE-based exchange */ + /* * TLS 1.3 NamedGroup values * @@ -239,12 +252,14 @@ ( MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL | \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All ephemeral TLS 1.3 key exchanges */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE ( 0 ) + /* * Various constants */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) -/* These are the high an low bytes of ProtocolVersion as defined by: +/* These are the high and low bytes of ProtocolVersion as defined by: * - RFC 5246: ProtocolVersion version = { 3, 3 }; // TLS v1.2 * - RFC 8446: see section 4.2.1 */ @@ -318,12 +333,22 @@ #define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED 1 #define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED 0 +#define MBEDTLS_SSL_EARLY_DATA_DISABLED 0 +#define MBEDTLS_SSL_EARLY_DATA_ENABLED 1 + #define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0 #define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1 #define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT 1 #define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0 +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(PSA_WANT_ALG_SHA_384) +#define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 48 +#elif defined(PSA_WANT_ALG_SHA_256) +#define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 32 +#endif +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ /* * Default range for DTLS retransmission timer value, in milliseconds. * RFC 6347 4.2.4.1 says from 1 second to 60 seconds. @@ -383,6 +408,14 @@ /** \} name SECTION: Module settings */ +/* + * Default to standard CID mode + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +#endif + /* * Length of the verify data for secure renegotiation */ @@ -551,15 +584,10 @@ #define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */ #define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */ -/* The value of the CID extension is still TBD as of - * draft-ietf-tls-dtls-connection-id-05 - * (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05). - * - * A future minor revision of Mbed TLS may change the default value of - * this option to match evolving standards and usage. - */ -#if !defined(MBEDTLS_TLS_EXT_CID) -#define MBEDTLS_TLS_EXT_CID 254 /* TBD */ +#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#define MBEDTLS_TLS_EXT_CID 54 /* RFC 9146 DTLS 1.2 CID */ +#else +#define MBEDTLS_TLS_EXT_CID 254 /* Pre-RFC 9146 DTLS 1.2 CID */ #endif #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */ @@ -609,7 +637,8 @@ union mbedtls_ssl_premaster_secret #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) -#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE +#define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE + /* Length in number of bytes of the TLS sequence number */ #define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8 @@ -639,8 +668,8 @@ typedef enum MBEDTLS_SSL_SERVER_FINISHED, MBEDTLS_SSL_FLUSH_BUFFERS, MBEDTLS_SSL_HANDSHAKE_WRAPUP, - MBEDTLS_SSL_HANDSHAKE_OVER, - MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET, + + MBEDTLS_SSL_NEW_SESSION_TICKET, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, @@ -649,6 +678,9 @@ typedef enum MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST, + MBEDTLS_SSL_HANDSHAKE_OVER, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH, } mbedtls_ssl_states; @@ -735,7 +767,7 @@ typedef int mbedtls_ssl_recv_timeout_t( void *ctx, * for the associated \c mbedtls_ssl_get_timer_t callback to * return correct information. * - * \note If using a event-driven style of programming, an event must + * \note If using an event-driven style of programming, an event must * be generated when the final delay is passed. The event must * cause a call to \c mbedtls_ssl_handshake() with the proper * SSL context to be scheduled. Care must be taken to ensure @@ -778,6 +810,21 @@ typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +typedef uint8_t mbedtls_ssl_tls13_ticket_flags; + +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */ +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1U << 3 ) + +#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK \ + ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION | \ + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION | \ + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ + /** * \brief Callback type: server-side session cache getter * @@ -1138,7 +1185,6 @@ struct mbedtls_ssl_session mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */ #endif int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ - int MBEDTLS_PRIVATE(compression); /*!< chosen compression */ size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ @@ -1162,6 +1208,23 @@ struct mbedtls_ssl_session uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< ticket lifetime hint */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) + uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ + uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */ + uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */ + uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */ + unsigned char MBEDTLS_PRIVATE(resumption_key)[MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN]; + +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C) + char *MBEDTLS_PRIVATE(hostname); /*!< host name binded with tickets */ +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */ + +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_CLI_C) + mbedtls_time_t MBEDTLS_PRIVATE(ticket_received); /*!< time ticket was received */ +#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_CLI_C */ + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ + #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */ #endif @@ -1291,9 +1354,17 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_SSL_RENEGOTIATION) uint8_t MBEDTLS_PRIVATE(disable_renegotiation); /*!< disable renegotiation? */ #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_CLI_C) + uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */ #endif + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_SSL_PROTO_TLS1_3) + uint16_t MBEDTLS_PRIVATE(new_session_tickets_count); /*!< number of NewSessionTicket */ +#endif + #if defined(MBEDTLS_SSL_SRV_C) uint8_t MBEDTLS_PRIVATE(cert_req_ca_list); /*!< enable sending CA list in Certificate Request messages? */ @@ -1349,11 +1420,13 @@ struct mbedtls_ssl_config void *MBEDTLS_PRIVATE(p_vrfy); /*!< context for X.509 verify calllback */ #endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_SSL_SRV_C) /** Callback to retrieve PSK key from identity */ int (*MBEDTLS_PRIVATE(f_psk))(void *, mbedtls_ssl_context *, const unsigned char *, size_t); void *MBEDTLS_PRIVATE(p_psk); /*!< context for PSK callback */ #endif +#endif #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) /** Callback to create & write a cookie for ClientHello verification */ @@ -1398,13 +1471,13 @@ struct mbedtls_ssl_config void *MBEDTLS_PRIVATE(p_async_config_data); /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */ #endif const uint16_t *MBEDTLS_PRIVATE(sig_algs); /*!< allowed signature algorithms */ -#endif +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */ @@ -1417,7 +1490,7 @@ struct mbedtls_ssl_config mbedtls_mpi MBEDTLS_PRIVATE(dhm_G); /*!< generator for DHM */ #endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field @@ -1448,7 +1521,19 @@ struct mbedtls_ssl_config * Its value is non-zero if and only if * \c psk is not \c NULL or \c psk_opaque * is not \c 0. */ -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ + +#if defined(MBEDTLS_SSL_EARLY_DATA) + int MBEDTLS_PRIVATE(early_data_enabled); /*!< Early data enablement: + * - MBEDTLS_SSL_EARLY_DATA_DISABLED, + * - MBEDTLS_SSL_EARLY_DATA_ENABLED */ + +#if defined(MBEDTLS_SSL_SRV_C) + /* The maximum amount of 0-RTT data. RFC 8446 section 4.6.1 */ + uint32_t MBEDTLS_PRIVATE(max_early_data_size); +#endif /* MBEDTLS_SSL_SRV_C */ + +#endif /* MBEDTLS_SSL_EARLY_DATA */ #if defined(MBEDTLS_SSL_ALPN) const char **MBEDTLS_PRIVATE(alpn_list); /*!< ordered list of protocols */ @@ -1728,6 +1813,10 @@ struct mbedtls_ssl_context * and #MBEDTLS_SSL_CID_DISABLED. */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) + int MBEDTLS_PRIVATE(early_data_status); +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ + /** Callback to export key block and master secret */ mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys); void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */ @@ -1859,6 +1948,59 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ); */ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA) +/** +* \brief Set the early data mode +* Default: disabled on server and client +* +* \param conf The SSL configuration to use. +* \param early_data_enabled can be: +* +* MBEDTLS_SSL_EARLY_DATA_DISABLED: early data functionality is disabled +* This is the default on client and server. +* +* MBEDTLS_SSL_EARLY_DATA_ENABLED: early data functionality is enabled and +* may be negotiated in the handshake. Application using +* early data functionality needs to be aware of the +* lack of replay protection of the early data application +* payloads. +* +* \warning This interface is experimental and may change without notice. +* +*/ +void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, + int early_data_enabled ); + +#if defined(MBEDTLS_SSL_SRV_C) +/** + * \brief Set the maximum amount of 0-RTT data in bytes + * Default: #MBEDTLS_SSL_MAX_EARLY_DATA_SIZE + * + * This function sets the value of the max_early_data_size + * field of the early data indication extension included in + * the NewSessionTicket messages that the server may send. + * + * The value defines the maximum amount of 0-RTT data + * in bytes that a client will be allowed to send when using + * one of the tickets defined by the NewSessionTicket messages. + * + * \note When resuming a session using a ticket, if the server receives more + * early data than allowed for the ticket, it terminates the connection. + * The maximum amount of 0-RTT data should thus be large enough + * to allow a minimum of early data to be exchanged. + * + * \param[in] conf The SSL configuration to use. + * \param[in] max_early_data_size The maximum amount of 0-RTT data. + * + * \warning This interface is experimental and may change without notice. + * + */ +void mbedtls_ssl_tls13_conf_max_early_data_size( + mbedtls_ssl_config *conf, uint32_t max_early_data_size ); +#endif /* MBEDTLS_SSL_SRV_C */ + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Set the verification callback (Optional). @@ -1970,8 +2112,9 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * \brief Configure the use of the Connection ID (CID) * extension in the next handshake. * - * Reference: draft-ietf-tls-dtls-connection-id-05 + * Reference: RFC 9146 (or draft-ietf-tls-dtls-connection-id-05 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 + * for legacy version) * * The DTLS CID extension allows the reliable association of * DTLS records to DTLS connections across changes in the @@ -2028,7 +2171,7 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * the `ServerHello` contains the CID extension, too, * the CID extension will actually be put to use. * - On the Server, enabling the use of the CID through - * this call implies that that the server will look for + * this call implies that the server will look for * the CID extension in a `ClientHello` from the client, * and, if present, reply with a CID extension in its * `ServerHello`. @@ -2282,7 +2425,7 @@ int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, * here, except if using an event-driven style. * * \note See also the "DTLS tutorial" article in our knowledge base. - * https://tls.mbed.org/kb/how-to/dtls-tutorial + * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/dtls-tutorial */ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, void *p_timer, @@ -2474,7 +2617,7 @@ static inline uintptr_t mbedtls_ssl_conf_get_user_data_n( * \note The library stores \c p without accessing it. It is the responsibility * of the caller to ensure that the pointer remains valid. * - * \param ssl The SSL context context to modify. + * \param ssl The SSL context to modify. * \param p The new value of the user data. */ static inline void mbedtls_ssl_set_user_data_p( @@ -2488,7 +2631,7 @@ static inline void mbedtls_ssl_set_user_data_p( * * You can retrieve this value later with mbedtls_ssl_get_user_data_n(). * - * \param ssl The SSL context context to modify. + * \param ssl The SSL context to modify. * \param n The new value of the user data. */ static inline void mbedtls_ssl_set_user_data_n( @@ -2505,7 +2648,7 @@ static inline void mbedtls_ssl_set_user_data_n( * called. The value is undefined if mbedtls_ssl_set_user_data_n() has * been called without a subsequent call to mbedtls_ssl_set_user_data_p(). * - * \param ssl The SSL context context to modify. + * \param ssl The SSL context to modify. * \return The current value of the user data. */ static inline void *mbedtls_ssl_get_user_data_p( @@ -2521,7 +2664,7 @@ static inline void *mbedtls_ssl_get_user_data_p( * called. The value is undefined if mbedtls_ssl_set_user_data_p() has * been called without a subsequent call to mbedtls_ssl_set_user_data_n(). * - * \param ssl The SSL context context to modify. + * \param ssl The SSL context to modify. * \return The current value of the user data. */ static inline uintptr_t mbedtls_ssl_get_user_data_n( @@ -3250,7 +3393,7 @@ int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, mbedtls_pk_context *pk_key ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) /** * \brief Configure pre-shared keys (PSKs) and their * identities to be used in PSK-based ciphersuites. @@ -3375,6 +3518,7 @@ int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl, mbedtls_svc_key_id_t psk ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_SSL_SRV_C) /** * \brief Set the PSK callback (server-side only). * @@ -3417,7 +3561,8 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_psk ); -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) /** @@ -3550,7 +3695,7 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf, const uint16_t *groups ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) /** * \brief Set the allowed hashes for signatures during the handshake. @@ -3596,7 +3741,7 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, */ void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf, const uint16_t* sig_algs ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** @@ -3743,9 +3888,10 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, * \note The SSL context needs to be already set up. The right place * to call this function is between \c mbedtls_ssl_setup() or * \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake(). + * Password cannot be empty (see RFC 8236). * * \param ssl SSL context - * \param pw EC J-PAKE password (pre-shared secret) + * \param pw EC J-PAKE password (pre-shared secret). It cannot be empty * \param pw_len length of pw in bytes * * \return 0 on success, or a negative error code. @@ -4071,7 +4217,8 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order ); #endif /* MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_CLI_C) /** * \brief Enable / Disable session tickets (client only). * (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) @@ -4083,7 +4230,34 @@ void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order ); * MBEDTLS_SSL_SESSION_TICKETS_DISABLED) */ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ); -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_SSL_CLI_C */ + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_SSL_PROTO_TLS1_3) +/** + * \brief Number of NewSessionTicket messages for the server to send + * after handshake completion. + * + * \note The default value is + * \c MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS. + * + * \note In case of a session resumption, this setting only partially apply. + * At most one ticket is sent in that case to just renew the pool of + * tickets of the client. The rationale is to avoid the number of + * tickets on the server to become rapidly out of control when the + * server has the same configuration for all its connection instances. + * + * \param conf SSL configuration + * \param num_tickets Number of NewSessionTicket. + * + */ +void mbedtls_ssl_conf_new_session_tickets( mbedtls_ssl_config *conf, + uint16_t num_tickets ); +#endif /* MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_SSL_SRV_C && + MBEDTLS_SSL_PROTO_TLS1_3*/ #if defined(MBEDTLS_SSL_RENEGOTIATION) /** @@ -4515,7 +4689,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ); */ static inline int mbedtls_ssl_is_handshake_over( mbedtls_ssl_context *ssl ) { - return( ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_HANDSHAKE_OVER ); + return( ssl->MBEDTLS_PRIVATE( state ) >= MBEDTLS_SSL_HANDSHAKE_OVER ); } /** @@ -4703,7 +4877,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) * * \note When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ, * it must be called later with the *same* arguments, - * until it returns a value greater that or equal to 0. When + * until it returns a value greater than or equal to 0. When * the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be * some partial data in the output buffer, however this is not * yet sent. @@ -4755,6 +4929,151 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, */ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_SSL_EARLY_DATA) + +#if defined(MBEDTLS_SSL_SRV_C) +/** + * \brief Read at most 'len' application data bytes while performing + * the handshake (early data). + * + * \note This function behaves mainly as mbedtls_ssl_read(). The + * specification of mbedtls_ssl_read() relevant to TLS 1.3 + * (thus not the parts specific to (D)TLS 1.2) applies to this + * function and the present documentation is restricted to the + * differences with mbedtls_ssl_read(). + * + * \param ssl SSL context + * \param buf buffer that will hold the data + * \param len maximum number of bytes to read + * + * \return One additional specific return value: + * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA. + * + * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA is returned when it + * is not possible to read early data for the SSL context + * \p ssl. + * + * It may have been possible and it is not possible + * anymore because the server received the End of Early Data + * message or the maximum number of allowed early data for the + * PSK in use has been reached. + * + * It may never have been possible and will never be possible + * for the SSL context \p ssl because the use of early data + * is disabled for that context or more generally the context + * is not suitably configured to enable early data or the + * client does not use early data or the first call to the + * function was done while the handshake was already too + * advanced to gather and accept early data. + * + * It is not possible to read early data for the SSL context + * \p ssl but this does not preclude for using it with + * mbedtls_ssl_write(), mbedtls_ssl_read() or + * mbedtls_ssl_handshake(). + * + * \note When a server wants to retrieve early data, it is expected + * that this function starts the handshake for the SSL context + * \p ssl. But this is not mandatory. + * + */ +int mbedtls_ssl_read_early_data( mbedtls_ssl_context *ssl, + unsigned char *buf, size_t len ); +#endif /* MBEDTLS_SSL_SRV_C */ + +#if defined(MBEDTLS_SSL_CLI_C) +/** + * \brief Try to write exactly 'len' application data bytes while + * performing the handshake (early data). + * + * \note This function behaves mainly as mbedtls_ssl_write(). The + * specification of mbedtls_ssl_write() relevant to TLS 1.3 + * (thus not the parts specific to (D)TLS1.2) applies to this + * function and the present documentation is restricted to the + * differences with mbedtls_ssl_write(). + * + * \param ssl SSL context + * \param buf buffer holding the data + * \param len how many bytes must be written + * + * \return One additional specific return value: + * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA. + * + * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA is returned when it + * is not possible to write early data for the SSL context + * \p ssl. + * + * It may have been possible and it is not possible + * anymore because the client received the server Finished + * message, the server rejected early data or the maximum + * number of allowed early data for the PSK in use has been + * reached. + * + * It may never have been possible and will never be possible + * for the SSL context \p ssl because the use of early data + * is disabled for that context or more generally the context + * is not suitably configured to enable early data or the first + * call to the function was done while the handshake was + * already completed. + * + * It is not possible to write early data for the SSL context + * \p ssl but this does not preclude for using it with + * mbedtls_ssl_write(), mbedtls_ssl_read() or + * mbedtls_ssl_handshake(). + * + * \note This function may write early data only if the SSL context + * has been configured for the handshake with a PSK for which + * early data is allowed. + * + * \note To maximize the number of early data that can be written in + * the course of the handshake, it is expected that this + * function starts the handshake for the SSL context \p ssl. + * But this is not mandatory. + * + * \note This function does not provide any information on whether + * the server has accepted or will accept early data or not. + * When it returns a positive value, it just means that it + * has written early data to the server. To know whether the + * server has accepted early data or not, you should call + * mbedtls_ssl_get_early_data_status() with the handshake + * completed. + */ +int mbedtls_ssl_write_early_data( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ); + +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2 +/** + * \brief Get the status of the negotiation of the use of early data. + * + * \param ssl The SSL context to query + * + * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * from the server-side. + * + * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * prior to completion of the handshake. + * + * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT if the client has + * not indicated the use of early data to the server. + * + * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED if the client has + * indicated the use of early data and the server has accepted + * it. + * + * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED if the client has + * indicated the use of early data but the server has rejected + * it. In this situation, the client may want to re-send the + * early data it may have tried to send by calling + * mbedtls_ssl_write_early_data() as ordinary post-handshake + * application data by calling mbedtls_ssl_write(). + * + */ +int mbedtls_ssl_get_early_data_status( mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_CLI_C */ + +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /** * \brief Free referenced items in an SSL context and clear memory * diff --git a/thirdparty/mbedtls/include/mbedtls/ssl_ciphersuites.h b/thirdparty/mbedtls/include/mbedtls/ssl_ciphersuites.h index cd6ccbc90a3c92..b46116e0df1ad1 100644 --- a/thirdparty/mbedtls/include/mbedtls/ssl_ciphersuites.h +++ b/thirdparty/mbedtls/include/mbedtls/ssl_ciphersuites.h @@ -292,6 +292,11 @@ typedef enum { #define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED #endif +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) +#define MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED +#endif + /* Key exchanges allowing client certificate requests */ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ @@ -341,6 +346,11 @@ typedef enum { #define MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED #endif +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) || \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +#define MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED +#endif + /* Key exchanges using DHE */ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) diff --git a/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h b/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h index 98fd2870790858..b8a8a246fe4942 100644 --- a/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h +++ b/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h @@ -34,6 +34,10 @@ #include "mbedtls/ssl.h" #include "mbedtls/cipher.h" +#if defined(MBEDTLS_HAVE_TIME) +#include "mbedtls/platform_time.h" +#endif + #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" #endif @@ -56,7 +60,9 @@ typedef struct mbedtls_ssl_ticket_key { unsigned char MBEDTLS_PRIVATE(name)[MBEDTLS_SSL_TICKET_KEY_NAME_BYTES]; /*!< random key identifier */ - uint32_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */ +#if defined(MBEDTLS_HAVE_TIME) + mbedtls_time_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */ +#endif #if !defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */ #else diff --git a/thirdparty/mbedtls/include/mbedtls/x509_crt.h b/thirdparty/mbedtls/include/mbedtls/x509_crt.h index aa45957061e38e..d2b7648c4123e3 100644 --- a/thirdparty/mbedtls/include/mbedtls/x509_crt.h +++ b/thirdparty/mbedtls/include/mbedtls/x509_crt.h @@ -24,6 +24,7 @@ #include "mbedtls/private_access.h" #include "mbedtls/build_info.h" +#include "mbedtls/legacy_or_psa.h" #include "mbedtls/x509.h" #include "mbedtls/x509_crl.h" @@ -515,7 +516,7 @@ int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *chain, * mbedtls_x509_crt_init(). * \param buf The address of the readable buffer holding the DER encoded * certificate to use. On success, this buffer must be - * retained and not be changed for the liftetime of the + * retained and not be changed for the lifetime of the * CRT chain \p chain, that is, until \p chain is destroyed * through a call to mbedtls_x509_crt_free(). * \param buflen The size in Bytes of \p buf. @@ -1108,7 +1109,7 @@ int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen ); -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) /** * \brief Set the subjectKeyIdentifier extension for a CRT * Requires that mbedtls_x509write_crt_set_subject_key() has been @@ -1130,7 +1131,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED */ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */ /** * \brief Set the Key Usage Extension flags @@ -1144,6 +1145,19 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned int key_usage ); +/** + * \brief Set the Extended Key Usage Extension + * (e.g. MBEDTLS_OID_SERVER_AUTH) + * + * \param ctx CRT context to use + * \param exts extended key usage extensions to set, a sequence of + * MBEDTLS_ASN1_OID objects + * + * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + */ +int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, + const mbedtls_asn1_sequence *exts ); + /** * \brief Set the Netscape Cert Type flags * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) diff --git a/thirdparty/mbedtls/include/psa/crypto.h b/thirdparty/mbedtls/include/psa/crypto.h index 234594e97061b2..03181ed33e663a 100644 --- a/thirdparty/mbedtls/include/psa/crypto.h +++ b/thirdparty/mbedtls/include/psa/crypto.h @@ -525,7 +525,7 @@ psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key, * * This function destroys a key from both volatile * memory and, if applicable, non-volatile storage. Implementations shall - * make a best effort to ensure that that the key material cannot be recovered. + * make a best effort to ensure that the key material cannot be recovered. * * This function also erases any metadata such as policies and frees * resources associated with the key. @@ -545,7 +545,7 @@ psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key, * \retval #PSA_ERROR_INVALID_HANDLE * \p key is not a valid identifier nor \c 0. * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * There was an failure in communication with the cryptoprocessor. + * There was a failure in communication with the cryptoprocessor. * The key material may still be present in the cryptoprocessor. * \retval #PSA_ERROR_DATA_INVALID * This error is typically a result of either storage corruption on a @@ -3823,7 +3823,7 @@ psa_status_t psa_key_derivation_verify_bytes( * compares those bytes to an expected value, provided as key of type * #PSA_KEY_TYPE_PASSWORD_HASH. * If you view the key derivation's output as a stream of bytes, this - * function destructively reads the number of bytes corresponding the + * function destructively reads the number of bytes corresponding to the * length of the expected value from the stream before comparing them. * The operation's capacity decreases by the number of bytes read. * diff --git a/thirdparty/mbedtls/include/psa/crypto_compat.h b/thirdparty/mbedtls/include/psa/crypto_compat.h index 1d3253cb288bf9..89c13f1c10599d 100644 --- a/thirdparty/mbedtls/include/psa/crypto_compat.h +++ b/thirdparty/mbedtls/include/psa/crypto_compat.h @@ -44,7 +44,7 @@ typedef mbedtls_svc_key_id_t psa_key_handle_t; #define PSA_KEY_HANDLE_INIT MBEDTLS_SVC_KEY_ID_INIT -/** Check whether an handle is null. +/** Check whether a handle is null. * * \param handle Handle * diff --git a/thirdparty/mbedtls/include/psa/crypto_config.h b/thirdparty/mbedtls/include/psa/crypto_config.h index 991be96ef4fa45..5ab4fdef3a3448 100644 --- a/thirdparty/mbedtls/include/psa/crypto_config.h +++ b/thirdparty/mbedtls/include/psa/crypto_config.h @@ -65,6 +65,7 @@ #define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 +#define PSA_WANT_ALG_JPAKE 1 #define PSA_WANT_ALG_GCM 1 #define PSA_WANT_ALG_HKDF 1 #define PSA_WANT_ALG_HKDF_EXTRACT 1 @@ -88,6 +89,8 @@ #define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 + /* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS. * Note: when adding support, also adjust include/mbedtls/config_psa.h */ //#define PSA_WANT_ALG_XTS 1 diff --git a/thirdparty/mbedtls/include/psa/crypto_extra.h b/thirdparty/mbedtls/include/psa/crypto_extra.h index 73da364bc637ce..33e2e77b999630 100644 --- a/thirdparty/mbedtls/include/psa/crypto_extra.h +++ b/thirdparty/mbedtls/include/psa/crypto_extra.h @@ -359,7 +359,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, */ #define PSA_KEY_TYPE_DSA_KEY_PAIR ((psa_key_type_t)0x7002) -/** Whether a key type is an DSA key (pair or public-only). */ +/** Whether a key type is a DSA key (pair or public-only). */ #define PSA_KEY_TYPE_IS_DSA(type) \ (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY) @@ -1287,7 +1287,7 @@ static void psa_pake_cs_set_hash( psa_pake_cipher_suite_t *cipher_suite, * Implementation details can change in future versions without notice. */ typedef struct psa_pake_operation_s psa_pake_operation_t; -/** Return an initial value for an PAKE operation object. +/** Return an initial value for a PAKE operation object. */ static psa_pake_operation_t psa_pake_operation_init( void ); @@ -1760,7 +1760,16 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); * recognized, or the parameters are incompatible, * return 0. */ -#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) 0 +#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) \ + ( alg == PSA_ALG_JPAKE && \ + primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \ + PSA_ECC_FAMILY_SECP_R1, 256) ? \ + ( \ + output_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \ + output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \ + 32 \ + ) : \ + 0 ) /** A sufficient input buffer size for psa_pake_input(). * @@ -1781,7 +1790,16 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); * the input type or PAKE algorithm is not recognized, or * the parameters are incompatible, return 0. */ -#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) 0 +#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) \ + ( alg == PSA_ALG_JPAKE && \ + primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \ + PSA_ECC_FAMILY_SECP_R1, 256) ? \ + ( \ + input_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \ + input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \ + 32 \ + ) : \ + 0 ) /** Output buffer size for psa_pake_output() for any of the supported PAKE * algorithm and primitive suites and output step. @@ -1790,7 +1808,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); * * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p step). */ -#define PSA_PAKE_OUTPUT_MAX_SIZE 0 +#define PSA_PAKE_OUTPUT_MAX_SIZE 65 /** Input buffer size for psa_pake_input() for any of the supported PAKE * algorithm and primitive suites and input step. @@ -1799,7 +1817,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); * * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p step). */ -#define PSA_PAKE_INPUT_MAX_SIZE 0 +#define PSA_PAKE_INPUT_MAX_SIZE 65 /** Returns a suitable initializer for a PAKE cipher suite object of type * psa_pake_cipher_suite_t. @@ -1809,7 +1827,14 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ -#define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, {0}} +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) +#define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, 0, 0, \ + NULL, 0 , \ + PSA_PAKE_ROLE_NONE, {0}, 0, 0, \ + {.dummy = 0}} +#else +#define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, {0}} +#endif struct psa_pake_cipher_suite_s { @@ -1879,14 +1904,37 @@ static inline void psa_pake_cs_set_hash( psa_pake_cipher_suite_t *cipher_suite, cipher_suite->hash = hash; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#include +/* Note: the format for mbedtls_ecjpake_read/write function has an extra + * length byte for each step, plus an extra 3 bytes for ECParameters in the + * server's 2nd round. */ +#define MBEDTLS_PSA_PAKE_BUFFER_SIZE ( ( 3 + 1 + 65 + 1 + 65 + 1 + 32 ) * 2 ) +#endif + struct psa_pake_operation_s { - psa_algorithm_t alg; + psa_algorithm_t MBEDTLS_PRIVATE(alg); + unsigned int MBEDTLS_PRIVATE(state); + unsigned int MBEDTLS_PRIVATE(sequence); +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + unsigned int MBEDTLS_PRIVATE(input_step); + unsigned int MBEDTLS_PRIVATE(output_step); + uint8_t* MBEDTLS_PRIVATE(password); + size_t MBEDTLS_PRIVATE(password_len); + psa_pake_role_t MBEDTLS_PRIVATE(role); + uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); + size_t MBEDTLS_PRIVATE(buffer_length); + size_t MBEDTLS_PRIVATE(buffer_offset); +#endif union { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + mbedtls_ecjpake_context ecjpake; +#endif /* Make the union non-empty even with no supported algorithms. */ uint8_t dummy; - } ctx; + } MBEDTLS_PRIVATE(ctx); }; static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init( void ) diff --git a/thirdparty/mbedtls/include/psa/crypto_platform.h b/thirdparty/mbedtls/include/psa/crypto_platform.h index 4787e44b6ce0ef..573b33c8561aaa 100644 --- a/thirdparty/mbedtls/include/psa/crypto_platform.h +++ b/thirdparty/mbedtls/include/psa/crypto_platform.h @@ -45,11 +45,6 @@ /* PSA requires several types which C99 provides in stdint.h. */ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) /* Building for the PSA Crypto service on a PSA platform, a key owner is a PSA @@ -57,8 +52,8 @@ * * The function psa_its_identifier_of_slot() in psa_crypto_storage.c that * translates a key identifier to a key storage file name assumes that - * mbedtls_key_owner_id_t is an 32 bits integer. This function thus needs - * reworking if mbedtls_key_owner_id_t is not defined as a 32 bits integer + * mbedtls_key_owner_id_t is a 32-bit integer. This function thus needs + * reworking if mbedtls_key_owner_id_t is not defined as a 32-bit integer * here anymore. */ typedef int32_t mbedtls_key_owner_id_t; diff --git a/thirdparty/mbedtls/include/psa/crypto_se_driver.h b/thirdparty/mbedtls/include/psa/crypto_se_driver.h index 91a6d0beeb329c..225fb176355268 100644 --- a/thirdparty/mbedtls/include/psa/crypto_se_driver.h +++ b/thirdparty/mbedtls/include/psa/crypto_se_driver.h @@ -226,7 +226,7 @@ typedef psa_status_t (*psa_drv_se_mac_finish_t)(void *op_context, * operation by comparing the resulting MAC against a provided value * * \param[in,out] op_context A hardware-specific structure for the previously - * started MAC operation to be fiinished + * started MAC operation to be finished * \param[in] p_mac The MAC value against which the resulting MAC * will be compared against * \param[in] mac_length The size in bytes of the value stored in `p_mac` @@ -337,7 +337,7 @@ typedef struct { /** Function that completes a MAC operation with a verify check */ psa_drv_se_mac_finish_verify_t MBEDTLS_PRIVATE(p_finish_verify); - /** Function that aborts a previoustly started MAC operation + /** Function that aborts a previously started MAC operation */ psa_drv_se_mac_abort_t MBEDTLS_PRIVATE(p_abort); /** Function that performs a MAC operation in one call @@ -395,7 +395,7 @@ typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_cont psa_encrypt_or_decrypt_t direction); /** \brief A function that sets the initialization vector (if - * necessary) for an secure element cipher operation + * necessary) for a secure element cipher operation * * Rationale: The `psa_se_cipher_*` operation in the PSA Cryptographic API has * two IV functions: one to set the IV, and one to generate it internally. The @@ -746,7 +746,7 @@ typedef psa_status_t (*psa_drv_se_aead_encrypt_t)(psa_drv_se_context_t *drv_cont size_t ciphertext_size, size_t *p_ciphertext_length); -/** A function that peforms a secure element authenticated decryption operation +/** A function that performs a secure element authenticated decryption operation * * \param[in,out] drv_context The driver context structure. * \param[in] key_slot Slot containing the key to use @@ -1157,7 +1157,7 @@ typedef struct { * * Different key derivation algorithms require a different number of inputs. * Instead of having an API that takes as input variable length arrays, which - * can be problemmatic to manage on embedded platforms, the inputs are passed + * can be problematic to manage on embedded platforms, the inputs are passed * to the driver via a function, `psa_drv_se_key_derivation_collateral`, that * is called multiple times with different `collateral_id`s. Thus, for a key * derivation algorithm that required 3 parameter inputs, the flow would look @@ -1271,7 +1271,7 @@ typedef struct { psa_drv_se_key_derivation_collateral_t MBEDTLS_PRIVATE(p_collateral); /** Function that performs a final key derivation step */ psa_drv_se_key_derivation_derive_t MBEDTLS_PRIVATE(p_derive); - /** Function that perforsm a final key derivation or agreement and + /** Function that performs a final key derivation or agreement and * exports the key */ psa_drv_se_key_derivation_export_t MBEDTLS_PRIVATE(p_export); } psa_drv_se_key_derivation_t; diff --git a/thirdparty/mbedtls/include/psa/crypto_sizes.h b/thirdparty/mbedtls/include/psa/crypto_sizes.h index 1024d6b918a1ba..b42b2df0d0a286 100644 --- a/thirdparty/mbedtls/include/psa/crypto_sizes.h +++ b/thirdparty/mbedtls/include/psa/crypto_sizes.h @@ -239,6 +239,15 @@ */ #define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128 +/* The expected size of input passed to psa_tls12_ecjpake_to_pms_input, + * which is expected to work with P-256 curve only. */ +#define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65 + +/* The size of a serialized K.X coordinate to be used in + * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256 + * curve. */ +#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32 + /** The maximum size of a block cipher. */ #define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16 @@ -708,7 +717,7 @@ (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11) /* Maximum size of the export encoding of an RSA key pair. - * Assumes thatthe public exponent is less than 2^32 and that the size + * Assumes that the public exponent is less than 2^32 and that the size * difference between the two primes is at most 1 bit. * * RSAPrivateKey ::= SEQUENCE { diff --git a/thirdparty/mbedtls/include/psa/crypto_struct.h b/thirdparty/mbedtls/include/psa/crypto_struct.h index 957b4c611372e0..afba32502228b5 100644 --- a/thirdparty/mbedtls/include/psa/crypto_struct.h +++ b/thirdparty/mbedtls/include/psa/crypto_struct.h @@ -202,6 +202,12 @@ typedef struct #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF || MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT || MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +typedef struct +{ + uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE]; +} psa_tls12_ecjpake_to_pms_t; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) @@ -266,6 +272,9 @@ struct psa_key_derivation_s #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf); +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms); #endif } MBEDTLS_PRIVATE(ctx); }; diff --git a/thirdparty/mbedtls/include/psa/crypto_types.h b/thirdparty/mbedtls/include/psa/crypto_types.h index e619cf537e2b74..af61aea9df5d49 100644 --- a/thirdparty/mbedtls/include/psa/crypto_types.h +++ b/thirdparty/mbedtls/include/psa/crypto_types.h @@ -105,7 +105,7 @@ typedef uint8_t psa_ecc_family_t; * Values of this type are generally constructed by macros called * `PSA_DH_FAMILY_xxx`. * - * The group identifier is required to create an Diffie-Hellman key using the + * The group identifier is required to create a Diffie-Hellman key using the * PSA_KEY_TYPE_DH_KEY_PAIR() or PSA_KEY_TYPE_DH_PUBLIC_KEY() * macros. * @@ -297,7 +297,7 @@ typedef psa_key_id_t mbedtls_svc_key_id_t; #else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ /* Implementation-specific: The Mbed Cryptography library can be built as - * part of a multi-client service that exposes the PSA Cryptograpy API in each + * part of a multi-client service that exposes the PSA Cryptography API in each * client and encodes the client identity in the key identifier argument of * functions such as psa_open_key(). */ diff --git a/thirdparty/mbedtls/include/psa/crypto_values.h b/thirdparty/mbedtls/include/psa/crypto_values.h index b3526aef47285e..c9c1ec05fd527c 100644 --- a/thirdparty/mbedtls/include/psa/crypto_values.h +++ b/thirdparty/mbedtls/include/psa/crypto_values.h @@ -1265,7 +1265,7 @@ */ #define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x05100500) -/* In the encoding of a AEAD algorithm, the bits corresponding to +/* In the encoding of an AEAD algorithm, the bits corresponding to * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag. * The constants for default lengths follow this encoding. */ @@ -1400,9 +1400,11 @@ * This is the signature scheme defined by RFC 8017 * (PKCS#1: RSA Cryptography Specifications) under the name * RSASSA-PSS, with the message generation function MGF1, and with - * a salt length equal to the length of the hash. The specified - * hash algorithm is used to hash the input message, to create the - * salted hash, and for the mask generation. + * a salt length equal to the length of the hash, or the largest + * possible salt length for the algorithm and key size if that is + * smaller than the hash length. The specified hash algorithm is + * used to hash the input message, to create the salted hash, and + * for the mask generation. * * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_HASH(\p hash_alg) is true). @@ -2019,6 +2021,20 @@ #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) +/* The TLS 1.2 ECJPAKE-to-PMS KDF. It takes the shared secret K (an EC point + * in case of EC J-PAKE) and calculates SHA256(K.X) that the rest of TLS 1.2 + * will use to derive the session secret, as defined by step 2 of + * https://datatracker.ietf.org/doc/html/draft-cragie-tls-ecjpake-01#section-8.7. + * Uses PSA_ALG_SHA_256. + * This function takes a single input: + * #PSA_KEY_DERIVATION_INPUT_SECRET is the shared secret K from EC J-PAKE. + * The only supported curve is secp256r1 (the 256-bit curve in + * #PSA_ECC_FAMILY_SECP_R1), so the input must be exactly 65 bytes. + * The output has to be read as a single chunk of 32 bytes, defined as + * PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE. + */ +#define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t)0x08000609) + /* This flag indicates whether the key derivation algorithm is suitable for * use on low-entropy secrets such as password - these algorithms are also * known as key stretching or password hashing schemes. These are also the @@ -2561,7 +2577,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * This flag allows the key to be used for a MAC verification operation * or for an asymmetric signature verification operation, - * if otherwise permitted by by the key's type and policy. + * if otherwise permitted by the key's type and policy. * * For a key pair, this concerns the public key. */ @@ -2571,7 +2587,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * hash. * * This flag allows the key to be used for a key derivation operation or for - * a key agreement operation, if otherwise permitted by by the key's type and + * a key agreement operation, if otherwise permitted by the key's type and * policy. * * If this flag is present on all keys used in calls to @@ -2587,7 +2603,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * This flag allows the key to be used: * * This flag allows the key to be used in a key derivation operation, if - * otherwise permitted by by the key's type and policy. + * otherwise permitted by the key's type and policy. * * If this flag is present on all keys used in calls to * psa_key_derivation_input_key() for a key derivation operation, then it diff --git a/thirdparty/mbedtls/library/aes.c b/thirdparty/mbedtls/library/aes.c index bf5d43212968f9..319d9bb67e89fa 100644 --- a/thirdparty/mbedtls/library/aes.c +++ b/thirdparty/mbedtls/library/aes.c @@ -40,23 +40,10 @@ #include "aesni.h" #endif -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_AES_ALT) -/* Parameter validation macros based on platform_util.h */ -#define AES_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) -#define AES_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - #if defined(MBEDTLS_PADLOCK_C) && \ ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) static int aes_padlock_ace = -1; @@ -489,8 +476,6 @@ static void aes_gen_tables( void ) void mbedtls_aes_init( mbedtls_aes_context *ctx ) { - AES_VALIDATE( ctx != NULL ); - memset( ctx, 0, sizeof( mbedtls_aes_context ) ); } @@ -505,8 +490,6 @@ void mbedtls_aes_free( mbedtls_aes_context *ctx ) #if defined(MBEDTLS_CIPHER_MODE_XTS) void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) { - AES_VALIDATE( ctx != NULL ); - mbedtls_aes_init( &ctx->crypt ); mbedtls_aes_init( &ctx->tweak ); } @@ -531,9 +514,6 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, unsigned int i; uint32_t *RK; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( key != NULL ); - switch( keybits ) { case 128: ctx->nr = 10; break; @@ -550,19 +530,19 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, } #endif + ctx->rk_offset = 0; #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) if( aes_padlock_ace == -1 ) aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); if( aes_padlock_ace ) - ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); - else + ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf; #endif - ctx->rk = RK = ctx->buf; + RK = ctx->buf + ctx->rk_offset; #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) - return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ); + return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) ); #endif for( i = 0; i < ( keybits >> 5 ); i++ ) @@ -649,20 +629,17 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, uint32_t *RK; uint32_t *SK; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( key != NULL ); - mbedtls_aes_init( &cty ); + ctx->rk_offset = 0; #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) if( aes_padlock_ace == -1 ) aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); if( aes_padlock_ace ) - ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); - else + ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf; #endif - ctx->rk = RK = ctx->buf; + RK = ctx->buf + ctx->rk_offset; /* Also checks keybits */ if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) @@ -673,13 +650,13 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) { - mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk, - (const unsigned char *) cty.rk, ctx->nr ); + mbedtls_aesni_inverse_key( (unsigned char *) RK, + (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr ); goto exit; } #endif - SK = cty.rk + cty.nr * 4; + SK = cty.buf + cty.rk_offset + cty.nr * 4; *RK++ = *SK++; *RK++ = *SK++; @@ -743,9 +720,6 @@ int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, const unsigned char *key1, *key2; unsigned int key1bits, key2bits; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( key != NULL ); - ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, &key2, &key2bits ); if( ret != 0 ) @@ -768,9 +742,6 @@ int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, const unsigned char *key1, *key2; unsigned int key1bits, key2bits; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( key != NULL ); - ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, &key2, &key2bits ); if( ret != 0 ) @@ -843,7 +814,7 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, unsigned char output[16] ) { int i; - uint32_t *RK = ctx->rk; + uint32_t *RK = ctx->buf + ctx->rk_offset; struct { uint32_t X[4]; @@ -907,7 +878,7 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, unsigned char output[16] ) { int i; - uint32_t *RK = ctx->rk; + uint32_t *RK = ctx->buf + ctx->rk_offset; struct { uint32_t X[4]; @@ -970,12 +941,8 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16] ) { - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( ctx->rk != NULL ); - AES_VALIDATE_RET( input != NULL ); - AES_VALIDATE_RET( output != NULL ); - AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || - mode == MBEDTLS_AES_DECRYPT ); + if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT ) + return MBEDTLS_ERR_AES_BAD_INPUT_DATA; #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) @@ -1015,12 +982,8 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char temp[16]; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || - mode == MBEDTLS_AES_DECRYPT ); - AES_VALIDATE_RET( iv != NULL ); - AES_VALIDATE_RET( input != NULL ); - AES_VALIDATE_RET( output != NULL ); + if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT ) + return MBEDTLS_ERR_AES_BAD_INPUT_DATA; if( length % 16 ) return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); @@ -1124,12 +1087,8 @@ int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, unsigned char prev_tweak[16]; unsigned char tmp[16]; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || - mode == MBEDTLS_AES_DECRYPT ); - AES_VALIDATE_RET( data_unit != NULL ); - AES_VALIDATE_RET( input != NULL ); - AES_VALIDATE_RET( output != NULL ); + if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT ) + return MBEDTLS_ERR_AES_BAD_INPUT_DATA; /* Data units must be at least 16 bytes long. */ if( length < 16 ) @@ -1153,7 +1112,7 @@ int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, { /* We are on the last block in a decrypt operation that has * leftover bytes, so we need to use the next tweak for this block, - * and this tweak for the lefover bytes. Save the current tweak for + * and this tweak for the leftover bytes. Save the current tweak for * the leftovers and then update the current tweak for use on this, * the last full block. */ memcpy( prev_tweak, tweak, sizeof( tweak ) ); @@ -1233,13 +1192,8 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || - mode == MBEDTLS_AES_DECRYPT ); - AES_VALIDATE_RET( iv_off != NULL ); - AES_VALIDATE_RET( iv != NULL ); - AES_VALIDATE_RET( input != NULL ); - AES_VALIDATE_RET( output != NULL ); + if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT ) + return MBEDTLS_ERR_AES_BAD_INPUT_DATA; n = *iv_off; @@ -1302,12 +1256,8 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, unsigned char c; unsigned char ov[17]; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || - mode == MBEDTLS_AES_DECRYPT ); - AES_VALIDATE_RET( iv != NULL ); - AES_VALIDATE_RET( input != NULL ); - AES_VALIDATE_RET( output != NULL ); + if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT ) + return MBEDTLS_ERR_AES_BAD_INPUT_DATA; while( length-- ) { memcpy( ov, iv, 16 ); @@ -1346,12 +1296,6 @@ int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, int ret = 0; size_t n; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( iv_off != NULL ); - AES_VALIDATE_RET( iv != NULL ); - AES_VALIDATE_RET( input != NULL ); - AES_VALIDATE_RET( output != NULL ); - n = *iv_off; if( n > 15 ) @@ -1393,13 +1337,6 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n; - AES_VALIDATE_RET( ctx != NULL ); - AES_VALIDATE_RET( nc_off != NULL ); - AES_VALIDATE_RET( nonce_counter != NULL ); - AES_VALIDATE_RET( stream_block != NULL ); - AES_VALIDATE_RET( input != NULL ); - AES_VALIDATE_RET( output != NULL ); - n = *nc_off; if ( n > 0x0F ) @@ -1753,7 +1690,8 @@ int mbedtls_aes_self_test( int verbose ) unsigned char key[32]; unsigned char buf[64]; const unsigned char *aes_tests; -#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) +#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ + defined(MBEDTLS_CIPHER_MODE_OFB) unsigned char iv[16]; #endif #if defined(MBEDTLS_CIPHER_MODE_CBC) diff --git a/thirdparty/mbedtls/library/aesni.c b/thirdparty/mbedtls/library/aesni.c index be226c9c00ceff..87d818af711f26 100644 --- a/thirdparty/mbedtls/library/aesni.c +++ b/thirdparty/mbedtls/library/aesni.c @@ -127,7 +127,7 @@ int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx, "3: \n\t" "movdqu %%xmm0, (%4) \n\t" // export output : - : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output) + : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output) : "memory", "cc", "xmm0", "xmm1" ); diff --git a/thirdparty/mbedtls/library/aesni.h b/thirdparty/mbedtls/library/aesni.h index b6f72578332625..3359cfe94fab2f 100644 --- a/thirdparty/mbedtls/library/aesni.h +++ b/thirdparty/mbedtls/library/aesni.h @@ -34,8 +34,7 @@ #if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ ( defined(__amd64__) || defined(__x86_64__) ) && \ - ! defined(MBEDTLS_HAVE_X86_64) && \ - ! defined(__TINYC__) + ! defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_HAVE_X86_64 #endif diff --git a/thirdparty/mbedtls/library/aria.c b/thirdparty/mbedtls/library/aria.c index bc05c4a3196295..5e52eea91ecd7b 100644 --- a/thirdparty/mbedtls/library/aria.c +++ b/thirdparty/mbedtls/library/aria.c @@ -31,24 +31,12 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_ARIA_ALT) #include "mbedtls/platform_util.h" -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /* Parameter validation macros */ #define ARIA_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) @@ -895,15 +883,17 @@ static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext }; #endif /* MBEDTLS_CIPHER_MODE_CFB */ -#define ARIA_SELF_TEST_IF_FAIL \ - { \ - if( verbose ) \ - mbedtls_printf( "failed\n" ); \ - goto exit; \ - } else { \ - if( verbose ) \ - mbedtls_printf( "passed\n" ); \ - } +#define ARIA_SELF_TEST_ASSERT( cond ) \ + do { \ + if( cond ) { \ + if( verbose ) \ + mbedtls_printf( "failed\n" ); \ + goto exit; \ + } else { \ + if( verbose ) \ + mbedtls_printf( "passed\n" ); \ + } \ + } while( 0 ) /* * Checkup routine @@ -937,16 +927,18 @@ int mbedtls_aria_self_test( int verbose ) mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk ); - if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( + memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) + != 0 ); /* test ECB decryption */ if( verbose ) mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk ); - if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( + memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) + != 0 ); } if( verbose ) mbedtls_printf( "\n" ); @@ -965,8 +957,8 @@ int mbedtls_aria_self_test( int verbose ) memset( buf, 0x55, sizeof( buf ) ); mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, aria_test2_pt, buf ); - if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_cbc_ct[i], 48 ) + != 0 ); /* Test CBC decryption */ if( verbose ) @@ -976,8 +968,7 @@ int mbedtls_aria_self_test( int verbose ) memset( buf, 0xAA, sizeof( buf ) ); mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, aria_test2_cbc_ct[i], buf ); - if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 ); } if( verbose ) mbedtls_printf( "\n" ); @@ -996,8 +987,7 @@ int mbedtls_aria_self_test( int verbose ) j = 0; mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, aria_test2_pt, buf ); - if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ); /* Test CFB decryption */ if( verbose ) @@ -1008,8 +998,7 @@ int mbedtls_aria_self_test( int verbose ) j = 0; mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, iv, aria_test2_cfb_ct[i], buf ); - if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 ); } if( verbose ) mbedtls_printf( "\n" ); @@ -1027,8 +1016,7 @@ int mbedtls_aria_self_test( int verbose ) j = 0; mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, aria_test2_pt, buf ); - if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ); /* Test CTR decryption */ if( verbose ) @@ -1039,8 +1027,7 @@ int mbedtls_aria_self_test( int verbose ) j = 0; mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, aria_test2_ctr_ct[i], buf ); - if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) - ARIA_SELF_TEST_IF_FAIL; + ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 ); } if( verbose ) mbedtls_printf( "\n" ); diff --git a/thirdparty/mbedtls/library/asn1parse.c b/thirdparty/mbedtls/library/asn1parse.c index 83c7c58a12f4ad..28a3b144bf0b59 100644 --- a/thirdparty/mbedtls/library/asn1parse.c +++ b/thirdparty/mbedtls/library/asn1parse.c @@ -31,13 +31,7 @@ #include "mbedtls/bignum.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif /* * ASN.1 DER decoding routines @@ -320,7 +314,6 @@ void mbedtls_asn1_sequence_free( mbedtls_asn1_sequence *seq ) while( seq != NULL ) { mbedtls_asn1_sequence *next = seq->next; - mbedtls_platform_zeroize( seq, sizeof( *seq ) ); mbedtls_free( seq ); seq = next; } @@ -438,6 +431,7 @@ int mbedtls_asn1_get_alg_null( unsigned char **p, return( 0 ); } +#if !defined(MBEDTLS_DEPRECATED_REMOVED) void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur ) { if( cur == NULL ) @@ -448,6 +442,7 @@ void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur ) mbedtls_platform_zeroize( cur, sizeof( mbedtls_asn1_named_data ) ); } +#endif /* MBEDTLS_DEPRECATED_REMOVED */ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ) { @@ -456,11 +451,21 @@ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ) while( ( cur = *head ) != NULL ) { *head = cur->next; - mbedtls_asn1_free_named_data( cur ); + mbedtls_free( cur->oid.p ); + mbedtls_free( cur->val.p ); mbedtls_free( cur ); } } +void mbedtls_asn1_free_named_data_list_shallow( mbedtls_asn1_named_data *name ) +{ + for( mbedtls_asn1_named_data *next; name != NULL; name = next ) + { + next = name->next; + mbedtls_free( name ); + } +} + const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( const mbedtls_asn1_named_data *list, const char *oid, size_t len ) { diff --git a/thirdparty/mbedtls/library/asn1write.c b/thirdparty/mbedtls/library/asn1write.c index 053dbb669fbcdd..98c591d0bcbe1e 100644 --- a/thirdparty/mbedtls/library/asn1write.c +++ b/thirdparty/mbedtls/library/asn1write.c @@ -26,13 +26,7 @@ #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif int mbedtls_asn1_write_len( unsigned char **p, const unsigned char *start, size_t len ) { @@ -78,9 +72,11 @@ int mbedtls_asn1_write_len( unsigned char **p, const unsigned char *start, size_ return( 4 ); } + int len_is_valid = 1; #if SIZE_MAX > 0xFFFFFFFF - if( len <= 0xFFFFFFFF ) + len_is_valid = ( len <= 0xFFFFFFFF ); #endif + if( len_is_valid ) { if( *p - start < 5 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); @@ -93,9 +89,7 @@ int mbedtls_asn1_write_len( unsigned char **p, const unsigned char *start, size_ return( 5 ); } -#if SIZE_MAX > 0xFFFFFFFF return( MBEDTLS_ERR_ASN1_INVALID_LENGTH ); -#endif } int mbedtls_asn1_write_tag( unsigned char **p, const unsigned char *start, unsigned char tag ) diff --git a/thirdparty/mbedtls/library/base64.c b/thirdparty/mbedtls/library/base64.c index 83daa0bcc67f61..9021a041bb11b8 100644 --- a/thirdparty/mbedtls/library/base64.c +++ b/thirdparty/mbedtls/library/base64.c @@ -28,12 +28,7 @@ #if defined(MBEDTLS_SELF_TEST) #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ #define BASE64_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */ diff --git a/thirdparty/mbedtls/library/bignum.c b/thirdparty/mbedtls/library/bignum.c index 8717c8abc681ce..65708c9f3a0839 100644 --- a/thirdparty/mbedtls/library/bignum.c +++ b/thirdparty/mbedtls/library/bignum.c @@ -38,7 +38,7 @@ #if defined(MBEDTLS_BIGNUM_C) #include "mbedtls/bignum.h" -#include "bignum_internal.h" +#include "bignum_core.h" #include "bn_mul.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" @@ -47,34 +47,15 @@ #include #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_printf printf -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #define MPI_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA ) #define MPI_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) -#define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */ -#define biL (ciL << 3) /* bits in limb */ -#define biH (ciL << 2) /* half limb size */ - #define MPI_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */ -/* - * Convert between bits/chars and number of limbs - * Divide first in order to avoid potential overflows - */ -#define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) ) -#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) ) - /* Implementation that should never be optimized out by the compiler */ static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n ) { @@ -271,6 +252,17 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ) memcpy( Y, &T, sizeof( mbedtls_mpi ) ); } +static inline mbedtls_mpi_uint mpi_sint_abs( mbedtls_mpi_sint z ) +{ + if( z >= 0 ) + return( z ); + /* Take care to handle the most negative value (-2^(biL-1)) correctly. + * A naive -z would have undefined behavior. + * Write this in a way that makes popular compilers happy (GCC, Clang, + * MSVC). */ + return( (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z ); +} + /* * Set value from integer */ @@ -282,7 +274,7 @@ int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z ) MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) ); memset( X->p, 0, X->n * ciL ); - X->p[0] = ( z < 0 ) ? -z : z; + X->p[0] = mpi_sint_abs( z ); X->s = ( z < 0 ) ? -1 : 1; cleanup: @@ -303,10 +295,6 @@ int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos ) return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 ); } -/* Get a specific byte, without range checks. */ -#define GET_BYTE( X, i ) \ - ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff ) - /* * Set a bit to a specific value of 0 or 1 */ @@ -352,41 +340,12 @@ size_t mbedtls_mpi_lsb( const mbedtls_mpi *X ) return( 0 ); } -/* - * Count leading zero bits in a given integer - */ -static size_t mbedtls_clz( const mbedtls_mpi_uint x ) -{ - size_t j; - mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1); - - for( j = 0; j < biL; j++ ) - { - if( x & mask ) break; - - mask >>= 1; - } - - return j; -} - /* * Return the number of bits */ size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X ) { - size_t i, j; - - if( X->n == 0 ) - return( 0 ); - - for( i = X->n - 1; i > 0; i-- ) - if( X->p[i] != 0 ) - break; - - j = biL - mbedtls_clz( X->p[i] ); - - return( ( i * biL ) + j ); + return( mbedtls_mpi_core_bitlen( X->p, X->n ) ); } /* @@ -693,97 +652,6 @@ int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE } #endif /* MBEDTLS_FS_IO */ - -/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint - * into the storage form used by mbedtls_mpi. */ - -static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x ) -{ - uint8_t i; - unsigned char *x_ptr; - mbedtls_mpi_uint tmp = 0; - - for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ ) - { - tmp <<= CHAR_BIT; - tmp |= (mbedtls_mpi_uint) *x_ptr; - } - - return( tmp ); -} - -static mbedtls_mpi_uint mpi_uint_bigendian_to_host( mbedtls_mpi_uint x ) -{ -#if defined(__BYTE_ORDER__) - -/* Nothing to do on bigendian systems. */ -#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ ) - return( x ); -#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */ - -#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ ) - -/* For GCC and Clang, have builtins for byte swapping. */ -#if defined(__GNUC__) && defined(__GNUC_PREREQ) -#if __GNUC_PREREQ(4,3) -#define have_bswap -#endif -#endif - -#if defined(__clang__) && defined(__has_builtin) -#if __has_builtin(__builtin_bswap32) && \ - __has_builtin(__builtin_bswap64) -#define have_bswap -#endif -#endif - -#if defined(have_bswap) - /* The compiler is hopefully able to statically evaluate this! */ - switch( sizeof(mbedtls_mpi_uint) ) - { - case 4: - return( __builtin_bswap32(x) ); - case 8: - return( __builtin_bswap64(x) ); - } -#endif -#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */ -#endif /* __BYTE_ORDER__ */ - - /* Fall back to C-based reordering if we don't know the byte order - * or we couldn't use a compiler-specific builtin. */ - return( mpi_uint_bigendian_to_host_c( x ) ); -} - -static void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs ) -{ - mbedtls_mpi_uint *cur_limb_left; - mbedtls_mpi_uint *cur_limb_right; - if( limbs == 0 ) - return; - - /* - * Traverse limbs and - * - adapt byte-order in each limb - * - swap the limbs themselves. - * For that, simultaneously traverse the limbs from left to right - * and from right to left, as long as the left index is not bigger - * than the right index (it's not a problem if limbs is odd and the - * indices coincide in the last iteration). - */ - for( cur_limb_left = p, cur_limb_right = p + ( limbs - 1 ); - cur_limb_left <= cur_limb_right; - cur_limb_left++, cur_limb_right-- ) - { - mbedtls_mpi_uint tmp; - /* Note that if cur_limb_left == cur_limb_right, - * this code effectively swaps the bytes only once. */ - tmp = mpi_uint_bigendian_to_host( *cur_limb_left ); - *cur_limb_left = mpi_uint_bigendian_to_host( *cur_limb_right ); - *cur_limb_right = tmp; - } -} - /* * Import X from unsigned binary data, little endian * @@ -794,14 +662,12 @@ int mbedtls_mpi_read_binary_le( mbedtls_mpi *X, const unsigned char *buf, size_t buflen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i; - size_t const limbs = CHARS_TO_LIMBS( buflen ); + const size_t limbs = CHARS_TO_LIMBS( buflen ); /* Ensure that target MPI has exactly the necessary number of limbs */ MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) ); - for( i = 0; i < buflen; i++ ) - X->p[i / ciL] |= ((mbedtls_mpi_uint) buf[i]) << ((i % ciL) << 3); + MBEDTLS_MPI_CHK( mbedtls_mpi_core_read_le( X->p, X->n, buf, buflen ) ); cleanup: @@ -822,9 +688,7 @@ int mbedtls_mpi_read_binary_le( mbedtls_mpi *X, int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t const limbs = CHARS_TO_LIMBS( buflen ); - size_t const overhead = ( limbs * ciL ) - buflen; - unsigned char *Xp; + const size_t limbs = CHARS_TO_LIMBS( buflen ); MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( buflen == 0 || buf != NULL ); @@ -832,15 +696,7 @@ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t bu /* Ensure that target MPI has exactly the necessary number of limbs */ MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) ); - /* Avoid calling `memcpy` with NULL source or destination argument, - * even if buflen is 0. */ - if( buflen != 0 ) - { - Xp = (unsigned char*) X->p; - memcpy( Xp + overhead, buf, buflen ); - - mpi_bigendian_to_host( X->p, limbs ); - } + MBEDTLS_MPI_CHK( mbedtls_mpi_core_read_be( X->p, X->n, buf, buflen ) ); cleanup: @@ -858,37 +714,7 @@ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t bu int mbedtls_mpi_write_binary_le( const mbedtls_mpi *X, unsigned char *buf, size_t buflen ) { - size_t stored_bytes = X->n * ciL; - size_t bytes_to_copy; - size_t i; - - if( stored_bytes < buflen ) - { - bytes_to_copy = stored_bytes; - } - else - { - bytes_to_copy = buflen; - - /* The output buffer is smaller than the allocated size of X. - * However X may fit if its leading bytes are zero. */ - for( i = bytes_to_copy; i < stored_bytes; i++ ) - { - if( GET_BYTE( X, i ) != 0 ) - return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); - } - } - - for( i = 0; i < bytes_to_copy; i++ ) - buf[i] = GET_BYTE( X, i ); - - if( stored_bytes < buflen ) - { - /* Write trailing 0 bytes */ - memset( buf + stored_bytes, 0, buflen - stored_bytes ); - } - - return( 0 ); + return( mbedtls_mpi_core_write_le( X->p, X->n, buf, buflen ) ); } /* @@ -897,44 +723,7 @@ int mbedtls_mpi_write_binary_le( const mbedtls_mpi *X, int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf, size_t buflen ) { - size_t stored_bytes; - size_t bytes_to_copy; - unsigned char *p; - size_t i; - - MPI_VALIDATE_RET( X != NULL ); - MPI_VALIDATE_RET( buflen == 0 || buf != NULL ); - - stored_bytes = X->n * ciL; - - if( stored_bytes < buflen ) - { - /* There is enough space in the output buffer. Write initial - * null bytes and record the position at which to start - * writing the significant bytes. In this case, the execution - * trace of this function does not depend on the value of the - * number. */ - bytes_to_copy = stored_bytes; - p = buf + buflen - stored_bytes; - memset( buf, 0, buflen - stored_bytes ); - } - else - { - /* The output buffer is smaller than the allocated size of X. - * However X may fit if its leading bytes are zero. */ - bytes_to_copy = buflen; - p = buf; - for( i = bytes_to_copy; i < stored_bytes; i++ ) - { - if( GET_BYTE( X, i ) != 0 ) - return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); - } - } - - for( i = 0; i < bytes_to_copy; i++ ) - p[bytes_to_copy - i - 1] = GET_BYTE( X, i ); - - return( 0 ); + return( mbedtls_mpi_core_write_be( X->p, X->n, buf, buflen ) ); } /* @@ -993,42 +782,9 @@ int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count ) */ int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count ) { - size_t i, v0, v1; - mbedtls_mpi_uint r0 = 0, r1; MPI_VALIDATE_RET( X != NULL ); - - v0 = count / biL; - v1 = count & (biL - 1); - - if( v0 > X->n || ( v0 == X->n && v1 > 0 ) ) - return mbedtls_mpi_lset( X, 0 ); - - /* - * shift by count / limb_size - */ - if( v0 > 0 ) - { - for( i = 0; i < X->n - v0; i++ ) - X->p[i] = X->p[i + v0]; - - for( ; i < X->n; i++ ) - X->p[i] = 0; - } - - /* - * shift by count % limb_size - */ - if( v1 > 0 ) - { - for( i = X->n; i > 0; i-- ) - { - r1 = X->p[i - 1] << (biL - v1); - X->p[i - 1] >>= v1; - X->p[i - 1] |= r0; - r0 = r1; - } - } - + if( X->n != 0 ) + mbedtls_mpi_core_shift_r( X->p, X->n, count ); return( 0 ); } @@ -1108,7 +864,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z ) mbedtls_mpi_uint p[1]; MPI_VALIDATE_RET( X != NULL ); - *p = ( z < 0 ) ? -z : z; + *p = mpi_sint_abs( z ); Y.s = ( z < 0 ) ? -1 : 1; Y.n = 1; Y.p = p; @@ -1122,8 +878,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z ) int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i, j; - mbedtls_mpi_uint *o, *p, c, tmp; + size_t j; MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( A != NULL ); MPI_VALIDATE_RET( B != NULL ); @@ -1137,7 +892,7 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) ); /* - * X should always be positive as a result of unsigned additions. + * X must always be positive as a result of unsigned additions. */ X->s = 1; @@ -1145,29 +900,32 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi if( B->p[j - 1] != 0 ) break; + /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0 + * and B is 0 (of any size). */ + if( j == 0 ) + return( 0 ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) ); - o = B->p; p = X->p; c = 0; + /* j is the number of non-zero limbs of B. Add those to X. */ - /* - * tmp is used because it might happen that p == o - */ - for( i = 0; i < j; i++, o++, p++ ) - { - tmp= *o; - *p += c; c = ( *p < c ); - *p += tmp; c += ( *p < tmp ); - } + mbedtls_mpi_uint *p = X->p; + + mbedtls_mpi_uint c = mbedtls_mpi_core_add( p, p, B->p, j ); + + p += j; + + /* Now propagate any carry */ while( c != 0 ) { - if( i >= X->n ) + if( j >= X->n ) { - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) ); - p = X->p + i; + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j + 1 ) ); + p = X->p + j; } - *p += c; c = ( *p < c ); i++; p++; + *p += c; c = ( *p < c ); j++; p++; } cleanup: @@ -1175,40 +933,6 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return( ret ); } -/** - * Helper for mbedtls_mpi subtraction. - * - * Calculate l - r where l and r have the same size. - * This function operates modulo (2^ciL)^n and returns the carry - * (1 if there was a wraparound, i.e. if `l < r`, and 0 otherwise). - * - * d may be aliased to l or r. - * - * \param n Number of limbs of \p d, \p l and \p r. - * \param[out] d The result of the subtraction. - * \param[in] l The left operand. - * \param[in] r The right operand. - * - * \return 1 if `l < r`. - * 0 if `l >= r`. - */ -static mbedtls_mpi_uint mpi_sub_hlp( size_t n, - mbedtls_mpi_uint *d, - const mbedtls_mpi_uint *l, - const mbedtls_mpi_uint *r ) -{ - size_t i; - mbedtls_mpi_uint c = 0, t, z; - - for( i = 0; i < n; i++ ) - { - z = ( l[i] < c ); t = l[i] - c; - c = ( t < r[i] ) + z; d[i] = t - r[i]; - } - - return( c ); -} - /* * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10) */ @@ -1241,20 +965,18 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi if( X->n > A->n ) memset( X->p + A->n, 0, ( X->n - A->n ) * ciL ); - carry = mpi_sub_hlp( n, X->p, A->p, B->p ); + carry = mbedtls_mpi_core_sub( X->p, A->p, B->p, n ); if( carry != 0 ) { - /* Propagate the carry to the first nonzero limb of X. */ - for( ; n < X->n && X->p[n] == 0; n++ ) - --X->p[n]; - /* If we ran out of space for the carry, it means that the result - * is negative. */ - if( n == X->n ) + /* Propagate the carry through the rest of X. */ + carry = mbedtls_mpi_core_sub_int( X->p + n, X->p + n, carry, X->n - n ); + + /* If we have further carry/borrow, the result is negative. */ + if( carry != 0 ) { ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE; goto cleanup; } - --X->p[n]; } /* X should always be positive as a result of unsigned subtractions. */ @@ -1264,10 +986,12 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return( ret ); } -/* - * Signed addition: X = A + B +/* Common function for signed addition and subtraction. + * Calculate A + B * flip_B where flip_B is 1 or -1. */ -int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) +static int add_sub_mpi( mbedtls_mpi *X, + const mbedtls_mpi *A, const mbedtls_mpi *B, + int flip_B ) { int ret, s; MPI_VALIDATE_RET( X != NULL ); @@ -1275,16 +999,21 @@ int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi MPI_VALIDATE_RET( B != NULL ); s = A->s; - if( A->s * B->s < 0 ) + if( A->s * B->s * flip_B < 0 ) { - if( mbedtls_mpi_cmp_abs( A, B ) >= 0 ) + int cmp = mbedtls_mpi_cmp_abs( A, B ); + if( cmp >= 0 ) { MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) ); - X->s = s; + /* If |A| = |B|, the result is 0 and we must set the sign bit + * to +1 regardless of which of A or B was negative. Otherwise, + * since |A| > |B|, the sign is the sign of A. */ + X->s = cmp == 0 ? 1 : s; } else { MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) ); + /* Since |A| < |B|, the sign is the opposite of A. */ X->s = -s; } } @@ -1299,39 +1028,20 @@ int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi return( ret ); } +/* + * Signed addition: X = A + B + */ +int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) +{ + return( add_sub_mpi( X, A, B, 1 ) ); +} + /* * Signed subtraction: X = A - B */ int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) { - int ret, s; - MPI_VALIDATE_RET( X != NULL ); - MPI_VALIDATE_RET( A != NULL ); - MPI_VALIDATE_RET( B != NULL ); - - s = A->s; - if( A->s * B->s > 0 ) - { - if( mbedtls_mpi_cmp_abs( A, B ) >= 0 ) - { - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) ); - X->s = s; - } - else - { - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) ); - X->s = -s; - } - } - else - { - MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) ); - X->s = s; - } - -cleanup: - - return( ret ); + return( add_sub_mpi( X, A, B, -1 ) ); } /* @@ -1344,7 +1054,7 @@ int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -b : b; + p[0] = mpi_sint_abs( b ); B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; @@ -1362,7 +1072,7 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -b : b; + p[0] = mpi_sint_abs( b ); B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; @@ -1370,38 +1080,6 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint return( mbedtls_mpi_sub_mpi( X, A, &B ) ); } -mbedtls_mpi_uint mbedtls_mpi_core_mla( mbedtls_mpi_uint *d, size_t d_len, - const mbedtls_mpi_uint *s, size_t s_len, - mbedtls_mpi_uint b ) -{ - mbedtls_mpi_uint c = 0; /* carry */ - size_t excess_len = d_len - s_len; - - size_t steps_x8 = s_len / 8; - size_t steps_x1 = s_len & 7; - - while( steps_x8-- ) - { - MULADDC_X8_INIT - MULADDC_X8_CORE - MULADDC_X8_STOP - } - - while( steps_x1-- ) - { - MULADDC_X1_INIT - MULADDC_X1_CORE - MULADDC_X1_STOP - } - - while( excess_len-- ) - { - *d += c; c = ( *d < c ); d++; - } - - return( c ); -} - /* * Baseline multiplication: X = A * B (HAC 14.12) */ @@ -1545,7 +1223,7 @@ static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1, /* * Normalize the divisor, d, and dividend, u0, u1 */ - s = mbedtls_clz( d ); + s = mbedtls_mpi_core_clz( d ); d = d << s; u1 = u1 << s; @@ -1732,7 +1410,7 @@ int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, mbedtls_mpi_uint p[1]; MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -b : b; + p[0] = mpi_sint_abs( b ); B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; @@ -1825,21 +1503,9 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_ return( 0 ); } -/* - * Fast Montgomery initialization (thanks to Tom St Denis) - */ static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N ) { - mbedtls_mpi_uint x, m0 = N->p[0]; - unsigned int i; - - x = m0; - x += ( ( m0 + 2 ) & 4 ) << 1; - - for( i = biL; i >= 8; i /= 2 ) - x *= ( 2 - ( m0 * x ) ); - - *mm = ~x + 1; + *mm = mbedtls_mpi_core_montmul_init( N->p ); } /** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36) @@ -1853,7 +1519,7 @@ static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N ) * \param[in] B One of the numbers to multiply. * It must be nonzero and must not have more limbs than N * (B->n <= N->n). - * \param[in] N The modulo. N must be odd. + * \param[in] N The modulus. \p N must be odd. * \param mm The value calculated by `mpi_montg_init(&mm, N)`. * This is -N^-1 mod 2^ciL. * \param[in,out] T A bignum for temporary storage. @@ -1861,59 +1527,13 @@ static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N ) * (T->n >= 2 * N->n + 1). * Its initial content is unused and * its final content is indeterminate. - * Note that unlike the usual convention in the library - * for `const mbedtls_mpi*`, the content of T can change. + * It does not get reallocated. */ -static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm, - const mbedtls_mpi *T ) +static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, + const mbedtls_mpi *N, mbedtls_mpi_uint mm, + mbedtls_mpi *T ) { - size_t n, m; - mbedtls_mpi_uint *d; - - memset( T->p, 0, T->n * ciL ); - - d = T->p; - n = N->n; - m = ( B->n < n ) ? B->n : n; - - for( size_t i = 0; i < n; i++ ) - { - mbedtls_mpi_uint u0, u1; - - /* - * T = (T + u0*B + u1*N) / 2^biL - */ - u0 = A->p[i]; - u1 = ( d[0] + u0 * B->p[0] ) * mm; - - (void) mbedtls_mpi_core_mla( d, n + 2, - B->p, m, - u0 ); - (void) mbedtls_mpi_core_mla( d, n + 2, - N->p, n, - u1 ); - d++; - } - - /* At this point, d is either the desired result or the desired result - * plus N. We now potentially subtract N, avoiding leaking whether the - * subtraction is performed through side channels. */ - - /* Copy the n least significant limbs of d to A, so that - * A = d if d < N (recall that N has n limbs). */ - memcpy( A->p, d, n * ciL ); - /* If d >= N then we want to set A to d - N. To prevent timing attacks, - * do the calculation without using conditional tests. */ - /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */ - d[n] += 1; - d[n] -= mpi_sub_hlp( n, d, d, N->p ); - /* If d0 < N then d < (2^biL)^n - * so d[n] == 0 and we want to keep A as it is. - * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n - * so d[n] == 1 and we want to set A to the result of the subtraction - * which is d - (2^biL)^n, i.e. the n least significant limbs of d. - * This exactly corresponds to a conditional assignment. */ - mbedtls_ct_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] ); + mbedtls_mpi_core_montmul( A->p, A->p, B->p, B->n, N->p, N->n, mm, T->p ); } /* @@ -1922,7 +1542,7 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi * See mpi_montmul() regarding constraints and guarantees on the parameters. */ static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, - mbedtls_mpi_uint mm, const mbedtls_mpi *T ) + mbedtls_mpi_uint mm, mbedtls_mpi *T ) { mbedtls_mpi_uint z = 1; mbedtls_mpi U; @@ -1970,11 +1590,11 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi *prec_RR ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t wbits, wsize, one = 1; + size_t window_bitsize; size_t i, j, nblimbs; size_t bufsize, nbits; mbedtls_mpi_uint ei, mm, state; - mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos; + mbedtls_mpi RR, T, W[ (size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos; int neg; MPI_VALIDATE_RET( X != NULL ); @@ -2003,21 +1623,59 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, i = mbedtls_mpi_bitlen( E ); - wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 : + window_bitsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 : ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1; #if( MBEDTLS_MPI_WINDOW_SIZE < 6 ) - if( wsize > MBEDTLS_MPI_WINDOW_SIZE ) - wsize = MBEDTLS_MPI_WINDOW_SIZE; + if( window_bitsize > MBEDTLS_MPI_WINDOW_SIZE ) + window_bitsize = MBEDTLS_MPI_WINDOW_SIZE; #endif + const size_t w_table_used_size = (size_t) 1 << window_bitsize; + + /* + * This function is not constant-trace: its memory accesses depend on the + * exponent value. To defend against timing attacks, callers (such as RSA + * and DHM) should use exponent blinding. However this is not enough if the + * adversary can find the exponent in a single trace, so this function + * takes extra precautions against adversaries who can observe memory + * access patterns. + * + * This function performs a series of multiplications by table elements and + * squarings, and we want the prevent the adversary from finding out which + * table element was used, and from distinguishing between multiplications + * and squarings. Firstly, when multiplying by an element of the window + * W[i], we do a constant-trace table lookup to obfuscate i. This leaves + * squarings as having a different memory access patterns from other + * multiplications. So secondly, we put the accumulator X in the table as + * well, and also do a constant-trace table lookup to multiply by X. + * + * This way, all multiplications take the form of a lookup-and-multiply. + * The number of lookup-and-multiply operations inside each iteration of + * the main loop still depends on the bits of the exponent, but since the + * other operations in the loop don't have an easily recognizable memory + * trace, an adversary is unlikely to be able to observe the exact + * patterns. + * + * An adversary may still be able to recover the exponent if they can + * observe both memory accesses and branches. However, branch prediction + * exploitation typically requires many traces of execution over the same + * data, which is defeated by randomized blinding. + * + * To achieve this, we make a copy of X and we use the table entry in each + * calculation from this point on. + */ + const size_t x_index = 0; + mbedtls_mpi_init( &W[x_index] ); + mbedtls_mpi_copy( &W[x_index], X ); + j = N->n + 1; /* All W[i] and X must have at least N->n limbs for the mpi_montmul() * and mpi_montred() calls later. Here we ensure that W[1] and X are * large enough, and later we'll grow other W[i] to the same length. * They must not be shrunk midway through this function! */ - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[x_index], j ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) ); @@ -2066,28 +1724,36 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, mpi_montmul( &W[1], &RR, N, mm, &T ); /* - * X = R^2 * R^-1 mod N = R mod N + * W[x_index] = R^2 * R^-1 mod N = R mod N */ - MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) ); - mpi_montred( X, N, mm, &T ); + MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[x_index], &RR ) ); + mpi_montred( &W[x_index], N, mm, &T ); - if( wsize > 1 ) + + if( window_bitsize > 1 ) { /* - * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1) + * W[i] = W[1] ^ i + * + * The first bit of the sliding window is always 1 and therefore we + * only need to store the second half of the table. + * + * (There are two special elements in the table: W[0] for the + * accumulator/result and W[1] for A in Montgomery form. Both of these + * are already set at this point.) */ - j = one << ( wsize - 1 ); + j = w_table_used_size / 2; MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) ); - for( i = 0; i < wsize - 1; i++ ) + for( i = 0; i < window_bitsize - 1; i++ ) mpi_montmul( &W[j], &W[j], N, mm, &T ); /* * W[i] = W[i - 1] * W[1] */ - for( i = j + 1; i < ( one << wsize ); i++ ) + for( i = j + 1; i < w_table_used_size; i++ ) { MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) ); @@ -2099,7 +1765,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, nblimbs = E->n; bufsize = 0; nbits = 0; - wbits = 0; + size_t exponent_bits_in_window = 0; state = 0; while( 1 ) @@ -2127,9 +1793,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, if( ei == 0 && state == 1 ) { /* - * out of window, square X + * out of window, square W[x_index] */ - mpi_montmul( X, X, N, mm, &T ); + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); continue; } @@ -2139,25 +1806,30 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, state = 2; nbits++; - wbits |= ( ei << ( wsize - nbits ) ); + exponent_bits_in_window |= ( ei << ( window_bitsize - nbits ) ); - if( nbits == wsize ) + if( nbits == window_bitsize ) { /* - * X = X^wsize R^-1 mod N + * W[x_index] = W[x_index]^window_bitsize R^-1 mod N */ - for( i = 0; i < wsize; i++ ) - mpi_montmul( X, X, N, mm, &T ); + for( i = 0; i < window_bitsize; i++ ) + { + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, + x_index ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); + } /* - * X = X * W[wbits] R^-1 mod N + * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N */ - MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) ); - mpi_montmul( X, &WW, N, mm, &T ); + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, + exponent_bits_in_window ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); state--; nbits = 0; - wbits = 0; + exponent_bits_in_window = 0; } } @@ -2166,31 +1838,45 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, */ for( i = 0; i < nbits; i++ ) { - mpi_montmul( X, X, N, mm, &T ); + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); - wbits <<= 1; + exponent_bits_in_window <<= 1; - if( ( wbits & ( one << wsize ) ) != 0 ) - mpi_montmul( X, &W[1], N, mm, &T ); + if( ( exponent_bits_in_window & ( (size_t) 1 << window_bitsize ) ) != 0 ) + { + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, 1 ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); + } } /* - * X = A^E * R * R^-1 mod N = A^E mod N + * W[x_index] = A^E * R * R^-1 mod N = A^E mod N */ - mpi_montred( X, N, mm, &T ); + mpi_montred( &W[x_index], N, mm, &T ); if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 ) { - X->s = -1; - MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) ); + W[x_index].s = -1; + MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &W[x_index], N, &W[x_index] ) ); } + /* + * Load the result in the output variable. + */ + mbedtls_mpi_copy( X, &W[x_index] ); + cleanup: - for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ ) + /* The first bit of the sliding window is always 1 and therefore the first + * half of the table was unused. */ + for( i = w_table_used_size/2; i < w_table_used_size; i++ ) mbedtls_mpi_free( &W[i] ); - mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos ); + mbedtls_mpi_free( &W[x_index] ); + mbedtls_mpi_free( &W[1] ); + mbedtls_mpi_free( &T ); + mbedtls_mpi_free( &Apos ); mbedtls_mpi_free( &WW ); if( prec_RR == NULL || prec_RR->p == NULL ) @@ -2313,46 +1999,18 @@ int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B return( ret ); } -/* Fill X with n_bytes random bytes. - * X must already have room for those bytes. - * The ordering of the bytes returned from the RNG is suitable for - * deterministic ECDSA (see RFC 6979 §3.3 and mbedtls_mpi_random()). - * The size and sign of X are unchanged. - * n_bytes must not be 0. - */ -static int mpi_fill_random_internal( - mbedtls_mpi *X, size_t n_bytes, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const size_t limbs = CHARS_TO_LIMBS( n_bytes ); - const size_t overhead = ( limbs * ciL ) - n_bytes; - - if( X->n < limbs ) - return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); - - memset( X->p, 0, overhead ); - memset( (unsigned char *) X->p + limbs * ciL, 0, ( X->n - limbs ) * ciL ); - MBEDTLS_MPI_CHK( f_rng( p_rng, (unsigned char *) X->p + overhead, n_bytes ) ); - mpi_bigendian_to_host( X->p, limbs ); - -cleanup: - return( ret ); -} - /* * Fill X with size bytes of random. - * - * Use a temporary bytes representation to make sure the result is the same - * regardless of the platform endianness (useful when f_rng is actually - * deterministic, eg for tests). + * The bytes returned from the RNG are used in a specific order which + * is suitable for deterministic ECDSA (see the specification of + * mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()). */ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t const limbs = CHARS_TO_LIMBS( size ); + const size_t limbs = CHARS_TO_LIMBS( size ); MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( f_rng != NULL ); @@ -2362,7 +2020,7 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size, if( size == 0 ) return( 0 ); - ret = mpi_fill_random_internal( X, size, f_rng, p_rng ); + ret = mbedtls_mpi_core_fill_random( X->p, X->n, size, f_rng, p_rng ); cleanup: return( ret ); @@ -2424,7 +2082,9 @@ int mbedtls_mpi_random( mbedtls_mpi *X, */ do { - MBEDTLS_MPI_CHK( mpi_fill_random_internal( X, n_bytes, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_core_fill_random( X->p, X->n, + n_bytes, + f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, 8 * n_bytes - n_bits ) ); if( --count == 0 ) @@ -2803,7 +2463,7 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags, else { /* - * An necessary condition for Y and X = 2Y + 1 to be prime + * A necessary condition for Y and X = 2Y + 1 to be prime * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3). * Make sure it is satisfied, while keeping X = 3 mod 4 */ diff --git a/thirdparty/mbedtls/library/bignum_core.c b/thirdparty/mbedtls/library/bignum_core.c new file mode 100644 index 00000000000000..30fc6613008417 --- /dev/null +++ b/thirdparty/mbedtls/library/bignum_core.c @@ -0,0 +1,795 @@ +/* + * Core bignum functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "common.h" + +#if defined(MBEDTLS_BIGNUM_C) + +#include + +#include "mbedtls/error.h" +#include "mbedtls/platform_util.h" +#include "constant_time_internal.h" + +#include "mbedtls/platform.h" + +#include "bignum_core.h" +#include "bn_mul.h" +#include "constant_time_internal.h" + +size_t mbedtls_mpi_core_clz( mbedtls_mpi_uint a ) +{ + size_t j; + mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1); + + for( j = 0; j < biL; j++ ) + { + if( a & mask ) break; + + mask >>= 1; + } + + return( j ); +} + +size_t mbedtls_mpi_core_bitlen( const mbedtls_mpi_uint *A, size_t A_limbs ) +{ + size_t i, j; + + if( A_limbs == 0 ) + return( 0 ); + + for( i = A_limbs - 1; i > 0; i-- ) + if( A[i] != 0 ) + break; + + j = biL - mbedtls_mpi_core_clz( A[i] ); + + return( ( i * biL ) + j ); +} + +/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint + * into the storage form used by mbedtls_mpi. */ +static mbedtls_mpi_uint mpi_bigendian_to_host_c( mbedtls_mpi_uint a ) +{ + uint8_t i; + unsigned char *a_ptr; + mbedtls_mpi_uint tmp = 0; + + for( i = 0, a_ptr = (unsigned char *) &a; i < ciL; i++, a_ptr++ ) + { + tmp <<= CHAR_BIT; + tmp |= (mbedtls_mpi_uint) *a_ptr; + } + + return( tmp ); +} + +static mbedtls_mpi_uint mpi_bigendian_to_host( mbedtls_mpi_uint a ) +{ +#if defined(__BYTE_ORDER__) + +/* Nothing to do on bigendian systems. */ +#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ ) + return( a ); +#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */ + +#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ ) + +/* For GCC and Clang, have builtins for byte swapping. */ +#if defined(__GNUC__) && defined(__GNUC_PREREQ) +#if __GNUC_PREREQ(4,3) +#define have_bswap +#endif +#endif + +#if defined(__clang__) && defined(__has_builtin) +#if __has_builtin(__builtin_bswap32) && \ + __has_builtin(__builtin_bswap64) +#define have_bswap +#endif +#endif + +#if defined(have_bswap) + /* The compiler is hopefully able to statically evaluate this! */ + switch( sizeof(mbedtls_mpi_uint) ) + { + case 4: + return( __builtin_bswap32(a) ); + case 8: + return( __builtin_bswap64(a) ); + } +#endif +#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */ +#endif /* __BYTE_ORDER__ */ + + /* Fall back to C-based reordering if we don't know the byte order + * or we couldn't use a compiler-specific builtin. */ + return( mpi_bigendian_to_host_c( a ) ); +} + +void mbedtls_mpi_core_bigendian_to_host( mbedtls_mpi_uint *A, + size_t A_limbs ) +{ + mbedtls_mpi_uint *cur_limb_left; + mbedtls_mpi_uint *cur_limb_right; + if( A_limbs == 0 ) + return; + + /* + * Traverse limbs and + * - adapt byte-order in each limb + * - swap the limbs themselves. + * For that, simultaneously traverse the limbs from left to right + * and from right to left, as long as the left index is not bigger + * than the right index (it's not a problem if limbs is odd and the + * indices coincide in the last iteration). + */ + for( cur_limb_left = A, cur_limb_right = A + ( A_limbs - 1 ); + cur_limb_left <= cur_limb_right; + cur_limb_left++, cur_limb_right-- ) + { + mbedtls_mpi_uint tmp; + /* Note that if cur_limb_left == cur_limb_right, + * this code effectively swaps the bytes only once. */ + tmp = mpi_bigendian_to_host( *cur_limb_left ); + *cur_limb_left = mpi_bigendian_to_host( *cur_limb_right ); + *cur_limb_right = tmp; + } +} + +void mbedtls_mpi_core_cond_assign( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + size_t limbs, + unsigned char assign ) +{ + if( X == A ) + return; + + mbedtls_ct_mpi_uint_cond_assign( limbs, X, A, assign ); +} + +void mbedtls_mpi_core_cond_swap( mbedtls_mpi_uint *X, + mbedtls_mpi_uint *Y, + size_t limbs, + unsigned char swap ) +{ + if( X == Y ) + return; + + /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */ + mbedtls_mpi_uint limb_mask = mbedtls_ct_mpi_uint_mask( swap ); + + for( size_t i = 0; i < limbs; i++ ) + { + mbedtls_mpi_uint tmp = X[i]; + X[i] = ( X[i] & ~limb_mask ) | ( Y[i] & limb_mask ); + Y[i] = ( Y[i] & ~limb_mask ) | ( tmp & limb_mask ); + } +} + +int mbedtls_mpi_core_read_le( mbedtls_mpi_uint *X, + size_t X_limbs, + const unsigned char *input, + size_t input_length ) +{ + const size_t limbs = CHARS_TO_LIMBS( input_length ); + + if( X_limbs < limbs ) + return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); + + if( X != NULL ) + { + memset( X, 0, X_limbs * ciL ); + + for( size_t i = 0; i < input_length; i++ ) + { + size_t offset = ( ( i % ciL ) << 3 ); + X[i / ciL] |= ( (mbedtls_mpi_uint) input[i] ) << offset; + } + } + + return( 0 ); +} + +int mbedtls_mpi_core_read_be( mbedtls_mpi_uint *X, + size_t X_limbs, + const unsigned char *input, + size_t input_length ) +{ + const size_t limbs = CHARS_TO_LIMBS( input_length ); + + if( X_limbs < limbs ) + return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); + + /* If X_limbs is 0, input_length must also be 0 (from previous test). + * Nothing to do. */ + if( X_limbs == 0 ) + return( 0 ); + + memset( X, 0, X_limbs * ciL ); + + /* memcpy() with (NULL, 0) is undefined behaviour */ + if( input_length != 0 ) + { + size_t overhead = ( X_limbs * ciL ) - input_length; + unsigned char *Xp = (unsigned char *) X; + memcpy( Xp + overhead, input, input_length ); + } + + mbedtls_mpi_core_bigendian_to_host( X, X_limbs ); + + return( 0 ); +} + +int mbedtls_mpi_core_write_le( const mbedtls_mpi_uint *A, + size_t A_limbs, + unsigned char *output, + size_t output_length ) +{ + size_t stored_bytes = A_limbs * ciL; + size_t bytes_to_copy; + + if( stored_bytes < output_length ) + { + bytes_to_copy = stored_bytes; + } + else + { + bytes_to_copy = output_length; + + /* The output buffer is smaller than the allocated size of A. + * However A may fit if its leading bytes are zero. */ + for( size_t i = bytes_to_copy; i < stored_bytes; i++ ) + { + if( GET_BYTE( A, i ) != 0 ) + return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); + } + } + + for( size_t i = 0; i < bytes_to_copy; i++ ) + output[i] = GET_BYTE( A, i ); + + if( stored_bytes < output_length ) + { + /* Write trailing 0 bytes */ + memset( output + stored_bytes, 0, output_length - stored_bytes ); + } + + return( 0 ); +} + +int mbedtls_mpi_core_write_be( const mbedtls_mpi_uint *X, + size_t X_limbs, + unsigned char *output, + size_t output_length ) +{ + size_t stored_bytes; + size_t bytes_to_copy; + unsigned char *p; + + stored_bytes = X_limbs * ciL; + + if( stored_bytes < output_length ) + { + /* There is enough space in the output buffer. Write initial + * null bytes and record the position at which to start + * writing the significant bytes. In this case, the execution + * trace of this function does not depend on the value of the + * number. */ + bytes_to_copy = stored_bytes; + p = output + output_length - stored_bytes; + memset( output, 0, output_length - stored_bytes ); + } + else + { + /* The output buffer is smaller than the allocated size of X. + * However X may fit if its leading bytes are zero. */ + bytes_to_copy = output_length; + p = output; + for( size_t i = bytes_to_copy; i < stored_bytes; i++ ) + { + if( GET_BYTE( X, i ) != 0 ) + return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL ); + } + } + + for( size_t i = 0; i < bytes_to_copy; i++ ) + p[bytes_to_copy - i - 1] = GET_BYTE( X, i ); + + return( 0 ); +} + +void mbedtls_mpi_core_shift_r( mbedtls_mpi_uint *X, size_t limbs, + size_t count ) +{ + size_t i, v0, v1; + mbedtls_mpi_uint r0 = 0, r1; + + v0 = count / biL; + v1 = count & (biL - 1); + + if( v0 > limbs || ( v0 == limbs && v1 > 0 ) ) + { + memset( X, 0, limbs * ciL ); + return; + } + + /* + * shift by count / limb_size + */ + if( v0 > 0 ) + { + for( i = 0; i < limbs - v0; i++ ) + X[i] = X[i + v0]; + + for( ; i < limbs; i++ ) + X[i] = 0; + } + + /* + * shift by count % limb_size + */ + if( v1 > 0 ) + { + for( i = limbs; i > 0; i-- ) + { + r1 = X[i - 1] << (biL - v1); + X[i - 1] >>= v1; + X[i - 1] |= r0; + r0 = r1; + } + } +} + +mbedtls_mpi_uint mbedtls_mpi_core_add( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + size_t limbs ) +{ + mbedtls_mpi_uint c = 0; + + for( size_t i = 0; i < limbs; i++ ) + { + mbedtls_mpi_uint t = c + A[i]; + c = ( t < A[i] ); + t += B[i]; + c += ( t < B[i] ); + X[i] = t; + } + + return( c ); +} + +mbedtls_mpi_uint mbedtls_mpi_core_add_if( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + size_t limbs, + unsigned cond ) +{ + mbedtls_mpi_uint c = 0; + + /* all-bits 0 if cond is 0, all-bits 1 if cond is non-0 */ + const mbedtls_mpi_uint mask = mbedtls_ct_mpi_uint_mask( cond ); + + for( size_t i = 0; i < limbs; i++ ) + { + mbedtls_mpi_uint add = mask & A[i]; + mbedtls_mpi_uint t = c + X[i]; + c = ( t < X[i] ); + t += add; + c += ( t < add ); + X[i] = t; + } + + return( c ); +} + +mbedtls_mpi_uint mbedtls_mpi_core_sub( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + size_t limbs ) +{ + mbedtls_mpi_uint c = 0; + + for( size_t i = 0; i < limbs; i++ ) + { + mbedtls_mpi_uint z = ( A[i] < c ); + mbedtls_mpi_uint t = A[i] - c; + c = ( t < B[i] ) + z; + X[i] = t - B[i]; + } + + return( c ); +} + +mbedtls_mpi_uint mbedtls_mpi_core_mla( mbedtls_mpi_uint *d, size_t d_len, + const mbedtls_mpi_uint *s, size_t s_len, + mbedtls_mpi_uint b ) +{ + mbedtls_mpi_uint c = 0; /* carry */ + /* + * It is a documented precondition of this function that d_len >= s_len. + * If that's not the case, we swap these round: this turns what would be + * a buffer overflow into an incorrect result. + */ + if( d_len < s_len ) + s_len = d_len; + size_t excess_len = d_len - s_len; + size_t steps_x8 = s_len / 8; + size_t steps_x1 = s_len & 7; + + while( steps_x8-- ) + { + MULADDC_X8_INIT + MULADDC_X8_CORE + MULADDC_X8_STOP + } + + while( steps_x1-- ) + { + MULADDC_X1_INIT + MULADDC_X1_CORE + MULADDC_X1_STOP + } + + while( excess_len-- ) + { + *d += c; + c = ( *d < c ); + d++; + } + + return( c ); +} + +/* + * Fast Montgomery initialization (thanks to Tom St Denis). + */ +mbedtls_mpi_uint mbedtls_mpi_core_montmul_init( const mbedtls_mpi_uint *N ) +{ + mbedtls_mpi_uint x = N[0]; + + x += ( ( N[0] + 2 ) & 4 ) << 1; + + for( unsigned int i = biL; i >= 8; i /= 2 ) + x *= ( 2 - ( N[0] * x ) ); + + return( ~x + 1 ); +} + +void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + size_t B_limbs, + const mbedtls_mpi_uint *N, + size_t AN_limbs, + mbedtls_mpi_uint mm, + mbedtls_mpi_uint *T ) +{ + memset( T, 0, ( 2 * AN_limbs + 1 ) * ciL ); + + for( size_t i = 0; i < AN_limbs; i++ ) + { + /* T = (T + u0*B + u1*N) / 2^biL */ + mbedtls_mpi_uint u0 = A[i]; + mbedtls_mpi_uint u1 = ( T[0] + u0 * B[0] ) * mm; + + (void) mbedtls_mpi_core_mla( T, AN_limbs + 2, B, B_limbs, u0 ); + (void) mbedtls_mpi_core_mla( T, AN_limbs + 2, N, AN_limbs, u1 ); + + T++; + } + + /* + * The result we want is (T >= N) ? T - N : T. + * + * For better constant-time properties in this function, we always do the + * subtraction, with the result in X. + * + * We also look to see if there was any carry in the final additions in the + * loop above. + */ + + mbedtls_mpi_uint carry = T[AN_limbs]; + mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub( X, T, N, AN_limbs ); + + /* + * Using R as the Montgomery radix (auxiliary modulus) i.e. 2^(biL*AN_limbs): + * + * T can be in one of 3 ranges: + * + * 1) T < N : (carry, borrow) = (0, 1): we want T + * 2) N <= T < R : (carry, borrow) = (0, 0): we want X + * 3) T >= R : (carry, borrow) = (1, 1): we want X + * + * and (carry, borrow) = (1, 0) can't happen. + * + * So the correct return value is already in X if (carry ^ borrow) = 0, + * but is in (the lower AN_limbs limbs of) T if (carry ^ borrow) = 1. + */ + mbedtls_ct_mpi_uint_cond_assign( AN_limbs, X, T, (unsigned char) ( carry ^ borrow ) ); +} + +int mbedtls_mpi_core_get_mont_r2_unsafe( mbedtls_mpi *X, + const mbedtls_mpi *N ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 1 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( X, N->n * 2 * biL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( X, X, N ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( X, N->n ) ); + +cleanup: + return( ret ); +} + +MBEDTLS_STATIC_TESTABLE +void mbedtls_mpi_core_ct_uint_table_lookup( mbedtls_mpi_uint *dest, + const mbedtls_mpi_uint *table, + size_t limbs, + size_t count, + size_t index ) +{ + for( size_t i = 0; i < count; i++, table += limbs ) + { + unsigned char assign = mbedtls_ct_size_bool_eq( i, index ); + mbedtls_mpi_core_cond_assign( dest, table, limbs, assign ); + } +} + +/* Fill X with n_bytes random bytes. + * X must already have room for those bytes. + * The ordering of the bytes returned from the RNG is suitable for + * deterministic ECDSA (see RFC 6979 §3.3 and the specification of + * mbedtls_mpi_core_random()). + */ +int mbedtls_mpi_core_fill_random( + mbedtls_mpi_uint *X, size_t X_limbs, + size_t n_bytes, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const size_t limbs = CHARS_TO_LIMBS( n_bytes ); + const size_t overhead = ( limbs * ciL ) - n_bytes; + + if( X_limbs < limbs ) + return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + + memset( X, 0, overhead ); + memset( (unsigned char *) X + limbs * ciL, 0, ( X_limbs - limbs ) * ciL ); + MBEDTLS_MPI_CHK( f_rng( p_rng, (unsigned char *) X + overhead, n_bytes ) ); + mbedtls_mpi_core_bigendian_to_host( X, limbs ); + +cleanup: + return( ret ); +} + +/* BEGIN MERGE SLOT 1 */ + +static size_t exp_mod_get_window_size( size_t Ebits ) +{ + size_t wsize = ( Ebits > 671 ) ? 6 : ( Ebits > 239 ) ? 5 : + ( Ebits > 79 ) ? 4 : 1; + +#if( MBEDTLS_MPI_WINDOW_SIZE < 6 ) + if( wsize > MBEDTLS_MPI_WINDOW_SIZE ) + wsize = MBEDTLS_MPI_WINDOW_SIZE; +#endif + + return( wsize ); +} + +size_t mbedtls_mpi_core_exp_mod_working_limbs( size_t AN_limbs, size_t E_limbs ) +{ + const size_t wsize = exp_mod_get_window_size( E_limbs * biL ); + const size_t welem = ( (size_t) 1 ) << wsize; + + /* How big does each part of the working memory pool need to be? */ + const size_t table_limbs = welem * AN_limbs; + const size_t select_limbs = AN_limbs; + const size_t temp_limbs = 2 * AN_limbs + 1; + + return( table_limbs + select_limbs + temp_limbs ); +} + +static void exp_mod_precompute_window( const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, + size_t AN_limbs, + mbedtls_mpi_uint mm, + const mbedtls_mpi_uint *RR, + size_t welem, + mbedtls_mpi_uint *Wtable, + mbedtls_mpi_uint *temp ) +{ + /* W[0] = 1 (in Montgomery presentation) */ + memset( Wtable, 0, AN_limbs * ciL ); + Wtable[0] = 1; + mbedtls_mpi_core_montmul( Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp ); + + /* W[1] = A (already in Montgomery presentation) */ + mbedtls_mpi_uint *W1 = Wtable + AN_limbs; + memcpy( W1, A, AN_limbs * ciL ); + + /* W[i+1] = W[i] * W[1], i >= 2 */ + mbedtls_mpi_uint *Wprev = W1; + for( size_t i = 2; i < welem; i++ ) + { + mbedtls_mpi_uint *Wcur = Wprev + AN_limbs; + mbedtls_mpi_core_montmul( Wcur, Wprev, W1, AN_limbs, N, AN_limbs, mm, temp ); + Wprev = Wcur; + } +} + +/* Exponentiation: X := A^E mod N. + * + * A must already be in Montgomery form. + * + * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero. + * + * RR must contain 2^{2*biL} mod N. + * + * The algorithm is a variant of Left-to-right k-ary exponentiation: HAC 14.82 + * (The difference is that the body in our loop processes a single bit instead + * of a full window.) + */ +void mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, + size_t AN_limbs, + const mbedtls_mpi_uint *E, + size_t E_limbs, + const mbedtls_mpi_uint *RR, + mbedtls_mpi_uint *T ) +{ + const size_t wsize = exp_mod_get_window_size( E_limbs * biL ); + const size_t welem = ( (size_t) 1 ) << wsize; + + /* This is how we will use the temporary storage T, which must have space + * for table_limbs, select_limbs and (2 * AN_limbs + 1) for montmul. */ + const size_t table_limbs = welem * AN_limbs; + const size_t select_limbs = AN_limbs; + + /* Pointers to specific parts of the temporary working memory pool */ + mbedtls_mpi_uint *const Wtable = T; + mbedtls_mpi_uint *const Wselect = Wtable + table_limbs; + mbedtls_mpi_uint *const temp = Wselect + select_limbs; + + /* + * Window precomputation + */ + + const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init( N ); + + /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */ + exp_mod_precompute_window( A, N, AN_limbs, + mm, RR, + welem, Wtable, temp ); + + /* + * Fixed window exponentiation + */ + + /* X = 1 (in Montgomery presentation) initially */ + memcpy( X, Wtable, AN_limbs * ciL ); + + /* We'll process the bits of E from most significant + * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant + * (limb_index=0, E_bit_index=0). */ + size_t E_limb_index = E_limbs; + size_t E_bit_index = 0; + /* At any given time, window contains window_bits bits from E. + * window_bits can go up to wsize. */ + size_t window_bits = 0; + mbedtls_mpi_uint window = 0; + + do + { + /* Square */ + mbedtls_mpi_core_montmul( X, X, X, AN_limbs, N, AN_limbs, mm, temp ); + + /* Move to the next bit of the exponent */ + if( E_bit_index == 0 ) + { + --E_limb_index; + E_bit_index = biL - 1; + } + else + { + --E_bit_index; + } + /* Insert next exponent bit into window */ + ++window_bits; + window <<= 1; + window |= ( E[E_limb_index] >> E_bit_index ) & 1; + + /* Clear window if it's full. Also clear the window at the end, + * when we've finished processing the exponent. */ + if( window_bits == wsize || + ( E_bit_index == 0 && E_limb_index == 0 ) ) + { + /* Select Wtable[window] without leaking window through + * memory access patterns. */ + mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable, + AN_limbs, welem, window ); + /* Multiply X by the selected element. */ + mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, + temp ); + window = 0; + window_bits = 0; + } + } + while( ! ( E_bit_index == 0 && E_limb_index == 0 ) ); +} + +/* END MERGE SLOT 1 */ + +/* BEGIN MERGE SLOT 2 */ + +/* END MERGE SLOT 2 */ + +/* BEGIN MERGE SLOT 3 */ + +mbedtls_mpi_uint mbedtls_mpi_core_sub_int( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + mbedtls_mpi_uint c, /* doubles as carry */ + size_t limbs ) +{ + for( size_t i = 0; i < limbs; i++ ) + { + mbedtls_mpi_uint s = A[i]; + mbedtls_mpi_uint t = s - c; + c = ( t > s ); + X[i] = t; + } + + return( c ); +} + +/* END MERGE SLOT 3 */ + +/* BEGIN MERGE SLOT 4 */ + +/* END MERGE SLOT 4 */ + +/* BEGIN MERGE SLOT 5 */ + +/* END MERGE SLOT 5 */ + +/* BEGIN MERGE SLOT 6 */ + +/* END MERGE SLOT 6 */ + +/* BEGIN MERGE SLOT 7 */ + +/* END MERGE SLOT 7 */ + +/* BEGIN MERGE SLOT 8 */ + +/* END MERGE SLOT 8 */ + +/* BEGIN MERGE SLOT 9 */ + +/* END MERGE SLOT 9 */ + +/* BEGIN MERGE SLOT 10 */ + +/* END MERGE SLOT 10 */ + +#endif /* MBEDTLS_BIGNUM_C */ diff --git a/thirdparty/mbedtls/library/bignum_core.h b/thirdparty/mbedtls/library/bignum_core.h new file mode 100644 index 00000000000000..add7fee329fbf1 --- /dev/null +++ b/thirdparty/mbedtls/library/bignum_core.h @@ -0,0 +1,602 @@ +/** + * Core bignum functions + * + * This interface should only be used by the legacy bignum module (bignum.h) + * and the modular bignum modules (bignum_mod.c, bignum_mod_raw.c). All other + * modules should use the high-level modular bignum interface (bignum_mod.h) + * or the legacy bignum interface (bignum.h). + * + * This module is about processing non-negative integers with a fixed upper + * bound that's of the form 2^n-1 where n is a multiple of #biL. + * These can be thought of integers written in base 2^#biL with a fixed + * number of digits. Digits in this base are called *limbs*. + * Many operations treat these numbers as the principal representation of + * a number modulo 2^n or a smaller bound. + * + * The functions in this module obey the following conventions unless + * explicitly indicated otherwise: + * + * - **Overflow**: some functions indicate overflow from the range + * [0, 2^n-1] by returning carry parameters, while others operate + * modulo and so cannot overflow. This should be clear from the function + * documentation. + * - **Bignum parameters**: Bignums are passed as pointers to an array of + * limbs. A limb has the type #mbedtls_mpi_uint. Unless otherwise specified: + * - Bignum parameters called \p A, \p B, ... are inputs, and are + * not modified by the function. + * - For operations modulo some number, the modulus is called \p N + * and is input-only. + * - Bignum parameters called \p X, \p Y are outputs or input-output. + * The initial content of output-only parameters is ignored. + * - Some functions use different names that reflect traditional + * naming of operands of certain operations (e.g. + * divisor/dividend/quotient/remainder). + * - \p T is a temporary storage area. The initial content of such + * parameter is ignored and the final content is unspecified. + * - **Bignum sizes**: bignum sizes are always expressed in limbs. + * Most functions work on bignums of a given size and take a single + * \p limbs parameter that applies to all parameters that are limb arrays. + * All bignum sizes must be at least 1 and must be significantly less than + * #SIZE_MAX. The behavior if a size is 0 is undefined. The behavior if the + * total size of all parameters overflows #SIZE_MAX is undefined. + * - **Parameter ordering**: for bignum parameters, outputs come before inputs. + * Temporaries come last. + * - **Aliasing**: in general, output bignums may be aliased to one or more + * inputs. As an exception, parameters that are documented as a modulus value + * may not be aliased to an output. Outputs may not be aliased to one another. + * Temporaries may not be aliased to any other parameter. + * - **Overlap**: apart from aliasing of limb array pointers (where two + * arguments are equal pointers), overlap is not supported and may result + * in undefined behavior. + * - **Error handling**: This is a low-level module. Functions generally do not + * try to protect against invalid arguments such as nonsensical sizes or + * null pointers. Note that some functions that operate on bignums of + * different sizes have constraints about their size, and violating those + * constraints may lead to buffer overflows. + * - **Modular representatives**: functions that operate modulo \p N expect + * all modular inputs to be in the range [0, \p N - 1] and guarantee outputs + * in the range [0, \p N - 1]. If an input is out of range, outputs are + * fully unspecified, though bignum values out of range should not cause + * buffer overflows (beware that this is not extensively tested). + */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_BIGNUM_CORE_H +#define MBEDTLS_BIGNUM_CORE_H + +#include "common.h" + +#if defined(MBEDTLS_BIGNUM_C) +#include "mbedtls/bignum.h" +#endif + +#define ciL ( sizeof(mbedtls_mpi_uint) ) /** chars in limb */ +#define biL ( ciL << 3 ) /** bits in limb */ +#define biH ( ciL << 2 ) /** half limb size */ + +/* + * Convert between bits/chars and number of limbs + * Divide first in order to avoid potential overflows + */ +#define BITS_TO_LIMBS(i) ( (i) / biL + ( (i) % biL != 0 ) ) +#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) ) +/* Get a specific byte, without range checks. */ +#define GET_BYTE( X, i ) \ + ( ( (X)[(i) / ciL] >> ( ( (i) % ciL ) * 8 ) ) & 0xff ) + +/** Count leading zero bits in a given integer. + * + * \param a Integer to count leading zero bits. + * + * \return The number of leading zero bits in \p a. + */ +size_t mbedtls_mpi_core_clz( mbedtls_mpi_uint a ); + +/** Return the minimum number of bits required to represent the value held + * in the MPI. + * + * \note This function returns 0 if all the limbs of \p A are 0. + * + * \param[in] A The address of the MPI. + * \param A_limbs The number of limbs of \p A. + * + * \return The number of bits in \p A. + */ +size_t mbedtls_mpi_core_bitlen( const mbedtls_mpi_uint *A, size_t A_limbs ); + +/** Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint + * into the storage form used by mbedtls_mpi. + * + * \param[in,out] A The address of the MPI. + * \param A_limbs The number of limbs of \p A. + */ +void mbedtls_mpi_core_bigendian_to_host( mbedtls_mpi_uint *A, + size_t A_limbs ); + +/** + * \brief Perform a safe conditional copy of an MPI which doesn't reveal + * whether assignment was done or not. + * + * \param[out] X The address of the destination MPI. + * This must be initialized. Must have enough limbs to + * store the full value of \p A. + * \param[in] A The address of the source MPI. This must be initialized. + * \param limbs The number of limbs of \p A. + * \param assign The condition deciding whether to perform the + * assignment or not. Must be either 0 or 1: + * * \c 1: Perform the assignment `X = A`. + * * \c 0: Keep the original value of \p X. + * + * \note This function avoids leaking any information about whether + * the assignment was done or not. + * + * \warning If \p assign is neither 0 nor 1, the result of this function + * is indeterminate, and the resulting value in \p X might be + * neither its original value nor the value in \p A. + */ +void mbedtls_mpi_core_cond_assign( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + size_t limbs, + unsigned char assign ); + +/** + * \brief Perform a safe conditional swap of two MPIs which doesn't reveal + * whether the swap was done or not. + * + * \param[in,out] X The address of the first MPI. + * This must be initialized. + * \param[in,out] Y The address of the second MPI. + * This must be initialized. + * \param limbs The number of limbs of \p X and \p Y. + * \param swap The condition deciding whether to perform + * the swap or not. Must be either 0 or 1: + * * \c 1: Swap the values of \p X and \p Y. + * * \c 0: Keep the original values of \p X and \p Y. + * + * \note This function avoids leaking any information about whether + * the swap was done or not. + * + * \warning If \p swap is neither 0 nor 1, the result of this function + * is indeterminate, and both \p X and \p Y might end up with + * values different to either of the original ones. + */ +void mbedtls_mpi_core_cond_swap( mbedtls_mpi_uint *X, + mbedtls_mpi_uint *Y, + size_t limbs, + unsigned char swap ); + +/** Import X from unsigned binary data, little-endian. + * + * The MPI needs to have enough limbs to store the full value (including any + * most significant zero bytes in the input). + * + * \param[out] X The address of the MPI. + * \param X_limbs The number of limbs of \p X. + * \param[in] input The input buffer to import from. + * \param input_length The length bytes of \p input. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't + * large enough to hold the value in \p input. + */ +int mbedtls_mpi_core_read_le( mbedtls_mpi_uint *X, + size_t X_limbs, + const unsigned char *input, + size_t input_length ); + +/** Import X from unsigned binary data, big-endian. + * + * The MPI needs to have enough limbs to store the full value (including any + * most significant zero bytes in the input). + * + * \param[out] X The address of the MPI. + * May only be #NULL if \X_limbs is 0 and \p input_length + * is 0. + * \param X_limbs The number of limbs of \p X. + * \param[in] input The input buffer to import from. + * May only be #NULL if \p input_length is 0. + * \param input_length The length in bytes of \p input. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't + * large enough to hold the value in \p input. + */ +int mbedtls_mpi_core_read_be( mbedtls_mpi_uint *X, + size_t X_limbs, + const unsigned char *input, + size_t input_length ); + +/** Export A into unsigned binary data, little-endian. + * + * \note If \p output is shorter than \p A the export is still successful if the + * value held in \p A fits in the buffer (that is, if enough of the most + * significant bytes of \p A are 0). + * + * \param[in] A The address of the MPI. + * \param A_limbs The number of limbs of \p A. + * \param[out] output The output buffer to export to. + * \param output_length The length in bytes of \p output. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't + * large enough to hold the value of \p A. + */ +int mbedtls_mpi_core_write_le( const mbedtls_mpi_uint *A, + size_t A_limbs, + unsigned char *output, + size_t output_length ); + +/** Export A into unsigned binary data, big-endian. + * + * \note If \p output is shorter than \p A the export is still successful if the + * value held in \p A fits in the buffer (that is, if enough of the most + * significant bytes of \p A are 0). + * + * \param[in] A The address of the MPI. + * \param A_limbs The number of limbs of \p A. + * \param[out] output The output buffer to export to. + * \param output_length The length in bytes of \p output. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't + * large enough to hold the value of \p A. + */ +int mbedtls_mpi_core_write_be( const mbedtls_mpi_uint *A, + size_t A_limbs, + unsigned char *output, + size_t output_length ); + +/** \brief Shift an MPI right in place by a number of bits. + * + * Shifting by more bits than there are bit positions + * in \p X is valid and results in setting \p X to 0. + * + * This function's execution time depends on the value + * of \p count (and of course \p limbs). + * + * \param[in,out] X The number to shift. + * \param limbs The number of limbs of \p X. This must be at least 1. + * \param count The number of bits to shift by. + */ +void mbedtls_mpi_core_shift_r( mbedtls_mpi_uint *X, size_t limbs, + size_t count ); + +/** + * \brief Add two fixed-size large unsigned integers, returning the carry. + * + * Calculates `A + B` where `A` and `B` have the same size. + * + * This function operates modulo `2^(biL*limbs)` and returns the carry + * (1 if there was a wraparound, and 0 otherwise). + * + * \p X may be aliased to \p A or \p B. + * + * \param[out] X The result of the addition. + * \param[in] A Little-endian presentation of the left operand. + * \param[in] B Little-endian presentation of the right operand. + * \param limbs Number of limbs of \p X, \p A and \p B. + * + * \return 1 if `A + B >= 2^(biL*limbs)`, 0 otherwise. + */ +mbedtls_mpi_uint mbedtls_mpi_core_add( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + size_t limbs ); + +/** + * \brief Conditional addition of two fixed-size large unsigned integers, + * returning the carry. + * + * Functionally equivalent to + * + * ``` + * if( cond ) + * X += A; + * return carry; + * ``` + * + * This function operates modulo `2^(biL*limbs)`. + * + * \param[in,out] X The pointer to the (little-endian) array + * representing the bignum to accumulate onto. + * \param[in] A The pointer to the (little-endian) array + * representing the bignum to conditionally add + * to \p X. This may be aliased to \p X but may not + * overlap otherwise. + * \param limbs Number of limbs of \p X and \p A. + * \param cond Condition bit dictating whether addition should + * happen or not. This must be \c 0 or \c 1. + * + * \warning If \p cond is neither 0 nor 1, the result of this function + * is unspecified, and the resulting value in \p X might be + * neither its original value nor \p X + \p A. + * + * \return 1 if `X + cond * A >= 2^(biL*limbs)`, 0 otherwise. + */ +mbedtls_mpi_uint mbedtls_mpi_core_add_if( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + size_t limbs, + unsigned cond ); + +/** + * \brief Subtract two fixed-size large unsigned integers, returning the borrow. + * + * Calculate `A - B` where \p A and \p B have the same size. + * This function operates modulo `2^(biL*limbs)` and returns the carry + * (1 if there was a wraparound, i.e. if `A < B`, and 0 otherwise). + * + * \p X may be aliased to \p A or \p B, or even both, but may not overlap + * either otherwise. + * + * \param[out] X The result of the subtraction. + * \param[in] A Little-endian presentation of left operand. + * \param[in] B Little-endian presentation of right operand. + * \param limbs Number of limbs of \p X, \p A and \p B. + * + * \return 1 if `A < B`. + * 0 if `A >= B`. + */ +mbedtls_mpi_uint mbedtls_mpi_core_sub( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + size_t limbs ); + +/** + * \brief Perform a fixed-size multiply accumulate operation: X += b * A + * + * \p X may be aliased to \p A (when \p X_limbs == \p A_limbs), but may not + * otherwise overlap. + * + * This function operates modulo `2^(biL*X_limbs)`. + * + * \param[in,out] X The pointer to the (little-endian) array + * representing the bignum to accumulate onto. + * \param X_limbs The number of limbs of \p X. This must be + * at least \p A_limbs. + * \param[in] A The pointer to the (little-endian) array + * representing the bignum to multiply with. + * This may be aliased to \p X but may not overlap + * otherwise. + * \param A_limbs The number of limbs of \p A. + * \param b X scalar to multiply with. + * + * \return The carry at the end of the operation. + */ +mbedtls_mpi_uint mbedtls_mpi_core_mla( mbedtls_mpi_uint *X, size_t X_limbs, + const mbedtls_mpi_uint *A, size_t A_limbs, + mbedtls_mpi_uint b ); + +/** + * \brief Calculate initialisation value for fast Montgomery modular + * multiplication + * + * \param[in] N Little-endian presentation of the modulus. This must have + * at least one limb. + * + * \return The initialisation value for fast Montgomery modular multiplication + */ +mbedtls_mpi_uint mbedtls_mpi_core_montmul_init( const mbedtls_mpi_uint *N ); + +/** + * \brief Montgomery multiplication: X = A * B * R^-1 mod N (HAC 14.36) + * + * \p A and \p B must be in canonical form. That is, < \p N. + * + * \p X may be aliased to \p A or \p N, or even \p B (if \p AN_limbs == + * \p B_limbs) but may not overlap any parameters otherwise. + * + * \p A and \p B may alias each other, if \p AN_limbs == \p B_limbs. They may + * not alias \p N (since they must be in canonical form, they cannot == \p N). + * + * \param[out] X The destination MPI, as a little-endian array of + * length \p AN_limbs. + * On successful completion, X contains the result of + * the multiplication `A * B * R^-1` mod N where + * `R = 2^(biL*AN_limbs)`. + * \param[in] A Little-endian presentation of first operand. + * Must have the same number of limbs as \p N. + * \param[in] B Little-endian presentation of second operand. + * \param[in] B_limbs The number of limbs in \p B. + * Must be <= \p AN_limbs. + * \param[in] N Little-endian presentation of the modulus. + * This must be odd, and have exactly the same number + * of limbs as \p A. + * It may alias \p X, but must not alias or otherwise + * overlap any of the other parameters. + * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N. + * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL. + * This can be calculated by `mbedtls_mpi_core_montmul_init()`. + * \param[in,out] T Temporary storage of size at least 2*AN_limbs+1 limbs. + * Its initial content is unused and + * its final content is indeterminate. + * It must not alias or otherwise overlap any of the + * other parameters. + */ +void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, size_t B_limbs, + const mbedtls_mpi_uint *N, size_t AN_limbs, + mbedtls_mpi_uint mm, mbedtls_mpi_uint *T ); + +/** + * \brief Calculate the square of the Montgomery constant. (Needed + * for conversion and operations in Montgomery form.) + * + * \param[out] X A pointer to the result of the calculation of + * the square of the Montgomery constant: + * 2^{2*n*biL} mod N. + * \param[in] N Little-endian presentation of the modulus, which must be odd. + * + * \return 0 if successful. + * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if there is not enough space + * to store the value of Montgomery constant squared. + * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p N modulus is zero. + * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p N modulus is negative. + */ +int mbedtls_mpi_core_get_mont_r2_unsafe( mbedtls_mpi *X, + const mbedtls_mpi *N ); + +#if defined(MBEDTLS_TEST_HOOKS) +/** + * Copy an MPI from a table without leaking the index. + * + * \param dest The destination buffer. This must point to a writable + * buffer of at least \p limbs limbs. + * \param table The address of the table. This must point to a readable + * array of \p count elements of \p limbs limbs each. + * \param limbs The number of limbs in each table entry. + * \param count The number of entries in \p table. + * \param index The (secret) table index to look up. This must be in the + * range `0 .. count-1`. + */ +void mbedtls_mpi_core_ct_uint_table_lookup( mbedtls_mpi_uint *dest, + const mbedtls_mpi_uint *table, + size_t limbs, + size_t count, + size_t index ); +#endif /* MBEDTLS_TEST_HOOKS */ + +/** + * \brief Fill an integer with a number of random bytes. + * + * \param X The destination MPI. + * \param X_limbs The number of limbs of \p X. + * \param bytes The number of random bytes to generate. + * \param f_rng The RNG function to use. This must not be \c NULL. + * \param p_rng The RNG parameter to be passed to \p f_rng. This may be + * \c NULL if \p f_rng doesn't need a context argument. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p X does not have + * enough room for \p bytes bytes. + * \return A negative error code on RNG failure. + * + * \note The bytes obtained from the RNG are interpreted + * as a big-endian representation of an MPI; this can + * be relevant in applications like deterministic ECDSA. + */ +int mbedtls_mpi_core_fill_random( mbedtls_mpi_uint *X, size_t X_limbs, + size_t bytes, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + +/* BEGIN MERGE SLOT 1 */ + +/** + * \brief Returns the number of limbs of working memory required for + * a call to `mbedtls_mpi_core_exp_mod()`. + * + * \param AN_limbs The number of limbs in the input `A` and the modulus `N` + * (they must be the same size) that will be given to + * `mbedtls_mpi_core_exp_mod()`. + * \param E_limbs The number of limbs in the exponent `E` that will be given + * to `mbedtls_mpi_core_exp_mod()`. + * + * \return The number of limbs of working memory required by + * `mbedtls_mpi_core_exp_mod()`. + */ +size_t mbedtls_mpi_core_exp_mod_working_limbs( size_t AN_limbs, size_t E_limbs ); + +/** + * \brief Perform a modular exponentiation with secret exponent: + * X = A^E mod N, where \p A is already in Montgomery form. + * + * \param[out] X The destination MPI, as a little endian array of length + * \p AN_limbs. + * \param[in] A The base MPI, as a little endian array of length \p AN_limbs. + * Must be in Montgomery form. + * \param[in] N The modulus, as a little endian array of length \p AN_limbs. + * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR. + * \param[in] E The exponent, as a little endian array of length \p E_limbs. + * \param E_limbs The number of limbs in \p E. + * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little + * endian array of length \p AN_limbs. + * \param[in,out] T Temporary storage of at least the number of limbs returned + * by `mbedtls_mpi_core_exp_mod_working_limbs()`. + * Its initial content is unused and its final content is + * indeterminate. + * It must not alias or otherwise overlap any of the other + * parameters. + * It is up to the caller to zeroize \p T when it is no + * longer needed, and before freeing it if it was dynamically + * allocated. + */ +void mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, size_t AN_limbs, + const mbedtls_mpi_uint *E, size_t E_limbs, + const mbedtls_mpi_uint *RR, + mbedtls_mpi_uint *T ); + +/* END MERGE SLOT 1 */ + +/* BEGIN MERGE SLOT 2 */ + +/* END MERGE SLOT 2 */ + +/* BEGIN MERGE SLOT 3 */ + +/** + * \brief Subtract unsigned integer from known-size large unsigned integers. + * Return the borrow. + * + * \param[out] X The result of the subtraction. + * \param[in] A The left operand. + * \param b The unsigned scalar to subtract. + * \param limbs Number of limbs of \p X and \p A. + * + * \return 1 if `A < b`. + * 0 if `A >= b`. + */ +mbedtls_mpi_uint mbedtls_mpi_core_sub_int( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + mbedtls_mpi_uint b, + size_t limbs ); + +/* END MERGE SLOT 3 */ + +/* BEGIN MERGE SLOT 4 */ + +/* END MERGE SLOT 4 */ + +/* BEGIN MERGE SLOT 5 */ + +/* END MERGE SLOT 5 */ + +/* BEGIN MERGE SLOT 6 */ + +/* END MERGE SLOT 6 */ + +/* BEGIN MERGE SLOT 7 */ + +/* END MERGE SLOT 7 */ + +/* BEGIN MERGE SLOT 8 */ + +/* END MERGE SLOT 8 */ + +/* BEGIN MERGE SLOT 9 */ + +/* END MERGE SLOT 9 */ + +/* BEGIN MERGE SLOT 10 */ + +/* END MERGE SLOT 10 */ + +#endif /* MBEDTLS_BIGNUM_CORE_H */ diff --git a/thirdparty/mbedtls/library/bignum_internal.h b/thirdparty/mbedtls/library/bignum_internal.h deleted file mode 100644 index 8677dcf1f01fea..00000000000000 --- a/thirdparty/mbedtls/library/bignum_internal.h +++ /dev/null @@ -1,50 +0,0 @@ -/** - * Internal bignum functions - * - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef MBEDTLS_BIGNUM_INTERNAL_H -#define MBEDTLS_BIGNUM_INTERNAL_H - -#include "common.h" - -#if defined(MBEDTLS_BIGNUM_C) -#include "mbedtls/bignum.h" -#endif - -/** Perform a known-size multiply accumulate operation - * - * Add \p b * \p s to \p d. - * - * \param[in,out] d The pointer to the (little-endian) array - * representing the bignum to accumulate onto. - * \param d_len The number of limbs of \p d. This must be - * at least \p s_len. - * \param[in] s The pointer to the (little-endian) array - * representing the bignum to multiply with. - * This may be the same as \p d. Otherwise, - * it must be disjoint from \p d. - * \param s_len The number of limbs of \p s. - * \param b A scalar to multiply with. - * - * \return c The carry at the end of the operation. - */ -mbedtls_mpi_uint mbedtls_mpi_core_mla( mbedtls_mpi_uint *d, size_t d_len , - const mbedtls_mpi_uint *s, size_t s_len, - mbedtls_mpi_uint b ); - -#endif /* MBEDTLS_BIGNUM_INTERNAL_H */ diff --git a/thirdparty/mbedtls/library/bignum_mod.c b/thirdparty/mbedtls/library/bignum_mod.c new file mode 100644 index 00000000000000..7cf2fb22c95531 --- /dev/null +++ b/thirdparty/mbedtls/library/bignum_mod.c @@ -0,0 +1,288 @@ +/** + * Modular bignum functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "common.h" + +#if defined(MBEDTLS_BIGNUM_C) + +#include + +#include "mbedtls/platform_util.h" +#include "mbedtls/error.h" +#include "mbedtls/bignum.h" + +#include "mbedtls/platform.h" + +#include "bignum_core.h" +#include "bignum_mod.h" +#include "bignum_mod_raw.h" +#include "constant_time_internal.h" + +int mbedtls_mpi_mod_residue_setup( mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, + mbedtls_mpi_uint *p, + size_t p_limbs ) +{ + if( p_limbs != m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, m->limbs ) ) + return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + + r->limbs = m->limbs; + r->p = p; + + return( 0 ); +} + +void mbedtls_mpi_mod_residue_release( mbedtls_mpi_mod_residue *r ) +{ + if( r == NULL ) + return; + + r->limbs = 0; + r->p = NULL; +} + +void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ) +{ + if( m == NULL ) + return; + + m->p = NULL; + m->limbs = 0; + m->bits = 0; + m->int_rep = MBEDTLS_MPI_MOD_REP_INVALID; +} + +void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ) +{ + if( m == NULL ) + return; + + switch( m->int_rep ) + { + case MBEDTLS_MPI_MOD_REP_MONTGOMERY: + if (m->rep.mont.rr != NULL) + { + mbedtls_platform_zeroize( (mbedtls_mpi_uint *) m->rep.mont.rr, + m->limbs ); + mbedtls_free( (mbedtls_mpi_uint *)m->rep.mont.rr ); + m->rep.mont.rr = NULL; + } + m->rep.mont.mm = 0; + break; + case MBEDTLS_MPI_MOD_REP_OPT_RED: + mbedtls_free( m->rep.ored ); + break; + case MBEDTLS_MPI_MOD_REP_INVALID: + break; + } + + m->p = NULL; + m->limbs = 0; + m->bits = 0; + m->int_rep = MBEDTLS_MPI_MOD_REP_INVALID; +} + +static int set_mont_const_square( const mbedtls_mpi_uint **X, + const mbedtls_mpi_uint *A, + size_t limbs ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_mpi N; + mbedtls_mpi RR; + *X = NULL; + + mbedtls_mpi_init( &N ); + mbedtls_mpi_init( &RR ); + + if( A == NULL || limbs == 0 || limbs >= ( MBEDTLS_MPI_MAX_LIMBS / 2 ) - 2 ) + goto cleanup; + + if( mbedtls_mpi_grow( &N, limbs ) ) + goto cleanup; + + memcpy( N.p, A, sizeof(mbedtls_mpi_uint) * limbs ); + + ret = mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N); + + if( ret == 0 ) + { + *X = RR.p; + RR.p = NULL; + } + +cleanup: + mbedtls_mpi_free(&N); + mbedtls_mpi_free(&RR); + ret = ( ret != 0 ) ? MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED : 0; + return( ret ); +} + +int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m, + const mbedtls_mpi_uint *p, + size_t p_limbs, + mbedtls_mpi_mod_rep_selector int_rep ) +{ + int ret = 0; + + m->p = p; + m->limbs = p_limbs; + m->bits = mbedtls_mpi_core_bitlen( p, p_limbs ); + + switch( int_rep ) + { + case MBEDTLS_MPI_MOD_REP_MONTGOMERY: + m->int_rep = int_rep; + m->rep.mont.mm = mbedtls_mpi_core_montmul_init( m->p ); + ret = set_mont_const_square( &m->rep.mont.rr, m->p, m->limbs ); + break; + case MBEDTLS_MPI_MOD_REP_OPT_RED: + m->int_rep = int_rep; + m->rep.ored = NULL; + break; + default: + ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + goto exit; + } + +exit: + + if( ret != 0 ) + { + mbedtls_mpi_mod_modulus_free( m ); + } + + return( ret ); +} + +/* BEGIN MERGE SLOT 1 */ + +/* END MERGE SLOT 1 */ + +/* BEGIN MERGE SLOT 2 */ + +/* END MERGE SLOT 2 */ + +/* BEGIN MERGE SLOT 3 */ +int mbedtls_mpi_mod_sub( mbedtls_mpi_mod_residue *X, + const mbedtls_mpi_mod_residue *A, + const mbedtls_mpi_mod_residue *B, + const mbedtls_mpi_mod_modulus *N ) +{ + if( X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs ) + return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + + mbedtls_mpi_mod_raw_sub( X->p, A->p, B->p, N ); + + return( 0 ); +} +/* END MERGE SLOT 3 */ + +/* BEGIN MERGE SLOT 4 */ + +/* END MERGE SLOT 4 */ + +/* BEGIN MERGE SLOT 5 */ + +/* END MERGE SLOT 5 */ + +/* BEGIN MERGE SLOT 6 */ + +/* END MERGE SLOT 6 */ + +/* BEGIN MERGE SLOT 7 */ +int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, + const unsigned char *buf, + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ) +{ + int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + + /* Do our best to check if r and m have been set up */ + if( r->limbs == 0 || m->limbs == 0 ) + goto cleanup; + if( r->limbs != m->limbs ) + goto cleanup; + + ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen, ext_rep ); + if( ret != 0 ) + goto cleanup; + + r->limbs = m->limbs; + + if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m ); + +cleanup: + return ( ret ); +} + +int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, + unsigned char *buf, + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ) +{ + int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + + /* Do our best to check if r and m have been set up */ + if( r->limbs == 0 || m->limbs == 0 ) + goto cleanup; + if( r->limbs != m->limbs ) + goto cleanup; + + if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + { + ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m ); + if( ret != 0 ) + goto cleanup; + } + + ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen, ext_rep ); + + if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + { + /* If this fails, the value of r is corrupted and we want to return + * this error (as opposed to the error code from the write above) to + * let the caller know. If it succeeds, we want to return the error + * code from write above. */ + int conv_ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m ); + if( ret == 0 ) + ret = conv_ret; + } + +cleanup: + + return ( ret ); +} +/* END MERGE SLOT 7 */ + +/* BEGIN MERGE SLOT 8 */ + +/* END MERGE SLOT 8 */ + +/* BEGIN MERGE SLOT 9 */ + +/* END MERGE SLOT 9 */ + +/* BEGIN MERGE SLOT 10 */ + +/* END MERGE SLOT 10 */ + +#endif /* MBEDTLS_BIGNUM_C */ diff --git a/thirdparty/mbedtls/library/bignum_mod.h b/thirdparty/mbedtls/library/bignum_mod.h new file mode 100644 index 00000000000000..0a8f4d3d0c2ee9 --- /dev/null +++ b/thirdparty/mbedtls/library/bignum_mod.h @@ -0,0 +1,290 @@ +/** + * Modular bignum functions + * + * This module implements operations on integers modulo some fixed modulus. + */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_BIGNUM_MOD_H +#define MBEDTLS_BIGNUM_MOD_H + +#include "common.h" + +#if defined(MBEDTLS_BIGNUM_C) +#include "mbedtls/bignum.h" +#endif + +/* Skip 1 as it is slightly easier to accidentally pass to functions. */ +typedef enum +{ + MBEDTLS_MPI_MOD_REP_INVALID = 0, + MBEDTLS_MPI_MOD_REP_MONTGOMERY = 2, + MBEDTLS_MPI_MOD_REP_OPT_RED +} mbedtls_mpi_mod_rep_selector; + +/* Make mbedtls_mpi_mod_rep_selector and mbedtls_mpi_mod_ext_rep disjoint to + * make it easier to catch when they are accidentally swapped. */ +typedef enum +{ + MBEDTLS_MPI_MOD_EXT_REP_INVALID = 0, + MBEDTLS_MPI_MOD_EXT_REP_LE = 8, + MBEDTLS_MPI_MOD_EXT_REP_BE +} mbedtls_mpi_mod_ext_rep; + +typedef struct +{ + mbedtls_mpi_uint *p; + size_t limbs; +} mbedtls_mpi_mod_residue; + +typedef struct { + mbedtls_mpi_uint const *rr; /* The residue for 2^{2*n*biL} mod N */ + mbedtls_mpi_uint mm; /* Montgomery const for -N^{-1} mod 2^{ciL} */ +} mbedtls_mpi_mont_struct; + +typedef void *mbedtls_mpi_opt_red_struct; + +typedef struct { + const mbedtls_mpi_uint *p; + size_t limbs; // number of limbs + size_t bits; // bitlen of p + mbedtls_mpi_mod_rep_selector int_rep; // selector to signal the active member of the union + union rep + { + mbedtls_mpi_mont_struct mont; + mbedtls_mpi_opt_red_struct ored; + } rep; +} mbedtls_mpi_mod_modulus; + +/** Setup a residue structure. + * + * The residue will be set up with the buffer \p p and modulus \p m. + * + * The memory pointed to by \p p will be used by the resulting residue structure. + * The value at the pointed-to memory will be the initial value of \p r and must + * hold a value that is less than the modulus. This value will be used as-is + * and interpreted according to the value of the `m->int_rep` field. + * + * The modulus \p m will be the modulus associated with \p r. The residue \p r + * should only be used in operations where the modulus is \p m. + * + * \param[out] r The address of the residue to setup. + * \param[in] m The address of the modulus related to \p r. + * \param[in] p The address of the limb array containing the value of \p r. + * The memory pointed to by \p p will be used by \p r and must + * not be modified in any way until after + * mbedtls_mpi_mod_residue_release() is called. The data + * pointed to by \p p must be less than the modulus (the value + * pointed to by `m->p`) and already in the representation + * indicated by `m->int_rep`. + * \param p_limbs The number of limbs of \p p. Must be the same as the number + * of limbs in the modulus \p m. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the + * limbs in \p m or if \p p is not less than \p m. + */ +int mbedtls_mpi_mod_residue_setup( mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, + mbedtls_mpi_uint *p, + size_t p_limbs ); + +/** Unbind elements of a residue structure. + * + * This function removes the reference to the limb array that was passed to + * mbedtls_mpi_mod_residue_setup() to make it safe to free or use again. + * + * This function invalidates \p r and it must not be used until after + * mbedtls_mpi_mod_residue_setup() is called on it again. + * + * \param[out] r The address of residue to release. + */ +void mbedtls_mpi_mod_residue_release( mbedtls_mpi_mod_residue *r ); + +/** Initialize a modulus structure. + * + * \param[out] m The address of the modulus structure to initialize. + */ +void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ); + +/** Setup a modulus structure. + * + * \param[out] m The address of the modulus structure to populate. + * \param[in] p The address of the limb array storing the value of \p m. + * The memory pointed to by \p p will be used by \p m and must + * not be modified in any way until after + * mbedtls_mpi_mod_modulus_free() is called. + * \param p_limbs The number of limbs of \p p. + * \param int_rep The internal representation to be used for residues + * associated with \p m (see #mbedtls_mpi_mod_rep_selector). + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p int_rep is invalid. + */ +int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m, + const mbedtls_mpi_uint *p, + size_t p_limbs, + mbedtls_mpi_mod_rep_selector int_rep ); + +/** Free elements of a modulus structure. + * + * This function frees any memory allocated by mbedtls_mpi_mod_modulus_setup(). + * + * \warning This function does not free the limb array passed to + * mbedtls_mpi_mod_modulus_setup() only removes the reference to it, + * making it safe to free or to use it again. + * + * \param[in,out] m The address of the modulus structure to free. + */ +void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); + +/* BEGIN MERGE SLOT 1 */ + +/* END MERGE SLOT 1 */ + +/* BEGIN MERGE SLOT 2 */ + +/* END MERGE SLOT 2 */ + +/* BEGIN MERGE SLOT 3 */ +/** + * \brief Perform a fixed-size modular subtraction. + * + * Calculate `A - B modulo N`. + * + * \p A, \p B and \p X must all have the same number of limbs as \p N. + * + * \p X may be aliased to \p A or \p B, or even both, but may not overlap + * either otherwise. + * + * \note This function does not check that \p A or \p B are in canonical + * form (that is, are < \p N) - that will have been done by + * mbedtls_mpi_mod_residue_setup(). + * + * \param[out] X The address of the result MPI. Must be initialized. + * Must have the same number of limbs as the modulus \p N. + * \param[in] A The address of the first MPI. + * \param[in] B The address of the second MPI. + * \param[in] N The address of the modulus. Used to perform a modulo + * operation on the result of the subtraction. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not + * have the correct number of limbs. + */ +int mbedtls_mpi_mod_sub( mbedtls_mpi_mod_residue *X, + const mbedtls_mpi_mod_residue *A, + const mbedtls_mpi_mod_residue *B, + const mbedtls_mpi_mod_modulus *N ); +/* END MERGE SLOT 3 */ + +/* BEGIN MERGE SLOT 4 */ + +/* END MERGE SLOT 4 */ + +/* BEGIN MERGE SLOT 5 */ + +/* END MERGE SLOT 5 */ + +/* BEGIN MERGE SLOT 6 */ + +/* END MERGE SLOT 6 */ + +/* BEGIN MERGE SLOT 7 */ +/** Read a residue from a byte buffer. + * + * The residue will be automatically converted to the internal representation + * based on the value of the `m->int_rep` field. + * + * The modulus \p m will be the modulus associated with \p r. The residue \p r + * should only be used in operations where the modulus is \p m or a modulus + * equivalent to \p m (in the sense that all their fields or memory pointed by + * their fields hold the same value). + * + * \param[out] r The address of the residue. It must have exactly the same + * number of limbs as the modulus \p m. + * \param[in] m The address of the modulus. + * \param[in] buf The input buffer to import from. + * \param buflen The length in bytes of \p buf. + * \param ext_rep The endianness of the number in the input buffer. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p r isn't + * large enough to hold the value in \p buf. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep + * is invalid or the value in the buffer is not less than \p m. + */ +int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, + const unsigned char *buf, + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ); + +/** Write a residue into a byte buffer. + * + * The modulus \p m must be the modulus associated with \p r (see + * mbedtls_mpi_mod_residue_setup() and mbedtls_mpi_mod_read()). + * + * The residue will be automatically converted from the internal representation + * based on the value of `m->int_rep` field. + * + * \warning If the buffer is smaller than `m->bits`, the number of + * leading zeroes is leaked through timing. If \p r is + * secret, the caller must ensure that \p buflen is at least + * (`m->bits`+7)/8. + * + * \param[in] r The address of the residue. It must have the same number of + * limbs as the modulus \p m. (\p r is an input parameter, but + * its value will be modified during execution and restored + * before the function returns.) + * \param[in] m The address of the modulus associated with \r. + * \param[out] buf The output buffer to export to. + * \param buflen The length in bytes of \p buf. + * \param ext_rep The endianness in which the number should be written into + * the output buffer. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't + * large enough to hold the value of \p r (without leading + * zeroes). + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid. + * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough + * memory for conversion. Can occur only for moduli with + * MBEDTLS_MPI_MOD_REP_MONTGOMERY. + */ +int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, + unsigned char *buf, + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ); +/* END MERGE SLOT 7 */ + +/* BEGIN MERGE SLOT 8 */ + +/* END MERGE SLOT 8 */ + +/* BEGIN MERGE SLOT 9 */ + +/* END MERGE SLOT 9 */ + +/* BEGIN MERGE SLOT 10 */ + +/* END MERGE SLOT 10 */ + +#endif /* MBEDTLS_BIGNUM_MOD_H */ diff --git a/thirdparty/mbedtls/library/bignum_mod_raw.c b/thirdparty/mbedtls/library/bignum_mod_raw.c new file mode 100644 index 00000000000000..22e56b7e636fef --- /dev/null +++ b/thirdparty/mbedtls/library/bignum_mod_raw.c @@ -0,0 +1,199 @@ +/* + * Low-level modular bignum functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "common.h" + +#if defined(MBEDTLS_BIGNUM_C) + +#include + +#include "mbedtls/error.h" +#include "mbedtls/platform_util.h" + +#include "mbedtls/platform.h" + +#include "bignum_core.h" +#include "bignum_mod_raw.h" +#include "bignum_mod.h" +#include "constant_time_internal.h" + +void mbedtls_mpi_mod_raw_cond_assign( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_mod_modulus *N, + unsigned char assign ) +{ + mbedtls_mpi_core_cond_assign( X, A, N->limbs, assign ); +} + +void mbedtls_mpi_mod_raw_cond_swap( mbedtls_mpi_uint *X, + mbedtls_mpi_uint *Y, + const mbedtls_mpi_mod_modulus *N, + unsigned char swap ) +{ + mbedtls_mpi_core_cond_swap( X, Y, N->limbs, swap ); +} + +int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m, + const unsigned char *input, + size_t input_length, + mbedtls_mpi_mod_ext_rep ext_rep ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + switch( ext_rep ) + { + case MBEDTLS_MPI_MOD_EXT_REP_LE: + ret = mbedtls_mpi_core_read_le( X, m->limbs, + input, input_length ); + break; + case MBEDTLS_MPI_MOD_EXT_REP_BE: + ret = mbedtls_mpi_core_read_be( X, m->limbs, + input, input_length ); + break; + default: + return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + } + + if( ret != 0 ) + goto cleanup; + + if( !mbedtls_mpi_core_lt_ct( X, m->p, m->limbs ) ) + { + ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + goto cleanup; + } + +cleanup: + + return( ret ); +} + +int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, + const mbedtls_mpi_mod_modulus *m, + unsigned char *output, + size_t output_length, + mbedtls_mpi_mod_ext_rep ext_rep ) +{ + switch( ext_rep ) + { + case MBEDTLS_MPI_MOD_EXT_REP_LE: + return( mbedtls_mpi_core_write_le( A, m->limbs, + output, output_length ) ); + case MBEDTLS_MPI_MOD_EXT_REP_BE: + return( mbedtls_mpi_core_write_be( A, m->limbs, + output, output_length ) ); + default: + return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + } +} + +/* BEGIN MERGE SLOT 1 */ + +/* END MERGE SLOT 1 */ + +/* BEGIN MERGE SLOT 2 */ + +void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + const mbedtls_mpi_mod_modulus *N ) +{ + mbedtls_mpi_uint c = mbedtls_mpi_core_sub( X, A, B, N->limbs ); + + (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned) c ); +} + +/* END MERGE SLOT 2 */ + +/* BEGIN MERGE SLOT 3 */ + +/* END MERGE SLOT 3 */ + +/* BEGIN MERGE SLOT 4 */ + +/* END MERGE SLOT 4 */ + +/* BEGIN MERGE SLOT 5 */ +void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + const mbedtls_mpi_mod_modulus *N ) +{ + mbedtls_mpi_uint carry, borrow; + carry = mbedtls_mpi_core_add( X, A, B, N->limbs ); + borrow = mbedtls_mpi_core_sub( X, X, N->p, N->limbs ); + (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned) ( carry ^ borrow ) ); +} +/* END MERGE SLOT 5 */ + +/* BEGIN MERGE SLOT 6 */ + +/* END MERGE SLOT 6 */ + +/* BEGIN MERGE SLOT 7 */ +int mbedtls_mpi_mod_raw_to_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ) +{ + mbedtls_mpi_uint *T; + const size_t t_limbs = m->limbs * 2 + 1; + + if( ( T = (mbedtls_mpi_uint *) mbedtls_calloc( t_limbs, ciL ) ) == NULL ) + return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); + + mbedtls_mpi_core_montmul( X, X, m->rep.mont.rr, m->limbs, m->p, m->limbs, + m->rep.mont.mm, T ); + + mbedtls_platform_zeroize( T, t_limbs * ciL ); + mbedtls_free( T ); + return( 0 ); +} + +int mbedtls_mpi_mod_raw_from_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ) +{ + const mbedtls_mpi_uint one = 1; + const size_t t_limbs = m->limbs * 2 + 1; + mbedtls_mpi_uint *T; + + if( ( T = (mbedtls_mpi_uint *) mbedtls_calloc( t_limbs, ciL ) ) == NULL ) + return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); + + mbedtls_mpi_core_montmul( X, X, &one, 1, m->p, m->limbs, + m->rep.mont.mm, T ); + + mbedtls_platform_zeroize( T, t_limbs * ciL ); + mbedtls_free( T ); + return( 0 ); +} +/* END MERGE SLOT 7 */ + +/* BEGIN MERGE SLOT 8 */ + +/* END MERGE SLOT 8 */ + +/* BEGIN MERGE SLOT 9 */ + +/* END MERGE SLOT 9 */ + +/* BEGIN MERGE SLOT 10 */ + +/* END MERGE SLOT 10 */ + +#endif /* MBEDTLS_BIGNUM_C */ diff --git a/thirdparty/mbedtls/library/bignum_mod_raw.h b/thirdparty/mbedtls/library/bignum_mod_raw.h new file mode 100644 index 00000000000000..d7b6dd115e6ec1 --- /dev/null +++ b/thirdparty/mbedtls/library/bignum_mod_raw.h @@ -0,0 +1,250 @@ +/** + * Low-level modular bignum functions + * + * This interface should only be used by the higher-level modular bignum + * module (bignum_mod.c) and the ECP module (ecp.c, ecp_curves.c). All other + * modules should use the high-level modular bignum interface (bignum_mod.h) + * or the legacy bignum interface (bignum.h). + * + * This is a low-level interface to operations on integers modulo which + * has no protection against passing invalid arguments such as arrays of + * the wrong size. The functions in bignum_mod.h provide a higher-level + * interface that includes protections against accidental misuse, at the + * expense of code size and sometimes more cumbersome memory management. + */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_BIGNUM_MOD_RAW_H +#define MBEDTLS_BIGNUM_MOD_RAW_H + +#include "common.h" + +#if defined(MBEDTLS_BIGNUM_C) +#include "mbedtls/bignum.h" +#endif + +#include "bignum_mod.h" + +/** + * \brief Perform a safe conditional copy of an MPI which doesn't reveal + * whether the assignment was done or not. + * + * The size to copy is determined by \p N. + * + * \param[out] X The address of the destination MPI. + * This must be initialized. Must have enough limbs to + * store the full value of \p A. + * \param[in] A The address of the source MPI. This must be initialized. + * \param[in] N The address of the modulus related to \p X and \p A. + * \param assign The condition deciding whether to perform the + * assignment or not. Must be either 0 or 1: + * * \c 1: Perform the assignment `X = A`. + * * \c 0: Keep the original value of \p X. + * + * \note This function avoids leaking any information about whether + * the assignment was done or not. + * + * \warning If \p assign is neither 0 nor 1, the result of this function + * is indeterminate, and the resulting value in \p X might be + * neither its original value nor the value in \p A. + */ +void mbedtls_mpi_mod_raw_cond_assign( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_mod_modulus *N, + unsigned char assign ); + +/** + * \brief Perform a safe conditional swap of two MPIs which doesn't reveal + * whether the swap was done or not. + * + * The size to swap is determined by \p N. + * + * \param[in,out] X The address of the first MPI. This must be initialized. + * \param[in,out] Y The address of the second MPI. This must be initialized. + * \param[in] N The address of the modulus related to \p X and \p Y. + * \param swap The condition deciding whether to perform + * the swap or not. Must be either 0 or 1: + * * \c 1: Swap the values of \p X and \p Y. + * * \c 0: Keep the original values of \p X and \p Y. + * + * \note This function avoids leaking any information about whether + * the swap was done or not. + * + * \warning If \p swap is neither 0 nor 1, the result of this function + * is indeterminate, and both \p X and \p Y might end up with + * values different to either of the original ones. + */ +void mbedtls_mpi_mod_raw_cond_swap( mbedtls_mpi_uint *X, + mbedtls_mpi_uint *Y, + const mbedtls_mpi_mod_modulus *N, + unsigned char swap ); + +/** Import X from unsigned binary data. + * + * The MPI needs to have enough limbs to store the full value (including any + * most significant zero bytes in the input). + * + * \param[out] X The address of the MPI. The size is determined by \p m. + * (In particular, it must have at least as many limbs as + * the modulus \p m.) + * \param[in] m The address of the modulus related to \p X. + * \param[in] input The input buffer to import from. + * \param input_length The length in bytes of \p input. + * \param ext_rep The endianness of the number in the input buffer. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't + * large enough to hold the value in \p input. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation + * of \p m is invalid or \p X is not less than \p m. + */ +int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m, + const unsigned char *input, + size_t input_length, + mbedtls_mpi_mod_ext_rep ext_rep ); + +/** Export A into unsigned binary data. + * + * \param[in] A The address of the MPI. The size is determined by \p m. + * (In particular, it must have at least as many limbs as + * the modulus \p m.) + * \param[in] m The address of the modulus related to \p A. + * \param[out] output The output buffer to export to. + * \param output_length The length in bytes of \p output. + * \param ext_rep The endianness in which the number should be written into the output buffer. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't + * large enough to hold the value of \p A. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation + * of \p m is invalid. + */ +int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, + const mbedtls_mpi_mod_modulus *m, + unsigned char *output, + size_t output_length, + mbedtls_mpi_mod_ext_rep ext_rep ); + +/* BEGIN MERGE SLOT 1 */ + +/* END MERGE SLOT 1 */ + +/* BEGIN MERGE SLOT 2 */ + +/** \brief Subtract two MPIs, returning the residue modulo the specified + * modulus. + * + * The size of the operation is determined by \p N. \p A and \p B must have + * the same number of limbs as \p N. + * + * \p X may be aliased to \p A or \p B, or even both, but may not overlap + * either otherwise. + * + * \param[out] X The address of the result MPI. + * This must be initialized. Must have enough limbs to + * store the full value of the result. + * \param[in] A The address of the first MPI. This must be initialized. + * \param[in] B The address of the second MPI. This must be initialized. + * \param[in] N The address of the modulus. Used to perform a modulo + * operation on the result of the subtraction. + */ +void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + const mbedtls_mpi_mod_modulus *N ); + +/* END MERGE SLOT 2 */ + +/* BEGIN MERGE SLOT 3 */ + +/* END MERGE SLOT 3 */ + +/* BEGIN MERGE SLOT 4 */ + +/* END MERGE SLOT 4 */ + +/* BEGIN MERGE SLOT 5 */ +/** + * \brief Perform a known-size modular addition. + * + * Calculate `A + B modulo N`. + * + * The number of limbs in each operand, and the result, is given by the + * modulus \p N. + * + * \p X may be aliased to \p A or \p B, or even both, but may not overlap + * either otherwise. + * + * \param[out] X The result of the modular addition. + * \param[in] A Little-endian presentation of the left operand. This + * must be smaller than \p N. + * \param[in] B Little-endian presentation of the right operand. This + * must be smaller than \p N. + * \param[in] N The address of the modulus. + */ +void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + const mbedtls_mpi_mod_modulus *N ); +/* END MERGE SLOT 5 */ + +/* BEGIN MERGE SLOT 6 */ + +/* END MERGE SLOT 6 */ + +/* BEGIN MERGE SLOT 7 */ +/** Convert an MPI into Montgomery form. + * + * \param X The address of the MPI. + * Must have the same number of limbs as \p m. + * \param m The address of the modulus, which gives the size of + * the base `R` = 2^(biL*m->limbs). + * + * \return \c 0 if successful. + */ +int mbedtls_mpi_mod_raw_to_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ); + +/** Convert an MPI back from Montgomery representation. + * + * \param X The address of the MPI. + * Must have the same number of limbs as \p m. + * \param m The address of the modulus, which gives the size of + * the base `R`= 2^(biL*m->limbs). + * + * \return \c 0 if successful. + */ +int mbedtls_mpi_mod_raw_from_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ); +/* END MERGE SLOT 7 */ + +/* BEGIN MERGE SLOT 8 */ + +/* END MERGE SLOT 8 */ + +/* BEGIN MERGE SLOT 9 */ + +/* END MERGE SLOT 9 */ + +/* BEGIN MERGE SLOT 10 */ + +/* END MERGE SLOT 10 */ + +#endif /* MBEDTLS_BIGNUM_MOD_RAW_H */ diff --git a/thirdparty/mbedtls/library/bn_mul.h b/thirdparty/mbedtls/library/bn_mul.h index 962d7a97b3181c..6b8106f9fe1827 100644 --- a/thirdparty/mbedtls/library/bn_mul.h +++ b/thirdparty/mbedtls/library/bn_mul.h @@ -90,13 +90,29 @@ #if defined(__GNUC__) && \ ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) +/* + * GCC < 5.0 treated the x86 ebx (which is used for the GOT) as a + * fixed reserved register when building as PIC, leading to errors + * like: bn_mul.h:46:13: error: PIC register clobbered by 'ebx' in 'asm' + * + * This is fixed by an improved register allocator in GCC 5+. From the + * release notes: + * Register allocation improvements: Reuse of the PIC hard register, + * instead of using a fixed register, was implemented on x86/x86-64 + * targets. This improves generated PIC code performance as more hard + * registers can be used. + */ +#if defined(__GNUC__) && __GNUC__ < 5 && defined(__PIC__) +#define MULADDC_CANNOT_USE_EBX +#endif + /* * Disable use of the i386 assembly code below if option -O0, to disable all * compiler optimisations, is passed, detected with __OPTIMIZE__ * This is done as the number of registers used in the assembly code doesn't * work with the -O0 option. */ -#if defined(__i386__) && defined(__OPTIMIZE__) +#if defined(__i386__) && defined(__OPTIMIZE__) && !defined(MULADDC_CANNOT_USE_EBX) #define MULADDC_X1_INIT \ { mbedtls_mpi_uint t; \ @@ -566,10 +582,20 @@ "andi r7, r6, 0xffff \n\t" \ "bsrli r6, r6, 16 \n\t" -#define MULADDC_X1_CORE \ +#if(__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) +#define MULADDC_LHUI \ + "lhui r9, r3, 0 \n\t" \ + "addi r3, r3, 2 \n\t" \ + "lhui r8, r3, 0 \n\t" +#else +#define MULADDC_LHUI \ "lhui r8, r3, 0 \n\t" \ "addi r3, r3, 2 \n\t" \ - "lhui r9, r3, 0 \n\t" \ + "lhui r9, r3, 0 \n\t" +#endif + +#define MULADDC_X1_CORE \ + MULADDC_LHUI \ "addi r3, r3, 2 \n\t" \ "mul r10, r9, r6 \n\t" \ "mul r11, r8, r7 \n\t" \ @@ -717,10 +743,10 @@ #define MULADDC_X1_CORE \ ".p2align 2 \n\t" \ - "ldr.w %[a], [%[in]], #4 \n\t" \ - "ldr.w %[b], [%[acc]] \n\t" \ + "ldr %[a], [%[in]], #4 \n\t" \ + "ldr %[b], [%[acc]] \n\t" \ "umaal %[b], %[carry], %[scalar], %[a] \n\t" \ - "str.w %[b], [%[acc]], #4 \n\t" + "str %[b], [%[acc]], #4 \n\t" #define MULADDC_X1_STOP \ : [a] "=&r" (tmp_a), \ @@ -751,14 +777,14 @@ * 2 cycles, while subsequent loads/stores are single-cycle. */ #define MULADDC_X2_CORE \ ".p2align 2 \n\t" \ - "ldr.w %[a0], [%[in]], #+8 \n\t" \ - "ldr.w %[b0], [%[acc]], #+8 \n\t" \ - "ldr.w %[a1], [%[in], #-4] \n\t" \ - "ldr.w %[b1], [%[acc], #-4] \n\t" \ + "ldr %[a0], [%[in]], #+8 \n\t" \ + "ldr %[b0], [%[acc]], #+8 \n\t" \ + "ldr %[a1], [%[in], #-4] \n\t" \ + "ldr %[b1], [%[acc], #-4] \n\t" \ "umaal %[b0], %[carry], %[scalar], %[a0] \n\t" \ "umaal %[b1], %[carry], %[scalar], %[a1] \n\t" \ - "str.w %[b0], [%[acc], #-8] \n\t" \ - "str.w %[b1], [%[acc], #-4] \n\t" + "str %[b0], [%[acc], #-8] \n\t" \ + "str %[b1], [%[acc], #-4] \n\t" #define MULADDC_X2_STOP \ : [a0] "=&r" (tmp_a0), \ diff --git a/thirdparty/mbedtls/library/camellia.c b/thirdparty/mbedtls/library/camellia.c index 29d730ab5369bf..5dd6c56157b58f 100644 --- a/thirdparty/mbedtls/library/camellia.c +++ b/thirdparty/mbedtls/library/camellia.c @@ -32,23 +32,10 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_CAMELLIA_ALT) -/* Parameter validation macros */ -#define CAMELLIA_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA ) -#define CAMELLIA_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - static const unsigned char SIGMA_CHARS[6][8] = { { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b }, @@ -298,7 +285,6 @@ static void camellia_feistel( const uint32_t x[2], const uint32_t k[2], void mbedtls_camellia_init( mbedtls_camellia_context *ctx ) { - CAMELLIA_VALIDATE( ctx != NULL ); memset( ctx, 0, sizeof( mbedtls_camellia_context ) ); } @@ -325,9 +311,6 @@ int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, uint32_t KC[16]; uint32_t TK[20]; - CAMELLIA_VALIDATE_RET( ctx != NULL ); - CAMELLIA_VALIDATE_RET( key != NULL ); - RK = ctx->rk; memset( t, 0, 64 ); @@ -431,8 +414,6 @@ int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, mbedtls_camellia_context cty; uint32_t *RK; uint32_t *SK; - CAMELLIA_VALIDATE_RET( ctx != NULL ); - CAMELLIA_VALIDATE_RET( key != NULL ); mbedtls_camellia_init( &cty ); @@ -480,11 +461,8 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx, { int NR; uint32_t *RK, X[4]; - CAMELLIA_VALIDATE_RET( ctx != NULL ); - CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || - mode == MBEDTLS_CAMELLIA_DECRYPT ); - CAMELLIA_VALIDATE_RET( input != NULL ); - CAMELLIA_VALIDATE_RET( output != NULL ); + if( mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT ) + return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; ( (void) mode ); @@ -550,12 +528,8 @@ int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx, { int i; unsigned char temp[16]; - CAMELLIA_VALIDATE_RET( ctx != NULL ); - CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || - mode == MBEDTLS_CAMELLIA_DECRYPT ); - CAMELLIA_VALIDATE_RET( iv != NULL ); - CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); - CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); + if( mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT ) + return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; if( length % 16 ) return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH ); @@ -611,13 +585,8 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, { int c; size_t n; - CAMELLIA_VALIDATE_RET( ctx != NULL ); - CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT || - mode == MBEDTLS_CAMELLIA_DECRYPT ); - CAMELLIA_VALIDATE_RET( iv != NULL ); - CAMELLIA_VALIDATE_RET( iv_off != NULL ); - CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); - CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); + if( mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT ) + return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA; n = *iv_off; if( n >= 16 ) @@ -670,12 +639,6 @@ int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx, { int c, i; size_t n; - CAMELLIA_VALIDATE_RET( ctx != NULL ); - CAMELLIA_VALIDATE_RET( nonce_counter != NULL ); - CAMELLIA_VALIDATE_RET( stream_block != NULL ); - CAMELLIA_VALIDATE_RET( nc_off != NULL ); - CAMELLIA_VALIDATE_RET( length == 0 || input != NULL ); - CAMELLIA_VALIDATE_RET( length == 0 || output != NULL ); n = *nc_off; if( n >= 16 ) diff --git a/thirdparty/mbedtls/library/ccm.c b/thirdparty/mbedtls/library/ccm.c index 3edfba36695b60..675783e4cab76e 100644 --- a/thirdparty/mbedtls/library/ccm.c +++ b/thirdparty/mbedtls/library/ccm.c @@ -144,7 +144,7 @@ static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx) unsigned char i; size_t len_left, olen; - /* length calulcation can be done only after both + /* length calculation can be done only after both * mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed */ if( !(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET) ) diff --git a/thirdparty/mbedtls/library/chacha20.c b/thirdparty/mbedtls/library/chacha20.c index 658f0469017059..85d7461aac341c 100644 --- a/thirdparty/mbedtls/library/chacha20.c +++ b/thirdparty/mbedtls/library/chacha20.c @@ -32,28 +32,10 @@ #include #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_CHACHA20_ALT) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - -/* Parameter validation macros */ -#define CHACHA20_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ) -#define CHACHA20_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - #define ROTL32( value, amount ) \ ( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) ) @@ -172,8 +154,6 @@ static void chacha20_block( const uint32_t initial_state[16], void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx ) { - CHACHA20_VALIDATE( ctx != NULL ); - mbedtls_platform_zeroize( ctx->state, sizeof( ctx->state ) ); mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) ); @@ -192,9 +172,6 @@ void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx ) int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx, const unsigned char key[32] ) { - CHACHA20_VALIDATE_RET( ctx != NULL ); - CHACHA20_VALIDATE_RET( key != NULL ); - /* ChaCha20 constants - the string "expand 32-byte k" */ ctx->state[0] = 0x61707865; ctx->state[1] = 0x3320646e; @@ -218,9 +195,6 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, const unsigned char nonce[12], uint32_t counter ) { - CHACHA20_VALIDATE_RET( ctx != NULL ); - CHACHA20_VALIDATE_RET( nonce != NULL ); - /* Counter */ ctx->state[12] = counter; @@ -245,10 +219,6 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, size_t offset = 0U; size_t i; - CHACHA20_VALIDATE_RET( ctx != NULL ); - CHACHA20_VALIDATE_RET( size == 0 || input != NULL ); - CHACHA20_VALIDATE_RET( size == 0 || output != NULL ); - /* Use leftover keystream bytes, if available */ while( size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES ) { @@ -312,11 +282,6 @@ int mbedtls_chacha20_crypt( const unsigned char key[32], mbedtls_chacha20_context ctx; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - CHACHA20_VALIDATE_RET( key != NULL ); - CHACHA20_VALIDATE_RET( nonce != NULL ); - CHACHA20_VALIDATE_RET( data_len == 0 || input != NULL ); - CHACHA20_VALIDATE_RET( data_len == 0 || output != NULL ); - mbedtls_chacha20_init( &ctx ); ret = mbedtls_chacha20_setkey( &ctx, key ); diff --git a/thirdparty/mbedtls/library/chachapoly.c b/thirdparty/mbedtls/library/chachapoly.c index dc75b2030a480b..e283853a409241 100644 --- a/thirdparty/mbedtls/library/chachapoly.c +++ b/thirdparty/mbedtls/library/chachapoly.c @@ -28,23 +28,10 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_CHACHAPOLY_ALT) -/* Parameter validation macros */ -#define CHACHAPOLY_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ) -#define CHACHAPOLY_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - #define CHACHAPOLY_STATE_INIT ( 0 ) #define CHACHAPOLY_STATE_AAD ( 1 ) #define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */ @@ -91,8 +78,6 @@ static int chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx ) void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx ) { - CHACHAPOLY_VALIDATE( ctx != NULL ); - mbedtls_chacha20_init( &ctx->chacha20_ctx ); mbedtls_poly1305_init( &ctx->poly1305_ctx ); ctx->aad_len = 0U; @@ -118,8 +103,6 @@ int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx, const unsigned char key[32] ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - CHACHAPOLY_VALIDATE_RET( ctx != NULL ); - CHACHAPOLY_VALIDATE_RET( key != NULL ); ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key ); @@ -132,8 +115,6 @@ int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char poly1305_key[64]; - CHACHAPOLY_VALIDATE_RET( ctx != NULL ); - CHACHAPOLY_VALIDATE_RET( nonce != NULL ); /* Set counter = 0, will be update to 1 when generating Poly1305 key */ ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U ); @@ -170,9 +151,6 @@ int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx, const unsigned char *aad, size_t aad_len ) { - CHACHAPOLY_VALIDATE_RET( ctx != NULL ); - CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL ); - if( ctx->state != CHACHAPOLY_STATE_AAD ) return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE ); @@ -187,9 +165,6 @@ int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx, unsigned char *output ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - CHACHAPOLY_VALIDATE_RET( ctx != NULL ); - CHACHAPOLY_VALIDATE_RET( len == 0 || input != NULL ); - CHACHAPOLY_VALIDATE_RET( len == 0 || output != NULL ); if( ( ctx->state != CHACHAPOLY_STATE_AAD ) && ( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) ) @@ -237,8 +212,6 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char len_block[16]; - CHACHAPOLY_VALIDATE_RET( ctx != NULL ); - CHACHAPOLY_VALIDATE_RET( mac != NULL ); if( ctx->state == CHACHAPOLY_STATE_INIT ) { @@ -314,13 +287,6 @@ int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx, unsigned char *output, unsigned char tag[16] ) { - CHACHAPOLY_VALIDATE_RET( ctx != NULL ); - CHACHAPOLY_VALIDATE_RET( nonce != NULL ); - CHACHAPOLY_VALIDATE_RET( tag != NULL ); - CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL ); - CHACHAPOLY_VALIDATE_RET( length == 0 || input != NULL ); - CHACHAPOLY_VALIDATE_RET( length == 0 || output != NULL ); - return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT, length, nonce, aad, aad_len, input, output, tag ) ); @@ -339,12 +305,6 @@ int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx, unsigned char check_tag[16]; size_t i; int diff; - CHACHAPOLY_VALIDATE_RET( ctx != NULL ); - CHACHAPOLY_VALIDATE_RET( nonce != NULL ); - CHACHAPOLY_VALIDATE_RET( tag != NULL ); - CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL ); - CHACHAPOLY_VALIDATE_RET( length == 0 || input != NULL ); - CHACHAPOLY_VALIDATE_RET( length == 0 || output != NULL ); if( ( ret = chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce, diff --git a/thirdparty/mbedtls/library/check_crypto_config.h b/thirdparty/mbedtls/library/check_crypto_config.h index d7ad16a6170f8c..e60e6661620dda 100644 --- a/thirdparty/mbedtls/library/check_crypto_config.h +++ b/thirdparty/mbedtls/library/check_crypto_config.h @@ -88,4 +88,14 @@ #error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_USE_PSA_CRYPTO) && \ + !( defined(PSA_WANT_ALG_SHA_1) || defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_512) ) +#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites" +#endif + +#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) && \ + !defined(PSA_WANT_ALG_SHA_256) +#error "PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS defined, but not all prerequisites" +#endif + #endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */ diff --git a/thirdparty/mbedtls/library/cipher.c b/thirdparty/mbedtls/library/cipher.c index 0bac4ee993ab4c..dffe3adca407e4 100644 --- a/thirdparty/mbedtls/library/cipher.c +++ b/thirdparty/mbedtls/library/cipher.c @@ -63,17 +63,7 @@ #include "mbedtls/nist_kw.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif - -#define CIPHER_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) -#define CIPHER_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) static int supported_init = 0; @@ -143,7 +133,6 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx ) { - CIPHER_VALIDATE( ctx != NULL ); memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); } @@ -193,7 +182,6 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx ) int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info ) { - CIPHER_VALIDATE_RET( ctx != NULL ); if( cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -257,10 +245,8 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, int key_bitlen, const mbedtls_operation_t operation ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( key != NULL ); - CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT || - operation == MBEDTLS_DECRYPT ); + if( operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT ) + return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -356,8 +342,6 @@ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, { size_t actual_iv_size; - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -453,7 +437,6 @@ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ) { - CIPHER_VALIDATE_RET( ctx != NULL ); if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -475,8 +458,6 @@ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ) int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, const unsigned char *ad, size_t ad_len ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -519,7 +500,7 @@ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, } #endif - return( 0 ); + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); } #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ @@ -529,10 +510,6 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t block_size; - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); - CIPHER_VALIDATE_RET( olen != NULL ); if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -952,9 +929,6 @@ static int get_no_padding( unsigned char *input, size_t input_len, int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, unsigned char *output, size_t *olen ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); - CIPHER_VALIDATE_RET( olen != NULL ); if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -1054,8 +1028,6 @@ int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode ) { return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -1117,8 +1089,6 @@ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, unsigned char *tag, size_t tag_len ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -1159,7 +1129,7 @@ int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, } #endif - return( 0 ); + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); } int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, @@ -1168,8 +1138,6 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, unsigned char check_tag[16]; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); if( ctx->cipher_info == NULL ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -1188,11 +1156,8 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ - /* Status to return on a non-authenticated algorithm. It would make sense - * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps - * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our - * unit tests assume 0. */ - ret = 0; + /* Status to return on a non-authenticated algorithm. */ + ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; #if defined(MBEDTLS_GCM_C) if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) @@ -1261,12 +1226,6 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t finish_olen; - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); - CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); - CIPHER_VALIDATE_RET( olen != NULL ); - #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ctx->psa_enabled == 1 ) { @@ -1542,13 +1501,6 @@ int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, unsigned char *output, size_t output_len, size_t *olen, size_t tag_len ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); - CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); - CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output != NULL ); - CIPHER_VALIDATE_RET( olen != NULL ); - #if defined(MBEDTLS_NIST_KW_C) if( #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1598,13 +1550,6 @@ int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, unsigned char *output, size_t output_len, size_t *olen, size_t tag_len ) { - CIPHER_VALIDATE_RET( ctx != NULL ); - CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); - CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); - CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); - CIPHER_VALIDATE_RET( output_len == 0 || output != NULL ); - CIPHER_VALIDATE_RET( olen != NULL ); - #if defined(MBEDTLS_NIST_KW_C) if( #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/thirdparty/mbedtls/library/cipher_wrap.c b/thirdparty/mbedtls/library/cipher_wrap.c index 7da7d9d5229fde..8e395b30144019 100644 --- a/thirdparty/mbedtls/library/cipher_wrap.c +++ b/thirdparty/mbedtls/library/cipher_wrap.c @@ -68,13 +68,7 @@ #include #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #if defined(MBEDTLS_GCM_C) /* shared by all GCM ciphers */ diff --git a/thirdparty/mbedtls/library/common.h b/thirdparty/mbedtls/library/common.h index a630fcc45682ff..25d5294e1ad96f 100644 --- a/thirdparty/mbedtls/library/common.h +++ b/thirdparty/mbedtls/library/common.h @@ -25,6 +25,7 @@ #include "mbedtls/build_info.h" +#include #include /** Helper to define a function as static except when building invasive tests. @@ -68,6 +69,44 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c */ #define MBEDTLS_ALLOW_PRIVATE_ACCESS +/** Return an offset into a buffer. + * + * This is just the addition of an offset to a pointer, except that this + * function also accepts an offset of 0 into a buffer whose pointer is null. + * (`p + n` has undefined behavior when `p` is null, even when `n == 0`. + * A null pointer is a valid buffer pointer when the size is 0, for example + * as the result of `malloc(0)` on some platforms.) + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline unsigned char *mbedtls_buffer_offset( + unsigned char *p, size_t n ) +{ + return( p == NULL ? NULL : p + n ); +} + +/** Return an offset into a read-only buffer. + * + * Similar to mbedtls_buffer_offset(), but for const pointers. + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline const unsigned char *mbedtls_buffer_offset_const( + const unsigned char *p, size_t n ) +{ + return( p == NULL ? NULL : p + n ); +} + /** Byte Reading Macros * * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th diff --git a/thirdparty/mbedtls/library/constant_time.c b/thirdparty/mbedtls/library/constant_time.c index 47e9b02d6b2618..510304e32f3c17 100644 --- a/thirdparty/mbedtls/library/constant_time.c +++ b/thirdparty/mbedtls/library/constant_time.c @@ -30,6 +30,7 @@ #if defined(MBEDTLS_BIGNUM_C) #include "mbedtls/bignum.h" +#include "bignum_core.h" #endif #if defined(MBEDTLS_SSL_TLS_C) @@ -81,7 +82,7 @@ unsigned mbedtls_ct_uint_mask( unsigned value ) #endif } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) size_t mbedtls_ct_size_mask( size_t value ) { @@ -97,7 +98,7 @@ size_t mbedtls_ct_size_mask( size_t value ) #endif } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) @@ -272,7 +273,7 @@ unsigned mbedtls_ct_uint_if( unsigned condition, * \note if1 and if0 must be either 1 or -1, otherwise the result * is undefined. * - * \param condition Condition to test. + * \param condition Condition to test; must be either 0 or 1. * \param if1 The first sign; must be either +1 or -1. * \param if0 The second sign; must be either +1 or -1. * @@ -404,7 +405,7 @@ static void mbedtls_ct_mem_move_to_left( void *start, #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) void mbedtls_ct_memcpy_if_eq( unsigned char *dest, const unsigned char *src, @@ -654,7 +655,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) @@ -678,21 +679,19 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, unsigned char assign ) { int ret = 0; - size_t i; - mbedtls_mpi_uint limb_mask; MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( Y != NULL ); /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ - limb_mask = mbedtls_ct_mpi_uint_mask( assign );; + mbedtls_mpi_uint limb_mask = mbedtls_ct_mpi_uint_mask( assign ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s ); - mbedtls_ct_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign ); + mbedtls_mpi_core_cond_assign( X->p, Y->p, Y->n, assign ); - for( i = Y->n; i < X->n; i++ ) + for( size_t i = Y->n; i < X->n; i++ ) X->p[i] &= ~limb_mask; cleanup: @@ -709,19 +708,14 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap ) { - int ret, s; - size_t i; - mbedtls_mpi_uint limb_mask; - mbedtls_mpi_uint tmp; + int ret = 0; + int s; MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( Y != NULL ); if( X == Y ) return( 0 ); - /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */ - limb_mask = mbedtls_ct_mpi_uint_mask( swap ); - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); @@ -729,15 +723,53 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s ); Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s ); + mbedtls_mpi_core_cond_swap( X->p, Y->p, X->n, swap ); + +cleanup: + return( ret ); +} + +/* + * Compare unsigned values in constant time + */ +unsigned mbedtls_mpi_core_lt_ct( const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + size_t limbs ) +{ + unsigned ret, cond, done; + + /* The value of any of these variables is either 0 or 1 for the rest of + * their scope. */ + ret = cond = done = 0; - for( i = 0; i < X->n; i++ ) + for( size_t i = limbs; i > 0; i-- ) { - tmp = X->p[i]; - X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask ); - Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask ); + /* + * If B[i - 1] < A[i - 1] then A < B is false and the result must + * remain 0. + * + * Again even if we can make a decision, we just mark the result and + * the fact that we are done and continue looping. + */ + cond = mbedtls_ct_mpi_uint_lt( B[i - 1], A[i - 1] ); + done |= cond; + + /* + * If A[i - 1] < B[i - 1] then A < B is true. + * + * Again even if we can make a decision, we just mark the result and + * the fact that we are done and continue looping. + */ + cond = mbedtls_ct_mpi_uint_lt( A[i - 1], B[i - 1] ); + ret |= cond & ( 1 - done ); + done |= cond; } -cleanup: + /* + * If all the limbs were equal, then the numbers are equal, A < B is false + * and leaving the result 0 is correct. + */ + return( ret ); } diff --git a/thirdparty/mbedtls/library/constant_time_internal.h b/thirdparty/mbedtls/library/constant_time_internal.h index 9466bc37899e86..1e4a3ab0be2a79 100644 --- a/thirdparty/mbedtls/library/constant_time_internal.h +++ b/thirdparty/mbedtls/library/constant_time_internal.h @@ -46,7 +46,7 @@ */ unsigned mbedtls_ct_uint_mask( unsigned value ); -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /** Turn a value into a mask: * - if \p value == 0, return the all-bits 0 mask, aka 0 @@ -61,7 +61,7 @@ unsigned mbedtls_ct_uint_mask( unsigned value ); */ size_t mbedtls_ct_size_mask( size_t value ); -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) @@ -129,6 +129,24 @@ unsigned mbedtls_ct_size_bool_eq( size_t x, unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, const mbedtls_mpi_uint y ); +/** + * \brief Check if one unsigned MPI is less than another in constant + * time. + * + * \param A The left-hand MPI. This must point to an array of limbs + * with the same allocated length as \p B. + * \param B The right-hand MPI. This must point to an array of limbs + * with the same allocated length as \p A. + * \param limbs The number of limbs in \p A and \p B. + * This must not be 0. + * + * \return The result of the comparison: + * \c 1 if \p A is less than \p B. + * \c 0 if \p A is greater than or equal to \p B. + */ +unsigned mbedtls_mpi_core_lt_ct( const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, + size_t limbs); #endif /* MBEDTLS_BIGNUM_C */ /** Choose between two integer values without branches. @@ -196,7 +214,7 @@ signed char mbedtls_ct_base64_dec_value( unsigned char c ); #endif /* MBEDTLS_BASE64_C */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /** Conditional memcpy without branches. * @@ -304,7 +322,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, unsigned char *output ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) diff --git a/thirdparty/mbedtls/library/ctr_drbg.c b/thirdparty/mbedtls/library/ctr_drbg.c index 43f490e8310ff9..71c48afd2850db 100644 --- a/thirdparty/mbedtls/library/ctr_drbg.c +++ b/thirdparty/mbedtls/library/ctr_drbg.c @@ -36,14 +36,7 @@ #include #endif -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ /* * CTR_DRBG context initialization @@ -51,6 +44,7 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx ) { memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) ); + mbedtls_aes_init( &ctx->aes_ctx ); /* Indicate that the entropy nonce length is not set explicitly. * See mbedtls_ctr_drbg_set_nonce_len(). */ ctx->reseed_counter = -1; @@ -448,8 +442,6 @@ int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx, mbedtls_mutex_init( &ctx->mutex ); #endif - mbedtls_aes_init( &ctx->aes_ctx ); - ctx->f_entropy = f_entropy; ctx->p_entropy = p_entropy; diff --git a/thirdparty/mbedtls/library/debug.c b/thirdparty/mbedtls/library/debug.c index 4c231e96130f3b..78ce9cedc6272a 100644 --- a/thirdparty/mbedtls/library/debug.c +++ b/thirdparty/mbedtls/library/debug.c @@ -21,16 +21,7 @@ #if defined(MBEDTLS_DEBUG_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#define mbedtls_time_t time_t -#define mbedtls_snprintf snprintf -#define mbedtls_vsnprintf vsnprintf -#endif #include "mbedtls/debug.h" #include "mbedtls/error.h" @@ -39,11 +30,6 @@ #include #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define DEBUG_BUF_SIZE 512 static int debug_threshold = 0; @@ -121,7 +107,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, /* * With non-blocking I/O and examples that just retry immediately, * the logs would be quickly flooded with WANT_READ, so ignore that. - * Don't ignore WANT_WRITE however, since is usually rare. + * Don't ignore WANT_WRITE however, since it is usually rare. */ if( ret == MBEDTLS_ERR_SSL_WANT_READ ) return; diff --git a/thirdparty/mbedtls/library/des.c b/thirdparty/mbedtls/library/des.c index 91d22b5d906f5f..65f5681cf1c216 100644 --- a/thirdparty/mbedtls/library/des.c +++ b/thirdparty/mbedtls/library/des.c @@ -33,14 +33,7 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_DES_ALT) diff --git a/thirdparty/mbedtls/library/dhm.c b/thirdparty/mbedtls/library/dhm.c index 1e95bdab039887..6ee54024286bef 100644 --- a/thirdparty/mbedtls/library/dhm.c +++ b/thirdparty/mbedtls/library/dhm.c @@ -43,23 +43,10 @@ #include "mbedtls/asn1.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_printf printf -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #if !defined(MBEDTLS_DHM_ALT) -#define DHM_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA ) -#define DHM_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - /* * helper to validate the mbedtls_mpi size and import it */ @@ -120,7 +107,6 @@ static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P ) void mbedtls_dhm_init( mbedtls_dhm_context *ctx ) { - DHM_VALIDATE( ctx != NULL ); memset( ctx, 0, sizeof( mbedtls_dhm_context ) ); } @@ -173,9 +159,6 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, const unsigned char *end ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - DHM_VALIDATE_RET( ctx != NULL ); - DHM_VALIDATE_RET( p != NULL && *p != NULL ); - DHM_VALIDATE_RET( end != NULL ); if( ( ret = dhm_read_bignum( &ctx->P, p, end ) ) != 0 || ( ret = dhm_read_bignum( &ctx->G, p, end ) ) != 0 || @@ -252,10 +235,6 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, int ret; size_t n1, n2, n3; unsigned char *p; - DHM_VALIDATE_RET( ctx != NULL ); - DHM_VALIDATE_RET( output != NULL ); - DHM_VALIDATE_RET( olen != NULL ); - DHM_VALIDATE_RET( f_rng != NULL ); ret = dhm_make_common( ctx, x_size, f_rng, p_rng ); if( ret != 0 ) @@ -300,9 +279,6 @@ int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx, const mbedtls_mpi *G ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - DHM_VALIDATE_RET( ctx != NULL ); - DHM_VALIDATE_RET( P != NULL ); - DHM_VALIDATE_RET( G != NULL ); if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 || ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 ) @@ -320,8 +296,6 @@ int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx, const unsigned char *input, size_t ilen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - DHM_VALIDATE_RET( ctx != NULL ); - DHM_VALIDATE_RET( input != NULL ); if( ilen < 1 || ilen > mbedtls_dhm_get_len( ctx ) ) return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); @@ -341,9 +315,6 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size, void *p_rng ) { int ret; - DHM_VALIDATE_RET( ctx != NULL ); - DHM_VALIDATE_RET( output != NULL ); - DHM_VALIDATE_RET( f_rng != NULL ); if( olen < 1 || olen > mbedtls_dhm_get_len( ctx ) ) return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); @@ -440,9 +411,6 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi GYb; - DHM_VALIDATE_RET( ctx != NULL ); - DHM_VALIDATE_RET( output != NULL ); - DHM_VALIDATE_RET( olen != NULL ); if( f_rng == NULL ) return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); @@ -518,9 +486,6 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, mbedtls_pem_context pem; #endif /* MBEDTLS_PEM_PARSE_C */ - DHM_VALIDATE_RET( dhm != NULL ); - DHM_VALIDATE_RET( dhmin != NULL ); - #if defined(MBEDTLS_PEM_PARSE_C) mbedtls_pem_init( &pem ); @@ -667,8 +632,6 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n; unsigned char *buf; - DHM_VALIDATE_RET( dhm != NULL ); - DHM_VALIDATE_RET( path != NULL ); if( ( ret = load_file( path, &buf, &n ) ) != 0 ) return( ret ); diff --git a/thirdparty/mbedtls/library/ecdh.c b/thirdparty/mbedtls/library/ecdh.c index cc1340c923712f..c9c2e06bd10fea 100644 --- a/thirdparty/mbedtls/library/ecdh.c +++ b/thirdparty/mbedtls/library/ecdh.c @@ -34,12 +34,6 @@ #include -/* Parameter validation macros based on platform_util.h */ -#define ECDH_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) -#define ECDH_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed; #endif @@ -77,10 +71,12 @@ static int ecdh_gen_public_restartable( mbedtls_ecp_group *grp, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* If multiplication is in progress, we already generated a privkey */ + int restarting = 0; #if defined(MBEDTLS_ECP_RESTARTABLE) - if( rs_ctx == NULL || rs_ctx->rsm == NULL ) + restarting = ( rs_ctx != NULL && rs_ctx->rsm != NULL ); #endif + /* If multiplication is in progress, we already generated a privkey */ + if( !restarting ) MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, Q, d, &grp->G, @@ -97,10 +93,6 @@ int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECDH_VALIDATE_RET( grp != NULL ); - ECDH_VALIDATE_RET( d != NULL ); - ECDH_VALIDATE_RET( Q != NULL ); - ECDH_VALIDATE_RET( f_rng != NULL ); return( ecdh_gen_public_restartable( grp, d, Q, f_rng, p_rng, NULL ) ); } #endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */ @@ -146,10 +138,6 @@ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECDH_VALIDATE_RET( grp != NULL ); - ECDH_VALIDATE_RET( Q != NULL ); - ECDH_VALIDATE_RET( d != NULL ); - ECDH_VALIDATE_RET( z != NULL ); return( ecdh_compute_shared_restartable( grp, z, Q, d, f_rng, p_rng, NULL ) ); } @@ -173,8 +161,6 @@ static void ecdh_init_internal( mbedtls_ecdh_context_mbed *ctx ) */ void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx ) { - ECDH_VALIDATE( ctx != NULL ); - #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) ecdh_init_internal( ctx ); mbedtls_ecp_point_init( &ctx->Vi ); @@ -210,8 +196,6 @@ static int ecdh_setup_internal( mbedtls_ecdh_context_mbed *ctx, */ int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id ) { - ECDH_VALIDATE_RET( ctx != NULL ); - #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) return( ecdh_setup_internal( ctx, grp_id ) ); #else @@ -253,8 +237,6 @@ static void ecdh_free_internal( mbedtls_ecdh_context_mbed *ctx ) */ void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx ) { - ECDH_VALIDATE( ctx != NULL ); - ctx->restart_enabled = 1; } #endif @@ -357,11 +339,6 @@ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen, void *p_rng ) { int restart_enabled = 0; - ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( olen != NULL ); - ECDH_VALIDATE_RET( buf != NULL ); - ECDH_VALIDATE_RET( f_rng != NULL ); - #if defined(MBEDTLS_ECP_RESTARTABLE) restart_enabled = ctx->restart_enabled; #else @@ -411,11 +388,6 @@ int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ecp_group_id grp_id; - ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( buf != NULL ); - ECDH_VALIDATE_RET( *buf != NULL ); - ECDH_VALIDATE_RET( end != NULL ); - if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, end - *buf ) ) != 0 ) return( ret ); @@ -471,10 +443,8 @@ int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, mbedtls_ecdh_side side ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( key != NULL ); - ECDH_VALIDATE_RET( side == MBEDTLS_ECDH_OURS || - side == MBEDTLS_ECDH_THEIRS ); + if( side != MBEDTLS_ECDH_OURS && side != MBEDTLS_ECDH_THEIRS ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); if( mbedtls_ecdh_grp_id( ctx ) == MBEDTLS_ECP_DP_NONE ) { @@ -563,11 +533,6 @@ int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen, void *p_rng ) { int restart_enabled = 0; - ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( olen != NULL ); - ECDH_VALIDATE_RET( buf != NULL ); - ECDH_VALIDATE_RET( f_rng != NULL ); - #if defined(MBEDTLS_ECP_RESTARTABLE) restart_enabled = ctx->restart_enabled; #endif @@ -616,9 +581,6 @@ static int ecdh_read_public_internal( mbedtls_ecdh_context_mbed *ctx, int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx, const unsigned char *buf, size_t blen ) { - ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( buf != NULL ); - #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) return( ecdh_read_public_internal( ctx, buf, blen ) ); #else @@ -697,10 +659,6 @@ int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, void *p_rng ) { int restart_enabled = 0; - ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( olen != NULL ); - ECDH_VALIDATE_RET( buf != NULL ); - #if defined(MBEDTLS_ECP_RESTARTABLE) restart_enabled = ctx->restart_enabled; #endif diff --git a/thirdparty/mbedtls/library/ecdsa.c b/thirdparty/mbedtls/library/ecdsa.c index 0b612ce8afd0e1..c58e33155fc824 100644 --- a/thirdparty/mbedtls/library/ecdsa.c +++ b/thirdparty/mbedtls/library/ecdsa.c @@ -36,23 +36,11 @@ #include "mbedtls/hmac_drbg.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -/* Parameter validation macros based on platform_util.h */ -#define ECDSA_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) -#define ECDSA_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - #if defined(MBEDTLS_ECP_RESTARTABLE) /* @@ -404,13 +392,6 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, const mbedtls_mpi *d, const unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECDSA_VALIDATE_RET( grp != NULL ); - ECDSA_VALIDATE_RET( r != NULL ); - ECDSA_VALIDATE_RET( s != NULL ); - ECDSA_VALIDATE_RET( d != NULL ); - ECDSA_VALIDATE_RET( f_rng != NULL ); - ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); - /* Use the same RNG for both blinding and ephemeral key generation */ return( ecdsa_sign_restartable( grp, r, s, d, buf, blen, f_rng, p_rng, f_rng, p_rng, NULL ) ); @@ -503,13 +484,6 @@ int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r, size_t), void *p_rng_blind ) { - ECDSA_VALIDATE_RET( grp != NULL ); - ECDSA_VALIDATE_RET( r != NULL ); - ECDSA_VALIDATE_RET( s != NULL ); - ECDSA_VALIDATE_RET( d != NULL ); - ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); - ECDSA_VALIDATE_RET( f_rng_blind != NULL ); - return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, f_rng_blind, p_rng_blind, NULL ) ); } @@ -634,12 +608,6 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, const mbedtls_mpi *r, const mbedtls_mpi *s) { - ECDSA_VALIDATE_RET( grp != NULL ); - ECDSA_VALIDATE_RET( Q != NULL ); - ECDSA_VALIDATE_RET( r != NULL ); - ECDSA_VALIDATE_RET( s != NULL ); - ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); - return( ecdsa_verify_restartable( grp, buf, blen, Q, r, s, NULL ) ); } #endif /* !MBEDTLS_ECDSA_VERIFY_ALT */ @@ -685,11 +653,6 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi r, s; - ECDSA_VALIDATE_RET( ctx != NULL ); - ECDSA_VALIDATE_RET( hash != NULL ); - ECDSA_VALIDATE_RET( sig != NULL ); - ECDSA_VALIDATE_RET( slen != NULL ); - if( f_rng == NULL ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); @@ -735,10 +698,6 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECDSA_VALIDATE_RET( ctx != NULL ); - ECDSA_VALIDATE_RET( hash != NULL ); - ECDSA_VALIDATE_RET( sig != NULL ); - ECDSA_VALIDATE_RET( slen != NULL ); return( mbedtls_ecdsa_write_signature_restartable( ctx, md_alg, hash, hlen, sig, sig_size, slen, f_rng, p_rng, NULL ) ); @@ -751,9 +710,6 @@ int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, const unsigned char *hash, size_t hlen, const unsigned char *sig, size_t slen ) { - ECDSA_VALIDATE_RET( ctx != NULL ); - ECDSA_VALIDATE_RET( hash != NULL ); - ECDSA_VALIDATE_RET( sig != NULL ); return( mbedtls_ecdsa_read_signature_restartable( ctx, hash, hlen, sig, slen, NULL ) ); } @@ -771,10 +727,6 @@ int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx, const unsigned char *end = sig + slen; size_t len; mbedtls_mpi r, s; - ECDSA_VALIDATE_RET( ctx != NULL ); - ECDSA_VALIDATE_RET( hash != NULL ); - ECDSA_VALIDATE_RET( sig != NULL ); - mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s ); @@ -831,9 +783,6 @@ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret = 0; - ECDSA_VALIDATE_RET( ctx != NULL ); - ECDSA_VALIDATE_RET( f_rng != NULL ); - ret = mbedtls_ecp_group_load( &ctx->grp, gid ); if( ret != 0 ) return( ret ); @@ -849,9 +798,6 @@ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECDSA_VALIDATE_RET( ctx != NULL ); - ECDSA_VALIDATE_RET( key != NULL ); - if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 || ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 || ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 ) @@ -867,8 +813,6 @@ int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_ke */ void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ) { - ECDSA_VALIDATE( ctx != NULL ); - mbedtls_ecp_keypair_init( ctx ); } @@ -889,8 +833,6 @@ void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ) */ void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx ) { - ECDSA_VALIDATE( ctx != NULL ); - mbedtls_ecp_restart_init( &ctx->ecp ); ctx->ver = NULL; diff --git a/thirdparty/mbedtls/library/ecjpake.c b/thirdparty/mbedtls/library/ecjpake.c index d467a6540afbd7..289255a13e03f7 100644 --- a/thirdparty/mbedtls/library/ecjpake.c +++ b/thirdparty/mbedtls/library/ecjpake.c @@ -30,16 +30,19 @@ #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +/* We use MD first if it's available (for compatibility reasons) + * and "fall back" to PSA otherwise (which needs psa_crypto_init()). */ +#if !defined(MBEDTLS_MD_C) +#include "psa/crypto.h" +#include "mbedtls/psa_util.h" +#endif /* !MBEDTLS_MD_C */ + +#include "hash_info.h" + #include #if !defined(MBEDTLS_ECJPAKE_ALT) -/* Parameter validation macros based on platform_util.h */ -#define ECJPAKE_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) -#define ECJPAKE_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - /* * Convert a mbedtls_ecjpake_role to identifier string */ @@ -51,14 +54,34 @@ static const char * const ecjpake_id[] = { #define ID_MINE ( ecjpake_id[ ctx->role ] ) #define ID_PEER ( ecjpake_id[ 1 - ctx->role ] ) +/** + * Helper to Compute a hash from md_type + */ +static int mbedtls_ecjpake_compute_hash( mbedtls_md_type_t md_type, + const unsigned char *input, size_t ilen, + unsigned char *output ) +{ +#if defined(MBEDTLS_MD_C) + return( mbedtls_md( mbedtls_md_info_from_type( md_type ), + input, ilen, output ) ); +#else + psa_algorithm_t alg = mbedtls_psa_translate_md( md_type ); + psa_status_t status; + size_t out_size = PSA_HASH_LENGTH( alg ); + size_t out_len; + + status = psa_hash_compute( alg, input, ilen, output, out_size, &out_len ); + + return( mbedtls_md_error_from_psa( status ) ); +#endif /* !MBEDTLS_MD_C */ +} + /* * Initialize context */ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ) { - ECJPAKE_VALIDATE( ctx != NULL ); - - ctx->md_info = NULL; + ctx->md_type = MBEDTLS_MD_NONE; mbedtls_ecp_group_init( &ctx->grp ); ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED; @@ -81,7 +104,7 @@ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ) if( ctx == NULL ) return; - ctx->md_info = NULL; + ctx->md_type = MBEDTLS_MD_NONE; mbedtls_ecp_group_free( &ctx->grp ); mbedtls_ecp_point_free( &ctx->Xm1 ); @@ -107,15 +130,20 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECJPAKE_VALIDATE_RET( ctx != NULL ); - ECJPAKE_VALIDATE_RET( role == MBEDTLS_ECJPAKE_CLIENT || - role == MBEDTLS_ECJPAKE_SERVER ); - ECJPAKE_VALIDATE_RET( secret != NULL || len == 0 ); + if( role != MBEDTLS_ECJPAKE_CLIENT && role != MBEDTLS_ECJPAKE_SERVER ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); ctx->role = role; - if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL ) +#if defined(MBEDTLS_MD_C) + if( ( mbedtls_md_info_from_type( hash ) ) == NULL ) return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE ); +#else + if( mbedtls_psa_translate_md( hash ) == MBEDTLS_MD_NONE ) + return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE ); +#endif + + ctx->md_type = hash; MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ctx->grp, curve ) ); @@ -147,9 +175,7 @@ int mbedtls_ecjpake_set_point_format( mbedtls_ecjpake_context *ctx, */ int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx ) { - ECJPAKE_VALIDATE_RET( ctx != NULL ); - - if( ctx->md_info == NULL || + if( ctx->md_type == MBEDTLS_MD_NONE || ctx->grp.id == MBEDTLS_ECP_DP_NONE || ctx->s.p == NULL ) { @@ -196,7 +222,7 @@ static int ecjpake_write_len_point( unsigned char **p, /* * Compute hash for ZKP (7.4.2.2.2.1) */ -static int ecjpake_hash( const mbedtls_md_info_t *md_info, +static int ecjpake_hash( const mbedtls_md_type_t md_type, const mbedtls_ecp_group *grp, const int pf, const mbedtls_ecp_point *G, @@ -210,7 +236,7 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info, unsigned char *p = buf; const unsigned char *end = buf + sizeof( buf ); const size_t id_len = strlen( id ); - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; /* Write things to temporary buffer */ MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, G ) ); @@ -230,11 +256,12 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info, p += id_len; /* Compute hash */ - MBEDTLS_MPI_CHK( mbedtls_md( md_info, buf, p - buf, hash ) ); + MBEDTLS_MPI_CHK( mbedtls_ecjpake_compute_hash( md_type, + buf, p - buf, hash ) ); /* Turn it into an integer mod n */ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash, - mbedtls_md_get_size( md_info ) ) ); + mbedtls_hash_info_get_size( md_type ) ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( h, h, &grp->N ) ); cleanup: @@ -244,7 +271,7 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info, /* * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3) */ -static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, +static int ecjpake_zkp_read( const mbedtls_md_type_t md_type, const mbedtls_ecp_group *grp, const int pf, const mbedtls_ecp_point *G, @@ -294,7 +321,7 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, /* * Verification */ - MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) ); + MBEDTLS_MPI_CHK( ecjpake_hash( md_type, grp, pf, G, &V, X, id, &h ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp, &VV, &h, X, &r, G ) ); @@ -316,7 +343,7 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, /* * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2) */ -static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, +static int ecjpake_zkp_write( const mbedtls_md_type_t md_type, const mbedtls_ecp_group *grp, const int pf, const mbedtls_ecp_point *G, @@ -344,7 +371,7 @@ static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, /* Compute signature */ MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, G, &v, &V, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) ); + MBEDTLS_MPI_CHK( ecjpake_hash( md_type, grp, pf, G, &V, X, id, &h ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */ @@ -377,7 +404,7 @@ static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof * Output: verified public key X */ -static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, +static int ecjpake_kkp_read( const mbedtls_md_type_t md_type, const mbedtls_ecp_group *grp, const int pf, const mbedtls_ecp_point *G, @@ -404,7 +431,7 @@ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, goto cleanup; } - MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, pf, G, X, id, p, end ) ); + MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_type, grp, pf, G, X, id, p, end ) ); cleanup: return( ret ); @@ -414,7 +441,7 @@ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, * Generate an ECJPAKEKeyKP * Output: the serialized structure, plus private/public key pair */ -static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info, +static int ecjpake_kkp_write( const mbedtls_md_type_t md_type, const mbedtls_ecp_group *grp, const int pf, const mbedtls_ecp_point *G, @@ -440,7 +467,7 @@ static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info, *p += len; /* Generate and write proof */ - MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, grp, pf, G, x, X, id, + MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_type, grp, pf, G, x, X, id, p, end, f_rng, p_rng ) ); cleanup: @@ -451,7 +478,7 @@ static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info, * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs * Outputs: verified peer public keys Xa, Xb */ -static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info, +static int ecjpake_kkpp_read( const mbedtls_md_type_t md_type, const mbedtls_ecp_group *grp, const int pf, const mbedtls_ecp_point *G, @@ -470,8 +497,8 @@ static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info, * ECJPAKEKeyKP ecjpake_key_kp_pair_list[2]; * } ECJPAKEKeyKPPairList; */ - MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xa, id, &p, end ) ); - MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xb, id, &p, end ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_type, grp, pf, G, Xa, id, &p, end ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_type, grp, pf, G, Xb, id, &p, end ) ); if( p != end ) ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; @@ -484,7 +511,7 @@ static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info, * Generate a ECJPAKEKeyKPPairList * Outputs: the serialized structure, plus two private/public key pairs */ -static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info, +static int ecjpake_kkpp_write( const mbedtls_md_type_t md_type, const mbedtls_ecp_group *grp, const int pf, const mbedtls_ecp_point *G, @@ -503,9 +530,9 @@ static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info, unsigned char *p = buf; const unsigned char *end = buf + len; - MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm1, Xa, id, + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_type, grp, pf, G, xm1, Xa, id, &p, end, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm2, Xb, id, + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_type, grp, pf, G, xm2, Xb, id, &p, end, f_rng, p_rng ) ); *olen = p - buf; @@ -521,10 +548,7 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ) { - ECJPAKE_VALIDATE_RET( ctx != NULL ); - ECJPAKE_VALIDATE_RET( buf != NULL ); - - return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, ctx->point_format, + return( ecjpake_kkpp_read( ctx->md_type, &ctx->grp, ctx->point_format, &ctx->grp.G, &ctx->Xp1, &ctx->Xp2, ID_PEER, buf, len ) ); @@ -538,12 +562,7 @@ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECJPAKE_VALIDATE_RET( ctx != NULL ); - ECJPAKE_VALIDATE_RET( buf != NULL ); - ECJPAKE_VALIDATE_RET( olen != NULL ); - ECJPAKE_VALIDATE_RET( f_rng != NULL ); - - return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, ctx->point_format, + return( ecjpake_kkpp_write( ctx->md_type, &ctx->grp, ctx->point_format, &ctx->grp.G, &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2, ID_MINE, buf, len, olen, f_rng, p_rng ) ); @@ -585,9 +604,6 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, mbedtls_ecp_group grp; mbedtls_ecp_point G; /* C: GB, S: GA */ - ECJPAKE_VALIDATE_RET( ctx != NULL ); - ECJPAKE_VALIDATE_RET( buf != NULL ); - mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &G ); @@ -616,7 +632,7 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, } } - MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, + MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_type, &ctx->grp, ctx->point_format, &G, &ctx->Xp, ID_PEER, &p, end ) ); @@ -680,11 +696,6 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, const unsigned char *end = buf + len; size_t ec_len; - ECJPAKE_VALIDATE_RET( ctx != NULL ); - ECJPAKE_VALIDATE_RET( buf != NULL ); - ECJPAKE_VALIDATE_RET( olen != NULL ); - ECJPAKE_VALIDATE_RET( f_rng != NULL ); - mbedtls_ecp_point_init( &G ); mbedtls_ecp_point_init( &Xm ); mbedtls_mpi_init( &xm ); @@ -731,7 +742,7 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, ctx->point_format, &ec_len, p, end - p ) ); p += ec_len; - MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, + MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_type, &ctx->grp, ctx->point_format, &G, &xm, &Xm, ID_MINE, &p, end, f_rng, p_rng ) ); @@ -749,27 +760,14 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, /* * Derive PMS (7.4.2.7 / 7.4.2.8) */ -int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, - unsigned char *buf, size_t len, size_t *olen, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) +static int mbedtls_ecjpake_derive_k( mbedtls_ecjpake_context *ctx, + mbedtls_ecp_point *K, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_ecp_point K; mbedtls_mpi m_xm2_s, one; - unsigned char kx[MBEDTLS_ECP_MAX_BYTES]; - size_t x_bytes; - - ECJPAKE_VALIDATE_RET( ctx != NULL ); - ECJPAKE_VALIDATE_RET( buf != NULL ); - ECJPAKE_VALIDATE_RET( olen != NULL ); - ECJPAKE_VALIDATE_RET( f_rng != NULL ); - *olen = mbedtls_md_get_size( ctx->md_info ); - if( len < *olen ) - return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); - - mbedtls_ecp_point_init( &K ); mbedtls_mpi_init( &m_xm2_s ); mbedtls_mpi_init( &one ); @@ -782,21 +780,72 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, */ MBEDTLS_MPI_CHK( ecjpake_mul_secret( &m_xm2_s, -1, &ctx->xm2, &ctx->s, &ctx->grp.N, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K, + MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, K, &one, &ctx->Xp, &m_xm2_s, &ctx->Xp2 ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xm2, &K, + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, K, &ctx->xm2, K, f_rng, p_rng ) ); +cleanup: + mbedtls_mpi_free( &m_xm2_s ); + mbedtls_mpi_free( &one ); + + return( ret ); +} + +int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ecp_point K; + unsigned char kx[MBEDTLS_ECP_MAX_BYTES]; + size_t x_bytes; + + *olen = mbedtls_hash_info_get_size( ctx->md_type ); + if( len < *olen ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + mbedtls_ecp_point_init( &K ); + + ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng); + if( ret ) + goto cleanup; + /* PMS = SHA-256( K.X ) */ x_bytes = ( ctx->grp.pbits + 7 ) / 8; MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &K.X, kx, x_bytes ) ); - MBEDTLS_MPI_CHK( mbedtls_md( ctx->md_info, kx, x_bytes, buf ) ); + MBEDTLS_MPI_CHK( mbedtls_ecjpake_compute_hash( ctx->md_type, + kx, x_bytes, buf ) ); + +cleanup: + mbedtls_ecp_point_free( &K ); + + return( ret ); +} + +int mbedtls_ecjpake_write_shared_key( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ecp_point K; + + mbedtls_ecp_point_init( &K ); + + ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng); + if( ret ) + goto cleanup; + + ret = mbedtls_ecp_point_write_binary( &ctx->grp, &K, ctx->point_format, + olen, buf, len ); + if( ret != 0 ) + goto cleanup; cleanup: mbedtls_ecp_point_free( &K ); - mbedtls_mpi_free( &m_xm2_s ); - mbedtls_mpi_free( &one ); return( ret ); } @@ -808,12 +857,7 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, #if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif #if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ !defined(MBEDTLS_SHA256_C) @@ -951,6 +995,15 @@ static const unsigned char ecjpake_test_cli_two[] = { 0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c }; +static const unsigned char ecjpake_test_shared_key[] = { + 0x04, 0x01, 0xab, 0xe9, 0xf2, 0xc7, 0x3a, 0x99, 0x14, 0xcb, 0x1f, 0x80, + 0xfb, 0x9d, 0xdb, 0x7e, 0x00, 0x12, 0xa8, 0x9c, 0x2f, 0x39, 0x27, 0x79, + 0xf9, 0x64, 0x40, 0x14, 0x75, 0xea, 0xc1, 0x31, 0x28, 0x43, 0x8f, 0xe1, + 0x12, 0x41, 0xd6, 0xc1, 0xe5, 0x5f, 0x7b, 0x80, 0x88, 0x94, 0xc9, 0xc0, + 0x27, 0xa3, 0x34, 0x41, 0xf5, 0xcb, 0xa1, 0xfe, 0x6c, 0xc7, 0xe6, 0x12, + 0x17, 0xc3, 0xde, 0x27, 0xb4, +}; + static const unsigned char ecjpake_test_pms[] = { 0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7, 0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9, @@ -1137,6 +1190,13 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( len == sizeof( ecjpake_test_pms ) ); TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 ); + /* Server derives K as unsigned binary data */ + TEST_ASSERT( mbedtls_ecjpake_write_shared_key( &srv, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( len == sizeof( ecjpake_test_shared_key ) ); + TEST_ASSERT( memcmp( buf, ecjpake_test_shared_key, len ) == 0 ); + memset( buf, 0, len ); /* Avoid interferences with next step */ /* Client derives PMS */ @@ -1146,6 +1206,13 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( len == sizeof( ecjpake_test_pms ) ); TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 ); + /* Client derives K as unsigned binary data */ + TEST_ASSERT( mbedtls_ecjpake_write_shared_key( &cli, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( len == sizeof( ecjpake_test_shared_key ) ); + TEST_ASSERT( memcmp( buf, ecjpake_test_shared_key, len ) == 0 ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); #endif /* ! MBEDTLS_ECJPAKE_ALT */ diff --git a/thirdparty/mbedtls/library/ecp.c b/thirdparty/mbedtls/library/ecp.c index 67c46f2c30a326..cd7d5543c3de88 100644 --- a/thirdparty/mbedtls/library/ecp.c +++ b/thirdparty/mbedtls/library/ecp.c @@ -84,29 +84,10 @@ #if !defined(MBEDTLS_ECP_ALT) -/* Parameter validation macros based on platform_util.h */ -#define ECP_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) -#define ECP_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_printf printf -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "ecp_internal_alt.h" -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_SELF_TEST) /* * Counts of point addition and doubling, and field multiplications. @@ -242,7 +223,6 @@ static void ecp_restart_ma_free( mbedtls_ecp_restart_muladd_ctx *ctx ) */ void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx ) { - ECP_VALIDATE( ctx != NULL ); ctx->ops_done = 0; ctx->depth = 0; ctx->rsm = NULL; @@ -273,8 +253,6 @@ int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp, mbedtls_ecp_restart_ctx *rs_ctx, unsigned ops ) { - ECP_VALIDATE_RET( grp != NULL ); - if( rs_ctx != NULL && ecp_max_ops != 0 ) { /* scale depending on curve size: the chosen reference is 256-bit, @@ -525,8 +503,6 @@ mbedtls_ecp_curve_type mbedtls_ecp_get_type( const mbedtls_ecp_group *grp ) */ void mbedtls_ecp_point_init( mbedtls_ecp_point *pt ) { - ECP_VALIDATE( pt != NULL ); - mbedtls_mpi_init( &pt->X ); mbedtls_mpi_init( &pt->Y ); mbedtls_mpi_init( &pt->Z ); @@ -537,8 +513,6 @@ void mbedtls_ecp_point_init( mbedtls_ecp_point *pt ) */ void mbedtls_ecp_group_init( mbedtls_ecp_group *grp ) { - ECP_VALIDATE( grp != NULL ); - grp->id = MBEDTLS_ECP_DP_NONE; mbedtls_mpi_init( &grp->P ); mbedtls_mpi_init( &grp->A ); @@ -561,8 +535,6 @@ void mbedtls_ecp_group_init( mbedtls_ecp_group *grp ) */ void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key ) { - ECP_VALIDATE( key != NULL ); - mbedtls_ecp_group_init( &key->grp ); mbedtls_mpi_init( &key->d ); mbedtls_ecp_point_init( &key->Q ); @@ -641,9 +613,6 @@ void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key ) int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECP_VALIDATE_RET( P != NULL ); - ECP_VALIDATE_RET( Q != NULL ); - MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->X, &Q->X ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Y, &Q->Y ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Z, &Q->Z ) ); @@ -657,9 +626,6 @@ int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q ) */ int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src ) { - ECP_VALIDATE_RET( dst != NULL ); - ECP_VALIDATE_RET( src != NULL ); - return( mbedtls_ecp_group_load( dst, src->id ) ); } @@ -669,8 +635,6 @@ int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECP_VALIDATE_RET( pt != NULL ); - MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->X , 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Y , 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z , 0 ) ); @@ -684,8 +648,6 @@ int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt ) */ int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt ) { - ECP_VALIDATE_RET( pt != NULL ); - return( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 ); } @@ -695,9 +657,6 @@ int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt ) int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q ) { - ECP_VALIDATE_RET( P != NULL ); - ECP_VALIDATE_RET( Q != NULL ); - if( mbedtls_mpi_cmp_mpi( &P->X, &Q->X ) == 0 && mbedtls_mpi_cmp_mpi( &P->Y, &Q->Y ) == 0 && mbedtls_mpi_cmp_mpi( &P->Z, &Q->Z ) == 0 ) @@ -715,10 +674,6 @@ int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix, const char *x, const char *y ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECP_VALIDATE_RET( P != NULL ); - ECP_VALIDATE_RET( x != NULL ); - ECP_VALIDATE_RET( y != NULL ); - MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->X, radix, x ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->Y, radix, y ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) ); @@ -737,12 +692,9 @@ int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, { int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; size_t plen; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( P != NULL ); - ECP_VALIDATE_RET( olen != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED || - format == MBEDTLS_ECP_PF_COMPRESSED ); + if( format != MBEDTLS_ECP_PF_UNCOMPRESSED && + format != MBEDTLS_ECP_PF_COMPRESSED ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); plen = mbedtls_mpi_size( &grp->P ); @@ -811,10 +763,6 @@ int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, { int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; size_t plen; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( pt != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - if( ilen < 1 ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); @@ -876,11 +824,6 @@ int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, { unsigned char data_len; const unsigned char *buf_start; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( pt != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( *buf != NULL ); - /* * We must have at least two bytes (1 for length, at least one for data) */ @@ -911,12 +854,9 @@ int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp unsigned char *buf, size_t blen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( pt != NULL ); - ECP_VALIDATE_RET( olen != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED || - format == MBEDTLS_ECP_PF_COMPRESSED ); + if( format != MBEDTLS_ECP_PF_UNCOMPRESSED && + format != MBEDTLS_ECP_PF_COMPRESSED ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); /* * buffer length must be at least one, for our length byte @@ -945,10 +885,6 @@ int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ecp_group_id grp_id; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( *buf != NULL ); - if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, len ) ) != 0 ) return( ret ); @@ -964,10 +900,6 @@ int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp, { uint16_t tls_id; const mbedtls_ecp_curve_info *curve_info; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( *buf != NULL ); - /* * We expect at least three bytes (see below) */ @@ -1002,10 +934,6 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen, unsigned char *buf, size_t blen ) { const mbedtls_ecp_curve_info *curve_info; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( olen != NULL ); - if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( grp->id ) ) == NULL ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); @@ -2346,12 +2274,14 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, mbedtls_free( T ); } - /* don't free R while in progress in case R == P */ + /* prevent caller from using invalid value */ + int should_free_R = ( ret != 0 ); #if defined(MBEDTLS_ECP_RESTARTABLE) - if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) + /* don't free R while in progress in case R == P */ + if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) + should_free_R = 0; #endif - /* prevent caller from using invalid value */ - if( ret != 0 ) + if( should_free_R ) mbedtls_ecp_point_free( R ); ECP_RS_LEAVE( rsm ); @@ -2526,7 +2456,7 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) ); /* Loop invariant: R = result so far, RP = R + P */ - i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */ + i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */ while( i-- > 0 ) { b = mbedtls_mpi_get_bit( m, i ); @@ -2596,10 +2526,12 @@ static int ecp_mul_restartable_internal( mbedtls_ecp_group *grp, mbedtls_ecp_poi MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) ); #endif /* MBEDTLS_ECP_INTERNAL_ALT */ + int restarting = 0; #if defined(MBEDTLS_ECP_RESTARTABLE) - /* skip argument check when restarting */ - if( rs_ctx == NULL || rs_ctx->rsm == NULL ) + restarting = ( rs_ctx != NULL && rs_ctx->rsm != NULL ); #endif + /* skip argument check when restarting */ + if( !restarting ) { /* check_privkey is free */ MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_CHK ); @@ -2642,11 +2574,6 @@ int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, mbedtls_ecp_restart_ctx *rs_ctx ) { - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( R != NULL ); - ECP_VALIDATE_RET( m != NULL ); - ECP_VALIDATE_RET( P != NULL ); - if( f_rng == NULL ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); @@ -2660,10 +2587,6 @@ int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, const mbedtls_mpi *m, const mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( R != NULL ); - ECP_VALIDATE_RET( m != NULL ); - ECP_VALIDATE_RET( P != NULL ); return( mbedtls_ecp_mul_restartable( grp, R, m, P, f_rng, p_rng, NULL ) ); } @@ -2734,14 +2657,17 @@ static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp, if( mbedtls_mpi_cmp_int( m, 0 ) == 0 ) { + MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, P ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_set_zero( R ) ); } else if( mbedtls_mpi_cmp_int( m, 1 ) == 0 ) { + MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, P ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) ); } else if( mbedtls_mpi_cmp_int( m, -1 ) == 0 ) { + MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, P ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) ); MPI_ECP_NEG( &R->Y ); } @@ -2775,13 +2701,6 @@ int mbedtls_ecp_muladd_restartable( #if defined(MBEDTLS_ECP_INTERNAL_ALT) char is_grp_capable = 0; #endif - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( R != NULL ); - ECP_VALIDATE_RET( m != NULL ); - ECP_VALIDATE_RET( P != NULL ); - ECP_VALIDATE_RET( n != NULL ); - ECP_VALIDATE_RET( Q != NULL ); - if( mbedtls_ecp_get_type( grp ) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS ) return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); @@ -2867,12 +2786,6 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, const mbedtls_mpi *m, const mbedtls_ecp_point *P, const mbedtls_mpi *n, const mbedtls_ecp_point *Q ) { - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( R != NULL ); - ECP_VALIDATE_RET( m != NULL ); - ECP_VALIDATE_RET( P != NULL ); - ECP_VALIDATE_RET( n != NULL ); - ECP_VALIDATE_RET( Q != NULL ); return( mbedtls_ecp_muladd_restartable( grp, R, m, P, n, Q, NULL ) ); } #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ @@ -2996,9 +2909,6 @@ static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt ) { - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( pt != NULL ); - /* Must use affine coordinates */ if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 ) return( MBEDTLS_ERR_ECP_INVALID_KEY ); @@ -3020,9 +2930,6 @@ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d ) { - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( d != NULL ); - #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY ) { @@ -3112,10 +3019,6 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( d != NULL ); - ECP_VALIDATE_RET( f_rng != NULL ); - #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY ) return( mbedtls_ecp_gen_privkey_mx( grp->nbits, d, f_rng, p_rng ) ); @@ -3139,12 +3042,6 @@ int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( d != NULL ); - ECP_VALIDATE_RET( G != NULL ); - ECP_VALIDATE_RET( Q != NULL ); - ECP_VALIDATE_RET( f_rng != NULL ); - MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) ); @@ -3160,11 +3057,6 @@ int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ECP_VALIDATE_RET( grp != NULL ); - ECP_VALIDATE_RET( d != NULL ); - ECP_VALIDATE_RET( Q != NULL ); - ECP_VALIDATE_RET( f_rng != NULL ); - return( mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) ); } @@ -3175,9 +3067,6 @@ int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ECP_VALIDATE_RET( key != NULL ); - ECP_VALIDATE_RET( f_rng != NULL ); - if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 ) return( ret ); @@ -3194,9 +3083,6 @@ int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, { int ret = 0; - ECP_VALIDATE_RET( key != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 ) return( ret ); @@ -3277,9 +3163,6 @@ int mbedtls_ecp_write_key( mbedtls_ecp_keypair *key, { int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; - ECP_VALIDATE_RET( key != NULL ); - ECP_VALIDATE_RET( buf != NULL ); - #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY ) { @@ -3320,9 +3203,6 @@ int mbedtls_ecp_check_pub_priv( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ecp_point Q; mbedtls_ecp_group grp; - ECP_VALIDATE_RET( pub != NULL ); - ECP_VALIDATE_RET( prv != NULL ); - if( pub->grp.id == MBEDTLS_ECP_DP_NONE || pub->grp.id != prv->grp.id || mbedtls_mpi_cmp_mpi( &pub->Q.X, &prv->Q.X ) || diff --git a/thirdparty/mbedtls/library/ecp_curves.c b/thirdparty/mbedtls/library/ecp_curves.c index 51956cd5b74130..5cd2828f734aae 100644 --- a/thirdparty/mbedtls/library/ecp_curves.c +++ b/thirdparty/mbedtls/library/ecp_curves.c @@ -26,7 +26,7 @@ #include "mbedtls/error.h" #include "bn_mul.h" -#include "bignum_internal.h" +#include "bignum_core.h" #include "ecp_invasive.h" #include @@ -39,11 +39,6 @@ #define ECP_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)} #define ECP_MPI_INIT_ARRAY(x) \ @@ -4969,9 +4964,6 @@ static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry ) #define ADD( j ) add32( &cur, A( j ), &c ); #define SUB( j ) sub32( &cur, A( j ), &c ); -#define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */ -#define biL (ciL << 3) /* bits in limb */ - /* * Helpers for the main 'loop' */ diff --git a/thirdparty/mbedtls/library/entropy.c b/thirdparty/mbedtls/library/entropy.c index 08c5bd7d16dec8..1e0d9d3281bf64 100644 --- a/thirdparty/mbedtls/library/entropy.c +++ b/thirdparty/mbedtls/library/entropy.c @@ -32,18 +32,9 @@ #include #endif -#if defined(MBEDTLS_ENTROPY_NV_SEED) #include "mbedtls/platform.h" -#endif -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #define ENTROPY_MAX_LOOP 256 /**< Maximum amount to loop before error */ diff --git a/thirdparty/mbedtls/library/entropy_poll.c b/thirdparty/mbedtls/library/entropy_poll.c index 2ae57fdc09a5a4..2df9bbec9d245f 100644 --- a/thirdparty/mbedtls/library/entropy_poll.c +++ b/thirdparty/mbedtls/library/entropy_poll.c @@ -35,9 +35,7 @@ #if defined(MBEDTLS_TIMING_C) #include "mbedtls/timing.h" #endif -#if defined(MBEDTLS_ENTROPY_NV_SEED) || !defined(HAVE_SYSCTL_ARND) #include "mbedtls/platform.h" -#endif #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY) diff --git a/thirdparty/mbedtls/library/error.c b/thirdparty/mbedtls/library/error.c index f992d5249c6275..3ab1cd6e89e512 100644 --- a/thirdparty/mbedtls/library/error.c +++ b/thirdparty/mbedtls/library/error.c @@ -25,11 +25,7 @@ #if defined(MBEDTLS_ERROR_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#define mbedtls_snprintf snprintf -#endif #include #include @@ -114,6 +110,10 @@ #include "mbedtls/hmac_drbg.h" #endif +#if defined(MBEDTLS_LMS_C) +#include "mbedtls/lms.h" +#endif + #if defined(MBEDTLS_MD_C) #include "mbedtls/md.h" #endif @@ -142,6 +142,10 @@ #include "mbedtls/pkcs5.h" #endif +#if defined(MBEDTLS_PKCS7_C) +#include "mbedtls/pkcs7.h" +#endif + #if defined(MBEDTLS_POLY1305_C) #include "mbedtls/poly1305.h" #endif @@ -336,6 +340,33 @@ const char * mbedtls_high_level_strerr( int error_code ) return( "PKCS5 - Given private key password does not allow for correct decryption" ); #endif /* MBEDTLS_PKCS5_C */ +#if defined(MBEDTLS_PKCS7_C) + case -(MBEDTLS_ERR_PKCS7_INVALID_FORMAT): + return( "PKCS7 - The format is invalid, e.g. different type expected" ); + case -(MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE): + return( "PKCS7 - Unavailable feature, e.g. anything other than signed data" ); + case -(MBEDTLS_ERR_PKCS7_INVALID_VERSION): + return( "PKCS7 - The PKCS7 version element is invalid or cannot be parsed" ); + case -(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO): + return( "PKCS7 - The PKCS7 content info invalid or cannot be parsed" ); + case -(MBEDTLS_ERR_PKCS7_INVALID_ALG): + return( "PKCS7 - The algorithm tag or value is invalid or cannot be parsed" ); + case -(MBEDTLS_ERR_PKCS7_INVALID_CERT): + return( "PKCS7 - The certificate tag or value is invalid or cannot be parsed" ); + case -(MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE): + return( "PKCS7 - Error parsing the signature" ); + case -(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO): + return( "PKCS7 - Error parsing the signer's info" ); + case -(MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA): + return( "PKCS7 - Input invalid" ); + case -(MBEDTLS_ERR_PKCS7_ALLOC_FAILED): + return( "PKCS7 - Allocation of memory failed" ); + case -(MBEDTLS_ERR_PKCS7_VERIFY_FAIL): + return( "PKCS7 - Verification Failed" ); + case -(MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID): + return( "PKCS7 - The PKCS7 date issued/expired dates are invalid" ); +#endif /* MBEDTLS_PKCS7_C */ + #if defined(MBEDTLS_RSA_C) case -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA): return( "RSA - Bad input parameters to function" ); @@ -394,6 +425,12 @@ const char * mbedtls_high_level_strerr( int error_code ) return( "SSL - The peer notified us that the connection is going to be closed" ); case -(MBEDTLS_ERR_SSL_BAD_CERTIFICATE): return( "SSL - Processing of the Certificate handshake message failed" ); + case -(MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET): + return( "SSL - * Received NewSessionTicket Post Handshake Message. This error code is experimental and may be changed or removed without notice" ); + case -(MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA): + return( "SSL - Not possible to read early data" ); + case -(MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA): + return( "SSL - Not possible to write early data" ); case -(MBEDTLS_ERR_SSL_ALLOC_FAILED): return( "SSL - Memory allocation failed" ); case -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED): @@ -665,6 +702,19 @@ const char * mbedtls_low_level_strerr( int error_code ) return( "HMAC_DRBG - The entropy source failed" ); #endif /* MBEDTLS_HMAC_DRBG_C */ +#if defined(MBEDTLS_LMS_C) + case -(MBEDTLS_ERR_LMS_BAD_INPUT_DATA): + return( "LMS - Bad data has been input to an LMS function" ); + case -(MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS): + return( "LMS - Specified LMS key has utilised all of its private keys" ); + case -(MBEDTLS_ERR_LMS_VERIFY_FAILED): + return( "LMS - LMS signature verification failed" ); + case -(MBEDTLS_ERR_LMS_ALLOC_FAILED): + return( "LMS - LMS failed to allocate space for a private key" ); + case -(MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL): + return( "LMS - Input/output buffer is too small to contain requited data" ); +#endif /* MBEDTLS_LMS_C */ + #if defined(MBEDTLS_NET_C) case -(MBEDTLS_ERR_NET_SOCKET_FAILED): return( "NET - Failed to open a socket" ); @@ -804,7 +854,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) #else /* MBEDTLS_ERROR_C */ /* - * Provide an non-function in case MBEDTLS_ERROR_C is not defined + * Provide a dummy implementation when MBEDTLS_ERROR_C is not defined */ void mbedtls_strerror( int ret, char *buf, size_t buflen ) { diff --git a/thirdparty/mbedtls/library/gcm.c b/thirdparty/mbedtls/library/gcm.c index 6d07f8787f22ed..f004a73c75bfb1 100644 --- a/thirdparty/mbedtls/library/gcm.c +++ b/thirdparty/mbedtls/library/gcm.c @@ -32,6 +32,7 @@ #if defined(MBEDTLS_GCM_C) #include "mbedtls/gcm.h" +#include "mbedtls/platform.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" @@ -41,29 +42,13 @@ #include "aesni.h" #endif -#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) -#include "mbedtls/aes.h" -#include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ - #if !defined(MBEDTLS_GCM_ALT) -/* Parameter validation macros */ -#define GCM_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) -#define GCM_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - /* * Initialize a context */ void mbedtls_gcm_init( mbedtls_gcm_context *ctx ) { - GCM_VALIDATE( ctx != NULL ); memset( ctx, 0, sizeof( mbedtls_gcm_context ) ); } @@ -143,9 +128,8 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_cipher_info_t *cipher_info; - GCM_VALIDATE_RET( ctx != NULL ); - GCM_VALIDATE_RET( key != NULL ); - GCM_VALIDATE_RET( keybits == 128 || keybits == 192 || keybits == 256 ); + if( keybits != 128 && keybits != 192 && keybits != 256 ) + return MBEDTLS_ERR_GCM_BAD_INPUT; cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB ); @@ -256,9 +240,6 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, size_t use_len, olen = 0; uint64_t iv_bits; - GCM_VALIDATE_RET( ctx != NULL ); - GCM_VALIDATE_RET( iv != NULL ); - /* IV is limited to 2^64 bits, so 2^61 bytes */ /* IV is not allowed to be zero length */ if( iv_len == 0 || (uint64_t) iv_len >> 61 != 0 ) @@ -334,8 +315,6 @@ int mbedtls_gcm_update_ad( mbedtls_gcm_context *ctx, const unsigned char *p; size_t use_len, i, offset; - GCM_VALIDATE_RET( add_len == 0 || add != NULL ); - /* IV is limited to 2^64 bits, so 2^61 bytes */ if( (uint64_t) add_len >> 61 != 0 ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); @@ -434,7 +413,6 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx, if( output_size < input_length ) return( MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL ); - GCM_VALIDATE_RET( output_length != NULL ); *output_length = input_length; /* Exit early if input_length==0 so that we don't do any pointer arithmetic @@ -444,10 +422,6 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx, if( input_length == 0 ) return( 0 ); - GCM_VALIDATE_RET( ctx != NULL ); - GCM_VALIDATE_RET( input != NULL ); - GCM_VALIDATE_RET( output != NULL ); - if( output > input && (size_t) ( output - input ) < input_length ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); @@ -519,9 +493,6 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx, uint64_t orig_len; uint64_t orig_add_len; - GCM_VALIDATE_RET( ctx != NULL ); - GCM_VALIDATE_RET( tag != NULL ); - /* We never pass any output in finish(). The output parameter exists only * for the sake of alternative implementations. */ (void) output; @@ -580,13 +551,6 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t olen; - GCM_VALIDATE_RET( ctx != NULL ); - GCM_VALIDATE_RET( iv != NULL ); - GCM_VALIDATE_RET( add_len == 0 || add != NULL ); - GCM_VALIDATE_RET( length == 0 || input != NULL ); - GCM_VALIDATE_RET( length == 0 || output != NULL ); - GCM_VALIDATE_RET( tag != NULL ); - if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len ) ) != 0 ) return( ret ); @@ -619,13 +583,6 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx, size_t i; int diff; - GCM_VALIDATE_RET( ctx != NULL ); - GCM_VALIDATE_RET( iv != NULL ); - GCM_VALIDATE_RET( add_len == 0 || add != NULL ); - GCM_VALIDATE_RET( tag != NULL ); - GCM_VALIDATE_RET( length == 0 || input != NULL ); - GCM_VALIDATE_RET( length == 0 || output != NULL ); - if( ( ret = mbedtls_gcm_crypt_and_tag( ctx, MBEDTLS_GCM_DECRYPT, length, iv, iv_len, add, add_len, input, output, tag_len, check_tag ) ) != 0 ) diff --git a/thirdparty/mbedtls/library/hash_info.c b/thirdparty/mbedtls/library/hash_info.c new file mode 100644 index 00000000000000..cd7d70e821e8c9 --- /dev/null +++ b/thirdparty/mbedtls/library/hash_info.c @@ -0,0 +1,127 @@ +/* + * Hash information that's independent from the crypto implementation. + * + * (See the corresponding header file for usage notes.) + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "hash_info.h" +#include "mbedtls/legacy_or_psa.h" +#include "mbedtls/error.h" + +typedef struct +{ + psa_algorithm_t psa_alg; + mbedtls_md_type_t md_type; + unsigned char size; + unsigned char block_size; +} hash_entry; + +static const hash_entry hash_table[] = { +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA) + { PSA_ALG_MD5, MBEDTLS_MD_MD5, 16, 64 }, +#endif +#if defined(MBEDTLS_HAS_ALG_RIPEMD160_VIA_LOWLEVEL_OR_PSA) + { PSA_ALG_RIPEMD160, MBEDTLS_MD_RIPEMD160, 20, 64 }, +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) + { PSA_ALG_SHA_1, MBEDTLS_MD_SHA1, 20, 64 }, +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA) + { PSA_ALG_SHA_224, MBEDTLS_MD_SHA224, 28, 64 }, +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) + { PSA_ALG_SHA_256, MBEDTLS_MD_SHA256, 32, 64 }, +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA) + { PSA_ALG_SHA_384, MBEDTLS_MD_SHA384, 48, 128 }, +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA) + { PSA_ALG_SHA_512, MBEDTLS_MD_SHA512, 64, 128 }, +#endif + { PSA_ALG_NONE, MBEDTLS_MD_NONE, 0, 0 }, +}; + +/* Get size from MD type */ +unsigned char mbedtls_hash_info_get_size( mbedtls_md_type_t md_type ) +{ + const hash_entry *entry = hash_table; + while( entry->md_type != MBEDTLS_MD_NONE && + entry->md_type != md_type ) + { + entry++; + } + + return entry->size; +} + +/* Get block size from MD type */ +unsigned char mbedtls_hash_info_get_block_size( mbedtls_md_type_t md_type ) +{ + const hash_entry *entry = hash_table; + while( entry->md_type != MBEDTLS_MD_NONE && + entry->md_type != md_type ) + { + entry++; + } + + return entry->block_size; +} + +/* Get PSA from MD */ +psa_algorithm_t mbedtls_hash_info_psa_from_md( mbedtls_md_type_t md_type ) +{ + const hash_entry *entry = hash_table; + while( entry->md_type != MBEDTLS_MD_NONE && + entry->md_type != md_type ) + { + entry++; + } + + return entry->psa_alg; +} + +/* Get MD from PSA */ +mbedtls_md_type_t mbedtls_hash_info_md_from_psa( psa_algorithm_t psa_alg ) +{ + const hash_entry *entry = hash_table; + while( entry->md_type != MBEDTLS_MD_NONE && + entry->psa_alg != psa_alg ) + { + entry++; + } + + return entry->md_type; +} + +int mbedtls_md_error_from_psa( psa_status_t status ) +{ + switch( status ) + { + case PSA_SUCCESS: + return( 0 ); + case PSA_ERROR_NOT_SUPPORTED: + return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE ); + case PSA_ERROR_INVALID_ARGUMENT: + return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); + case PSA_ERROR_INSUFFICIENT_MEMORY: + return( MBEDTLS_ERR_MD_ALLOC_FAILED ); + default: + return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); + } +} diff --git a/thirdparty/mbedtls/library/hash_info.h b/thirdparty/mbedtls/library/hash_info.h new file mode 100644 index 00000000000000..1b7b46cda44f4a --- /dev/null +++ b/thirdparty/mbedtls/library/hash_info.h @@ -0,0 +1,99 @@ +/** + * Hash information that's independent from the crypto implementation. + * + * This can be used by: + * - code based on PSA + * - code based on the legacy API + * - code based on either of them depending on MBEDTLS_USE_PSA_CRYPTO + * - code based on either of them depending on what's available + * + * Note: this internal module will go away when everything becomes based on + * PSA Crypto; it is a helper for the transition while hash algorithms are + * still represented using mbedtls_md_type_t in most places even when PSA is + * used for the actual crypto computations. + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef MBEDTLS_HASH_INFO_H +#define MBEDTLS_HASH_INFO_H + +#include "common.h" + +#include "mbedtls/md.h" +#include "psa/crypto.h" + +/** \def MBEDTLS_HASH_MAX_SIZE + * + * Maximum size of a hash based on configuration. + */ +#if defined(MBEDTLS_MD_C) && ( \ + !defined(MBEDTLS_PSA_CRYPTO_C) || \ + MBEDTLS_MD_MAX_SIZE >= PSA_HASH_MAX_SIZE ) +#define MBEDTLS_HASH_MAX_SIZE MBEDTLS_MD_MAX_SIZE +#elif defined(MBEDTLS_PSA_CRYPTO_C) && ( \ + !defined(MBEDTLS_MD_C) || \ + PSA_HASH_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE ) +#define MBEDTLS_HASH_MAX_SIZE PSA_HASH_MAX_SIZE +#endif + +/** Get the output length of the given hash type from its MD type. + * + * \note To get the output length from the PSA alg, use \c PSA_HASH_LENGTH(). + * + * \param md_type The hash MD type. + * + * \return The output length in bytes, or 0 if not known. + */ +unsigned char mbedtls_hash_info_get_size( mbedtls_md_type_t md_type ); + +/** Get the block size of the given hash type from its MD type. + * + * \note To get the output length from the PSA alg, use + * \c PSA_HASH_BLOCK_LENGTH(). + * + * \param md_type The hash MD type. + * + * \return The block size in bytes, or 0 if not known. + */ +unsigned char mbedtls_hash_info_get_block_size( mbedtls_md_type_t md_type ); + +/** Get the PSA alg from the MD type. + * + * \param md_type The hash MD type. + * + * \return The corresponding PSA algorithm identifier, + * or PSA_ALG_NONE if not known. + */ +psa_algorithm_t mbedtls_hash_info_psa_from_md( mbedtls_md_type_t md_type ); + +/** Get the MD type alg from the PSA algorithm identifier. + * + * \param psa_alg The PSA hash algorithm. + * + * \return The corresponding MD type, + * or MBEDTLS_MD_NONE if not known. + */ +mbedtls_md_type_t mbedtls_hash_info_md_from_psa( psa_algorithm_t psa_alg ); + +/** Convert PSA status to MD error code. + * + * \param status PSA status. + * + * \return The corresponding MD error code, + */ +int mbedtls_md_error_from_psa( psa_status_t status ); + +#endif /* MBEDTLS_HASH_INFO_H */ diff --git a/thirdparty/mbedtls/library/hmac_drbg.c b/thirdparty/mbedtls/library/hmac_drbg.c index 8b13a860f7e51d..6bc679dd25735f 100644 --- a/thirdparty/mbedtls/library/hmac_drbg.c +++ b/thirdparty/mbedtls/library/hmac_drbg.c @@ -37,14 +37,7 @@ #include #endif -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_SELF_TEST */ -#endif /* MBEDTLS_PLATFORM_C */ /* * HMAC_DRBG context initialization diff --git a/thirdparty/mbedtls/library/lmots.c b/thirdparty/mbedtls/library/lmots.c new file mode 100644 index 00000000000000..788063c549bb55 --- /dev/null +++ b/thirdparty/mbedtls/library/lmots.c @@ -0,0 +1,826 @@ +/* + * The LM-OTS one-time public-key signature scheme + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * The following sources were referenced in the design of this implementation + * of the LM-OTS algorithm: + * + * [1] IETF RFC8554 + * D. McGrew, M. Curcio, S.Fluhrer + * https://datatracker.ietf.org/doc/html/rfc8554 + * + * [2] NIST Special Publication 800-208 + * David A. Cooper et. al. + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf + */ + +#include "common.h" + +#if defined(MBEDTLS_LMS_C) + +#include + +#include "lmots.h" + +#include "mbedtls/lms.h" +#include "mbedtls/platform_util.h" +#include "mbedtls/error.h" + +#include "psa/crypto.h" + +#define PUBLIC_KEY_TYPE_OFFSET (0) +#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \ + MBEDTLS_LMOTS_TYPE_LEN) +#define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \ + MBEDTLS_LMOTS_I_KEY_ID_LEN) +#define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \ + MBEDTLS_LMOTS_Q_LEAF_ID_LEN) + +/* We only support parameter sets that use 8-bit digits, as it does not require + * translation logic between digits and bytes */ +#define W_WINTERNITZ_PARAMETER (8u) +#define CHECKSUM_LEN (2) +#define I_DIGIT_IDX_LEN (2) +#define J_HASH_IDX_LEN (1) +#define D_CONST_LEN (2) + +#define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u) + +#define D_CONST_LEN (2) +static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = {0x80, 0x80}; +static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = {0x81, 0x81}; + +#if defined(MBEDTLS_TEST_HOOKS) +int( *mbedtls_lmots_sign_private_key_invalidated_hook )( unsigned char * ) = NULL; +#endif /* defined(MBEDTLS_TEST_HOOKS) */ + +void mbedtls_lms_unsigned_int_to_network_bytes( unsigned int val, size_t len, + unsigned char *bytes ) +{ + size_t idx; + + for ( idx = 0; idx < len; idx++ ) + { + bytes[idx] = ( val >> ( ( len - 1 - idx ) * 8 ) ) & 0xFF; + } +} + +unsigned int mbedtls_lms_network_bytes_to_unsigned_int( size_t len, + const unsigned char *bytes ) +{ + size_t idx; + unsigned int val = 0; + + for ( idx = 0; idx < len; idx++ ) + { + val |= ( ( unsigned int )bytes[idx] ) << (8 * ( len - 1 - idx ) ); + } + + return ( val ); +} + +/* Calculate the checksum digits that are appended to the end of the LMOTS digit + * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of + * the checksum algorithm. + * + * params The LMOTS parameter set, I and q values which + * describe the key being used. + * + * digest The digit string to create the digest from. As + * this does not contain a checksum, it is the same + * size as a hash output. + */ +static unsigned short lmots_checksum_calculate( const mbedtls_lmots_parameters_t *params, + const unsigned char* digest ) +{ + size_t idx; + unsigned sum = 0; + + for ( idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++ ) + { + sum += DIGIT_MAX_VALUE - digest[idx]; + } + + return ( sum ); +} + +/* Create the string of digest digits (in the base determined by the Winternitz + * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST + * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm + * 4b step 3) for details. + * + * params The LMOTS parameter set, I and q values which + * describe the key being used. + * + * msg The message that will be hashed to create the + * digest. + * + * msg_size The size of the message. + * + * C_random_value The random value that will be combined with the + * message digest. This is always the same size as a + * hash output for whichever hash algorithm is + * determined by the parameter set. + * + * output An output containing the digit string (+ + * checksum) of length P digits (in the case of + * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of + * size P bytes). + */ +static int create_digit_array_with_checksum( const mbedtls_lmots_parameters_t *params, + const unsigned char *msg, + size_t msg_len, + const unsigned char *C_random_value, + unsigned char *out ) +{ + psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_hash_len; + unsigned short checksum; + + status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, params->I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, params->q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, C_random_value, + MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, msg, msg_len ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_finish( &op, out, + MBEDTLS_LMOTS_N_HASH_LEN(params->type), + &output_hash_len ); + if( status != PSA_SUCCESS ) + goto exit; + + checksum = lmots_checksum_calculate( params, out ); + mbedtls_lms_unsigned_int_to_network_bytes( checksum, CHECKSUM_LEN, + out + MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); + +exit: + psa_hash_abort( &op ); + + return( mbedtls_lms_error_from_psa( status ) ); +} + +/* Hash each element of the string of digits (+ checksum), producing a hash + * output for each element. This is used in several places (by varying the + * hash_idx_min/max_values) in order to calculate a public key from a private + * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554 + * Algorithm 3 step 5), and to calculate a public key candidate from a + * signature and message (RFC8554 Algorithm 4b step 3). + * + * params The LMOTS parameter set, I and q values which + * describe the key being used. + * + * x_digit_array The array of digits (of size P, 34 in the case of + * MBEDTLS_LMOTS_SHA256_N32_W8). + * + * hash_idx_min_values An array of the starting values of the j iterator + * for each of the members of the digit array. If + * this value in NULL, then all iterators will start + * at 0. + * + * hash_idx_max_values An array of the upper bound values of the j + * iterator for each of the members of the digit + * array. If this value in NULL, then iterator is + * bounded to be less than 2^w - 1 (255 in the case + * of MBEDTLS_LMOTS_SHA256_N32_W8) + * + * output An array containing a hash output for each member + * of the digit string P. In the case of + * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 * + * 34. + */ +static int hash_digit_array( const mbedtls_lmots_parameters_t *params, + const unsigned char *x_digit_array, + const unsigned char *hash_idx_min_values, + const unsigned char *hash_idx_max_values, + unsigned char *output ) +{ + unsigned int i_digit_idx; + unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN]; + unsigned int j_hash_idx; + unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN]; + unsigned int j_hash_idx_min; + unsigned int j_hash_idx_max; + psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_hash_len; + unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + + for ( i_digit_idx = 0; + i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type); + i_digit_idx++ ) + { + + memcpy( tmp_hash, + &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], + MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); + + j_hash_idx_min = hash_idx_min_values != NULL ? + hash_idx_min_values[i_digit_idx] : 0; + j_hash_idx_max = hash_idx_max_values != NULL ? + hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE; + + for ( j_hash_idx = j_hash_idx_min; + j_hash_idx < j_hash_idx_max; + j_hash_idx++ ) + { + status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, + params->I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, + params->q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + mbedtls_lms_unsigned_int_to_network_bytes( i_digit_idx, + I_DIGIT_IDX_LEN, + i_digit_idx_bytes ); + status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + mbedtls_lms_unsigned_int_to_network_bytes( j_hash_idx, + J_HASH_IDX_LEN, + j_hash_idx_bytes ); + status = psa_hash_update( &op, j_hash_idx_bytes, J_HASH_IDX_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, tmp_hash, + MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_finish( &op, tmp_hash, sizeof( tmp_hash ), + &output_hash_len ); + if( status != PSA_SUCCESS ) + goto exit; + + psa_hash_abort( &op ); + } + + memcpy( &output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)], + tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); + } + +exit: + psa_hash_abort( &op ); + mbedtls_platform_zeroize( tmp_hash, sizeof( tmp_hash ) ); + + return( mbedtls_lms_error_from_psa( status ) ); +} + +/* Combine the hashes of the digit array into a public key. This is used in + * in order to calculate a public key from a private key (RFC8554 Algorithm 1 + * step 4), and to calculate a public key candidate from a signature and message + * (RFC8554 Algorithm 4b step 3). + * + * params The LMOTS parameter set, I and q values which describe + * the key being used. + * y_hashed_digits The array of hashes, one hash for each digit of the + * symbol array (which is of size P, 34 in the case of + * MBEDTLS_LMOTS_SHA256_N32_W8) + * + * pub_key The output public key (or candidate public key in + * case this is being run as part of signature + * verification), in the form of a hash output. + */ +static int public_key_from_hashed_digit_array( const mbedtls_lmots_parameters_t *params, + const unsigned char *y_hashed_digits, + unsigned char *pub_key ) +{ + psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_hash_len; + + status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, + params->I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, params->q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, y_hashed_digits, + MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) * + MBEDTLS_LMOTS_N_HASH_LEN(params->type) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_finish( &op, pub_key, + MBEDTLS_LMOTS_N_HASH_LEN(params->type), + &output_hash_len ); + if( status != PSA_SUCCESS ) + +exit: + psa_hash_abort( &op ); + + return( mbedtls_lms_error_from_psa( status ) ); +} + +int mbedtls_lms_error_from_psa( psa_status_t status ) +{ + switch( status ) + { + case PSA_SUCCESS: + return( 0 ); + case PSA_ERROR_HARDWARE_FAILURE: + return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); + case PSA_ERROR_NOT_SUPPORTED: + return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ); + case PSA_ERROR_BUFFER_TOO_SMALL: + return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); + case PSA_ERROR_INVALID_ARGUMENT: + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + default: + return( MBEDTLS_ERR_ERROR_GENERIC_ERROR ); + } +} + +void mbedtls_lmots_public_init( mbedtls_lmots_public_t *ctx ) +{ + memset( ctx, 0, sizeof( *ctx ) ) ; +} + +void mbedtls_lmots_public_free( mbedtls_lmots_public_t *ctx ) +{ + mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ) ; +} + +int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx, + const unsigned char *key, size_t key_len ) +{ + if( key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + ctx->params.type = + mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, + key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); + + if( key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + memcpy( ctx->params.I_key_identifier, + key + PUBLIC_KEY_I_KEY_ID_OFFSET, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + + memcpy( ctx->params.q_leaf_identifier, + key + PUBLIC_KEY_Q_LEAF_ID_OFFSET, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); + + memcpy( ctx->public_key, + key + PUBLIC_KEY_KEY_HASH_OFFSET, + MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); + + ctx->have_public_key = 1; + + return( 0 ); +} + +int mbedtls_lmots_export_public_key( const mbedtls_lmots_public_t *ctx, + unsigned char *key, size_t key_size, + size_t *key_len ) +{ + if( key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type) ) + { + return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); + } + + if( ! ctx->have_public_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type, + MBEDTLS_LMOTS_TYPE_LEN, + key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); + + memcpy( key + PUBLIC_KEY_I_KEY_ID_OFFSET, + ctx->params.I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + + memcpy( key + PUBLIC_KEY_Q_LEAF_ID_OFFSET, + ctx->params.q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); + + memcpy( key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key, + MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); + + if( key_len != NULL ) + { + *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type); + } + + return( 0 ); +} + +int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params, + const unsigned char *msg, + size_t msg_size, + const unsigned char *sig, + size_t sig_size, + unsigned char *out, + size_t out_size, + size_t *out_len ) +{ + unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; + unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( msg == NULL && msg_size != 0 ) + { + return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) || + out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type) ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + ret = create_digit_array_with_checksum( params, msg, msg_size, + sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, + tmp_digit_array ); + if( ret ) + { + return ( ret ); + } + + ret = hash_digit_array( params, + sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type), + tmp_digit_array, NULL, ( unsigned char * )y_hashed_digits ); + if( ret ) + { + return ( ret ); + } + + ret = public_key_from_hashed_digit_array( params, + ( unsigned char * )y_hashed_digits, + out ); + if( ret ) + { + return ( ret ); + } + + if( out_len != NULL ) + { + *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type); + } + + return( 0 ); +} + +int mbedtls_lmots_verify( const mbedtls_lmots_public_t *ctx, + const unsigned char *msg, size_t msg_size, + const unsigned char *sig, size_t sig_size ) +{ + unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( msg == NULL && msg_size != 0 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( !ctx->have_public_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, + sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ) != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + ret = mbedtls_lmots_calculate_public_key_candidate( &ctx->params, + msg, msg_size, sig, sig_size, + Kc_public_key_candidate, + MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), + NULL ); + if( ret ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + if( memcmp( &Kc_public_key_candidate, ctx->public_key, + sizeof( ctx->public_key ) ) ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + return( 0 ); +} + +#if defined(MBEDTLS_LMS_PRIVATE) + +void mbedtls_lmots_private_init( mbedtls_lmots_private_t *ctx ) +{ + memset( ctx, 0, sizeof( *ctx ) ) ; +} + +void mbedtls_lmots_private_free( mbedtls_lmots_private_t *ctx ) +{ + mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ) ; +} + +int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx, + mbedtls_lmots_algorithm_type_t type, + const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], + uint32_t q_leaf_identifier, + const unsigned char *seed, + size_t seed_size ) +{ + psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_hash_len; + unsigned int i_digit_idx; + unsigned char i_digit_idx_bytes[2]; + unsigned char const_bytes[1]; + + if( ctx->have_private_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( type != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + ctx->params.type = type; + + memcpy( ctx->params.I_key_identifier, + I_key_identifier, + sizeof( ctx->params.I_key_identifier ) ); + + mbedtls_lms_unsigned_int_to_network_bytes( q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN, + ctx->params.q_leaf_identifier ); + + mbedtls_lms_unsigned_int_to_network_bytes( 0xFF, sizeof( const_bytes ), + const_bytes ); + + for ( i_digit_idx = 0; + i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type); + i_digit_idx++ ) + { + status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, + ctx->params.I_key_identifier, + sizeof( ctx->params.I_key_identifier ) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, + ctx->params.q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + mbedtls_lms_unsigned_int_to_network_bytes( i_digit_idx, I_DIGIT_IDX_LEN, + i_digit_idx_bytes ); + status = psa_hash_update( &op, i_digit_idx_bytes, I_DIGIT_IDX_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, const_bytes, sizeof( const_bytes ) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, seed, seed_size ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_finish( &op, + ctx->private_key[i_digit_idx], + MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type), + &output_hash_len ); + if( status != PSA_SUCCESS ) + goto exit; + + psa_hash_abort( &op ); + } + + ctx->have_private_key = 1; + +exit: + psa_hash_abort( &op ); + + return ( mbedtls_lms_error_from_psa( status ) ); +} + +int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx, + const mbedtls_lmots_private_t *priv_ctx ) +{ + unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + /* Check that a private key is loaded */ + if( !priv_ctx->have_private_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + ret = hash_digit_array( &priv_ctx->params, + ( unsigned char * )priv_ctx->private_key, NULL, + NULL, ( unsigned char * )y_hashed_digits ); + if( ret ) + { + goto exit; + } + + ret = public_key_from_hashed_digit_array( &priv_ctx->params, + ( unsigned char * )y_hashed_digits, + ctx->public_key ); + if( ret ) + { + goto exit; + } + + memcpy( &ctx->params, &priv_ctx->params, + sizeof( ctx->params ) ); + + ctx->have_public_key = 1; + +exit: + mbedtls_platform_zeroize( y_hashed_digits, sizeof( y_hashed_digits ) ); + + return( ret ); +} + +int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng, const unsigned char *msg, size_t msg_size, + unsigned char *sig, size_t sig_size, size_t* sig_len ) +{ + unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX]; + /* Create a temporary buffer to prepare the signature in. This allows us to + * finish creating a signature (ensuring the process doesn't fail), and then + * erase the private key **before** writing any data into the sig parameter + * buffer. If data were directly written into the sig buffer, it might leak + * a partial signature on failure, which effectively compromises the private + * key. + */ + unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( msg == NULL && msg_size != 0 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type) ) + { + return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); + } + + /* Check that a private key is loaded */ + if( !ctx->have_private_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + ret = f_rng( p_rng, tmp_c_random, + MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); + if( ret ) + { + return( ret ); + } + + ret = create_digit_array_with_checksum( &ctx->params, + msg, msg_size, + tmp_c_random, + tmp_digit_array ); + if( ret ) + { + goto exit; + } + + ret = hash_digit_array( &ctx->params, ( unsigned char * )ctx->private_key, + NULL, tmp_digit_array, ( unsigned char * )tmp_sig ); + if( ret ) + { + goto exit; + } + + mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type, + MBEDTLS_LMOTS_TYPE_LEN, + sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ); + + /* Test hook to check if sig is being written to before we invalidate the + * private key. + */ +#if defined(MBEDTLS_TEST_HOOKS) + if( mbedtls_lmots_sign_private_key_invalidated_hook != NULL ) + { + ret = ( *mbedtls_lmots_sign_private_key_invalidated_hook )( sig ); + if( ret != 0 ) + return( ret ); + } +#endif /* defined(MBEDTLS_TEST_HOOKS) */ + + /* We've got a valid signature now, so it's time to make sure the private + * key can't be reused. + */ + ctx->have_private_key = 0; + mbedtls_platform_zeroize( ctx->private_key, + sizeof( ctx->private_key ) ); + + memcpy( sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random, + MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type) ); + + memcpy( sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig, + MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type) + * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type) ); + + if( sig_len != NULL ) + { + *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type); + } + + ret = 0; + +exit: + mbedtls_platform_zeroize( tmp_digit_array, sizeof( tmp_digit_array ) ); + mbedtls_platform_zeroize( tmp_sig, sizeof( tmp_sig ) ); + + return ( ret ); +} + +#endif /* defined(MBEDTLS_LMS_PRIVATE) */ +#endif /* defined(MBEDTLS_LMS_C) */ diff --git a/thirdparty/mbedtls/library/lmots.h b/thirdparty/mbedtls/library/lmots.h new file mode 100644 index 00000000000000..022dcf3d48fe78 --- /dev/null +++ b/thirdparty/mbedtls/library/lmots.h @@ -0,0 +1,322 @@ +/** + * \file lmots.h + * + * \brief This file provides an API for the LM-OTS post-quantum-safe one-time + * public-key signature scheme as defined in RFC8554 and NIST.SP.200-208. + * This implementation currently only supports a single parameter set + * MBEDTLS_LMOTS_SHA256_N32_W8 in order to reduce complexity. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_LMOTS_H +#define MBEDTLS_LMOTS_H + +#include "mbedtls/build_info.h" + +#include "psa/crypto.h" + +#include "mbedtls/lms.h" + +#include +#include + + +#define MBEDTLS_LMOTS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \ + MBEDTLS_LMOTS_I_KEY_ID_LEN + \ + MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \ + MBEDTLS_LMOTS_N_HASH_LEN(type)) + +#define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0) +#define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \ + MBEDTLS_LMOTS_TYPE_LEN) +#define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \ + MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type)) + +#ifdef __cplusplus +extern "C" { +#endif + + +#if defined(MBEDTLS_TEST_HOOKS) +extern int( *mbedtls_lmots_sign_private_key_invalidated_hook )( unsigned char * ); +#endif /* defined(MBEDTLS_TEST_HOOKS) */ + +/** + * \brief This function converts an unsigned int into a + * network-byte-order (big endian) string. + * + * \param val The unsigned integer value + * \param len The length of the string. + * \param bytes The string to output into. + */ +void mbedtls_lms_unsigned_int_to_network_bytes( unsigned int val, size_t len, + unsigned char *bytes ); + +/** + * \brief This function converts a network-byte-order + * (big endian) string into an unsigned integer. + * + * \param len The length of the string. + * \param bytes The string. + * + * \return The corresponding LMS error code. + */ +unsigned int mbedtls_lms_network_bytes_to_unsigned_int( size_t len, + const unsigned char *bytes ); + +/** + * \brief This function converts a \ref psa_status_t to a + * low-level LMS error code. + * + * \param status The psa_status_t to convert + * + * \return The corresponding LMS error code. + */ +int mbedtls_lms_error_from_psa( psa_status_t status ); + + +/** + * \brief This function initializes a public LMOTS context + * + * \param ctx The uninitialized LMOTS context that will then be + * initialized. + */ +void mbedtls_lmots_public_init( mbedtls_lmots_public_t *ctx ); + +/** + * \brief This function uninitializes a public LMOTS context + * + * \param ctx The initialized LMOTS context that will then be + * uninitialized. + */ +void mbedtls_lmots_public_free( mbedtls_lmots_public_t *ctx ); + +/** + * \brief This function imports an LMOTS public key into a + * LMOTS context. + * + * \note Before this function is called, the context must + * have been initialized. + * + * \note See IETF RFC8554 for details of the encoding of + * this public key. + * + * \param ctx The initialized LMOTS context store the key in. + * \param key The buffer from which the key will be read. + * #MBEDTLS_LMOTS_PUBLIC_KEY_LEN bytes will be read + * from this. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lmots_import_public_key( mbedtls_lmots_public_t *ctx, + const unsigned char *key, size_t key_size ); + +/** + * \brief This function exports an LMOTS public key from a + * LMOTS context that already contains a public key. + * + * \note Before this function is called, the context must + * have been initialized and the context must contain + * a public key. + * + * \note See IETF RFC8554 for details of the encoding of + * this public key. + * + * \param ctx The initialized LMOTS context that contains the + * public key. + * \param key The buffer into which the key will be output. Must + * be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lmots_export_public_key( const mbedtls_lmots_public_t *ctx, + unsigned char *key, size_t key_size, + size_t *key_len ); + +/** + * \brief This function creates a candidate public key from + * an LMOTS signature. This can then be compared to + * the real public key to determine the validity of + * the signature. + * + * \note This function is exposed publicly to be used in LMS + * signature verification, it is expected that + * mbedtls_lmots_verify will be used for LMOTS + * signature verification. + * + * \param params The LMOTS parameter set, q and I values as an + * mbedtls_lmots_parameters_t struct. + * \param msg The buffer from which the message will be read. + * \param msg_size The size of the message that will be read. + * \param sig The buffer from which the signature will be read. + * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from + * this. + * \param out The buffer where the candidate public key will be + * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN + * bytes in size. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lmots_calculate_public_key_candidate( const mbedtls_lmots_parameters_t *params, + const unsigned char *msg, + size_t msg_size, + const unsigned char *sig, + size_t sig_size, + unsigned char *out, + size_t out_size, + size_t *out_len ); + +/** + * \brief This function verifies a LMOTS signature, using a + * LMOTS context that contains a public key. + * + * \warning This function is **not intended for use in + * production**, due to as-yet unsolved problems with + * handling stateful keys. The API for this function + * may change considerably in future versions. + * + * \note Before this function is called, the context must + * have been initialized and must contain a public key + * (either by import or calculation from a private + * key). + * + * \param ctx The initialized LMOTS context from which the public + * key will be read. + * \param msg The buffer from which the message will be read. + * \param msg_size The size of the message that will be read. + * \param sig The buf from which the signature will be read. + * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from + * this. + * + * \return \c 0 on successful verification. + * \return A non-zero error code on failure. + */ +int mbedtls_lmots_verify( const mbedtls_lmots_public_t *ctx, + const unsigned char *msg, + size_t msg_size, const unsigned char *sig, + size_t sig_size ); + +#if defined(MBEDTLS_LMS_PRIVATE) + +/** + * \brief This function initializes a private LMOTS context + * + * \param ctx The uninitialized LMOTS context that will then be + * initialized. + */ +void mbedtls_lmots_private_init( mbedtls_lmots_private_t *ctx ); + +/** + * \brief This function uninitializes a private LMOTS context + * + * \param ctx The initialized LMOTS context that will then be + * uninitialized. + */ +void mbedtls_lmots_private_free( mbedtls_lmots_private_t *ctx ); + +/** + * \brief This function calculates an LMOTS private key, and + * stores in into an LMOTS context. + * + * \warning This function is **not intended for use in + * production**, due to as-yet unsolved problems with + * handling stateful keys. The API for this function + * may change considerably in future versions. + * + * \note The seed must have at least 256 bits of entropy. + * + * \param ctx The initialized LMOTS context to generate the key + * into. + * \param I_key_identifier The key identifier of the key, as a 16-byte string. + * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is + * not being used as part of an LMS key, this should + * be set to 0. + * \param seed The seed used to deterministically generate the + * key. + * \param seed_size The length of the seed. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lmots_generate_private_key( mbedtls_lmots_private_t *ctx, + mbedtls_lmots_algorithm_type_t type, + const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], + uint32_t q_leaf_identifier, + const unsigned char *seed, + size_t seed_size ); + +/** + * \brief This function generates an LMOTS public key from a + * LMOTS context that already contains a private key. + * + * \note Before this function is called, the context must + * have been initialized and the context must contain + * a private key. + * + * \param ctx The initialized LMOTS context to generate the key + * from and store it into. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lmots_calculate_public_key( mbedtls_lmots_public_t *ctx, + const mbedtls_lmots_private_t *priv_ctx ); + +/** + * \brief This function creates a LMOTS signature, using a + * LMOTS context that contains a private key. + * + * \note Before this function is called, the context must + * have been initialized and must contain a private + * key. + * + * \note LMOTS private keys can only be used once, otherwise + * attackers may be able to create forged signatures. + * If the signing operation is successful, the private + * key in the context will be erased, and no further + * signing will be possible until another private key + * is loaded + * + * \param ctx The initialized LMOTS context from which the + * private key will be read. + * \param f_rng The RNG function to be used for signature + * generation. + * \param p_rng The RNG context to be passed to f_rng + * \param msg The buffer from which the message will be read. + * \param msg_size The size of the message that will be read. + * \param sig The buf into which the signature will be stored. + * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size. + * + * \return \c 0 on success. + * \return A non-zero error code on failure. + */ +int mbedtls_lmots_sign( mbedtls_lmots_private_t *ctx, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng, const unsigned char *msg, size_t msg_size, + unsigned char *sig, size_t sig_size, size_t* sig_len ); + +#endif /* defined(MBEDTLS_LMS_PRIVATE) */ + +#ifdef __cplusplus +} +#endif + +#endif /* MBEDTLS_LMOTS_H */ diff --git a/thirdparty/mbedtls/library/lms.c b/thirdparty/mbedtls/library/lms.c new file mode 100644 index 00000000000000..46ea567f2f24ec --- /dev/null +++ b/thirdparty/mbedtls/library/lms.c @@ -0,0 +1,789 @@ +/* + * The LMS stateful-hash public-key signature scheme + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * The following sources were referenced in the design of this implementation + * of the LMS algorithm: + * + * [1] IETF RFC8554 + * D. McGrew, M. Curcio, S.Fluhrer + * https://datatracker.ietf.org/doc/html/rfc8554 + * + * [2] NIST Special Publication 800-208 + * David A. Cooper et. al. + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf + */ + +#include "common.h" + +#if defined(MBEDTLS_LMS_C) + +#include + +#include "lmots.h" + +#include "psa/crypto.h" + +#include "mbedtls/lms.h" +#include "mbedtls/error.h" +#include "mbedtls/platform_util.h" + +#include "mbedtls/platform.h" + +#define SIG_Q_LEAF_ID_OFFSET (0) +#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \ + MBEDTLS_LMOTS_Q_LEAF_ID_LEN) +#define SIG_TYPE_OFFSET(otstype) (SIG_OTS_SIG_OFFSET + \ + MBEDTLS_LMOTS_SIG_LEN(otstype)) +#define SIG_PATH_OFFSET(otstype) (SIG_TYPE_OFFSET(otstype) + \ + MBEDTLS_LMS_TYPE_LEN) + +#define PUBLIC_KEY_TYPE_OFFSET (0) +#define PUBLIC_KEY_OTSTYPE_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \ + MBEDTLS_LMS_TYPE_LEN) +#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_OTSTYPE_OFFSET + \ + MBEDTLS_LMOTS_TYPE_LEN) +#define PUBLIC_KEY_ROOT_NODE_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \ + MBEDTLS_LMOTS_I_KEY_ID_LEN) + + +/* Currently only support H=10 */ +#define H_TREE_HEIGHT_MAX 10 +#define MERKLE_TREE_NODE_AM_MAX (1u << (H_TREE_HEIGHT_MAX + 1u)) +#define MERKLE_TREE_NODE_AM(type) (1u << (MBEDTLS_LMS_H_TREE_HEIGHT(type) + 1u)) +#define MERKLE_TREE_LEAF_NODE_AM(type) (1u << MBEDTLS_LMS_H_TREE_HEIGHT(type)) +#define MERKLE_TREE_INTERNAL_NODE_AM(type) (1u << MBEDTLS_LMS_H_TREE_HEIGHT(type)) + +#define D_CONST_LEN (2) +static const unsigned char D_LEAF_CONSTANT_BYTES[D_CONST_LEN] = {0x82, 0x82}; +static const unsigned char D_INTR_CONSTANT_BYTES[D_CONST_LEN] = {0x83, 0x83}; + + +/* Calculate the value of a leaf node of the Merkle tree (which is a hash of a + * public key and some other parameters like the leaf index). This function + * implements RFC8554 section 5.3, in the case where r >= 2^h. + * + * params The LMS parameter set, the underlying LMOTS + * parameter set, and I value which describe the key + * being used. + * + * pub_key The public key of the private whose index + * corresponds to the index of this leaf node. This + * is a hash output. + * + * r_node_idx The index of this node in the Merkle tree. Note + * that the root node of the Merkle tree is + * 1-indexed. + * + * out The output node value, which is a hash output. + */ +static int create_merkle_leaf_value( const mbedtls_lms_parameters_t *params, + unsigned char *pub_key, + unsigned int r_node_idx, + unsigned char *out ) +{ + psa_hash_operation_t op; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_hash_len; + unsigned char r_node_idx_bytes[4]; + + op = psa_hash_operation_init( ); + status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, params->I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + mbedtls_lms_unsigned_int_to_network_bytes( r_node_idx, 4, r_node_idx_bytes ); + status = psa_hash_update( &op, r_node_idx_bytes, 4 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, D_LEAF_CONSTANT_BYTES, D_CONST_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, pub_key, + MBEDTLS_LMOTS_N_HASH_LEN(params->otstype) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_finish( &op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type), + &output_hash_len ); + if( status != PSA_SUCCESS ) + goto exit; + +exit: + psa_hash_abort( &op ); + + return ( mbedtls_lms_error_from_psa( status ) ); +} + +/* Calculate the value of an internal node of the Merkle tree (which is a hash + * of a public key and some other parameters like the node index). This function + * implements RFC8554 section 5.3, in the case where r < 2^h. + * + * params The LMS parameter set, the underlying LMOTS + * parameter set, and I value which describe the key + * being used. + * + * left_node The value of the child of this node which is on + * the left-hand side. As with all nodes on the + * Merkle tree, this is a hash output. + * + * right_node The value of the child of this node which is on + * the right-hand side. As with all nodes on the + * Merkle tree, this is a hash output. + * + * r_node_idx The index of this node in the Merkle tree. Note + * that the root node of the Merkle tree is + * 1-indexed. + * + * out The output node value, which is a hash output. + */ +static int create_merkle_internal_value( const mbedtls_lms_parameters_t *params, + const unsigned char *left_node, + const unsigned char *right_node, + unsigned int r_node_idx, + unsigned char *out ) +{ + psa_hash_operation_t op; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_hash_len; + unsigned char r_node_idx_bytes[4]; + + op = psa_hash_operation_init( ); + status = psa_hash_setup( &op, PSA_ALG_SHA_256 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, params->I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + mbedtls_lms_unsigned_int_to_network_bytes( r_node_idx, 4, r_node_idx_bytes ); + status = psa_hash_update( &op, r_node_idx_bytes, 4 ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, D_INTR_CONSTANT_BYTES, D_CONST_LEN ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, left_node, + MBEDTLS_LMS_M_NODE_BYTES(params->type) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_update( &op, right_node, + MBEDTLS_LMS_M_NODE_BYTES(params->type) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_hash_finish( &op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type), + &output_hash_len ); + if( status != PSA_SUCCESS ) + goto exit; + +exit: + psa_hash_abort( &op ); + + return( mbedtls_lms_error_from_psa( status ) ); +} + +void mbedtls_lms_public_init( mbedtls_lms_public_t *ctx ) +{ + memset( ctx, 0, sizeof( *ctx ) ) ; +} + +void mbedtls_lms_public_free( mbedtls_lms_public_t *ctx ) +{ + mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ); +} + +int mbedtls_lms_import_public_key( mbedtls_lms_public_t *ctx, + const unsigned char *key, size_t key_size ) +{ + mbedtls_lms_algorithm_type_t type; + mbedtls_lmots_algorithm_type_t otstype; + + type = mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMS_TYPE_LEN, + key + PUBLIC_KEY_TYPE_OFFSET ); + if( type != MBEDTLS_LMS_SHA256_M32_H10 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + ctx->params.type = type; + + if( key_size != MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type) ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + otstype = mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, + key + PUBLIC_KEY_OTSTYPE_OFFSET ); + if( otstype != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + ctx->params.otstype = otstype; + + memcpy( ctx->params.I_key_identifier, + key + PUBLIC_KEY_I_KEY_ID_OFFSET, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + memcpy( ctx->T_1_pub_key, key + PUBLIC_KEY_ROOT_NODE_OFFSET, + MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) ); + + ctx->have_public_key = 1; + + return( 0 ); +} + +int mbedtls_lms_export_public_key( const mbedtls_lms_public_t *ctx, + unsigned char *key, + size_t key_size, size_t *key_len ) +{ + if( key_size < MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type) ) + { + return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); + } + + if( ! ctx->have_public_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + mbedtls_lms_unsigned_int_to_network_bytes( + ctx->params.type, + MBEDTLS_LMS_TYPE_LEN, key + PUBLIC_KEY_TYPE_OFFSET ); + mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.otstype, + MBEDTLS_LMOTS_TYPE_LEN, + key + PUBLIC_KEY_OTSTYPE_OFFSET ); + memcpy( key + PUBLIC_KEY_I_KEY_ID_OFFSET, + ctx->params.I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + memcpy( key +PUBLIC_KEY_ROOT_NODE_OFFSET, + ctx->T_1_pub_key, + MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) ); + + if( key_len != NULL ) + { + *key_len = MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type); + } + + return( 0 ); +} + +int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx, + const unsigned char *msg, size_t msg_size, + const unsigned char *sig, size_t sig_size ) +{ + unsigned int q_leaf_identifier; + unsigned char Kc_candidate_ots_pub_key[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; + unsigned char Tc_candidate_root_node[MBEDTLS_LMS_M_NODE_BYTES_MAX]; + unsigned int height; + unsigned int curr_node_id; + unsigned int parent_node_id; + const unsigned char* left_node; + const unsigned char* right_node; + mbedtls_lmots_parameters_t ots_params; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( ! ctx->have_public_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( ctx->params.type + != MBEDTLS_LMS_SHA256_M32_H10 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( ctx->params.otstype + != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( sig_size != MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + if( sig_size < SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_TYPE_LEN ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN, + sig + SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_SIG_TYPE_OFFSET ) + != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + if( sig_size < SIG_TYPE_OFFSET(ctx->params.otstype) + MBEDTLS_LMS_TYPE_LEN ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMS_TYPE_LEN, + sig + SIG_TYPE_OFFSET(ctx->params.otstype)) + != MBEDTLS_LMS_SHA256_M32_H10 ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + + q_leaf_identifier = mbedtls_lms_network_bytes_to_unsigned_int( + MBEDTLS_LMOTS_Q_LEAF_ID_LEN, sig + SIG_Q_LEAF_ID_OFFSET ); + + if( q_leaf_identifier >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type) ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + memcpy( ots_params.I_key_identifier, + ctx->params.I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + mbedtls_lms_unsigned_int_to_network_bytes( q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN, + ots_params.q_leaf_identifier ); + ots_params.type = ctx->params.otstype; + + ret = mbedtls_lmots_calculate_public_key_candidate( &ots_params, msg, + msg_size, sig + SIG_OTS_SIG_OFFSET, + MBEDTLS_LMOTS_SIG_LEN(ctx->params.otstype), Kc_candidate_ots_pub_key, + sizeof( Kc_candidate_ots_pub_key ), NULL ); + if( ret != 0 ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + create_merkle_leaf_value( + &ctx->params, + Kc_candidate_ots_pub_key, + MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier, + Tc_candidate_root_node ); + + curr_node_id = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + + q_leaf_identifier; + + for( height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type); + height++ ) + { + parent_node_id = curr_node_id / 2; + + /* Left/right node ordering matters for the hash */ + if( curr_node_id & 1 ) + { + left_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) + + height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type); + right_node = Tc_candidate_root_node; + } + else + { + left_node = Tc_candidate_root_node; + right_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) + + height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type); + } + + create_merkle_internal_value( &ctx->params, left_node, right_node, + parent_node_id, Tc_candidate_root_node); + + curr_node_id /= 2; + } + + if( memcmp( Tc_candidate_root_node, ctx->T_1_pub_key, + MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)) ) + { + return( MBEDTLS_ERR_LMS_VERIFY_FAILED ); + } + + return( 0 ); +} + +#if defined(MBEDTLS_LMS_PRIVATE) + +/* Calculate a full Merkle tree based on a private key. This function + * implements RFC8554 section 5.3, and is used to generate a public key (as the + * public key is the root node of the Merkle tree). + * + * ctx The LMS private context, containing a parameter + * set and private key material consisting of both + * public and private OTS. + * + * tree The output tree, which is 2^(H + 1) hash outputs. + * In the case of H=10 we have 2048 tree nodes (of + * which 1024 of them are leaf nodes). Note that + * because the Merkle tree root is 1-indexed, the 0 + * index tree node is never used. + */ +static int calculate_merkle_tree( const mbedtls_lms_private_t *ctx, + unsigned char *tree ) +{ + unsigned int priv_key_idx; + unsigned int r_node_idx; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + /* First create the leaf nodes, in ascending order */ + for( priv_key_idx = 0; + priv_key_idx < MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type); + priv_key_idx++ ) + { + r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + priv_key_idx; + + ret = create_merkle_leaf_value( &ctx->params, + ctx->ots_public_keys[priv_key_idx].public_key, r_node_idx, + &tree[r_node_idx * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)] ); + if( ret != 0 ) + { + return( ret ); + } + } + + /* Then the internal nodes, in reverse order so that we can guarantee the + * parent has been created */ + for( r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) - 1; + r_node_idx > 0; + r_node_idx-- ) + { + ret = create_merkle_internal_value( &ctx->params, + &tree[( r_node_idx * 2 ) * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)], + &tree[( r_node_idx * 2 + 1 ) * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)], + r_node_idx, + &tree[r_node_idx * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)] ); + if( ret != 0 ) + { + return( ret ); + } + } + + return( 0 ); +} + +/* Calculate a path from a leaf node of the Merkle tree to the root of the tree, + * and return the full path. This function implements RFC8554 section 5.4.1, as + * the Merkle path is the main component of an LMS signature. + * + * ctx The LMS private context, containing a parameter + * set and private key material consisting of both + * public and private OTS. + * + * leaf_node_id Which leaf node to calculate the path from. + * + * path The output path, which is H hash outputs. + */ +static int get_merkle_path( mbedtls_lms_private_t *ctx, + unsigned int leaf_node_id, + unsigned char *path ) +{ + unsigned char tree[MERKLE_TREE_NODE_AM_MAX][MBEDTLS_LMS_M_NODE_BYTES_MAX]; + unsigned int curr_node_id = leaf_node_id; + unsigned int adjacent_node_id; + unsigned int height; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = calculate_merkle_tree( ctx, ( unsigned char * )tree ); + if( ret != 0 ) + { + goto exit; + } + + for( height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type); + height++ ) + { + adjacent_node_id = curr_node_id ^ 1; + + memcpy( &path[height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)], + &tree[adjacent_node_id], + MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) ); + + curr_node_id >>=1; + } + + ret = 0; + +exit: + mbedtls_platform_zeroize( tree, sizeof( tree ) ); + + return( ret ); +} + +void mbedtls_lms_private_init( mbedtls_lms_private_t *ctx ) +{ + memset( ctx, 0, sizeof( *ctx ) ) ; +} + +void mbedtls_lms_private_free( mbedtls_lms_private_t *ctx ) +{ + unsigned int idx; + + if( ctx->have_private_key ) + { + if( ctx->ots_private_keys != NULL ) + { + for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ ) + { + mbedtls_lmots_private_free( &ctx->ots_private_keys[idx] ); + } + } + + if( ctx->ots_public_keys != NULL ) + { + for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ ) + { + mbedtls_lmots_public_free( &ctx->ots_public_keys[idx] ); + } + } + + mbedtls_free( ctx->ots_private_keys ); + mbedtls_free( ctx->ots_public_keys ); + } + + mbedtls_platform_zeroize( ctx, sizeof( *ctx ) ); +} + + +int mbedtls_lms_generate_private_key( mbedtls_lms_private_t *ctx, + mbedtls_lms_algorithm_type_t type, + mbedtls_lmots_algorithm_type_t otstype, + int (*f_rng)(void *, unsigned char *, size_t), + void* p_rng, const unsigned char *seed, + size_t seed_size ) +{ + unsigned int idx = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( type != MBEDTLS_LMS_SHA256_M32_H10 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( otstype != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( ctx->have_private_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + ctx->params.type = type; + ctx->params.otstype = otstype; + ctx->have_private_key = 1; + + ret = f_rng( p_rng, + ctx->params.I_key_identifier, + MBEDTLS_LMOTS_I_KEY_ID_LEN ); + if( ret != 0 ) + { + goto exit; + } + + /* Requires a cast to size_t to avoid an implicit cast warning on certain + * platforms (particularly Windows) */ + ctx->ots_private_keys = mbedtls_calloc( ( size_t )MERKLE_TREE_LEAF_NODE_AM(ctx->params.type), + sizeof( *ctx->ots_private_keys ) ); + if( ctx->ots_private_keys == NULL ) + { + ret = MBEDTLS_ERR_LMS_ALLOC_FAILED; + goto exit; + } + + /* Requires a cast to size_t to avoid an implicit cast warning on certain + * platforms (particularly Windows) */ + ctx->ots_public_keys = mbedtls_calloc( ( size_t )MERKLE_TREE_LEAF_NODE_AM(ctx->params.type), + sizeof( *ctx->ots_public_keys ) ); + if( ctx->ots_public_keys == NULL ) + { + ret = MBEDTLS_ERR_LMS_ALLOC_FAILED; + goto exit; + } + + for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ ) + { + mbedtls_lmots_private_init( &ctx->ots_private_keys[idx] ); + mbedtls_lmots_public_init( &ctx->ots_public_keys[idx] ); + } + + + for( idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++ ) + { + ret = mbedtls_lmots_generate_private_key( &ctx->ots_private_keys[idx], + otstype, + ctx->params.I_key_identifier, + idx, seed, seed_size ); + if( ret != 0 ) + goto exit; + + ret = mbedtls_lmots_calculate_public_key( &ctx->ots_public_keys[idx], + &ctx->ots_private_keys[idx] ); + if( ret != 0 ) + goto exit; + } + + ctx->q_next_usable_key = 0; + +exit: + if( ret != 0 ) + { + mbedtls_lms_private_free(ctx); + } + + return( ret ); +} + +int mbedtls_lms_calculate_public_key( mbedtls_lms_public_t *ctx, + const mbedtls_lms_private_t *priv_ctx ) +{ + unsigned char tree[MERKLE_TREE_NODE_AM_MAX][MBEDTLS_LMS_M_NODE_BYTES_MAX]; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( ! priv_ctx->have_private_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( priv_ctx->params.type + != MBEDTLS_LMS_SHA256_M32_H10 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( priv_ctx->params.otstype + != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + memcpy( &ctx->params, &priv_ctx->params, + sizeof( mbedtls_lmots_parameters_t ) ); + + ret = calculate_merkle_tree( priv_ctx, ( unsigned char * )tree ); + if( ret != 0 ) + { + goto exit; + } + + /* Root node is always at position 1, due to 1-based indexing */ + memcpy( ctx->T_1_pub_key, &tree[1], + MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type) ); + + ctx->have_public_key = 1; + + ret = 0; + +exit: + mbedtls_platform_zeroize( tree, sizeof( tree ) ); + + return( ret ); +} + + +int mbedtls_lms_sign( mbedtls_lms_private_t *ctx, + int (*f_rng)(void *, unsigned char *, size_t), + void* p_rng, const unsigned char *msg, + unsigned int msg_size, unsigned char *sig, size_t sig_size, + size_t *sig_len ) +{ + uint32_t q_leaf_identifier; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( ! ctx->have_private_key ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( sig_size < MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) ) + { + return( MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL ); + } + + if( ctx->params.type != MBEDTLS_LMS_SHA256_M32_H10 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( ctx->params.otstype + != MBEDTLS_LMOTS_SHA256_N32_W8 ) + { + return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + if( ctx->q_next_usable_key >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type) ) + { + return( MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS ); + } + + + q_leaf_identifier = ctx->q_next_usable_key; + /* This new value must _always_ be written back to the disk before the + * signature is returned. + */ + ctx->q_next_usable_key += 1; + + if ( MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) + < SIG_OTS_SIG_OFFSET ) + { + return ( MBEDTLS_ERR_LMS_BAD_INPUT_DATA ); + } + + ret = mbedtls_lmots_sign( &ctx->ots_private_keys[q_leaf_identifier], + f_rng, p_rng, msg, msg_size, + sig + SIG_OTS_SIG_OFFSET, + MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) - SIG_OTS_SIG_OFFSET, + NULL ); + if( ret != 0 ) + { + return( ret ); + } + + mbedtls_lms_unsigned_int_to_network_bytes( ctx->params.type, + MBEDTLS_LMS_TYPE_LEN, + sig + SIG_TYPE_OFFSET(ctx->params.otstype) ); + mbedtls_lms_unsigned_int_to_network_bytes( q_leaf_identifier, + MBEDTLS_LMOTS_Q_LEAF_ID_LEN, + sig + SIG_Q_LEAF_ID_OFFSET ); + + ret = get_merkle_path( ctx, + MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier, + sig + SIG_PATH_OFFSET(ctx->params.otstype) ); + if( ret != 0 ) + { + return( ret ); + } + + if( sig_len != NULL ) + { + *sig_len = MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype); + } + + + return( 0 ); +} + +#endif /* defined(MBEDTLS_LMS_PRIVATE) */ +#endif /* defined(MBEDTLS_LMS_C) */ diff --git a/thirdparty/mbedtls/library/md.c b/thirdparty/mbedtls/library/md.c index a387da50a97ed8..8efcf105b4d171 100644 --- a/thirdparty/mbedtls/library/md.c +++ b/thirdparty/mbedtls/library/md.c @@ -36,13 +36,7 @@ #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include diff --git a/thirdparty/mbedtls/library/md5.c b/thirdparty/mbedtls/library/md5.c index a9bbcb488b88dc..f7a225c1d3cb77 100644 --- a/thirdparty/mbedtls/library/md5.c +++ b/thirdparty/mbedtls/library/md5.c @@ -32,14 +32,7 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_MD5_ALT) diff --git a/thirdparty/mbedtls/library/mps_reader.c b/thirdparty/mbedtls/library/mps_reader.c index 36958b46b8ea74..df97b6cd1fc40b 100644 --- a/thirdparty/mbedtls/library/mps_reader.c +++ b/thirdparty/mbedtls/library/mps_reader.c @@ -29,11 +29,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_MPS_ENABLE_TRACE) static int mbedtls_mps_trace_id = MBEDTLS_MPS_TRACE_BIT_READER; #endif /* MBEDTLS_MPS_ENABLE_TRACE */ @@ -535,7 +530,7 @@ int mbedtls_mps_reader_reclaim( mbedtls_mps_reader *rd, * of the accumulator. */ memmove( acc, acc + acc_backup_offset, acc_backup_len ); - /* Copy uncmmitted parts of the current fragment to the + /* Copy uncommitted parts of the current fragment to the * accumulator. */ memcpy( acc + acc_backup_len, frag + frag_backup_offset, frag_backup_len ); diff --git a/thirdparty/mbedtls/library/mps_trace.h b/thirdparty/mbedtls/library/mps_trace.h index 7c2360118aacd0..820a1b66c2afe3 100644 --- a/thirdparty/mbedtls/library/mps_trace.h +++ b/thirdparty/mbedtls/library/mps_trace.h @@ -30,13 +30,7 @@ #include "mps_common.h" #include "mps_trace.h" -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#define mbedtls_vsnprintf vsnprintf -#endif /* MBEDTLS_PLATFORM_C */ #if defined(MBEDTLS_MPS_ENABLE_TRACE) diff --git a/thirdparty/mbedtls/library/net_sockets.c b/thirdparty/mbedtls/library/net_sockets.c index d1700f3bbff721..637b9f8d8e09af 100644 --- a/thirdparty/mbedtls/library/net_sockets.c +++ b/thirdparty/mbedtls/library/net_sockets.c @@ -37,11 +37,7 @@ #error "This module only works on Unix and Windows, see MBEDTLS_NET_C in mbedtls_config.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#endif #include "mbedtls/net_sockets.h" #include "mbedtls/error.h" diff --git a/thirdparty/mbedtls/library/nist_kw.c b/thirdparty/mbedtls/library/nist_kw.c index 1aea0b634575ef..495c23d06a2e84 100644 --- a/thirdparty/mbedtls/library/nist_kw.c +++ b/thirdparty/mbedtls/library/nist_kw.c @@ -39,14 +39,7 @@ #include #include -#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ #if !defined(MBEDTLS_NIST_KW_ALT) diff --git a/thirdparty/mbedtls/library/oid.c b/thirdparty/mbedtls/library/oid.c index f70ceea566bde6..aa5f69c66fdacb 100644 --- a/thirdparty/mbedtls/library/oid.c +++ b/thirdparty/mbedtls/library/oid.c @@ -27,14 +27,12 @@ #include "mbedtls/rsa.h" #include "mbedtls/error.h" +#include "mbedtls/legacy_or_psa.h" + #include #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#define mbedtls_snprintf snprintf -#endif /* * Macro to automatically add the size of #define'd OIDs @@ -327,7 +325,6 @@ FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, certificate_policies, oid_certi FN_OID_GET_ATTR1(mbedtls_oid_get_certificate_policies, mbedtls_oid_descriptor_t, certificate_policies, const char *, description) #endif /* MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_MD_C) /* * For SignatureAlgorithmIdentifier */ @@ -340,80 +337,80 @@ typedef struct { static const oid_sig_alg_t oid_sig_alg[] = { #if defined(MBEDTLS_RSA_C) -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5" ), MBEDTLS_MD_MD5, MBEDTLS_PK_RSA, }, -#endif /* MBEDTLS_MD5_C */ -#if defined(MBEDTLS_SHA1_C) +#endif /* MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1" ), MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA, }, -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA224_C) +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA224, "sha224WithRSAEncryption", "RSA with SHA-224" ), MBEDTLS_MD_SHA224, MBEDTLS_PK_RSA, }, -#endif -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA256, "sha256WithRSAEncryption", "RSA with SHA-256" ), MBEDTLS_MD_SHA256, MBEDTLS_PK_RSA, }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA384, "sha384WithRSAEncryption", "RSA with SHA-384" ), MBEDTLS_MD_SHA384, MBEDTLS_PK_RSA, }, -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA512, "sha512WithRSAEncryption", "RSA with SHA-512" ), MBEDTLS_MD_SHA512, MBEDTLS_PK_RSA, }, -#endif /* MBEDTLS_SHA512_C */ -#if defined(MBEDTLS_SHA1_C) +#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1" ), MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA, }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */ #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_ECDSA_C) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1" ), MBEDTLS_MD_SHA1, MBEDTLS_PK_ECDSA, }, -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA224_C) +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224" ), MBEDTLS_MD_SHA224, MBEDTLS_PK_ECDSA, }, #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256" ), MBEDTLS_MD_SHA256, MBEDTLS_PK_ECDSA, }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384" ), MBEDTLS_MD_SHA384, MBEDTLS_PK_ECDSA, }, -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512" ), MBEDTLS_MD_SHA512, MBEDTLS_PK_ECDSA, }, -#endif /* MBEDTLS_SHA512_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA */ #endif /* MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_RSA_C) { @@ -435,7 +432,6 @@ FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc, oid_sig_alg_t, sig_alg FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg, oid_sig_alg_t, sig_alg, mbedtls_md_type_t, md_alg, mbedtls_pk_type_t, pk_alg) FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg, oid_sig_alg_t, oid_sig_alg, mbedtls_pk_type_t, pk_alg, mbedtls_md_type_t, md_alg) -#endif /* MBEDTLS_MD_C */ /* * For PublicKeyInfo (PKCS1, RFC 5480) @@ -586,7 +582,6 @@ FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg) FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg, oid_cipher_alg_t, cipher_alg, mbedtls_cipher_type_t, cipher_alg) #endif /* MBEDTLS_CIPHER_C */ -#if defined(MBEDTLS_MD_C) /* * For digestAlgorithm */ @@ -597,48 +592,48 @@ typedef struct { static const oid_md_alg_t oid_md_alg[] = { -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_MD5, "id-md5", "MD5" ), MBEDTLS_MD_MD5, }, -#endif /* MBEDTLS_MD5_C */ -#if defined(MBEDTLS_SHA1_C) +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA1, "id-sha1", "SHA-1" ), MBEDTLS_MD_SHA1, }, -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA224_C) +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA224, "id-sha224", "SHA-224" ), MBEDTLS_MD_SHA224, }, #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA256, "id-sha256", "SHA-256" ), MBEDTLS_MD_SHA256, }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA384, "id-sha384", "SHA-384" ), MBEDTLS_MD_SHA384, }, -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA512, "id-sha512", "SHA-512" ), MBEDTLS_MD_SHA512, }, -#endif /* MBEDTLS_SHA512_C */ -#if defined(MBEDTLS_RIPEMD160_C) +#endif +#if defined(MBEDTLS_HAS_ALG_RIPEMD160_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160" ), MBEDTLS_MD_RIPEMD160, }, -#endif /* MBEDTLS_RIPEMD160_C */ +#endif { NULL_OID_DESCRIPTOR, MBEDTLS_MD_NONE, @@ -659,36 +654,36 @@ typedef struct { static const oid_md_hmac_t oid_md_hmac[] = { -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA1, "hmacSHA1", "HMAC-SHA-1" ), MBEDTLS_MD_SHA1, }, -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA224_C) +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA224, "hmacSHA224", "HMAC-SHA-224" ), MBEDTLS_MD_SHA224, }, #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA256, "hmacSHA256", "HMAC-SHA-256" ), MBEDTLS_MD_SHA256, }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA384, "hmacSHA384", "HMAC-SHA-384" ), MBEDTLS_MD_SHA384, }, -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA) { OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA512, "hmacSHA512", "HMAC-SHA-512" ), MBEDTLS_MD_SHA512, }, -#endif /* MBEDTLS_SHA512_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA */ { NULL_OID_DESCRIPTOR, MBEDTLS_MD_NONE, @@ -697,7 +692,6 @@ static const oid_md_hmac_t oid_md_hmac[] = FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac) FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac) -#endif /* MBEDTLS_MD_C */ #if defined(MBEDTLS_PKCS12_C) /* diff --git a/thirdparty/mbedtls/library/padlock.c b/thirdparty/mbedtls/library/padlock.c index b8ba1058a8b84a..a1287759e6387c 100644 --- a/thirdparty/mbedtls/library/padlock.c +++ b/thirdparty/mbedtls/library/padlock.c @@ -82,7 +82,11 @@ int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx, uint32_t *ctrl; unsigned char buf[256]; - rk = ctx->rk; + rk = ctx->buf + ctx->rk_offset; + + if( ( (long) rk & 15 ) != 0 ) + return( MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED ); + blk = MBEDTLS_PADLOCK_ALIGN16( buf ); memcpy( blk, input, 16 ); @@ -125,11 +129,13 @@ int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx, uint32_t *ctrl; unsigned char buf[256]; + rk = ctx->buf + ctx->rk_offset; + if( ( (long) input & 15 ) != 0 || - ( (long) output & 15 ) != 0 ) + ( (long) output & 15 ) != 0 || + ( (long) rk & 15 ) != 0 ) return( MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED ); - rk = ctx->rk; iw = MBEDTLS_PADLOCK_ALIGN16( buf ); memcpy( iw, iv, 16 ); diff --git a/thirdparty/mbedtls/library/pem.c b/thirdparty/mbedtls/library/pem.c index 1b40e5e5585e76..e8abba13c83d62 100644 --- a/thirdparty/mbedtls/library/pem.c +++ b/thirdparty/mbedtls/library/pem.c @@ -29,25 +29,33 @@ #include "mbedtls/cipher.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "hash_info.h" #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free + +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "psa/crypto.h" #endif +#include "mbedtls/legacy_or_psa.h" + +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + defined(MBEDTLS_CIPHER_MODE_CBC) && \ + ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) +#define PEM_RFC1421 +#endif /* MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA && + MBEDTLS_CIPHER_MODE_CBC && + ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ + #if defined(MBEDTLS_PEM_PARSE_C) void mbedtls_pem_init( mbedtls_pem_context *ctx ) { memset( ctx, 0, sizeof( mbedtls_pem_context ) ); } -#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) && \ - ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) +#if defined(PEM_RFC1421) /* * Read a 16-byte hex string and convert it to binary */ @@ -73,6 +81,7 @@ static int pem_get_iv( const unsigned char *s, unsigned char *iv, return( 0 ); } +#if defined(MBEDTLS_MD5_C) static int pem_pbkdf1( unsigned char *key, size_t keylen, unsigned char *iv, const unsigned char *pwd, size_t pwdlen ) @@ -130,6 +139,84 @@ static int pem_pbkdf1( unsigned char *key, size_t keylen, return( ret ); } +#else +static int pem_pbkdf1( unsigned char *key, size_t keylen, + unsigned char *iv, + const unsigned char *pwd, size_t pwdlen ) +{ + unsigned char md5sum[16]; + psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; + size_t output_length = 0; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + + if( ( status = psa_hash_setup( &operation, PSA_ALG_MD5 ) ) != PSA_SUCCESS ) + goto exit; + + if( ( status = psa_hash_update( &operation, pwd, pwdlen ) ) != PSA_SUCCESS ) + goto exit; + + if( ( status = psa_hash_update( &operation, iv, 8 ) ) != PSA_SUCCESS ) + goto exit; + + if( ( status = psa_hash_finish( &operation, md5sum, + PSA_HASH_LENGTH( PSA_ALG_MD5 ), + &output_length ) ) != PSA_SUCCESS ) + { + goto exit; + } + + if( ( status = psa_hash_abort( &operation ) ) != PSA_SUCCESS ) + goto exit; + + /* + * key[ 0..15] = MD5(pwd || IV) + */ + if( keylen <= 16 ) + { + memcpy( key, md5sum, keylen ); + goto exit; + } + + memcpy( key, md5sum, 16 ); + + /* + * key[16..23] = MD5(key[ 0..15] || pwd || IV]) + */ + if( ( status = psa_hash_setup( &operation, PSA_ALG_MD5 ) ) != PSA_SUCCESS ) + goto exit; + + if( ( status = psa_hash_update( &operation, md5sum, 16 ) ) != PSA_SUCCESS ) + goto exit; + + if( ( status = psa_hash_update( &operation, pwd, pwdlen ) ) != PSA_SUCCESS ) + goto exit; + + if( ( status = psa_hash_update( &operation, iv, 8 ) ) != PSA_SUCCESS ) + goto exit; + + if( ( status = psa_hash_finish( &operation, md5sum, + PSA_HASH_LENGTH( PSA_ALG_MD5 ), + &output_length ) ) != PSA_SUCCESS ) + { + goto exit; + } + + if( ( status = psa_hash_abort( &operation ) ) != PSA_SUCCESS ) + goto exit; + + size_t use_len = 16; + if( keylen < 32 ) + use_len = keylen - 16; + + memcpy( key + 16, md5sum, use_len ); + +exit: + mbedtls_platform_zeroize( md5sum, 16 ); + + return( mbedtls_md_error_from_psa ( status ) ); +} +#endif /* MBEDTLS_MD5_C */ #if defined(MBEDTLS_DES_C) /* @@ -219,8 +306,7 @@ static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, } #endif /* MBEDTLS_AES_C */ -#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC && - ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ +#endif /* PEM_RFC1421 */ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer, const unsigned char *data, const unsigned char *pwd, @@ -230,15 +316,13 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const size_t len; unsigned char *buf; const unsigned char *s1, *s2, *end; -#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) && \ - ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) +#if defined(PEM_RFC1421) unsigned char pem_iv[16]; mbedtls_cipher_type_t enc_alg = MBEDTLS_CIPHER_NONE; #else ((void) pwd); ((void) pwdlen); -#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC && - ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ +#endif /* PEM_RFC1421 */ if( ctx == NULL ) return( MBEDTLS_ERR_PEM_BAD_INPUT_DATA ); @@ -270,8 +354,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 ) { -#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) && \ - ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) +#if defined(PEM_RFC1421) enc++; s1 += 22; @@ -333,8 +416,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const else return( MBEDTLS_ERR_PEM_INVALID_DATA ); #else return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE ); -#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC && - ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ +#endif /* PEM_RFC1421 */ } if( s1 >= s2 ) @@ -357,8 +439,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const if( enc != 0 ) { -#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) && \ - ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) +#if defined(PEM_RFC1421) if( pwd == NULL ) { mbedtls_platform_zeroize( buf, len ); @@ -406,8 +487,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const mbedtls_platform_zeroize( buf, len ); mbedtls_free( buf ); return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE ); -#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC && - ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ +#endif /* PEM_RFC1421 */ } ctx->buf = buf; diff --git a/thirdparty/mbedtls/library/pk.c b/thirdparty/mbedtls/library/pk.c index 1eab65a27633f7..8dc19ef99b7893 100644 --- a/thirdparty/mbedtls/library/pk.c +++ b/thirdparty/mbedtls/library/pk.c @@ -24,6 +24,8 @@ #include "pk_wrap.h" #include "pkwrite.h" +#include "hash_info.h" + #include "mbedtls/platform_util.h" #include "mbedtls/error.h" @@ -44,19 +46,11 @@ #include #include -/* Parameter validation macros based on platform_util.h */ -#define PK_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA ) -#define PK_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - /* * Initialise a mbedtls_pk_context */ void mbedtls_pk_init( mbedtls_pk_context *ctx ) { - PK_VALIDATE( ctx != NULL ); - ctx->pk_info = NULL; ctx->pk_ctx = NULL; } @@ -81,7 +75,6 @@ void mbedtls_pk_free( mbedtls_pk_context *ctx ) */ void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx ) { - PK_VALIDATE( ctx != NULL ); ctx->pk_info = NULL; ctx->rs_ctx = NULL; } @@ -135,7 +128,6 @@ const mbedtls_pk_info_t * mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type ) */ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info ) { - PK_VALIDATE_RET( ctx != NULL ); if( info == NULL || ctx->pk_info != NULL ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -198,7 +190,6 @@ int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key, mbedtls_rsa_alt_context *rsa_alt; const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info; - PK_VALIDATE_RET( ctx != NULL ); if( ctx->pk_info != NULL ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -358,15 +349,14 @@ int mbedtls_pk_can_do_ext( const mbedtls_pk_context *ctx, psa_algorithm_t alg, */ static inline int pk_hashlen_helper( mbedtls_md_type_t md_alg, size_t *hash_len ) { - const mbedtls_md_info_t *md_info; - if( *hash_len != 0 ) return( 0 ); - if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) + *hash_len = mbedtls_hash_info_get_size( md_alg ); + + if( *hash_len == 0 ) return( -1 ); - *hash_len = mbedtls_md_get_size( md_info ); return( 0 ); } @@ -403,10 +393,8 @@ int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx, const unsigned char *sig, size_t sig_len, mbedtls_pk_restart_ctx *rs_ctx ) { - PK_VALIDATE_RET( ctx != NULL ); - PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) || - hash != NULL ); - PK_VALIDATE_RET( sig != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL ) + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; if( ctx->pk_info == NULL || pk_hashlen_helper( md_alg, &hash_len ) != 0 ) @@ -461,10 +449,8 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ) { - PK_VALIDATE_RET( ctx != NULL ); - PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) || - hash != NULL ); - PK_VALIDATE_RET( sig != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL ) + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; if( ctx->pk_info == NULL ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -508,7 +494,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, psa_status_t status = PSA_ERROR_DATA_CORRUPT; psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT; - psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); + psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md( md_alg ); mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_algorithm_t psa_sig_alg = @@ -587,13 +573,10 @@ int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, mbedtls_pk_restart_ctx *rs_ctx ) { - PK_VALIDATE_RET( ctx != NULL ); - PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) || - hash != NULL ); - PK_VALIDATE_RET( sig != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL ) + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - if( ctx->pk_info == NULL || - pk_hashlen_helper( md_alg, &hash_len ) != 0 ) + if( ctx->pk_info == NULL || pk_hashlen_helper( md_alg, &hash_len ) != 0 ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) @@ -673,7 +656,7 @@ int mbedtls_pk_sign_ext( mbedtls_pk_type_t pk_type, } #if defined(MBEDTLS_RSA_C) - psa_md_alg = mbedtls_psa_translate_md( md_alg ); + psa_md_alg = mbedtls_hash_info_psa_from_md( md_alg ); if( psa_md_alg == 0 ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -706,11 +689,6 @@ int mbedtls_pk_decrypt( mbedtls_pk_context *ctx, unsigned char *output, size_t *olen, size_t osize, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - PK_VALIDATE_RET( ctx != NULL ); - PK_VALIDATE_RET( input != NULL || ilen == 0 ); - PK_VALIDATE_RET( output != NULL || osize == 0 ); - PK_VALIDATE_RET( olen != NULL ); - if( ctx->pk_info == NULL ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -729,11 +707,6 @@ int mbedtls_pk_encrypt( mbedtls_pk_context *ctx, unsigned char *output, size_t *olen, size_t osize, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - PK_VALIDATE_RET( ctx != NULL ); - PK_VALIDATE_RET( input != NULL || ilen == 0 ); - PK_VALIDATE_RET( output != NULL || osize == 0 ); - PK_VALIDATE_RET( olen != NULL ); - if( ctx->pk_info == NULL ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -752,9 +725,6 @@ int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - PK_VALIDATE_RET( pub != NULL ); - PK_VALIDATE_RET( prv != NULL ); - if( pub->pk_info == NULL || prv->pk_info == NULL ) { @@ -799,7 +769,6 @@ size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx ) */ int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items ) { - PK_VALIDATE_RET( ctx != NULL ); if( ctx->pk_info == NULL ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); diff --git a/thirdparty/mbedtls/library/pk_wrap.c b/thirdparty/mbedtls/library/pk_wrap.c index e234a8de3014f8..5de8fa65f718dd 100644 --- a/thirdparty/mbedtls/library/pk_wrap.c +++ b/thirdparty/mbedtls/library/pk_wrap.c @@ -52,15 +52,10 @@ #include "psa/crypto.h" #include "mbedtls/psa_util.h" #include "mbedtls/asn1.h" +#include "hash_info.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include #include @@ -179,7 +174,7 @@ static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, int key_len; unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES]; psa_algorithm_t psa_alg_md = - PSA_ALG_RSA_PKCS1V15_SIGN( mbedtls_psa_translate_md( md_alg ) ); + PSA_ALG_RSA_PKCS1V15_SIGN( mbedtls_hash_info_psa_from_md( md_alg ) ); size_t rsa_len = mbedtls_rsa_get_len( rsa ); #if SIZE_MAX > UINT_MAX @@ -328,7 +323,7 @@ static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, ((void) p_rng); psa_algorithm_t psa_md_alg; - psa_md_alg = mbedtls_psa_translate_md( md_alg ); + psa_md_alg = mbedtls_hash_info_psa_from_md( md_alg ); if( psa_md_alg == 0 ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -1168,7 +1163,7 @@ static int ecdsa_sign_wrap( void *ctx_arg, mbedtls_md_type_t md_alg, unsigned char buf[MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES]; unsigned char *p; psa_algorithm_t psa_sig_md = - PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) ); + PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); size_t curve_bits; psa_ecc_family_t curve = mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits ); @@ -1469,7 +1464,7 @@ static void *pk_opaque_alloc_wrap( void ) { void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_svc_key_id_t ) ); - /* no _init() function to call, an calloc() already zeroized */ + /* no _init() function to call, as calloc() already zeroized */ return( ctx ); } @@ -1542,12 +1537,12 @@ static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, #if defined(MBEDTLS_ECDSA_C) if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) ) - alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) ); + alg = PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); else #endif /* MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_RSA_C) if( PSA_KEY_TYPE_IS_RSA( type ) ) - alg = PSA_ALG_RSA_PKCS1V15_SIGN( mbedtls_psa_translate_md( md_alg ) ); + alg = PSA_ALG_RSA_PKCS1V15_SIGN( mbedtls_hash_info_psa_from_md( md_alg ) ); else #endif /* MBEDTLS_RSA_C */ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); diff --git a/thirdparty/mbedtls/library/pkcs12.c b/thirdparty/mbedtls/library/pkcs12.c index e725a97cc2bd86..f33507987b68fb 100644 --- a/thirdparty/mbedtls/library/pkcs12.c +++ b/thirdparty/mbedtls/library/pkcs12.c @@ -39,6 +39,9 @@ #include "mbedtls/des.h" #endif +#include "hash_info.h" +#include "mbedtls/psa_util.h" + #if defined(MBEDTLS_ASN1_PARSE_C) static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params, @@ -209,6 +212,108 @@ static void pkcs12_fill_buffer( unsigned char *data, size_t data_len, } } + +static int calculate_hashes( mbedtls_md_type_t md_type, int iterations, + unsigned char *diversifier, unsigned char *salt_block, + unsigned char *pwd_block, unsigned char *hash_output, int use_salt, + int use_password, size_t hlen, size_t v ) +{ +#if defined(MBEDTLS_MD_C) + int ret = -1; + size_t i; + const mbedtls_md_info_t *md_info; + mbedtls_md_context_t md_ctx; + md_info = mbedtls_md_info_from_type( md_type ); + if( md_info == NULL ) + return ( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); + + mbedtls_md_init( &md_ctx ); + + if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) + return ( ret ); + // Calculate hash( diversifier || salt_block || pwd_block ) + if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) + goto exit; + + if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 ) + goto exit; + + if( use_salt != 0 ) + { + if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 ) + goto exit; + } + + if( use_password != 0 ) + { + if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 ) + goto exit; + } + + if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 ) + goto exit; + + // Perform remaining ( iterations - 1 ) recursive hash calculations + for( i = 1; i < (size_t) iterations; i++ ) + { + if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) + != 0 ) + goto exit; + } + +exit: + mbedtls_md_free( &md_ctx ); + return ret; +#else + psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; + psa_algorithm_t alg = mbedtls_psa_translate_md( md_type ); + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t status_abort = PSA_ERROR_CORRUPTION_DETECTED; + size_t i, out_len, out_size = PSA_HASH_LENGTH( alg ); + + if( alg == PSA_ALG_NONE ) + return ( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); + + if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS ) + goto exit; + + // Calculate hash( diversifier || salt_block || pwd_block ) + if( ( status = psa_hash_update( &op, diversifier, v ) ) != PSA_SUCCESS ) + goto exit; + + if( use_salt != 0 ) + { + if( ( status = psa_hash_update( &op, salt_block, v ) ) != PSA_SUCCESS ) + goto exit; + } + + if( use_password != 0 ) + { + if( ( status = psa_hash_update( &op, pwd_block, v ) ) != PSA_SUCCESS ) + goto exit; + } + + if( ( status = psa_hash_finish( &op, hash_output, out_size, &out_len ) ) + != PSA_SUCCESS ) + goto exit; + + // Perform remaining ( iterations - 1 ) recursive hash calculations + for( i = 1; i < (size_t) iterations; i++ ) + { + if( ( status = psa_hash_compute( alg, hash_output, hlen, hash_output, + out_size, &out_len ) ) != PSA_SUCCESS ) + goto exit; + } + +exit: + status_abort = psa_hash_abort( &op ); + if( status == PSA_SUCCESS ) + status = status_abort; + return ( mbedtls_md_error_from_psa( status ) ); +#endif /* !MBEDTLS_MD_C */ +} + + int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, const unsigned char *pwd, size_t pwdlen, const unsigned char *salt, size_t saltlen, @@ -219,7 +324,7 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, unsigned char diversifier[128]; unsigned char salt_block[128], pwd_block[128], hash_block[128] = {0}; - unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; + unsigned char hash_output[MBEDTLS_HASH_MAX_SIZE]; unsigned char *p; unsigned char c; int use_password = 0; @@ -227,9 +332,6 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, size_t hlen, use_len, v, i; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - // This version only allows max of 64 bytes of password or salt if( datalen > 128 || pwdlen > 64 || saltlen > 64 ) return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); @@ -243,15 +345,7 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, use_password = ( pwd && pwdlen != 0 ); use_salt = ( salt && saltlen != 0 ); - md_info = mbedtls_md_info_from_type( md_type ); - if( md_info == NULL ) - return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); - - mbedtls_md_init( &md_ctx ); - - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - return( ret ); - hlen = mbedtls_md_get_size( md_info ); + hlen = mbedtls_hash_info_get_size( md_type ); if( hlen <= 32 ) v = 64; @@ -273,33 +367,11 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, p = data; while( datalen > 0 ) { - // Calculate hash( diversifier || salt_block || pwd_block ) - if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) - goto exit; - - if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 ) - goto exit; - - if( use_salt != 0 ) + if( calculate_hashes( md_type, iterations, diversifier, salt_block, + pwd_block, hash_output, use_salt, use_password, hlen, + v ) != 0 ) { - if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v )) != 0 ) - goto exit; - } - - if( use_password != 0) - { - if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v )) != 0 ) - goto exit; - } - - if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 ) goto exit; - - // Perform remaining ( iterations - 1 ) recursive hash calculations - for( i = 1; i < (size_t) iterations; i++ ) - { - if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 ) - goto exit; } use_len = ( datalen > hlen ) ? hlen : datalen; @@ -351,8 +423,6 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, mbedtls_platform_zeroize( hash_block, sizeof( hash_block ) ); mbedtls_platform_zeroize( hash_output, sizeof( hash_output ) ); - mbedtls_md_free( &md_ctx ); - return( ret ); } diff --git a/thirdparty/mbedtls/library/pkcs5.c b/thirdparty/mbedtls/library/pkcs5.c index 2b014d91c87c15..ac5945a11435d8 100644 --- a/thirdparty/mbedtls/library/pkcs5.c +++ b/thirdparty/mbedtls/library/pkcs5.c @@ -42,12 +42,10 @@ #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif + +#include "hash_info.h" +#include "mbedtls/psa_util.h" #if defined(MBEDTLS_ASN1_PARSE_C) static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params, @@ -118,9 +116,7 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1; unsigned char key[32], iv[32]; size_t olen = 0; - const mbedtls_md_info_t *md_info; const mbedtls_cipher_info_t *cipher_info; - mbedtls_md_context_t md_ctx; mbedtls_cipher_type_t cipher_alg; mbedtls_cipher_context_t cipher_ctx; @@ -153,10 +149,6 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, return( ret ); } - md_info = mbedtls_md_info_from_type( md_type ); - if( md_info == NULL ) - return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); - if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid, &enc_scheme_params ) ) != 0 ) { @@ -182,16 +174,13 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT ); } - mbedtls_md_init( &md_ctx ); mbedtls_cipher_init( &cipher_ctx ); memcpy( iv, enc_scheme_params.p, enc_scheme_params.len ); - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - goto exit; - - if( ( ret = mbedtls_pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len, - iterations, keylen, key ) ) != 0 ) + if( ( ret = mbedtls_pkcs5_pbkdf2_hmac_ext( md_type, pwd, pwdlen, salt.p, + salt.len, iterations, keylen, + key ) ) != 0 ) { goto exit; } @@ -208,18 +197,18 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode, ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH; exit: - mbedtls_md_free( &md_ctx ); mbedtls_cipher_free( &cipher_ctx ); return( ret ); } #endif /* MBEDTLS_ASN1_PARSE_C */ -int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, - const unsigned char *password, - size_t plen, const unsigned char *salt, size_t slen, - unsigned int iteration_count, - uint32_t key_length, unsigned char *output ) +#if defined(MBEDTLS_MD_C) +static int pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, + const unsigned char *password, + size_t plen, const unsigned char *salt, size_t slen, + unsigned int iteration_count, + uint32_t key_length, unsigned char *output ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int j; @@ -297,9 +286,149 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, return( ret ); } +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, + const unsigned char *password, + size_t plen, const unsigned char *salt, size_t slen, + unsigned int iteration_count, + uint32_t key_length, unsigned char *output ) +{ + return( pkcs5_pbkdf2_hmac( ctx, password, plen, salt, slen, iteration_count, + key_length, output ) ); +} +#endif +#endif /* MBEDTLS_MD_C */ + +int mbedtls_pkcs5_pbkdf2_hmac_ext( mbedtls_md_type_t md_alg, + const unsigned char *password, + size_t plen, const unsigned char *salt, size_t slen, + unsigned int iteration_count, + uint32_t key_length, unsigned char *output ) +{ +#if defined(MBEDTLS_MD_C) + mbedtls_md_context_t md_ctx; + const mbedtls_md_info_t *md_info = NULL; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE ); + + mbedtls_md_init( &md_ctx ); + + if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) + goto exit; + ret = pkcs5_pbkdf2_hmac( &md_ctx, password, plen, salt, slen, + iteration_count, key_length, output ); +exit: + mbedtls_md_free( &md_ctx ); + return( ret ); +#else + int j; + unsigned int i; + unsigned char md1[PSA_HASH_MAX_SIZE]; + unsigned char work[PSA_HASH_MAX_SIZE]; + const unsigned char md_size = mbedtls_hash_info_get_size( md_alg ); + psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; + + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t status_destruction = PSA_ERROR_CORRUPTION_DETECTED; + size_t use_len, out_len; + unsigned char *out_p = output; + unsigned char counter[4]; + mbedtls_svc_key_id_t psa_hmac_key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + const psa_algorithm_t alg = PSA_ALG_HMAC( mbedtls_hash_info_psa_from_md( md_alg ) ); + const size_t out_size = PSA_MAC_LENGTH( PSA_KEY_TYPE_HMAC, 0, alg ); + + memset( counter, 0, sizeof( counter ) ); + counter[3] = 1; + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC ); + + if( key_length == 0 ) + return 0; + if( ( status = psa_import_key( &attributes, + password, plen, + &psa_hmac_key ) ) != PSA_SUCCESS ) + { + return MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA; + } + +#if UINT_MAX > 0xFFFFFFFF + if( iteration_count > 0xFFFFFFFF ) + return( MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA ); +#endif + + while( key_length ) + { + status = psa_mac_sign_setup( &operation, psa_hmac_key, + PSA_ALG_HMAC( alg ) ); + if( status != PSA_SUCCESS ) + goto cleanup; + // U1 ends up in work + if( ( status = psa_mac_update( &operation, salt, slen ) ) != PSA_SUCCESS ) + goto cleanup; + + if( ( status = psa_mac_update( &operation, counter, sizeof( counter ) ) ) != PSA_SUCCESS ) + goto cleanup; + + if( ( status = psa_mac_sign_finish( &operation, work, out_size, &out_len ) ) + != PSA_SUCCESS ) + goto cleanup; + + memcpy( md1, work, out_len ); + + for( i = 1; i < iteration_count; i++ ) + { + // U2 ends up in md1 + // + status = psa_mac_sign_setup( &operation, psa_hmac_key, + PSA_ALG_HMAC( alg ) ); + if( status != PSA_SUCCESS ) + goto cleanup; + if( ( status = psa_mac_update( &operation, md1, md_size ) ) != PSA_SUCCESS ) + goto cleanup; + if( ( status = psa_mac_sign_finish( &operation, md1, out_size, &out_len ) ) != PSA_SUCCESS ) + goto cleanup; + + // U1 xor U2 + // + for( j = 0; j < md_size; j++ ) + work[j] ^= md1[j]; + } + + use_len = ( key_length < md_size ) ? key_length : md_size; + memcpy( out_p, work, use_len ); + + key_length -= (uint32_t) use_len; + out_p += use_len; + + for( i = 4; i > 0; i-- ) + if( ++counter[i - 1] != 0 ) + break; + } + +cleanup: + /* Zeroise buffers to clear sensitive data from memory. */ + mbedtls_platform_zeroize( work, PSA_HASH_MAX_SIZE ); + mbedtls_platform_zeroize( md1, PSA_HASH_MAX_SIZE ); + status_destruction = psa_destroy_key( psa_hmac_key ); + if( status == PSA_SUCCESS && status_destruction != PSA_SUCCESS ) + status = status_destruction; + status_destruction = psa_mac_abort( &operation ); + if( status == PSA_SUCCESS && status_destruction != PSA_SUCCESS ) + status = status_destruction; + + return( mbedtls_md_error_from_psa( status ) ); +#endif /* !MBEDTLS_MD_C */ +} + #if defined(MBEDTLS_SELF_TEST) -#if !defined(MBEDTLS_SHA1_C) +#if !defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA) int mbedtls_pkcs5_self_test( int verbose ) { if( verbose != 0 ) @@ -362,32 +491,15 @@ static const unsigned char result_key_test_data[MAX_TESTS][32] = int mbedtls_pkcs5_self_test( int verbose ) { - mbedtls_md_context_t sha1_ctx; - const mbedtls_md_info_t *info_sha1; int ret, i; unsigned char key[64]; - mbedtls_md_init( &sha1_ctx ); - - info_sha1 = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ); - if( info_sha1 == NULL ) - { - ret = 1; - goto exit; - } - - if( ( ret = mbedtls_md_setup( &sha1_ctx, info_sha1, 1 ) ) != 0 ) - { - ret = 1; - goto exit; - } - for( i = 0; i < MAX_TESTS; i++ ) { if( verbose != 0 ) mbedtls_printf( " PBKDF2 (SHA1) #%d: ", i ); - ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password_test_data[i], + ret = mbedtls_pkcs5_pbkdf2_hmac_ext( MBEDTLS_MD_SHA1, password_test_data[i], plen_test_data[i], salt_test_data[i], slen_test_data[i], it_cnt_test_data[i], key_len_test_data[i], key ); @@ -409,11 +521,9 @@ int mbedtls_pkcs5_self_test( int verbose ) mbedtls_printf( "\n" ); exit: - mbedtls_md_free( &sha1_ctx ); - return( ret ); } -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA */ #endif /* MBEDTLS_SELF_TEST */ diff --git a/thirdparty/mbedtls/library/pkcs7.c b/thirdparty/mbedtls/library/pkcs7.c new file mode 100644 index 00000000000000..9100980f68a225 --- /dev/null +++ b/thirdparty/mbedtls/library/pkcs7.c @@ -0,0 +1,728 @@ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "common.h" + +#include "mbedtls/build_info.h" +#if defined(MBEDTLS_PKCS7_C) +#include "mbedtls/pkcs7.h" +#include "mbedtls/x509.h" +#include "mbedtls/asn1.h" +#include "mbedtls/x509_crt.h" +#include "mbedtls/x509_crl.h" +#include "mbedtls/oid.h" +#include "mbedtls/error.h" + +#include +#include +#include +#if defined(MBEDTLS_FS_IO) +#include +#include +#endif + +#include "mbedtls/platform.h" +#include "mbedtls/platform_util.h" + +#if defined(MBEDTLS_HAVE_TIME) +#include "mbedtls/platform_time.h" +#endif +#if defined(MBEDTLS_HAVE_TIME_DATE) +#include +#endif + +/** + * Initializes the pkcs7 structure. + */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) +{ + memset( pkcs7, 0, sizeof( *pkcs7 ) ); +} + +static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, + size_t *len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ); + if( ret != 0 ) + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); + } + + return( ret ); +} + +/** + * version Version + * Version ::= INTEGER + **/ +static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_asn1_get_int( p, end, ver ); + if( ret != 0 ) + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_VERSION, ret ); + + /* If version != 1, return invalid version */ + if( *ver != MBEDTLS_PKCS7_SUPPORTED_VERSION ) + ret = MBEDTLS_ERR_PKCS7_INVALID_VERSION; + + return( ret ); +} + +/** + * ContentInfo ::= SEQUENCE { + * contentType ContentType, + * content + * [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } + **/ +static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *pkcs7 ) +{ + size_t len = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *start = *p; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) { + *p = start; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ) ); + } + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); + if( ret != 0 ) { + *p = start; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ) ); + } + + pkcs7->tag = MBEDTLS_ASN1_OID; + pkcs7->len = len; + pkcs7->p = *p; + *p += len; + + return( ret ); +} + +/** + * DigestAlgorithmIdentifier ::= AlgorithmIdentifier + * + * This is from x509.h + **/ +static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end, + mbedtls_x509_buf *alg ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 ) + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); + + return( ret ); +} + +/** + * DigestAlgorithmIdentifiers :: SET of DigestAlgorithmIdentifier + **/ +static int pkcs7_get_digest_algorithm_set( unsigned char **p, + unsigned char *end, + mbedtls_x509_buf *alg ) +{ + size_t len = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if( ret != 0 ) + { + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ) ); + } + + end = *p + len; + + ret = mbedtls_asn1_get_alg_null( p, end, alg ); + if( ret != 0 ) + { + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ) ); + } + + /** For now, it assumes there is only one digest algorithm specified **/ + if ( *p != end ) + return( MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); + + return( 0 ); +} + +/** + * certificates :: SET OF ExtendedCertificateOrCertificate, + * ExtendedCertificateOrCertificate ::= CHOICE { + * certificate Certificate -- x509, + * extendedCertificate[0] IMPLICIT ExtendedCertificate } + * Return number of certificates added to the signed data, + * 0 or higher is valid. + * Return negative error code for failure. + **/ +static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, + mbedtls_x509_crt *certs ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len1 = 0; + size_t len2 = 0; + unsigned char *end_set, *end_cert, *start; + + if( ( ret = mbedtls_asn1_get_tag( p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + { + if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) + return( 0 ); + else + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ) ); + } + start = *p; + end_set = *p + len1; + + ret = mbedtls_asn1_get_tag( p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + { + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CERT, ret ) ); + } + + end_cert = *p + len2; + + /* + * This is to verify that there is only one signer certificate. It seems it is + * not easy to differentiate between the chain vs different signer's certificate. + * So, we support only the root certificate and the single signer. + * The behaviour would be improved with addition of multiple signer support. + */ + if ( end_cert != end_set ) + { + return( MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); + } + + *p = start; + if( ( ret = mbedtls_x509_crt_parse_der( certs, *p, len1 ) ) < 0 ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + } + + *p = *p + len1; + + /* + * Since in this version we strictly support single certificate, and reaching + * here implies we have parsed successfully, we return 1. + */ + return( 1 ); +} + +/** + * EncryptedDigest ::= OCTET STRING + **/ +static int pkcs7_get_signature( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *signature ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OCTET_STRING ); + if( ret != 0 ) + return( ret ); + + signature->tag = MBEDTLS_ASN1_OCTET_STRING; + signature->len = len; + signature->p = *p; + + *p = *p + len; + + return( 0 ); +} + +static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer ) +{ + mbedtls_x509_name *name_cur; + mbedtls_x509_name *name_prv; + + if( signer == NULL ) + return; + + name_cur = signer->issuer.next; + while( name_cur != NULL ) + { + name_prv = name_cur; + name_cur = name_cur->next; + mbedtls_free( name_prv ); + } + signer->issuer.next = NULL; +} + +/** + * SignerInfo ::= SEQUENCE { + * version Version; + * issuerAndSerialNumber IssuerAndSerialNumber, + * digestAlgorithm DigestAlgorithmIdentifier, + * authenticatedAttributes + * [0] IMPLICIT Attributes OPTIONAL, + * digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier, + * encryptedDigest EncryptedDigest, + * unauthenticatedAttributes + * [1] IMPLICIT Attributes OPTIONAL, + * Returns 0 if the signerInfo is valid. + * Return negative error code for failure. + * Structure must not contain vales for authenticatedAttributes + * and unauthenticatedAttributes. + **/ +static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_signer_info *signer ) +{ + unsigned char *end_signer; + int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + + asn1_ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( asn1_ret != 0 ) + goto out; + + end_signer = *p + len; + + ret = pkcs7_get_version( p, end_signer, &signer->version ); + if( ret != 0 ) + goto out; + + asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); + if( asn1_ret != 0 ) + goto out; + + /* Parsing IssuerAndSerialNumber */ + signer->issuer_raw.p = *p; + + asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); + if( asn1_ret != 0 ) + goto out; + + ret = mbedtls_x509_get_name( p, *p + len, &signer->issuer ); + if( ret != 0 ) + goto out; + + signer->issuer_raw.len = *p - signer->issuer_raw.p; + + ret = mbedtls_x509_get_serial( p, end_signer, &signer->serial ); + if( ret != 0 ) + goto out; + + ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->alg_identifier ); + if( ret != 0 ) + goto out; + + /* Assume authenticatedAttributes is nonexistent */ + + ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier ); + if( ret != 0 ) + goto out; + + ret = pkcs7_get_signature( p, end_signer, &signer->sig ); + if( ret != 0 ) + goto out; + + /* Do not permit any unauthenticated attributes */ + if( *p != end_signer ) + ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; + +out: + if( asn1_ret != 0 || ret != 0 ) + { + pkcs7_free_signer_info( signer ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, + asn1_ret ); + } + + return( ret ); +} + +/** + * SignerInfos ::= SET of SignerInfo + * Return number of signers added to the signed data, + * 0 or higher is valid. + * Return negative error code for failure. + **/ +static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_signer_info *signers_set ) +{ + unsigned char *end_set; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int count = 0; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if( ret != 0 ) + { + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, ret ) ); + } + + /* Detect zero signers */ + if( len == 0 ) + { + return( 0 ); + } + + end_set = *p + len; + + ret = pkcs7_get_signer_info( p, end_set, signers_set ); + if( ret != 0 ) + return( ret ); + count++; + + mbedtls_pkcs7_signer_info *prev = signers_set; + while( *p != end_set ) + { + mbedtls_pkcs7_signer_info *signer = + mbedtls_calloc( 1, sizeof( mbedtls_pkcs7_signer_info ) ); + if( !signer ) + { + ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + goto cleanup; + } + + ret = pkcs7_get_signer_info( p, end_set, signer ); + if( ret != 0 ) { + mbedtls_free( signer ); + goto cleanup; + } + prev->next = signer; + prev = signer; + count++; + } + + return( count ); + +cleanup: + pkcs7_free_signer_info( signers_set ); + mbedtls_pkcs7_signer_info *signer = signers_set->next; + while( signer != NULL ) + { + prev = signer; + signer = signer->next; + pkcs7_free_signer_info( prev ); + mbedtls_free( prev ); + } + signers_set->next = NULL; + return( ret ); +} + +/** + * SignedData ::= SEQUENCE { + * version Version, + * digestAlgorithms DigestAlgorithmIdentifiers, + * contentInfo ContentInfo, + * certificates + * [0] IMPLICIT ExtendedCertificatesAndCertificates + * OPTIONAL, + * crls + * [0] IMPLICIT CertificateRevocationLists OPTIONAL, + * signerInfos SignerInfos } + */ +static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, + mbedtls_pkcs7_signed_data *signed_data ) +{ + unsigned char *p = buf; + unsigned char *end = buf + buflen; + unsigned char *end_set; + size_t len = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_type_t md_alg; + + ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + { + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ) ); + } + + end_set = p + len; + + /* Get version of signed data */ + ret = pkcs7_get_version( &p, end_set, &signed_data->version ); + if( ret != 0 ) + return( ret ); + + /* Get digest algorithm */ + ret = pkcs7_get_digest_algorithm_set( &p, end_set, + &signed_data->digest_alg_identifiers ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_oid_get_md_alg( &signed_data->digest_alg_identifiers, &md_alg ); + if( ret != 0 ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + } + + /* Do not expect any content */ + ret = pkcs7_get_content_info_type( &p, end_set, &signed_data->content.oid ); + if( ret != 0 ) + return( ret ); + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO ); + } + + /* Look for certificates, there may or may not be any */ + mbedtls_x509_crt_init( &signed_data->certs ); + ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs ); + if( ret < 0 ) + return( ret ); + + signed_data->no_of_certs = ret; + + /* + * Currently CRLs are not supported. If CRL exist, the parsing will fail + * at next step of getting signers info and return error as invalid + * signer info. + */ + + signed_data->no_of_crls = 0; + + /* Get signers info */ + ret = pkcs7_get_signers_info_set( &p, end_set, &signed_data->signers ); + if( ret < 0 ) + return( ret ); + + signed_data->no_of_signers = ret; + + /* Don't permit trailing data */ + if ( p != end ) + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT ); + + return( 0 ); +} + +int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, + const size_t buflen ) +{ + unsigned char *p; + unsigned char *end; + size_t len = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int isoidset = 0; + + if( pkcs7 == NULL ) + { + return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); + } + + /* make an internal copy of the buffer for parsing */ + pkcs7->raw.p = p = mbedtls_calloc( 1, buflen ); + if( pkcs7->raw.p == NULL ) + { + ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + goto out; + } + memcpy( p, buf, buflen ); + pkcs7->raw.len = buflen; + end = p + buflen; + + ret = pkcs7_get_content_info_type( &p, end, &pkcs7->content_type_oid ); + if( ret != 0 ) + { + len = buflen; + goto try_data; + } + + if( ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) ) + { + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + goto out; + } + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid ) ) + { + ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + goto out; + } + + isoidset = 1; + + ret = pkcs7_get_next_content_len( &p, end, &len ); + if( ret != 0 ) + goto out; + +try_data: + ret = pkcs7_get_signed_data( p, len, &pkcs7->signed_data ); + if ( ret != 0 ) + goto out; + + if ( !isoidset ) + { + pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID; + pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS7_SIGNED_DATA ); + pkcs7->content_type_oid.p = (unsigned char *)MBEDTLS_OID_PKCS7_SIGNED_DATA; + } + + ret = MBEDTLS_PKCS7_SIGNED_DATA; + +out: + if ( ret < 0 ) + mbedtls_pkcs7_free( pkcs7 ); + + return( ret ); +} + +static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen, + const int is_data_hash ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *hash; + mbedtls_pk_context pk_cxt = cert->pk; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + mbedtls_pkcs7_signer_info *signer; + + if( pkcs7->signed_data.no_of_signers == 0 ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + } + + if( mbedtls_x509_time_is_past( &cert->valid_to ) || + mbedtls_x509_time_is_future( &cert->valid_from )) + { + return( MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID ); + } + + /* + * Potential TODOs + * Currently we iterate over all signers and return success if any of them + * verify. + * + * However, we could make this better by checking against the certificate's + * identification and SignerIdentifier fields first. That would also allow + * us to distinguish between 'no signature for key' and 'signature for key + * failed to validate'. + * + * We could also cache hashes by md, so if there are several sigs all using + * the same algo we don't recalculate the hash each time. + */ + for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next ) + { + ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); + if( ret != 0 ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + continue; + } + + md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + continue; + } + + hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); + if( hash == NULL ) { + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + } + /* BEGIN must free hash before jumping out */ + if( is_data_hash ) + { + if( datalen != mbedtls_md_get_size( md_info )) + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + else + memcpy(hash, data, datalen); + } + else + { + ret = mbedtls_md( md_info, data, datalen, hash ); + } + if( ret != 0 ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + mbedtls_free( hash ); + continue; + } + + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, + mbedtls_md_get_size( md_info ), + signer->sig.p, signer->sig.len ); + mbedtls_free( hash ); + /* END must free hash before jumping out */ + + if( ret == 0 ) + break; + } + + return( ret ); +} +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ) +{ + return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, data, datalen, 0 ) ); +} + +int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *hash, + size_t hashlen ) +{ + return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, hash, hashlen, 1 ) ); +} + +/* + * Unallocate all pkcs7 data + */ +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ) +{ + mbedtls_pkcs7_signer_info *signer_cur; + mbedtls_pkcs7_signer_info *signer_prev; + + if( pkcs7 == NULL || pkcs7->raw.p == NULL ) + return; + + mbedtls_free( pkcs7->raw.p ); + + mbedtls_x509_crt_free( &pkcs7->signed_data.certs ); + mbedtls_x509_crl_free( &pkcs7->signed_data.crl ); + + signer_cur = pkcs7->signed_data.signers.next; + pkcs7_free_signer_info( &pkcs7->signed_data.signers ); + while( signer_cur != NULL ) + { + signer_prev = signer_cur; + signer_cur = signer_prev->next; + pkcs7_free_signer_info( signer_prev ); + mbedtls_free( signer_prev ); + } + + pkcs7->raw.p = NULL; +} + +#endif diff --git a/thirdparty/mbedtls/library/pkparse.c b/thirdparty/mbedtls/library/pkparse.c index 73d59a6bbe9828..b9826378d4a91a 100644 --- a/thirdparty/mbedtls/library/pkparse.c +++ b/thirdparty/mbedtls/library/pkparse.c @@ -48,19 +48,7 @@ #include "mbedtls/pkcs12.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif - -/* Parameter validation macros based on platform_util.h */ -#define PK_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA ) -#define PK_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) #if defined(MBEDTLS_FS_IO) /* @@ -75,10 +63,6 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ) FILE *f; long size; - PK_VALIDATE_RET( path != NULL ); - PK_VALIDATE_RET( buf != NULL ); - PK_VALIDATE_RET( n != NULL ); - if( ( f = fopen( path, "rb" ) ) == NULL ) return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); @@ -133,9 +117,6 @@ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, size_t n; unsigned char *buf; - PK_VALIDATE_RET( ctx != NULL ); - PK_VALIDATE_RET( path != NULL ); - if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) return( ret ); @@ -160,9 +141,6 @@ int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path ) size_t n; unsigned char *buf; - PK_VALIDATE_RET( ctx != NULL ); - PK_VALIDATE_RET( path != NULL ); - if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) return( ret ); @@ -620,11 +598,6 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end, mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; const mbedtls_pk_info_t *pk_info; - PK_VALIDATE_RET( p != NULL ); - PK_VALIDATE_RET( *p != NULL ); - PK_VALIDATE_RET( end != NULL ); - PK_VALIDATE_RET( pk != NULL ); - if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) { @@ -1217,10 +1190,8 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, mbedtls_pem_context pem; #endif - PK_VALIDATE_RET( pk != NULL ); if( keylen == 0 ) return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); - PK_VALIDATE_RET( key != NULL ); #if defined(MBEDTLS_PEM_PARSE_C) mbedtls_pem_init( &pem ); @@ -1436,10 +1407,8 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx, mbedtls_pem_context pem; #endif - PK_VALIDATE_RET( ctx != NULL ); if( keylen == 0 ) return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); - PK_VALIDATE_RET( key != NULL || keylen == 0 ); #if defined(MBEDTLS_PEM_PARSE_C) mbedtls_pem_init( &pem ); diff --git a/thirdparty/mbedtls/library/pkwrite.c b/thirdparty/mbedtls/library/pkwrite.c index 8b99340507e5c6..f699a2726b473f 100644 --- a/thirdparty/mbedtls/library/pkwrite.c +++ b/thirdparty/mbedtls/library/pkwrite.c @@ -51,19 +51,7 @@ #include "psa/crypto.h" #include "mbedtls/psa_util.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif - -/* Parameter validation macros based on platform_util.h */ -#define PK_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA ) -#define PK_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) #if defined(MBEDTLS_RSA_C) /* @@ -182,11 +170,6 @@ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; - PK_VALIDATE_RET( p != NULL ); - PK_VALIDATE_RET( *p != NULL ); - PK_VALIDATE_RET( start != NULL ); - PK_VALIDATE_RET( key != NULL ); - #if defined(MBEDTLS_RSA_C) if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA ) MBEDTLS_ASN1_CHK_ADD( len, pk_write_rsa_pubkey( p, start, mbedtls_pk_rsa( *key ) ) ); @@ -233,10 +216,8 @@ int mbedtls_pk_write_pubkey_der( const mbedtls_pk_context *key, unsigned char *b mbedtls_pk_type_t pk_type; const char *oid; - PK_VALIDATE_RET( key != NULL ); if( size == 0 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - PK_VALIDATE_RET( buf != NULL ); c = buf + size; @@ -333,10 +314,8 @@ int mbedtls_pk_write_key_der( const mbedtls_pk_context *key, unsigned char *buf, unsigned char *c; size_t len = 0; - PK_VALIDATE_RET( key != NULL ); if( size == 0 ) return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - PK_VALIDATE_RET( buf != NULL ); c = buf + size; @@ -500,9 +479,6 @@ int mbedtls_pk_write_pubkey_pem( const mbedtls_pk_context *key, unsigned char *b unsigned char output_buf[PUB_DER_MAX_BYTES]; size_t olen = 0; - PK_VALIDATE_RET( key != NULL ); - PK_VALIDATE_RET( buf != NULL || size == 0 ); - if( ( ret = mbedtls_pk_write_pubkey_der( key, output_buf, sizeof(output_buf) ) ) < 0 ) { @@ -526,9 +502,6 @@ int mbedtls_pk_write_key_pem( const mbedtls_pk_context *key, unsigned char *buf, const char *begin, *end; size_t olen = 0; - PK_VALIDATE_RET( key != NULL ); - PK_VALIDATE_RET( buf != NULL || size == 0 ); - if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 ) return( ret ); diff --git a/thirdparty/mbedtls/library/poly1305.c b/thirdparty/mbedtls/library/poly1305.c index 7375a0c5728fd4..4d0cdee25762fa 100644 --- a/thirdparty/mbedtls/library/poly1305.c +++ b/thirdparty/mbedtls/library/poly1305.c @@ -28,28 +28,10 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_POLY1305_ALT) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - -/* Parameter validation macros */ -#define POLY1305_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ) -#define POLY1305_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - #define POLY1305_BLOCK_SIZE_BYTES ( 16U ) /* @@ -258,8 +240,6 @@ static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx, void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx ) { - POLY1305_VALIDATE( ctx != NULL ); - mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) ); } @@ -274,9 +254,6 @@ void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx ) int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx, const unsigned char key[32] ) { - POLY1305_VALIDATE_RET( ctx != NULL ); - POLY1305_VALIDATE_RET( key != NULL ); - /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */ ctx->r[0] = MBEDTLS_GET_UINT32_LE( key, 0 ) & 0x0FFFFFFFU; ctx->r[1] = MBEDTLS_GET_UINT32_LE( key, 4 ) & 0x0FFFFFFCU; @@ -310,8 +287,6 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, size_t remaining = ilen; size_t queue_free_len; size_t nblocks; - POLY1305_VALIDATE_RET( ctx != NULL ); - POLY1305_VALIDATE_RET( ilen == 0 || input != NULL ); if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) ) { @@ -369,9 +344,6 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx, unsigned char mac[16] ) { - POLY1305_VALIDATE_RET( ctx != NULL ); - POLY1305_VALIDATE_RET( mac != NULL ); - /* Process any leftover data */ if( ctx->queue_len > 0U ) { @@ -400,9 +372,6 @@ int mbedtls_poly1305_mac( const unsigned char key[32], { mbedtls_poly1305_context ctx; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - POLY1305_VALIDATE_RET( key != NULL ); - POLY1305_VALIDATE_RET( mac != NULL ); - POLY1305_VALIDATE_RET( ilen == 0 || input != NULL ); mbedtls_poly1305_init( &ctx ); diff --git a/thirdparty/mbedtls/library/psa_crypto.c b/thirdparty/mbedtls/library/psa_crypto.c index b0116ddfb4c9f2..cb5791fc781697 100644 --- a/thirdparty/mbedtls/library/psa_crypto.c +++ b/thirdparty/mbedtls/library/psa_crypto.c @@ -52,10 +52,6 @@ #include #include #include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/aes.h" #include "mbedtls/asn1.h" @@ -445,6 +441,8 @@ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, case PSA_KEY_TYPE_RAW_DATA: case PSA_KEY_TYPE_HMAC: case PSA_KEY_TYPE_DERIVE: + case PSA_KEY_TYPE_PASSWORD: + case PSA_KEY_TYPE_PASSWORD_HASH: break; #if defined(PSA_WANT_KEY_TYPE_AES) case PSA_KEY_TYPE_AES: @@ -879,20 +877,7 @@ static psa_status_t psa_restrict_key_policy( return( PSA_SUCCESS ); } -/** Get the description of a key given its identifier and policy constraints - * and lock it. - * - * The key must have allow all the usage flags set in \p usage. If \p alg is - * nonzero, the key must allow operations with this algorithm. If \p alg is - * zero, the algorithm is not checked. - * - * In case of a persistent key, the function loads the description of the key - * into a key slot if not already done. - * - * On success, the returned key slot is locked. It is the responsibility of - * the caller to unlock the key slot when it does not access it anymore. - */ -static psa_status_t psa_get_and_lock_key_slot_with_policy( +psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot, psa_key_usage_t usage, @@ -3469,8 +3454,8 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, alg, local_iv, default_iv_length, input, input_length, - output + default_iv_length, output_size - default_iv_length, - output_length ); + mbedtls_buffer_offset( output, default_iv_length ), + output_size - default_iv_length, output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); @@ -3590,6 +3575,7 @@ static psa_status_t psa_aead_check_nonce_length( psa_algorithm_t alg, break; #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ default: + (void) nonce_length; return( PSA_ERROR_NOT_SUPPORTED ); } @@ -3706,39 +3692,34 @@ psa_status_t psa_aead_decrypt( mbedtls_svc_key_id_t key, return( status ); } -static psa_status_t psa_validate_tag_length( psa_aead_operation_t *operation, - psa_algorithm_t alg ) { - uint8_t tag_len = 0; - if( psa_driver_get_tag_len( operation, &tag_len ) != PSA_SUCCESS ) - { - return( PSA_ERROR_INVALID_ARGUMENT ); - } +static psa_status_t psa_validate_tag_length( psa_algorithm_t alg ) { + const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg ); switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) +#if defined(PSA_WANT_ALG_CCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ): /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/ if( tag_len < 4 || tag_len > 16 || tag_len % 2 ) return( PSA_ERROR_INVALID_ARGUMENT ); break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ +#endif /* PSA_WANT_ALG_CCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) +#if defined(PSA_WANT_ALG_GCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ): /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */ if( tag_len != 4 && tag_len != 8 && ( tag_len < 12 || tag_len > 16 ) ) return( PSA_ERROR_INVALID_ARGUMENT ); break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#endif /* PSA_WANT_ALG_GCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) +#if defined(PSA_WANT_ALG_CHACHA20_POLY1305) case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ): /* We only support the default tag length. */ if( tag_len != 16 ) return( PSA_ERROR_INVALID_ARGUMENT ); break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ +#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ default: (void) tag_len; @@ -3789,6 +3770,9 @@ static psa_status_t psa_aead_setup( psa_aead_operation_t *operation, .core = slot->attr }; + if( ( status = psa_validate_tag_length( alg ) ) != PSA_SUCCESS ) + goto exit; + if( is_encrypt ) status = psa_driver_wrapper_aead_encrypt_setup( operation, &attributes, @@ -3804,9 +3788,6 @@ static psa_status_t psa_aead_setup( psa_aead_operation_t *operation, if( status != PSA_SUCCESS ) goto exit; - if( ( status = psa_validate_tag_length( operation, alg ) ) != PSA_SUCCESS ) - goto exit; - operation->key_type = psa_get_key_type( &attributes ); exit: @@ -4243,7 +4224,8 @@ psa_status_t psa_aead_abort( psa_aead_operation_t *operation ) #if defined(BUILTIN_ALG_ANY_HKDF) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) #define AT_LEAST_ONE_BUILTIN_KDF #endif /* At least one builtin KDF */ @@ -4350,6 +4332,14 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + mbedtls_platform_zeroize( operation->ctx.tls12_ecjpake_to_pms.data, + sizeof( operation->ctx.tls12_ecjpake_to_pms.data ) ); + } + else +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */ { status = PSA_ERROR_BAD_STATE; } @@ -4631,6 +4621,31 @@ static psa_status_t psa_key_derivation_tls12_prf_read( #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read( + psa_tls12_ecjpake_to_pms_t *ecjpake, + uint8_t *output, + size_t output_length ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_size = 0; + + if( output_length != 32 ) + return ( PSA_ERROR_INVALID_ARGUMENT ); + + status = psa_hash_compute( PSA_ALG_SHA_256, ecjpake->data, + PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length, + &output_size ); + if( status != PSA_SUCCESS ) + return ( status ); + + if( output_size != output_length ) + return ( PSA_ERROR_GENERIC_ERROR ); + + return ( PSA_SUCCESS ); +} +#endif + psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation, uint8_t *output, @@ -4685,6 +4700,15 @@ psa_status_t psa_key_derivation_output_bytes( else #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + status = psa_key_derivation_tls12_ecjpake_to_pms_read( + &operation->ctx.tls12_ecjpake_to_pms, output, output_length ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ + { (void) kdf_alg; return( PSA_ERROR_BAD_STATE ); @@ -5076,6 +5100,10 @@ static int is_kdf_alg_supported( psa_algorithm_t kdf_alg ) #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) return( 1 ); +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + return( 1 ); #endif return( 0 ); } @@ -5100,19 +5128,26 @@ static psa_status_t psa_key_derivation_setup_kdf( if( ! is_kdf_alg_supported( kdf_alg ) ) return( PSA_ERROR_NOT_SUPPORTED ); - /* All currently supported key derivation algorithms are based on a - * hash algorithm. */ + /* All currently supported key derivation algorithms (apart from + * ecjpake to pms) are based on a hash algorithm. */ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg ); size_t hash_size = PSA_HASH_LENGTH( hash_alg ); - if( hash_size == 0 ) - return( PSA_ERROR_NOT_SUPPORTED ); + if( kdf_alg != PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + if( hash_size == 0 ) + return( PSA_ERROR_NOT_SUPPORTED ); - /* Make sure that hash_alg is a supported hash algorithm. Otherwise - * we might fail later, which is somewhat unfriendly and potentially - * risk-prone. */ - psa_status_t status = psa_hash_try_support( hash_alg ); - if( status != PSA_SUCCESS ) - return( status ); + /* Make sure that hash_alg is a supported hash algorithm. Otherwise + * we might fail later, which is somewhat unfriendly and potentially + * risk-prone. */ + psa_status_t status = psa_hash_try_support( hash_alg ); + if( status != PSA_SUCCESS ) + return( status ); + } + else + { + hash_size = PSA_HASH_LENGTH( PSA_ALG_SHA_256 ); + } if( ( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) && @@ -5120,11 +5155,14 @@ static psa_status_t psa_key_derivation_setup_kdf( { return( PSA_ERROR_NOT_SUPPORTED ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) - if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) ) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) || + ( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) ) operation->capacity = hash_size; else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT || + MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ operation->capacity = 255 * hash_size; return( PSA_SUCCESS ); } @@ -5513,6 +5551,29 @@ static psa_status_t psa_tls12_prf_psk_to_ms_input( } #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +static psa_status_t psa_tls12_ecjpake_to_pms_input( + psa_tls12_ecjpake_to_pms_t *ecjpake, + psa_key_derivation_step_t step, + const uint8_t *data, + size_t data_length ) +{ + if( data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE || + step != PSA_KEY_DERIVATION_INPUT_SECRET ) + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } + + /* Check if the passed point is in an uncompressed form */ + if( data[0] != 0x04 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */ + memcpy( ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE ); + + return( PSA_SUCCESS ); +} +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ /** Check whether the given key type is acceptable for the given * input step of a key derivation. * @@ -5591,6 +5652,14 @@ static psa_status_t psa_key_derivation_input_internal( } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + status = psa_tls12_ecjpake_to_pms_input( + &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ { /* This can't happen unless the operation object was not initialized */ (void) data; @@ -5654,96 +5723,31 @@ psa_status_t psa_key_derivation_input_key( /* Key agreement */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) -static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, +psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, size_t peer_key_length, - const mbedtls_ecp_keypair *our_key, uint8_t *shared_secret, size_t shared_secret_size, size_t *shared_secret_length ) -{ - mbedtls_ecp_keypair *their_key = NULL; - mbedtls_ecdh_context ecdh; - psa_status_t status; - size_t bits = 0; - psa_ecc_family_t curve = mbedtls_ecc_group_to_psa( our_key->grp.id, &bits ); - mbedtls_ecdh_init( &ecdh ); - - status = mbedtls_psa_ecp_load_representation( - PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve), - bits, - peer_key, - peer_key_length, - &their_key ); - if( status != PSA_SUCCESS ) - goto exit; - - status = mbedtls_to_psa_error( - mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS ) ); - if( status != PSA_SUCCESS ) - goto exit; - status = mbedtls_to_psa_error( - mbedtls_ecdh_get_params( &ecdh, our_key, MBEDTLS_ECDH_OURS ) ); - if( status != PSA_SUCCESS ) - goto exit; - - status = mbedtls_to_psa_error( - mbedtls_ecdh_calc_secret( &ecdh, - shared_secret_length, - shared_secret, shared_secret_size, - mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE ) ); - if( status != PSA_SUCCESS ) - goto exit; - if( PSA_BITS_TO_BYTES( bits ) != *shared_secret_length ) - status = PSA_ERROR_CORRUPTION_DETECTED; - -exit: - if( status != PSA_SUCCESS ) - mbedtls_platform_zeroize( shared_secret, shared_secret_size ); - mbedtls_ecdh_free( &ecdh ); - mbedtls_ecp_keypair_free( their_key ); - mbedtls_free( their_key ); - - return( status ); -} -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ - -#define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES - -static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, - psa_key_slot_t *private_key, - const uint8_t *peer_key, - size_t peer_key_length, - uint8_t *shared_secret, - size_t shared_secret_size, - size_t *shared_secret_length ) { switch( alg ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) case PSA_ALG_ECDH: - if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); - mbedtls_ecp_keypair *ecp = NULL; - psa_status_t status = mbedtls_psa_ecp_load_representation( - private_key->attr.type, - private_key->attr.bits, - private_key->key.data, - private_key->key.bytes, - &ecp ); - if( status != PSA_SUCCESS ) - return( status ); - status = psa_key_agreement_ecdh( peer_key, peer_key_length, - ecp, - shared_secret, shared_secret_size, - shared_secret_length ); - mbedtls_ecp_keypair_free( ecp ); - mbedtls_free( ecp ); - return( status ); + return( mbedtls_psa_key_agreement_ecdh( attributes, key_buffer, + key_buffer_size, alg, + peer_key, peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ default: - (void) private_key; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; (void) peer_key; (void) peer_key_length; (void) shared_secret; @@ -5753,6 +5757,36 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, } } +/** Internal function for raw key agreement + * Calls the driver wrapper which will hand off key agreement task + * to the driver's implementation if a driver is present. + * Fallback specified in the driver wrapper is built-in raw key agreement + * (psa_key_agreement_raw_builtin). + */ +static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, + psa_key_slot_t *private_key, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ) +{ + if( !PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) ) + return( PSA_ERROR_NOT_SUPPORTED ); + + psa_key_attributes_t attributes = { + .core = private_key->attr + }; + + return( psa_driver_wrapper_key_agreement( &attributes, + private_key->key.data, + private_key->key.bytes, alg, + peer_key, peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ) ); +} + /* Note that if this function fails, you must call psa_key_derivation_abort() * to potentially free embedded data structures and wipe confidential data. */ @@ -5763,7 +5797,7 @@ static psa_status_t psa_key_agreement_internal( psa_key_derivation_operation_t * size_t peer_key_length ) { psa_status_t status; - uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE]; + uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE]; size_t shared_secret_length = 0; psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE( operation->alg ); @@ -5964,7 +5998,7 @@ psa_status_t psa_generate_random( uint8_t *output, if( status != PSA_SUCCESS ) return( status ); /* Breaking up a request into smaller chunks is currently not supported - * for the extrernal RNG interface. */ + * for the external RNG interface. */ if( output_length != output_size ) return( PSA_ERROR_INSUFFICIENT_ENTROPY ); return( PSA_SUCCESS ); diff --git a/thirdparty/mbedtls/library/psa_crypto_aead.c b/thirdparty/mbedtls/library/psa_crypto_aead.c index 714d950a149494..730ef9555c2e97 100644 --- a/thirdparty/mbedtls/library/psa_crypto_aead.c +++ b/thirdparty/mbedtls/library/psa_crypto_aead.c @@ -24,13 +24,10 @@ #include "psa_crypto_aead.h" #include "psa_crypto_core.h" +#include "psa_crypto_cipher.h" #include #include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/ccm.h" #include "mbedtls/chachapoly.h" @@ -49,7 +46,6 @@ static psa_status_t psa_aead_setup( size_t key_bits; const mbedtls_cipher_info_t *cipher_info; mbedtls_cipher_id_t cipher_id; - size_t full_tag_length = 0; ( void ) key_buffer_size; @@ -66,7 +62,6 @@ static psa_status_t psa_aead_setup( #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ): operation->alg = PSA_ALG_CCM; - full_tag_length = 16; /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16. * The call to mbedtls_ccm_encrypt_and_tag or * mbedtls_ccm_auth_decrypt will validate the tag length. */ @@ -85,7 +80,6 @@ static psa_status_t psa_aead_setup( #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ): operation->alg = PSA_ALG_GCM; - full_tag_length = 16; /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. * The call to mbedtls_gcm_crypt_and_tag or * mbedtls_gcm_auth_decrypt will validate the tag length. */ @@ -104,7 +98,6 @@ static psa_status_t psa_aead_setup( #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ): operation->alg = PSA_ALG_CHACHA20_POLY1305; - full_tag_length = 16; /* We only support the default tag length. */ if( alg != PSA_ALG_CHACHA20_POLY1305 ) return( PSA_ERROR_NOT_SUPPORTED ); @@ -124,16 +117,9 @@ static psa_status_t psa_aead_setup( return( PSA_ERROR_NOT_SUPPORTED ); } - if( PSA_AEAD_TAG_LENGTH( attributes->core.type, - key_bits, alg ) - > full_tag_length ) - return( PSA_ERROR_INVALID_ARGUMENT ); - operation->key_type = psa_get_key_type( attributes ); - operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type, - key_bits, - alg ); + operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH( alg ); return( PSA_SUCCESS ); } diff --git a/thirdparty/mbedtls/library/psa_crypto_cipher.c b/thirdparty/mbedtls/library/psa_crypto_cipher.c index fafe68b07772f8..91a0e3b30d8001 100644 --- a/thirdparty/mbedtls/library/psa_crypto_cipher.c +++ b/thirdparty/mbedtls/library/psa_crypto_cipher.c @@ -22,7 +22,7 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) -#include +#include "psa_crypto_cipher.h" #include "psa_crypto_core.h" #include "psa_crypto_random_impl.h" @@ -516,10 +516,10 @@ psa_status_t mbedtls_psa_cipher_encrypt( if( status != PSA_SUCCESS ) goto exit; - status = mbedtls_psa_cipher_finish( &operation, - output + update_output_length, - output_size - update_output_length, - &finish_output_length ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, update_output_length ), + output_size - update_output_length, &finish_output_length ); if( status != PSA_SUCCESS ) goto exit; @@ -563,17 +563,20 @@ psa_status_t mbedtls_psa_cipher_decrypt( goto exit; } - status = mbedtls_psa_cipher_update( &operation, input + operation.iv_length, - input_length - operation.iv_length, - output, output_size, &olength ); + status = mbedtls_psa_cipher_update( + &operation, + mbedtls_buffer_offset_const( input, operation.iv_length ), + input_length - operation.iv_length, + output, output_size, &olength ); if( status != PSA_SUCCESS ) goto exit; accumulated_length = olength; - status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, - &olength ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, accumulated_length ), + output_size - accumulated_length, &olength ); if( status != PSA_SUCCESS ) goto exit; diff --git a/thirdparty/mbedtls/library/psa_crypto_cipher.h b/thirdparty/mbedtls/library/psa_crypto_cipher.h index fae98473c48efb..3bd5360cdac8db 100644 --- a/thirdparty/mbedtls/library/psa_crypto_cipher.h +++ b/thirdparty/mbedtls/library/psa_crypto_cipher.h @@ -1,5 +1,5 @@ /* - * PSA cipher driver entry points + * PSA cipher driver entry points and associated auxiliary functions */ /* * Copyright The Mbed TLS Contributors diff --git a/thirdparty/mbedtls/library/psa_crypto_client.c b/thirdparty/mbedtls/library/psa_crypto_client.c index 629feb7dfaf301..ab79086346ca15 100644 --- a/thirdparty/mbedtls/library/psa_crypto_client.c +++ b/thirdparty/mbedtls/library/psa_crypto_client.c @@ -25,10 +25,6 @@ #include #include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif void psa_reset_key_attributes( psa_key_attributes_t *attributes ) { diff --git a/thirdparty/mbedtls/library/psa_crypto_core.h b/thirdparty/mbedtls/library/psa_crypto_core.h index 8c91b04d03c177..614cad1f493609 100644 --- a/thirdparty/mbedtls/library/psa_crypto_core.h +++ b/thirdparty/mbedtls/library/psa_crypto_core.h @@ -183,6 +183,24 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number( } #endif +/** Get the description of a key given its identifier and policy constraints + * and lock it. + * + * The key must have allow all the usage flags set in \p usage. If \p alg is + * nonzero, the key must allow operations with this algorithm. If \p alg is + * zero, the algorithm is not checked. + * + * In case of a persistent key, the function loads the description of the key + * into a key slot if not already done. + * + * On success, the returned key slot is locked. It is the responsibility of + * the caller to unlock the key slot when it does not access it anymore. + */ +psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key, + psa_key_slot_t **p_slot, + psa_key_usage_t usage, + psa_algorithm_t alg ); + /** Completely wipe a slot in memory, including its policy. * * Persistent storage is not affected. @@ -246,22 +264,6 @@ psa_status_t psa_copy_key_material_into_slot( psa_key_slot_t *slot, */ psa_status_t mbedtls_to_psa_error( int ret ); -/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier - * as well as the PSA type and size of the key to be used with the cipher - * algorithm. - * - * \param alg PSA cipher algorithm identifier - * \param key_type PSA key type - * \param key_bits Size of the key in bits - * \param[out] cipher_id Mbed TLS cipher algorithm identifier - * - * \return The Mbed TLS cipher information of the cipher algorithm. - * \c NULL if the PSA cipher algorithm is not supported. - */ -const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( - psa_algorithm_t alg, psa_key_type_t key_type, size_t key_bits, - mbedtls_cipher_id_t *cipher_id ); - /** Import a key in binary format. * * \note The signature of this function is that of a PSA driver @@ -547,4 +549,62 @@ psa_status_t psa_verify_hash_builtin( */ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ); + +/** Perform a key agreement and return the raw shared secret, using + built-in raw key agreement functions. + * + * \note The signature of this function is that of a PSA driver + * key_agreement entry point. This function behaves as a key_agreement + * entry point as defined in the PSA driver interface specification for + * transparent drivers. + * + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The buffer containing the private key + * context. + * \param[in] key_buffer_size Size of the \p key_buffer buffer in + * bytes. + * \param[in] alg A key agreement algorithm that is + * compatible with the type of the key. + * \param[in] peer_key The buffer containing the key context + * of the peer's public key. + * \param[in] peer_key_length Size of the \p peer_key buffer in + * bytes. + * \param[out] shared_secret The buffer to which the shared secret + * is to be written. + * \param[in] shared_secret_size Size of the \p shared_secret buffer in + * bytes. + * \param[out] shared_secret_length On success, the number of bytes that make + * up the returned shared secret. + * \retval #PSA_SUCCESS + * Success. Shared secret successfully calculated. + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p alg is not a key agreement algorithm, or + * \p private_key is not compatible with \p alg, + * or \p peer_key is not valid for \p alg or not compatible with + * \p private_key. + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p shared_secret_size is too small + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p alg is not a supported key agreement algorithm. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + */ +psa_status_t psa_key_agreement_raw_builtin( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ); + #endif /* PSA_CRYPTO_CORE_H */ diff --git a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.c b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.c index a5ae6a29e465ac..1981941390d8d8 100644 --- a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.c +++ b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.c @@ -1,7 +1,7 @@ /* * Functions to delegate cryptographic operations to an available * and appropriate accelerator. - * Warning: This file will be auto-generated in the future. + * Warning: This file is now auto-generated. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -19,6 +19,8 @@ * limitations under the License. */ + +/* BEGIN-common headers */ #include "common.h" #include "psa_crypto_aead.h" #include "psa_crypto_cipher.h" @@ -29,34 +31,39 @@ #include "psa_crypto_rsa.h" #include "mbedtls/platform.h" +/* END-common headers */ #if defined(MBEDTLS_PSA_CRYPTO_C) +/* BEGIN-driver headers */ #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) - -/* Include test driver definition when running tests */ +/* Headers for mbedtls_test opaque driver */ #if defined(PSA_CRYPTO_DRIVER_TEST) -#ifndef PSA_CRYPTO_DRIVER_PRESENT -#define PSA_CRYPTO_DRIVER_PRESENT -#endif -#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT -#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT +#include "test/drivers/test_driver.h" + #endif +/* Headers for mbedtls_test transparent driver */ +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "test/drivers/test_driver.h" -#endif /* PSA_CRYPTO_DRIVER_TEST */ -/* Repeat above block for each JSON-declared driver during autogeneration */ +#endif + #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ +/* END-driver headers */ /* Auto-generated values depending on which drivers are registered. * ID 0 is reserved for unallocated operations. * ID 1 is reserved for the Mbed TLS software driver. */ +/* BEGIN-driver id definition */ #define PSA_CRYPTO_MBED_TLS_DRIVER_ID (1) +#define MBEDTLS_TEST_OPAQUE_DRIVER_ID (2) +#define MBEDTLS_TEST_TRANSPARENT_DRIVER_ID (3) -#if defined(PSA_CRYPTO_DRIVER_TEST) -#define PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID (2) -#define PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID (3) -#endif /* PSA_CRYPTO_DRIVER_TEST */ +/* END-driver id */ + +/* BEGIN-Common Macro definitions */ + +/* END-Common Macro definitions */ /* Support the 'old' SE interface when asked to */ #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -592,6 +599,7 @@ psa_status_t psa_driver_wrapper_import_key( size_t *key_buffer_length, size_t *bits ) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime( attributes ) ); @@ -631,17 +639,25 @@ psa_status_t psa_driver_wrapper_import_key( /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - status = mbedtls_test_transparent_import_key( - attributes, - data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ); - /* Declared with fallback == true */ + +#if (defined(PSA_CRYPTO_DRIVER_TEST) ) + status = mbedtls_test_transparent_import_key + (attributes, + data, + data_length, + key_buffer, + key_buffer_size, + key_buffer_length, + bits + ); + if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif + + #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + /* Fell through, meaning no accelerator supports this operation */ return( psa_import_key_into_slot( attributes, data, data_length, @@ -649,14 +665,21 @@ psa_status_t psa_driver_wrapper_import_key( key_buffer_length, bits ) ); /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TEST_DRIVER_LOCATION: - return( mbedtls_test_opaque_import_key( - attributes, - data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ) ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ + +#if (defined(PSA_CRYPTO_DRIVER_TEST) ) + case 0x7fffff: + return( mbedtls_test_opaque_import_key + (attributes, + data, + data_length, + key_buffer, + key_buffer_size, + key_buffer_length, + bits + )); +#endif + + #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void)status; @@ -671,6 +694,7 @@ psa_status_t psa_driver_wrapper_export_key( uint8_t *data, size_t data_size, size_t *data_length ) { + psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime( attributes ) ); @@ -707,20 +731,26 @@ psa_status_t psa_driver_wrapper_export_key( /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TEST_DRIVER_LOCATION: - return( mbedtls_test_opaque_export_key( attributes, - key_buffer, - key_buffer_size, - data, - data_size, - data_length ) ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ + +#if (defined(PSA_CRYPTO_DRIVER_TEST) ) + case 0x7fffff: + return( mbedtls_test_opaque_export_key + (attributes, + key_buffer, + key_buffer_size, + data, + data_size, + data_length + )); +#endif + + #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: /* Key is declared with a lifetime not known to us */ return( status ); } + } psa_status_t psa_driver_wrapper_export_public_key( @@ -729,6 +759,7 @@ psa_status_t psa_driver_wrapper_export_public_key( uint8_t *data, size_t data_size, size_t *data_length ) { + psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime( attributes ) ); @@ -759,18 +790,22 @@ psa_status_t psa_driver_wrapper_export_public_key( /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - status = mbedtls_test_transparent_export_public_key( - attributes, - key_buffer, - key_buffer_size, - data, - data_size, - data_length ); - /* Declared with fallback == true */ + +#if (defined(PSA_CRYPTO_DRIVER_TEST) ) + status = mbedtls_test_transparent_export_public_key + (attributes, + key_buffer, + key_buffer_size, + data, + data_size, + data_length + ); + if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif + + #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ /* Fell through, meaning no accelerator supports this operation */ return( psa_export_public_key_internal( attributes, @@ -782,20 +817,26 @@ psa_status_t psa_driver_wrapper_export_public_key( /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TEST_DRIVER_LOCATION: - return( mbedtls_test_opaque_export_public_key( attributes, - key_buffer, - key_buffer_size, - data, - data_size, - data_length ) ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ + +#if (defined(PSA_CRYPTO_DRIVER_TEST) ) + case 0x7fffff: + return( mbedtls_test_opaque_export_public_key + (attributes, + key_buffer, + key_buffer_size, + data, + data_size, + data_length + )); +#endif + + #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: /* Key is declared with a lifetime not known to us */ return( status ); } + } psa_status_t psa_driver_wrapper_get_builtin_key( @@ -803,15 +844,24 @@ psa_status_t psa_driver_wrapper_get_builtin_key( psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { + psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); switch( location ) { #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TEST_DRIVER_LOCATION: - return( mbedtls_test_opaque_get_builtin_key( - slot_number, - attributes, - key_buffer, key_buffer_size, key_buffer_length ) ); + +#if (defined(PSA_CRYPTO_DRIVER_TEST) ) + case 0x7fffff: + return( mbedtls_test_opaque_get_builtin_key + (slot_number, + attributes, + key_buffer, + key_buffer_size, + key_buffer_length + )); +#endif + + #endif /* PSA_CRYPTO_DRIVER_TEST */ default: (void) slot_number; @@ -820,6 +870,7 @@ psa_status_t psa_driver_wrapper_get_builtin_key( (void) key_buffer_length; return( PSA_ERROR_DOES_NOT_EXIST ); } + } psa_status_t psa_driver_wrapper_copy_key( @@ -828,6 +879,7 @@ psa_status_t psa_driver_wrapper_copy_key( uint8_t *target_key_buffer, size_t target_key_buffer_size, size_t *target_key_buffer_length ) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); @@ -846,14 +898,20 @@ psa_status_t psa_driver_wrapper_copy_key( switch( location ) { #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TEST_DRIVER_LOCATION: - return( mbedtls_test_opaque_copy_key( attributes, source_key, - source_key_length, - target_key_buffer, - target_key_buffer_size, - target_key_buffer_length) ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ + +#if (defined(PSA_CRYPTO_DRIVER_TEST) ) + case 0x7fffff: + return( mbedtls_test_opaque_copy_key + (attributes, + source_key, + source_key_length, + target_key_buffer, + target_key_buffer_size, + target_key_buffer_length + )); +#endif + + #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void)source_key; @@ -864,6 +922,7 @@ psa_status_t psa_driver_wrapper_copy_key( status = PSA_ERROR_INVALID_ARGUMENT; } return( status ); + } /* @@ -1068,7 +1127,7 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( alg ); /* Declared with fallback == true */ if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); @@ -1100,7 +1159,7 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( alg ); if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ @@ -1141,7 +1200,7 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( alg ); /* Declared with fallback == true */ if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); @@ -1172,7 +1231,7 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( alg ); if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ @@ -1204,12 +1263,12 @@ psa_status_t psa_driver_wrapper_cipher_set_iv( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_cipher_set_iv( &operation->ctx.transparent_test_driver_ctx, iv, iv_length ) ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_cipher_set_iv( &operation->ctx.opaque_test_driver_ctx, iv, iv_length ) ); @@ -1245,13 +1304,13 @@ psa_status_t psa_driver_wrapper_cipher_update( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_cipher_update( &operation->ctx.transparent_test_driver_ctx, input, input_length, output, output_size, output_length ) ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_cipher_update( &operation->ctx.opaque_test_driver_ctx, input, input_length, @@ -1287,12 +1346,12 @@ psa_status_t psa_driver_wrapper_cipher_finish( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_cipher_finish( &operation->ctx.transparent_test_driver_ctx, output, output_size, output_length ) ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_cipher_finish( &operation->ctx.opaque_test_driver_ctx, output, output_size, output_length ) ); @@ -1321,7 +1380,7 @@ psa_status_t psa_driver_wrapper_cipher_abort( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: status = mbedtls_test_transparent_cipher_abort( &operation->ctx.transparent_test_driver_ctx ); mbedtls_platform_zeroize( @@ -1329,7 +1388,7 @@ psa_status_t psa_driver_wrapper_cipher_abort( sizeof( operation->ctx.transparent_test_driver_ctx ) ); return( status ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: status = mbedtls_test_opaque_cipher_abort( &operation->ctx.opaque_test_driver_ctx ); mbedtls_platform_zeroize( @@ -1394,7 +1453,7 @@ psa_status_t psa_driver_wrapper_hash_setup( status = mbedtls_test_transparent_hash_setup( &operation->ctx.test_driver_ctx, alg ); if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); @@ -1429,8 +1488,8 @@ psa_status_t psa_driver_wrapper_hash_clone( &target_operation->ctx.mbedtls_ctx ) ); #endif #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: - target_operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + target_operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; return( mbedtls_test_transparent_hash_clone( &source_operation->ctx.test_driver_ctx, &target_operation->ctx.test_driver_ctx ) ); @@ -1454,7 +1513,7 @@ psa_status_t psa_driver_wrapper_hash_update( input, input_length ) ); #endif #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_hash_update( &operation->ctx.test_driver_ctx, input, input_length ) ); @@ -1480,7 +1539,7 @@ psa_status_t psa_driver_wrapper_hash_finish( hash, hash_size, hash_length ) ); #endif #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_hash_finish( &operation->ctx.test_driver_ctx, hash, hash_size, hash_length ) ); @@ -1503,7 +1562,7 @@ psa_status_t psa_driver_wrapper_hash_abort( return( mbedtls_psa_hash_abort( &operation->ctx.mbedtls_ctx ) ); #endif #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_hash_abort( &operation->ctx.test_driver_ctx ) ); #endif @@ -1616,22 +1675,6 @@ psa_status_t psa_driver_wrapper_aead_decrypt( } } -psa_status_t psa_driver_get_tag_len( psa_aead_operation_t *operation, - uint8_t *tag_len ) -{ - if( operation == NULL || tag_len == NULL ) - return( PSA_ERROR_INVALID_ARGUMENT ); - -#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - *tag_len = operation->ctx.transparent_test_driver_ctx.tag_length; - return ( PSA_SUCCESS ); -#endif -#endif - *tag_len = operation->ctx.mbedtls_ctx.tag_length; - return ( PSA_SUCCESS ); -} - psa_status_t psa_driver_wrapper_aead_encrypt_setup( psa_aead_operation_t *operation, const psa_key_attributes_t *attributes, @@ -1650,7 +1693,7 @@ psa_status_t psa_driver_wrapper_aead_encrypt_setup( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; status = mbedtls_test_transparent_aead_encrypt_setup( &operation->ctx.transparent_test_driver_ctx, attributes, key_buffer, key_buffer_size, @@ -1698,7 +1741,7 @@ psa_status_t psa_driver_wrapper_aead_decrypt_setup( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; status = mbedtls_test_transparent_aead_decrypt_setup( &operation->ctx.transparent_test_driver_ctx, attributes, @@ -1747,7 +1790,7 @@ psa_status_t psa_driver_wrapper_aead_set_nonce( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_aead_set_nonce( &operation->ctx.transparent_test_driver_ctx, nonce, nonce_length ) ); @@ -1781,7 +1824,7 @@ psa_status_t psa_driver_wrapper_aead_set_lengths( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_aead_set_lengths( &operation->ctx.transparent_test_driver_ctx, ad_length, plaintext_length ) ); @@ -1815,7 +1858,7 @@ psa_status_t psa_driver_wrapper_aead_update_ad( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_aead_update_ad( &operation->ctx.transparent_test_driver_ctx, input, input_length ) ); @@ -1853,7 +1896,7 @@ psa_status_t psa_driver_wrapper_aead_update( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_aead_update( &operation->ctx.transparent_test_driver_ctx, input, input_length, output, output_size, @@ -1897,7 +1940,7 @@ psa_status_t psa_driver_wrapper_aead_finish( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_aead_finish( &operation->ctx.transparent_test_driver_ctx, ciphertext, ciphertext_size, @@ -1961,7 +2004,7 @@ psa_status_t psa_driver_wrapper_aead_verify( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_aead_verify( &operation->ctx.transparent_test_driver_ctx, plaintext, plaintext_size, @@ -1995,7 +2038,7 @@ psa_status_t psa_driver_wrapper_aead_abort( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_aead_abort( &operation->ctx.transparent_test_driver_ctx ) ); @@ -2104,7 +2147,7 @@ psa_status_t psa_driver_wrapper_mac_sign_setup( alg ); /* Declared with fallback == true */ if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); @@ -2135,7 +2178,7 @@ psa_status_t psa_driver_wrapper_mac_sign_setup( alg ); if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ @@ -2176,7 +2219,7 @@ psa_status_t psa_driver_wrapper_mac_verify_setup( alg ); /* Declared with fallback == true */ if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); @@ -2207,7 +2250,7 @@ psa_status_t psa_driver_wrapper_mac_verify_setup( alg ); if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID; + operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ @@ -2238,12 +2281,12 @@ psa_status_t psa_driver_wrapper_mac_update( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_mac_update( &operation->ctx.transparent_test_driver_ctx, input, input_length ) ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_mac_update( &operation->ctx.opaque_test_driver_ctx, input, input_length ) ); @@ -2272,12 +2315,12 @@ psa_status_t psa_driver_wrapper_mac_sign_finish( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_mac_sign_finish( &operation->ctx.transparent_test_driver_ctx, mac, mac_size, mac_length ) ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_mac_sign_finish( &operation->ctx.opaque_test_driver_ctx, mac, mac_size, mac_length ) ); @@ -2306,12 +2349,12 @@ psa_status_t psa_driver_wrapper_mac_verify_finish( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_mac_verify_finish( &operation->ctx.transparent_test_driver_ctx, mac, mac_length ) ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_mac_verify_finish( &operation->ctx.opaque_test_driver_ctx, mac, mac_length ) ); @@ -2336,10 +2379,10 @@ psa_status_t psa_driver_wrapper_mac_abort( #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_mac_abort( &operation->ctx.transparent_test_driver_ctx ) ); - case PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID: + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_mac_abort( &operation->ctx.opaque_test_driver_ctx ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ @@ -2468,4 +2511,72 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt( } } +psa_status_t psa_driver_wrapper_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length + ) + { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_location_t location = + PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + + switch( location ) + { + case PSA_KEY_LOCATION_LOCAL_STORAGE: + /* Key is stored in the slot in export representation, so + * cycle through all known transparent accelerators */ +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + status = + mbedtls_test_transparent_key_agreement( attributes, + key_buffer, key_buffer_size, alg, peer_key, + peer_key_length, shared_secret, shared_secret_size, + shared_secret_length ); + if( status != PSA_ERROR_NOT_SUPPORTED ) + return( status ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + /* Software Fallback */ + status = psa_key_agreement_raw_builtin( attributes, + key_buffer, + key_buffer_size, + alg, + peer_key, + peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ); + return( status ); +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case PSA_CRYPTO_TEST_DRIVER_LOCATION: + return( mbedtls_test_opaque_key_agreement( attributes, + key_buffer, key_buffer_size, alg, peer_key, + peer_key_length, shared_secret, shared_secret_size, + shared_secret_length ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + default: + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) peer_key; + (void) peer_key_length; + (void) shared_secret; + (void) shared_secret_size; + (void) shared_secret_length; + return( PSA_ERROR_NOT_SUPPORTED ); + + } + } + #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h index 12c649da37f236..a19d7ecaefaf4e 100644 --- a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h +++ b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h @@ -226,10 +226,6 @@ psa_status_t psa_driver_wrapper_aead_decrypt( const uint8_t *ciphertext, size_t ciphertext_length, uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length ); -psa_status_t psa_driver_get_tag_len( - psa_aead_operation_t *operation, - uint8_t *tag_len ); - psa_status_t psa_driver_wrapper_aead_encrypt_setup( psa_aead_operation_t *operation, const psa_key_attributes_t *attributes, @@ -361,6 +357,20 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt( size_t output_size, size_t *output_length ); +/* + * Raw Key Agreement + */ +psa_status_t psa_driver_wrapper_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ); + #endif /* PSA_CRYPTO_DRIVER_WRAPPERS_H */ /* End of automatically generated file. */ diff --git a/thirdparty/mbedtls/library/psa_crypto_ecp.c b/thirdparty/mbedtls/library/psa_crypto_ecp.c index db6682c6dce8a3..537a74840edbb6 100644 --- a/thirdparty/mbedtls/library/psa_crypto_ecp.c +++ b/thirdparty/mbedtls/library/psa_crypto_ecp.c @@ -26,17 +26,14 @@ #include "psa_crypto_core.h" #include "psa_crypto_ecp.h" #include "psa_crypto_random_impl.h" -#include "psa_crypto_hash.h" +#include "hash_info.h" #include #include #include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include +#include #include #include @@ -367,8 +364,7 @@ psa_status_t mbedtls_psa_ecdsa_sign_hash( { #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg ); - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg ); - mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info ); + mbedtls_md_type_t md_alg = mbedtls_hash_info_md_from_psa( hash_alg ); MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det_ext( &ecp->grp, &r, &s, &ecp->d, hash, @@ -469,4 +465,76 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +/****************************************************************/ +/* ECDH Key Agreement */ +/****************************************************************/ + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +psa_status_t mbedtls_psa_key_agreement_ecdh( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length, + uint8_t *shared_secret, size_t shared_secret_size, + size_t *shared_secret_length ) +{ + psa_status_t status; + if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( attributes->core.type ) || + ! PSA_ALG_IS_ECDH(alg) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + mbedtls_ecp_keypair *ecp = NULL; + status = mbedtls_psa_ecp_load_representation( + attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, + &ecp ); + if( status != PSA_SUCCESS ) + return( status ); + mbedtls_ecp_keypair *their_key = NULL; + mbedtls_ecdh_context ecdh; + size_t bits = 0; + psa_ecc_family_t curve = mbedtls_ecc_group_to_psa( ecp->grp.id, &bits ); + mbedtls_ecdh_init( &ecdh ); + + status = mbedtls_psa_ecp_load_representation( + PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve), + bits, + peer_key, + peer_key_length, + &their_key ); + if( status != PSA_SUCCESS ) + goto exit; + + status = mbedtls_to_psa_error( + mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS ) ); + if( status != PSA_SUCCESS ) + goto exit; + status = mbedtls_to_psa_error( + mbedtls_ecdh_get_params( &ecdh, ecp, MBEDTLS_ECDH_OURS ) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = mbedtls_to_psa_error( + mbedtls_ecdh_calc_secret( &ecdh, + shared_secret_length, + shared_secret, shared_secret_size, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE ) ); + if( status != PSA_SUCCESS ) + goto exit; + if( PSA_BITS_TO_BYTES( bits ) != *shared_secret_length ) + status = PSA_ERROR_CORRUPTION_DETECTED; +exit: + if( status != PSA_SUCCESS ) + mbedtls_platform_zeroize( shared_secret, shared_secret_size ); + mbedtls_ecdh_free( &ecdh ); + mbedtls_ecp_keypair_free( their_key ); + mbedtls_free( their_key ); + mbedtls_ecp_keypair_free( ecp ); + mbedtls_free( ecp ); + return( status ); +} +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ + + #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/thirdparty/mbedtls/library/psa_crypto_ecp.h b/thirdparty/mbedtls/library/psa_crypto_ecp.h index 429c062719b3d4..386e87aa9f6fd9 100644 --- a/thirdparty/mbedtls/library/psa_crypto_ecp.h +++ b/thirdparty/mbedtls/library/psa_crypto_ecp.h @@ -218,4 +218,53 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, const uint8_t *signature, size_t signature_length ); + + +/** Perform a key agreement and return the raw ECDH shared secret. + * + * \note The signature of this function is that of a PSA driver + * key_agreement entry point. This function behaves as a key_agreement + * entry point as defined in the PSA driver interface specification for + * transparent drivers. + * + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The buffer containing the private key + * context. + * \param[in] key_buffer_size Size of the \p key_buffer buffer in + * bytes. + * \param[in] alg A key agreement algorithm that is + * compatible with the type of the key. + * \param[in] peer_key The buffer containing the key context + * of the peer's public key. + * \param[in] peer_key_length Size of the \p peer_key buffer in + * bytes. + * \param[out] shared_secret The buffer to which the shared secret + * is to be written. + * \param[in] shared_secret_size Size of the \p shared_secret buffer in + * bytes. + * \param[out] shared_secret_length On success, the number of bytes that make + * up the returned shared secret. + * \retval #PSA_SUCCESS + * Success. Shared secret successfully calculated. + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p alg is not a key agreement algorithm, or + * \p private_key is not compatible with \p alg, + * or \p peer_key is not valid for \p alg or not compatible with + * \p private_key. + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p shared_secret_size is too small + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p alg is not a supported key agreement algorithm. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_CORRUPTION_DETECTED + */ +psa_status_t mbedtls_psa_key_agreement_ecdh( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length, + uint8_t *shared_secret, size_t shared_secret_size, + size_t *shared_secret_length ); #endif /* PSA_CRYPTO_ECP_H */ diff --git a/thirdparty/mbedtls/library/psa_crypto_hash.c b/thirdparty/mbedtls/library/psa_crypto_hash.c index 536c6c1188ddeb..a20c13fc3dcdd4 100644 --- a/thirdparty/mbedtls/library/psa_crypto_hash.c +++ b/thirdparty/mbedtls/library/psa_crypto_hash.c @@ -29,51 +29,6 @@ #include #include -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) -const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) -{ - switch( alg ) - { -#if defined(MBEDTLS_MD5_C) - case PSA_ALG_MD5: - return( &mbedtls_md5_info ); -#endif -#if defined(MBEDTLS_RIPEMD160_C) - case PSA_ALG_RIPEMD160: - return( &mbedtls_ripemd160_info ); -#endif -#if defined(MBEDTLS_SHA1_C) - case PSA_ALG_SHA_1: - return( &mbedtls_sha1_info ); -#endif -#if defined(MBEDTLS_SHA224_C) - case PSA_ALG_SHA_224: - return( &mbedtls_sha224_info ); -#endif -#if defined(MBEDTLS_SHA256_C) - case PSA_ALG_SHA_256: - return( &mbedtls_sha256_info ); -#endif -#if defined(MBEDTLS_SHA384_C) - case PSA_ALG_SHA_384: - return( &mbedtls_sha384_info ); -#endif -#if defined(MBEDTLS_SHA512_C) - case PSA_ALG_SHA_512: - return( &mbedtls_sha512_info ); -#endif - default: - return( NULL ); - } -} -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ - #if defined(MBEDTLS_PSA_BUILTIN_HASH) psa_status_t mbedtls_psa_hash_abort( mbedtls_psa_hash_operation_t *operation ) diff --git a/thirdparty/mbedtls/library/psa_crypto_hash.h b/thirdparty/mbedtls/library/psa_crypto_hash.h index 3bcea59b76c9e8..053da0bf54e750 100644 --- a/thirdparty/mbedtls/library/psa_crypto_hash.h +++ b/thirdparty/mbedtls/library/psa_crypto_hash.h @@ -25,15 +25,6 @@ #include "md_wrap.h" -/** Get Mbed TLS MD information of a hash algorithm given its PSA identifier - * - * \param[in] alg PSA hash algorithm identifier - * - * \return The Mbed TLS MD information of the hash algorithm. \c NULL if the - * PSA hash algorithm is not supported. - */ -const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ); - /** Calculate the hash (digest) of a message using Mbed TLS routines. * * \note The signature of this function is that of a PSA driver hash_compute diff --git a/thirdparty/mbedtls/library/psa_crypto_mac.c b/thirdparty/mbedtls/library/psa_crypto_mac.c index dcf065a672651e..d771e23e1b2d5b 100644 --- a/thirdparty/mbedtls/library/psa_crypto_mac.c +++ b/thirdparty/mbedtls/library/psa_crypto_mac.c @@ -24,6 +24,7 @@ #include #include "psa_crypto_core.h" +#include "psa_crypto_cipher.h" #include "psa_crypto_mac.h" #include diff --git a/thirdparty/mbedtls/library/psa_crypto_pake.c b/thirdparty/mbedtls/library/psa_crypto_pake.c new file mode 100644 index 00000000000000..da66dae7da7fa4 --- /dev/null +++ b/thirdparty/mbedtls/library/psa_crypto_pake.c @@ -0,0 +1,938 @@ +/* + * PSA PAKE layer on top of Mbed TLS software crypto + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "common.h" + +#if defined(MBEDTLS_PSA_CRYPTO_C) + +#include +#include "psa_crypto_core.h" +#include "psa_crypto_slot_management.h" + +#include +#include + +#include +#include +#include + +/* + * State sequence: + * + * psa_pake_setup() + * | + * |-- In any order: + * | | psa_pake_set_password_key() + * | | psa_pake_set_user() + * | | psa_pake_set_peer() + * | | psa_pake_set_role() + * | + * |--- In any order: (First round input before or after first round output) + * | | + * | |------ In Order + * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) + * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) + * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) + * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) + * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) + * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) + * | | + * | |------ In Order: + * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) + * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) + * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) + * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) + * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) + * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) + * | + * |--- In any order: (Second round input before or after second round output) + * | | + * | |------ In Order + * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE) + * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC) + * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF) + * | | + * | |------ In Order: + * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE) + * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC) + * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF) + * | + * psa_pake_get_implicit_key() + * psa_pake_abort() + */ + +enum psa_pake_step +{ + PSA_PAKE_STEP_INVALID = 0, + PSA_PAKE_STEP_X1_X2 = 1, + PSA_PAKE_STEP_X2S = 2, + PSA_PAKE_STEP_DERIVE = 3, +}; + +enum psa_pake_state +{ + PSA_PAKE_STATE_INVALID = 0, + PSA_PAKE_STATE_SETUP = 1, + PSA_PAKE_STATE_READY = 2, + PSA_PAKE_OUTPUT_X1_X2 = 3, + PSA_PAKE_OUTPUT_X2S = 4, + PSA_PAKE_INPUT_X1_X2 = 5, + PSA_PAKE_INPUT_X4S = 6, +}; + +/* + * The first PAKE step shares the same sequences of the second PAKE step + * but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs. + * It's simpler to share the same sequences numbers of the first + * set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs in both PAKE steps. + * + * State sequence with step, state & sequence enums: + * => Input & Output Step = PSA_PAKE_STEP_INVALID + * => state = PSA_PAKE_STATE_INVALID + * psa_pake_setup() + * => Input & Output Step = PSA_PAKE_STEP_X1_X2 + * => state = PSA_PAKE_STATE_SETUP + * => sequence = PSA_PAKE_SEQ_INVALID + * | + * |--- In any order: (First round input before or after first round output) + * | | First call of psa_pake_output() or psa_pake_input() sets + * | | state = PSA_PAKE_STATE_READY + * | | + * | |------ In Order: => state = PSA_PAKE_OUTPUT_X1_X2 + * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE + * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC + * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF + * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE + * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC + * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF + * | | | => state = PSA_PAKE_STATE_READY + * | | | => sequence = PSA_PAKE_SEQ_INVALID + * | | | => Output Step = PSA_PAKE_STEP_X2S + * | | + * | |------ In Order: => state = PSA_PAKE_INPUT_X1_X2 + * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE + * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC + * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF + * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE + * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC + * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF + * | | | => state = PSA_PAKE_STATE_READY + * | | | => sequence = PSA_PAKE_SEQ_INVALID + * | | | => Output Step = PSA_PAKE_INPUT_X4S + * | + * |--- In any order: (Second round input before or after second round output) + * | | + * | |------ In Order: => state = PSA_PAKE_OUTPUT_X2S + * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE + * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC + * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF + * | | | => state = PSA_PAKE_STATE_READY + * | | | => sequence = PSA_PAKE_SEQ_INVALID + * | | | => Output Step = PSA_PAKE_STEP_DERIVE + * | | + * | |------ In Order: => state = PSA_PAKE_INPUT_X4S + * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE + * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC + * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF + * | | | => state = PSA_PAKE_STATE_READY + * | | | => sequence = PSA_PAKE_SEQ_INVALID + * | | | => Output Step = PSA_PAKE_STEP_DERIVE + * | + * psa_pake_get_implicit_key() + * => Input & Output Step = PSA_PAKE_STEP_INVALID + */ +enum psa_pake_sequence +{ + PSA_PAKE_SEQ_INVALID = 0, + PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */ + PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */ + PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */ + PSA_PAKE_X2_STEP_KEY_SHARE = 4, + PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, + PSA_PAKE_X2_STEP_ZK_PROOF = 6, + PSA_PAKE_SEQ_END = 7, +}; + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +static psa_status_t mbedtls_ecjpake_to_psa_error( int ret ) +{ + switch( ret ) + { + case MBEDTLS_ERR_MPI_BAD_INPUT_DATA: + case MBEDTLS_ERR_ECP_BAD_INPUT_DATA: + case MBEDTLS_ERR_ECP_INVALID_KEY: + case MBEDTLS_ERR_ECP_VERIFY_FAILED: + return( PSA_ERROR_DATA_INVALID ); + case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL: + case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: + return( PSA_ERROR_BUFFER_TOO_SMALL ); + case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: + return( PSA_ERROR_NOT_SUPPORTED ); + case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED: + return( PSA_ERROR_CORRUPTION_DETECTED ); + default: + return( PSA_ERROR_GENERIC_ERROR ); + } +} +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) +psa_status_t psa_pake_setup( psa_pake_operation_t *operation, + const psa_pake_cipher_suite_t *cipher_suite) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + /* A context must be freshly initialized before it can be set up. */ + if( operation->alg != PSA_ALG_NONE ) + { + status = PSA_ERROR_BAD_STATE; + goto error; + } + + if( cipher_suite == NULL || + PSA_ALG_IS_PAKE(cipher_suite->algorithm ) == 0 || + ( cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && + cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH ) || + PSA_ALG_IS_HASH( cipher_suite->hash ) == 0 ) + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + if( cipher_suite->algorithm == PSA_ALG_JPAKE ) + { + if( cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC || + cipher_suite->family != PSA_ECC_FAMILY_SECP_R1 || + cipher_suite->bits != 256 || + cipher_suite->hash != PSA_ALG_SHA_256 ) + { + status = PSA_ERROR_NOT_SUPPORTED; + goto error; + } + + operation->alg = cipher_suite->algorithm; + + mbedtls_ecjpake_init( &operation->ctx.ecjpake ); + + operation->state = PSA_PAKE_STATE_SETUP; + operation->sequence = PSA_PAKE_SEQ_INVALID; + operation->input_step = PSA_PAKE_STEP_X1_X2; + operation->output_step = PSA_PAKE_STEP_X1_X2; + + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); + operation->buffer_length = 0; + operation->buffer_offset = 0; + + return( PSA_SUCCESS ); + } + else +#endif + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_pake_abort( operation ); + return status; +} + +psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_attributes_t attributes = psa_key_attributes_init(); + psa_key_type_t type; + psa_key_usage_t usage; + psa_key_slot_t *slot = NULL; + + if( operation->alg == PSA_ALG_NONE || + operation->state != PSA_PAKE_STATE_SETUP ) + { + status = PSA_ERROR_BAD_STATE; + goto error; + } + + status = psa_get_key_attributes( password, &attributes ); + if( status != PSA_SUCCESS ) + goto error; + + type = psa_get_key_type( &attributes ); + usage = psa_get_key_usage_flags( &attributes ); + + psa_reset_key_attributes( &attributes ); + + if( type != PSA_KEY_TYPE_PASSWORD && + type != PSA_KEY_TYPE_PASSWORD_HASH ) + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } + + if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 ) { + status = PSA_ERROR_NOT_PERMITTED; + goto error; + } + + if( operation->password != NULL ) + return( PSA_ERROR_BAD_STATE ); + + status = psa_get_and_lock_key_slot_with_policy( password, &slot, + PSA_KEY_USAGE_DERIVE, + PSA_ALG_JPAKE ); + if( status != PSA_SUCCESS ) + return( status ); + + operation->password = mbedtls_calloc( 1, slot->key.bytes ); + if( operation->password == NULL ) + { + psa_unlock_key_slot( slot ); + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + } + memcpy( operation->password, slot->key.data, slot->key.bytes ); + operation->password_len = slot->key.bytes; + + status = psa_unlock_key_slot( slot ); + if( status != PSA_SUCCESS ) + return( status ); + + return( PSA_SUCCESS ); + +error: + psa_pake_abort(operation); + return( status ); +} + +psa_status_t psa_pake_set_user( psa_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( operation->alg == PSA_ALG_NONE || + operation->state != PSA_PAKE_STATE_SETUP ) + { + status = PSA_ERROR_BAD_STATE; + goto error; + } + + if( user_id_len == 0 || user_id == NULL ) + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } + + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_pake_abort(operation); + return( status ); +} + +psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( operation->alg == PSA_ALG_NONE || + operation->state != PSA_PAKE_STATE_SETUP ) + { + status = PSA_ERROR_BAD_STATE; + goto error; + } + + if( peer_id_len == 0 || peer_id == NULL ) + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } + + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_pake_abort(operation); + return( status ); +} + +psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, + psa_pake_role_t role ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( operation->alg == PSA_ALG_NONE || + operation->state != PSA_PAKE_STATE_SETUP ) + { + status = PSA_ERROR_BAD_STATE; + goto error; + } + + if( role != PSA_PAKE_ROLE_NONE && + role != PSA_PAKE_ROLE_FIRST && + role != PSA_PAKE_ROLE_SECOND && + role != PSA_PAKE_ROLE_CLIENT && + role != PSA_PAKE_ROLE_SERVER ) + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + if( operation->alg == PSA_ALG_JPAKE ) + { + if( role != PSA_PAKE_ROLE_CLIENT && + role != PSA_PAKE_ROLE_SERVER ) + return( PSA_ERROR_NOT_SUPPORTED ); + + operation->role = role; + + return( PSA_SUCCESS ); + } + else +#endif + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_pake_abort(operation); + return( status ); +} + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ecjpake_role role; + + if( operation->role == PSA_PAKE_ROLE_CLIENT ) + role = MBEDTLS_ECJPAKE_CLIENT; + else if( operation->role == PSA_PAKE_ROLE_SERVER ) + role = MBEDTLS_ECJPAKE_SERVER; + else + return( PSA_ERROR_BAD_STATE ); + + if( operation->password_len == 0 ) + return( PSA_ERROR_BAD_STATE ); + + ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake, + role, + MBEDTLS_MD_SHA256, + MBEDTLS_ECP_DP_SECP256R1, + operation->password, + operation->password_len ); + + mbedtls_platform_zeroize( operation->password, operation->password_len ); + mbedtls_free( operation->password ); + operation->password = NULL; + operation->password_len = 0; + + if( ret != 0 ) + return( mbedtls_ecjpake_to_psa_error( ret ) ); + + operation->state = PSA_PAKE_STATE_READY; + + return( PSA_SUCCESS ); +} +#endif + +static psa_status_t psa_pake_output_internal( + psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t length; + + if( operation->alg == PSA_ALG_NONE || + operation->state == PSA_PAKE_STATE_INVALID ) + return( PSA_ERROR_BAD_STATE ); + + if( output == NULL || output_size == 0 || output_length == NULL ) + return( PSA_ERROR_INVALID_ARGUMENT ); + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + /* + * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different + * handling of output sequencing. + * + * The MbedTLS JPAKE API outputs the whole X1+X2 and X2S steps data + * at once, on the other side the PSA CRYPTO PAKE api requires + * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be + * retrieved in sequence. + * + * In order to achieve API compatibility, the whole X1+X2 or X2S steps + * data is stored in an intermediate buffer at first step output call, + * and data is sliced down by parsing the ECPoint records in order + * to return the right parts on each step. + */ + if( operation->alg == PSA_ALG_JPAKE ) + { + if( step != PSA_PAKE_STEP_KEY_SHARE && + step != PSA_PAKE_STEP_ZK_PUBLIC && + step != PSA_PAKE_STEP_ZK_PROOF ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + if( operation->state == PSA_PAKE_STATE_SETUP ) { + status = psa_pake_ecjpake_setup( operation ); + if( status != PSA_SUCCESS ) + return( status ); + } + + if( operation->state != PSA_PAKE_STATE_READY && + operation->state != PSA_PAKE_OUTPUT_X1_X2 && + operation->state != PSA_PAKE_OUTPUT_X2S ) + { + return( PSA_ERROR_BAD_STATE ); + } + + if( operation->state == PSA_PAKE_STATE_READY ) + { + if( step != PSA_PAKE_STEP_KEY_SHARE ) + return( PSA_ERROR_BAD_STATE ); + + switch( operation->output_step ) + { + case PSA_PAKE_STEP_X1_X2: + operation->state = PSA_PAKE_OUTPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + operation->state = PSA_PAKE_OUTPUT_X2S; + break; + default: + return( PSA_ERROR_BAD_STATE ); + } + + operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch( operation->sequence ) + { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if( step != PSA_PAKE_STEP_KEY_SHARE ) + return( PSA_ERROR_BAD_STATE ); + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if( step != PSA_PAKE_STEP_ZK_PUBLIC ) + return( PSA_ERROR_BAD_STATE ); + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if( step != PSA_PAKE_STEP_ZK_PROOF ) + return( PSA_ERROR_BAD_STATE ); + break; + + default: + return( PSA_ERROR_BAD_STATE ); + } + + /* Initialize & write round on KEY_SHARE sequences */ + if( operation->state == PSA_PAKE_OUTPUT_X1_X2 && + operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE ) + { + ret = mbedtls_ecjpake_write_round_one( &operation->ctx.ecjpake, + operation->buffer, + MBEDTLS_PSA_PAKE_BUFFER_SIZE, + &operation->buffer_length, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE ); + if( ret != 0 ) + return( mbedtls_ecjpake_to_psa_error( ret ) ); + + operation->buffer_offset = 0; + } + else if( operation->state == PSA_PAKE_OUTPUT_X2S && + operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE ) + { + ret = mbedtls_ecjpake_write_round_two( &operation->ctx.ecjpake, + operation->buffer, + MBEDTLS_PSA_PAKE_BUFFER_SIZE, + &operation->buffer_length, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE ); + if( ret != 0 ) + return( mbedtls_ecjpake_to_psa_error( ret ) ); + + operation->buffer_offset = 0; + } + + /* + * mbedtls_ecjpake_write_round_xxx() outputs thing in the format + * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is + * that the data for each step is prepended with a length byte, and + * then they're concatenated. Additionally, the server's second round + * output is prepended with a 3-bytes ECParameters structure. + * + * In PSA, we output each step separately, and don't prepend the + * output with a length byte, even less a curve identifier, as that + * information is already available. + */ + if( operation->state == PSA_PAKE_OUTPUT_X2S && + operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + operation->role == PSA_PAKE_ROLE_SERVER ) + { + /* Skip ECParameters, with is 3 bytes (RFC 8422) */ + operation->buffer_offset += 3; + } + + /* Read the length byte then move past it to the data */ + length = operation->buffer[operation->buffer_offset]; + operation->buffer_offset += 1; + + if( operation->buffer_offset + length > operation->buffer_length ) + return( PSA_ERROR_DATA_CORRUPT ); + + if( output_size < length ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + + memcpy( output, + operation->buffer + operation->buffer_offset, + length ); + *output_length = length; + + operation->buffer_offset += length; + + /* Reset buffer after ZK_PROOF sequence */ + if( ( operation->state == PSA_PAKE_OUTPUT_X1_X2 && + operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) || + ( operation->state == PSA_PAKE_OUTPUT_X2S && + operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) ) + { + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); + operation->buffer_length = 0; + operation->buffer_offset = 0; + + operation->state = PSA_PAKE_STATE_READY; + operation->output_step++; + operation->sequence = PSA_PAKE_SEQ_INVALID; + } + else + operation->sequence++; + + return( PSA_SUCCESS ); + } + else +#endif + return( PSA_ERROR_NOT_SUPPORTED ); +} + +psa_status_t psa_pake_output( psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length ) +{ + psa_status_t status = psa_pake_output_internal( + operation, step, output, output_size, output_length ); + + if( status != PSA_SUCCESS ) + psa_pake_abort( operation ); + + return( status ); +} + +static psa_status_t psa_pake_input_internal( + psa_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( operation->alg == PSA_ALG_NONE || + operation->state == PSA_PAKE_STATE_INVALID ) + return( PSA_ERROR_BAD_STATE ); + + if( input == NULL || input_length == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + /* + * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different + * handling of input sequencing. + * + * The MbedTLS JPAKE API takes the whole X1+X2 or X4S steps data + * at once as input, on the other side the PSA CRYPTO PAKE api requires + * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be + * given in sequence. + * + * In order to achieve API compatibility, each X1+X2 or X4S step data + * is stored sequentially in an intermediate buffer and given to the + * MbedTLS JPAKE API on the last step. + * + * This causes any input error to be only detected on the last step. + */ + if( operation->alg == PSA_ALG_JPAKE ) + { + if( step != PSA_PAKE_STEP_KEY_SHARE && + step != PSA_PAKE_STEP_ZK_PUBLIC && + step != PSA_PAKE_STEP_ZK_PROOF ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256 ); + if( input_length > (size_t) PSA_PAKE_INPUT_SIZE( PSA_ALG_JPAKE, prim, step ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + if( operation->state == PSA_PAKE_STATE_SETUP ) + { + status = psa_pake_ecjpake_setup( operation ); + if( status != PSA_SUCCESS ) + return( status ); + } + + if( operation->state != PSA_PAKE_STATE_READY && + operation->state != PSA_PAKE_INPUT_X1_X2 && + operation->state != PSA_PAKE_INPUT_X4S ) + { + return( PSA_ERROR_BAD_STATE ); + } + + if( operation->state == PSA_PAKE_STATE_READY ) + { + if( step != PSA_PAKE_STEP_KEY_SHARE ) + return( PSA_ERROR_BAD_STATE ); + + switch( operation->input_step ) + { + case PSA_PAKE_STEP_X1_X2: + operation->state = PSA_PAKE_INPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + operation->state = PSA_PAKE_INPUT_X4S; + break; + default: + return( PSA_ERROR_BAD_STATE ); + } + + operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch( operation->sequence ) + { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if( step != PSA_PAKE_STEP_KEY_SHARE ) + return( PSA_ERROR_BAD_STATE ); + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if( step != PSA_PAKE_STEP_ZK_PUBLIC ) + return( PSA_ERROR_BAD_STATE ); + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if( step != PSA_PAKE_STEP_ZK_PROOF ) + return( PSA_ERROR_BAD_STATE ); + break; + + default: + return( PSA_ERROR_BAD_STATE ); + } + + /* + * Copy input to local buffer and format it as the Mbed TLS API + * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. + * The summary is that the data for each step is prepended with a + * length byte, and then they're concatenated. Additionally, the + * server's second round output is prepended with a 3-bytes + * ECParameters structure - which means we have to prepend that when + * we're a client. + */ + if( operation->state == PSA_PAKE_INPUT_X4S && + operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + operation->role == PSA_PAKE_ROLE_CLIENT ) + { + /* We only support secp256r1. */ + /* This is the ECParameters structure defined by RFC 8422. */ + unsigned char ecparameters[3] = { + 3, /* named_curve */ + 0, 23 /* secp256r1 */ + }; + memcpy( operation->buffer + operation->buffer_length, + ecparameters, sizeof( ecparameters ) ); + operation->buffer_length += sizeof( ecparameters ); + } + + /* Write the length byte */ + operation->buffer[operation->buffer_length] = (uint8_t) input_length; + operation->buffer_length += 1; + + /* Finally copy the data */ + memcpy( operation->buffer + operation->buffer_length, + input, input_length ); + operation->buffer_length += input_length; + + /* Load buffer at each last round ZK_PROOF */ + if( operation->state == PSA_PAKE_INPUT_X1_X2 && + operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) + { + ret = mbedtls_ecjpake_read_round_one( &operation->ctx.ecjpake, + operation->buffer, + operation->buffer_length ); + + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); + operation->buffer_length = 0; + + if( ret != 0 ) + return( mbedtls_ecjpake_to_psa_error( ret ) ); + } + else if( operation->state == PSA_PAKE_INPUT_X4S && + operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) + { + ret = mbedtls_ecjpake_read_round_two( &operation->ctx.ecjpake, + operation->buffer, + operation->buffer_length ); + + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); + operation->buffer_length = 0; + + if( ret != 0 ) + return( mbedtls_ecjpake_to_psa_error( ret ) ); + } + + if( ( operation->state == PSA_PAKE_INPUT_X1_X2 && + operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) || + ( operation->state == PSA_PAKE_INPUT_X4S && + operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) ) + { + operation->state = PSA_PAKE_STATE_READY; + operation->input_step++; + operation->sequence = PSA_PAKE_SEQ_INVALID; + } + else + operation->sequence++; + + return( PSA_SUCCESS ); + } + else +#endif + return( PSA_ERROR_NOT_SUPPORTED ); +} + +psa_status_t psa_pake_input( psa_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length ) +{ + psa_status_t status = psa_pake_input_internal( + operation, step, input, input_length ); + + if( status != PSA_SUCCESS ) + psa_pake_abort( operation ); + + return( status ); +} + +psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, + psa_key_derivation_operation_t *output) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( operation->alg == PSA_ALG_NONE || + operation->state != PSA_PAKE_STATE_READY || + operation->input_step != PSA_PAKE_STEP_DERIVE || + operation->output_step != PSA_PAKE_STEP_DERIVE ) + { + status = PSA_ERROR_BAD_STATE; + goto error; + } + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + if( operation->alg == PSA_ALG_JPAKE ) + { + ret = mbedtls_ecjpake_write_shared_key( &operation->ctx.ecjpake, + operation->buffer, + MBEDTLS_PSA_PAKE_BUFFER_SIZE, + &operation->buffer_length, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE ); + if( ret != 0) + { + psa_pake_abort( operation ); + return( mbedtls_ecjpake_to_psa_error( ret ) ); + } + + status = psa_key_derivation_input_bytes( output, + PSA_KEY_DERIVATION_INPUT_SECRET, + operation->buffer, + operation->buffer_length ); + + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); + + psa_pake_abort( operation ); + + return( status ); + } + else +#endif + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_key_derivation_abort( output ); + psa_pake_abort( operation ); + + return( status ); +} + +psa_status_t psa_pake_abort(psa_pake_operation_t * operation) +{ + if( operation->alg == PSA_ALG_NONE ) + { + return( PSA_SUCCESS ); + } + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + if( operation->alg == PSA_ALG_JPAKE ) + { + operation->input_step = PSA_PAKE_STEP_INVALID; + operation->output_step = PSA_PAKE_STEP_INVALID; + if( operation->password_len > 0 ) + mbedtls_platform_zeroize( operation->password, operation->password_len ); + mbedtls_free( operation->password ); + operation->password = NULL; + operation->password_len = 0; + operation->role = PSA_PAKE_ROLE_NONE; + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); + operation->buffer_length = 0; + operation->buffer_offset = 0; + mbedtls_ecjpake_free( &operation->ctx.ecjpake ); + } +#endif + + operation->alg = PSA_ALG_NONE; + operation->state = PSA_PAKE_STATE_INVALID; + operation->sequence = PSA_PAKE_SEQ_INVALID; + + return( PSA_SUCCESS ); +} + +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + +#endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/thirdparty/mbedtls/library/psa_crypto_rsa.c b/thirdparty/mbedtls/library/psa_crypto_rsa.c index 68f4bf16dca07e..f1b9809d8bc1f5 100644 --- a/thirdparty/mbedtls/library/psa_crypto_rsa.c +++ b/thirdparty/mbedtls/library/psa_crypto_rsa.c @@ -32,15 +32,12 @@ #include #include #include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include #include #include #include "pk_wrap.h" +#include "hash_info.h" #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ @@ -326,8 +323,7 @@ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, mbedtls_md_type_t *md_alg ) { psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg ); - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg ); - *md_alg = mbedtls_md_get_type( md_info ); + *md_alg = mbedtls_hash_info_md_from_psa( hash_alg ); /* The Mbed TLS RSA module uses an unsigned int for hash length * parameters. Validate that it fits so that we don't risk an @@ -340,9 +336,9 @@ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, /* For signatures using a hash, the hash length must be correct. */ if( alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW ) { - if( md_info == NULL ) + if( *md_alg == MBEDTLS_MD_NONE ) return( PSA_ERROR_NOT_SUPPORTED ); - if( mbedtls_md_get_size( md_info ) != hash_length ) + if( mbedtls_hash_info_get_size( *md_alg ) != hash_length ) return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -543,8 +539,7 @@ static int psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg, mbedtls_rsa_context *rsa ) { psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH( alg ); - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg ); - mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info ); + mbedtls_md_type_t md_alg = mbedtls_hash_info_md_from_psa( hash_alg ); return( mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ) ); } diff --git a/thirdparty/mbedtls/library/psa_crypto_se.c b/thirdparty/mbedtls/library/psa_crypto_se.c index 56678d6a90e599..87d2634e7382f9 100644 --- a/thirdparty/mbedtls/library/psa_crypto_se.c +++ b/thirdparty/mbedtls/library/psa_crypto_se.c @@ -38,10 +38,6 @@ #endif #include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif diff --git a/thirdparty/mbedtls/library/psa_crypto_se.h b/thirdparty/mbedtls/library/psa_crypto_se.h index 549dfb69e20c16..693c3ead513a58 100644 --- a/thirdparty/mbedtls/library/psa_crypto_se.h +++ b/thirdparty/mbedtls/library/psa_crypto_se.h @@ -139,7 +139,7 @@ psa_status_t psa_find_se_slot_for_key( psa_se_drv_table_entry_t *driver, psa_key_slot_number_t *slot_number ); -/** Destoy a key in a secure element. +/** Destroy a key in a secure element. * * This function calls the relevant driver method to destroy a key * and updates the driver's persistent data. diff --git a/thirdparty/mbedtls/library/psa_crypto_slot_management.c b/thirdparty/mbedtls/library/psa_crypto_slot_management.c index a18350ee117f51..9dceaac6d4595d 100644 --- a/thirdparty/mbedtls/library/psa_crypto_slot_management.c +++ b/thirdparty/mbedtls/library/psa_crypto_slot_management.c @@ -34,12 +34,7 @@ #include #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) ) diff --git a/thirdparty/mbedtls/library/psa_crypto_storage.c b/thirdparty/mbedtls/library/psa_crypto_storage.c index db7786d6c781e5..3186a36855d4eb 100644 --- a/thirdparty/mbedtls/library/psa_crypto_storage.c +++ b/thirdparty/mbedtls/library/psa_crypto_storage.c @@ -36,13 +36,7 @@ #include "psa/internal_trusted_storage.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif diff --git a/thirdparty/mbedtls/library/psa_its_file.c b/thirdparty/mbedtls/library/psa_its_file.c index b7c2e6b0406372..a35ac2494df753 100644 --- a/thirdparty/mbedtls/library/psa_its_file.c +++ b/thirdparty/mbedtls/library/psa_its_file.c @@ -22,11 +22,7 @@ #if defined(MBEDTLS_PSA_ITS_FILE_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#define mbedtls_snprintf snprintf -#endif #if defined(_WIN32) #include diff --git a/thirdparty/mbedtls/library/ripemd160.c b/thirdparty/mbedtls/library/ripemd160.c index 41d838722627a4..6212cb2572df09 100644 --- a/thirdparty/mbedtls/library/ripemd160.c +++ b/thirdparty/mbedtls/library/ripemd160.c @@ -33,14 +33,7 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if !defined(MBEDTLS_RIPEMD160_ALT) diff --git a/thirdparty/mbedtls/library/rsa.c b/thirdparty/mbedtls/library/rsa.c index e95768f1ddc885..ae9e68b91ac89c 100644 --- a/thirdparty/mbedtls/library/rsa.c +++ b/thirdparty/mbedtls/library/rsa.c @@ -46,6 +46,7 @@ #include "mbedtls/error.h" #include "constant_time_internal.h" #include "mbedtls/constant_time.h" +#include "hash_info.h" #include @@ -53,30 +54,25 @@ #include #endif -#if defined(MBEDTLS_PLATFORM_C) +/* We use MD first if it's available (for compatibility reasons) + * and "fall back" to PSA otherwise (which needs psa_crypto_init()). */ +#if defined(MBEDTLS_PKCS1_V21) +#if !defined(MBEDTLS_MD_C) +#include "psa/crypto.h" +#include "mbedtls/psa_util.h" +#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PKCS1_V21 */ + #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #if !defined(MBEDTLS_RSA_ALT) -/* Parameter validation macros */ -#define RSA_VALIDATE_RET( cond ) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) -#define RSA_VALIDATE( cond ) \ - MBEDTLS_INTERNAL_VALIDATE( cond ) - int mbedtls_rsa_import( mbedtls_rsa_context *ctx, const mbedtls_mpi *N, const mbedtls_mpi *P, const mbedtls_mpi *Q, const mbedtls_mpi *D, const mbedtls_mpi *E ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - RSA_VALIDATE_RET( ctx != NULL ); if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) || ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) || @@ -101,7 +97,6 @@ int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, unsigned char const *E, size_t E_len ) { int ret = 0; - RSA_VALIDATE_RET( ctx != NULL ); if( N != NULL ) { @@ -231,8 +226,6 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) #endif int n_missing, pq_missing, d_missing, is_pub, is_priv; - RSA_VALIDATE_RET( ctx != NULL ); - have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 ); have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 ); have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 ); @@ -335,7 +328,6 @@ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, { int ret = 0; int is_priv; - RSA_VALIDATE_RET( ctx != NULL ); /* Check if key is private or public */ is_priv = @@ -380,7 +372,6 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int is_priv; - RSA_VALIDATE_RET( ctx != NULL ); /* Check if key is private or public */ is_priv = @@ -424,7 +415,6 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int is_priv; - RSA_VALIDATE_RET( ctx != NULL ); /* Check if key is private or public */ is_priv = @@ -461,8 +451,6 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, */ void mbedtls_rsa_init( mbedtls_rsa_context *ctx ) { - RSA_VALIDATE( ctx != NULL ); - memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); ctx->padding = MBEDTLS_RSA_PKCS_V15; @@ -497,15 +485,15 @@ int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, return( MBEDTLS_ERR_RSA_INVALID_PADDING ); } +#if defined(MBEDTLS_PKCS1_V21) if( ( padding == MBEDTLS_RSA_PKCS_V21 ) && ( hash_id != MBEDTLS_MD_NONE ) ) { - const mbedtls_md_info_t *md_info; - - md_info = mbedtls_md_info_from_type( hash_id ); - if( md_info == NULL ) + /* Just make sure this hash is supported in this build. */ + if( mbedtls_hash_info_psa_from_md( hash_id ) == PSA_ALG_NONE ) return( MBEDTLS_ERR_RSA_INVALID_PADDING ); } +#endif /* MBEDTLS_PKCS1_V21 */ ctx->padding = padding; ctx->hash_id = hash_id; @@ -539,8 +527,6 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi H, G, L; int prime_quality = 0; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( f_rng != NULL ); /* * If the modulus is 1024 bit long or shorter, then the security strength of @@ -653,8 +639,6 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, */ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) { - RSA_VALIDATE_RET( ctx != NULL ); - if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 ) return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); @@ -678,8 +662,6 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) */ int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) { - RSA_VALIDATE_RET( ctx != NULL ); - if( mbedtls_rsa_check_pubkey( ctx ) != 0 || rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 ) { @@ -709,9 +691,6 @@ int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ) { - RSA_VALIDATE_RET( pub != NULL ); - RSA_VALIDATE_RET( prv != NULL ); - if( mbedtls_rsa_check_pubkey( pub ) != 0 || mbedtls_rsa_check_privkey( prv ) != 0 ) { @@ -737,9 +716,6 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t olen; mbedtls_mpi T; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( input != NULL ); - RSA_VALIDATE_RET( output != NULL ); if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -907,10 +883,6 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * checked result; should be the same in the end. */ mbedtls_mpi I, C; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( input != NULL ); - RSA_VALIDATE_RET( output != NULL ); - if( f_rng == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1092,22 +1064,42 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * \param dlen length of destination buffer * \param src source of the mask generation * \param slen length of the source buffer - * \param md_ctx message digest context to use + * \param md_alg message digest to use */ static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, - size_t slen, mbedtls_md_context_t *md_ctx ) + size_t slen, mbedtls_md_type_t md_alg ) { - unsigned char mask[MBEDTLS_MD_MAX_SIZE]; unsigned char counter[4]; unsigned char *p; unsigned int hlen; size_t i, use_len; + unsigned char mask[MBEDTLS_HASH_MAX_SIZE]; +#if defined(MBEDTLS_MD_C) int ret = 0; + const mbedtls_md_info_t *md_info; + mbedtls_md_context_t md_ctx; - memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); - memset( counter, 0, 4 ); + mbedtls_md_init( &md_ctx ); + md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - hlen = mbedtls_md_get_size( md_ctx->md_info ); + mbedtls_md_init( &md_ctx ); + if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) + goto exit; + + hlen = mbedtls_md_get_size( md_info ); +#else + psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; + psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg ); + psa_status_t status = PSA_SUCCESS; + size_t out_len; + + hlen = PSA_HASH_LENGTH( alg ); +#endif + + memset( mask, 0, sizeof( mask ) ); + memset( counter, 0, 4 ); /* Generate and apply dbMask */ p = dst; @@ -1118,14 +1110,26 @@ static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, if( dlen < hlen ) use_len = dlen; - if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 ) +#if defined(MBEDTLS_MD_C) + if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 ) + if( ( ret = mbedtls_md_update( &md_ctx, src, slen ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 ) + if( ( ret = mbedtls_md_update( &md_ctx, counter, 4 ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 ) + if( ( ret = mbedtls_md_finish( &md_ctx, mask ) ) != 0 ) goto exit; +#else + if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS ) + goto exit; + if( ( status = psa_hash_update( &op, src, slen ) ) != PSA_SUCCESS ) + goto exit; + if( ( status = psa_hash_update( &op, counter, 4 ) ) != PSA_SUCCESS ) + goto exit; + status = psa_hash_finish( &op, mask, sizeof( mask ), &out_len ); + if( status != PSA_SUCCESS ) + goto exit; +#endif for( i = 0; i < use_len; ++i ) *p++ ^= mask[i]; @@ -1137,8 +1141,115 @@ static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, exit: mbedtls_platform_zeroize( mask, sizeof( mask ) ); +#if defined(MBEDTLS_MD_C) + mbedtls_md_free( &md_ctx ); return( ret ); +#else + psa_hash_abort( &op ); + + return( mbedtls_md_error_from_psa( status ) ); +#endif +} + +/** + * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6. + * + * \param hash the input hash + * \param hlen length of the input hash + * \param salt the input salt + * \param slen length of the input salt + * \param out the output buffer - must be large enough for \p md_alg + * \param md_alg message digest to use + */ +static int hash_mprime( const unsigned char *hash, size_t hlen, + const unsigned char *salt, size_t slen, + unsigned char *out, mbedtls_md_type_t md_alg ) +{ + const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; + +#if defined(MBEDTLS_MD_C) + mbedtls_md_context_t md_ctx; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + mbedtls_md_init( &md_ctx ); + if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, zeros, sizeof( zeros ) ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, hash, hlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_finish( &md_ctx, out ) ) != 0 ) + goto exit; + +exit: + mbedtls_md_free( &md_ctx ); + + return( ret ); +#else + psa_hash_operation_t op = PSA_HASH_OPERATION_INIT; + psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg ); + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED ; + size_t out_size = PSA_HASH_LENGTH( alg ); + size_t out_len; + + if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS ) + goto exit; + if( ( status = psa_hash_update( &op, zeros, sizeof( zeros ) ) ) != PSA_SUCCESS ) + goto exit; + if( ( status = psa_hash_update( &op, hash, hlen ) ) != PSA_SUCCESS ) + goto exit; + if( ( status = psa_hash_update( &op, salt, slen ) ) != PSA_SUCCESS ) + goto exit; + status = psa_hash_finish( &op, out, out_size, &out_len ); + if( status != PSA_SUCCESS ) + goto exit; + +exit: + psa_hash_abort( &op ); + + return( mbedtls_md_error_from_psa( status ) ); +#endif /* !MBEDTLS_MD_C */ +} + +/** + * Compute a hash. + * + * \param md_alg algorithm to use + * \param input input message to hash + * \param ilen input length + * \param output the output buffer - must be large enough for \p md_alg + */ +static int compute_hash( mbedtls_md_type_t md_alg, + const unsigned char *input, size_t ilen, + unsigned char *output ) +{ +#if defined(MBEDTLS_MD_C) + const mbedtls_md_info_t *md_info; + + md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + return( mbedtls_md( md_info, input, ilen, output ) ); +#else + psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg ); + psa_status_t status; + size_t out_size = PSA_HASH_LENGTH( alg ); + size_t out_len; + + status = psa_hash_compute( alg, input, ilen, output, out_size, &out_len ); + + return( mbedtls_md_error_from_psa( status ) ); +#endif /* !MBEDTLS_MD_C */ } #endif /* MBEDTLS_PKCS1_V21 */ @@ -1158,23 +1269,15 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = output; unsigned int hlen; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( output != NULL ); - RSA_VALIDATE_RET( ilen == 0 || input != NULL ); - RSA_VALIDATE_RET( label_len == 0 || label != NULL ); if( f_rng == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); - if( md_info == NULL ) + hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id ); + if( hlen == 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); olen = ctx->len; - hlen = mbedtls_md_get_size( md_info ); /* first comparison checks for overflow */ if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) @@ -1191,7 +1294,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, p += hlen; /* Construct DB */ - if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 ) + ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id, label, label_len, p ); + if( ret != 0 ) return( ret ); p += hlen; p += olen - 2 * hlen - 2 - ilen; @@ -1199,24 +1303,14 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, if( ilen != 0 ) memcpy( p, input, ilen ); - mbedtls_md_init( &md_ctx ); - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - goto exit; - /* maskedDB: Apply dbMask to DB */ if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, - &md_ctx ) ) != 0 ) - goto exit; + ctx->hash_id ) ) != 0 ) + return( ret ); /* maskedSeed: Apply seedMask to seed */ if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, - &md_ctx ) ) != 0 ) - goto exit; - -exit: - mbedtls_md_free( &md_ctx ); - - if( ret != 0 ) + ctx->hash_id ) ) != 0 ) return( ret ); return( mbedtls_rsa_public( ctx, output, output ) ); @@ -1237,10 +1331,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = output; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( output != NULL ); - RSA_VALIDATE_RET( ilen == 0 || input != NULL ); - olen = ctx->len; /* first comparison checks for overflow */ @@ -1289,10 +1379,6 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, const unsigned char *input, unsigned char *output ) { - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( output != NULL ); - RSA_VALIDATE_RET( ilen == 0 || input != NULL ); - switch( ctx->padding ) { #if defined(MBEDTLS_PKCS1_V15) @@ -1329,16 +1415,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, size_t ilen, i, pad_len; unsigned char *p, bad, pad_done; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; - unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; + unsigned char lhash[MBEDTLS_HASH_MAX_SIZE]; unsigned int hlen; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); - RSA_VALIDATE_RET( label_len == 0 || label != NULL ); - RSA_VALIDATE_RET( input != NULL ); - RSA_VALIDATE_RET( olen != NULL ); /* * Parameters sanity checks @@ -1351,12 +1429,10 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, if( ilen < 16 || ilen > sizeof( buf ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); - if( md_info == NULL ) + hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id ); + if( hlen == 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - hlen = mbedtls_md_get_size( md_info ); - // checking for integer underflow if( 2 * hlen + 2 > ilen ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1372,28 +1448,20 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, /* * Unmask data and generate lHash */ - mbedtls_md_init( &md_ctx ); - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { - mbedtls_md_free( &md_ctx ); - goto cleanup; - } - /* seed: Apply seedMask to maskedSeed */ if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, - &md_ctx ) ) != 0 || + ctx->hash_id ) ) != 0 || /* DB: Apply dbMask to maskedDB */ ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, - &md_ctx ) ) != 0 ) + ctx->hash_id ) ) != 0 ) { - mbedtls_md_free( &md_ctx ); goto cleanup; } - mbedtls_md_free( &md_ctx ); - /* Generate lHash */ - if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 ) + ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id, + label, label_len, lhash ); + if( ret != 0 ) goto cleanup; /* @@ -1470,11 +1538,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, size_t ilen; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); - RSA_VALIDATE_RET( input != NULL ); - RSA_VALIDATE_RET( olen != NULL ); - ilen = ctx->len; if( ctx->padding != MBEDTLS_RSA_PKCS_V15 ) @@ -1509,11 +1572,6 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, unsigned char *output, size_t output_max_len) { - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); - RSA_VALIDATE_RET( input != NULL ); - RSA_VALIDATE_RET( olen != NULL ); - switch( ctx->padding ) { #if defined(MBEDTLS_PKCS1_V15) @@ -1550,13 +1608,9 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, size_t slen, min_slen, hlen, offset = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t msb; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && - hashlen == 0 ) || - hash != NULL ); - RSA_VALIDATE_RET( sig != NULL ); + + if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; if( ctx->padding != MBEDTLS_RSA_PKCS_V21 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1569,20 +1623,18 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, if( md_alg != MBEDTLS_MD_NONE ) { /* Gather length of hash to sign */ - md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) + size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg ); + if( exp_hashlen == 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - if( hashlen != mbedtls_md_get_size( md_info ) ) + if( hashlen != exp_hashlen ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); } - md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); - if( md_info == NULL ) + hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id ); + if( hlen == 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - hlen = mbedtls_md_get_size( md_info ); - if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) { /* Calculate the largest possible salt length, up to the hash size. @@ -1623,30 +1675,20 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, p += slen; - mbedtls_md_init( &md_ctx ); - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - goto exit; - /* Generate H = Hash( M' ) */ - if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) - goto exit; - if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 ) - goto exit; - if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) - goto exit; - if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) - goto exit; - if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 ) - goto exit; + ret = hash_mprime( hash, hashlen, salt, slen, p, ctx->hash_id ); + if( ret != 0 ) + return( ret ); /* Compensate for boundary condition when applying mask */ if( msb % 8 == 0 ) offset = 1; /* maskedDB: Apply dbMask to DB */ - if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, - &md_ctx ) ) != 0 ) - goto exit; + ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, + ctx->hash_id ); + if( ret != 0 ) + return( ret ); msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; sig[0] &= 0xFF >> ( olen * 8 - msb ); @@ -1654,12 +1696,6 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, p += hlen; *p++ = 0xBC; -exit: - mbedtls_md_free( &md_ctx ); - - if( ret != 0 ) - return( ret ); - return mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ); } @@ -1733,14 +1769,14 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, /* Are we signing hashed or raw data? */ if( md_alg != MBEDTLS_MD_NONE ) { - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) + unsigned char md_size = mbedtls_hash_info_get_size( md_alg ); + if( md_size == 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - if( hashlen != mbedtls_md_get_size( md_info ) ) + if( hashlen != md_size ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); /* Double-check that 8 + hashlen + oid_size can be used as a @@ -1846,11 +1882,8 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *sig_try = NULL, *verif = NULL; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && - hashlen == 0 ) || - hash != NULL ); - RSA_VALIDATE_RET( sig != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; if( ctx->padding != MBEDTLS_RSA_PKCS_V15 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1914,11 +1947,8 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, const unsigned char *hash, unsigned char *sig ) { - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && - hashlen == 0 ) || - hash != NULL ); - RSA_VALIDATE_RET( sig != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; switch( ctx->padding ) { @@ -1955,19 +1985,13 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, size_t siglen; unsigned char *p; unsigned char *hash_start; - unsigned char result[MBEDTLS_MD_MAX_SIZE]; - unsigned char zeros[8]; + unsigned char result[MBEDTLS_HASH_MAX_SIZE]; unsigned int hlen; size_t observed_salt_len, msb; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = {0}; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( sig != NULL ); - RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && - hashlen == 0 ) || - hash != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; siglen = ctx->len; @@ -1987,22 +2011,18 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, if( md_alg != MBEDTLS_MD_NONE ) { /* Gather length of hash to sign */ - md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) + size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg ); + if( exp_hashlen == 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - if( hashlen != mbedtls_md_get_size( md_info ) ) + if( hashlen != exp_hashlen ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); } - md_info = mbedtls_md_info_from_type( mgf1_hash_id ); - if( md_info == NULL ) + hlen = mbedtls_hash_info_get_size( mgf1_hash_id ); + if( hlen == 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - hlen = mbedtls_md_get_size( md_info ); - - memset( zeros, 0, 8 ); - /* * Note: EMSA-PSS verification is over the length of N - 1 bits */ @@ -2022,13 +2042,9 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); hash_start = p + siglen - hlen - 1; - mbedtls_md_init( &md_ctx ); - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - goto exit; - - ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); + ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id ); if( ret != 0 ) - goto exit; + return( ret ); buf[0] &= 0xFF >> ( siglen * 8 - msb ); @@ -2036,49 +2052,28 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, p++; if( *p++ != 0x01 ) - { - ret = MBEDTLS_ERR_RSA_INVALID_PADDING; - goto exit; - } + return( MBEDTLS_ERR_RSA_INVALID_PADDING ); observed_salt_len = hash_start - p; if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && observed_salt_len != (size_t) expected_salt_len ) { - ret = MBEDTLS_ERR_RSA_INVALID_PADDING; - goto exit; + return( MBEDTLS_ERR_RSA_INVALID_PADDING ); } /* * Generate H = Hash( M' ) */ - ret = mbedtls_md_starts( &md_ctx ); - if ( ret != 0 ) - goto exit; - ret = mbedtls_md_update( &md_ctx, zeros, 8 ); - if ( ret != 0 ) - goto exit; - ret = mbedtls_md_update( &md_ctx, hash, hashlen ); - if ( ret != 0 ) - goto exit; - ret = mbedtls_md_update( &md_ctx, p, observed_salt_len ); - if ( ret != 0 ) - goto exit; - ret = mbedtls_md_finish( &md_ctx, result ); - if ( ret != 0 ) - goto exit; + ret = hash_mprime( hash, hashlen, p, observed_salt_len, + result, mgf1_hash_id ); + if( ret != 0 ) + return( ret ); if( memcmp( hash_start, result, hlen ) != 0 ) - { - ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; - goto exit; - } - -exit: - mbedtls_md_free( &md_ctx ); + return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - return( ret ); + return( 0 ); } /* @@ -2091,11 +2086,8 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, const unsigned char *sig ) { mbedtls_md_type_t mgf1_hash_id; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( sig != NULL ); - RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && - hashlen == 0 ) || - hash != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) ? (mbedtls_md_type_t) ctx->hash_id @@ -2124,11 +2116,8 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, size_t sig_len; unsigned char *encoded = NULL, *encoded_expected = NULL; - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( sig != NULL ); - RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && - hashlen == 0 ) || - hash != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; sig_len = ctx->len; @@ -2193,11 +2182,8 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, const unsigned char *hash, const unsigned char *sig ) { - RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( sig != NULL ); - RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && - hashlen == 0 ) || - hash != NULL ); + if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; switch( ctx->padding ) { @@ -2224,8 +2210,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - RSA_VALIDATE_RET( dst != NULL ); - RSA_VALIDATE_RET( src != NULL ); dst->len = src->len; diff --git a/thirdparty/mbedtls/library/sha1.c b/thirdparty/mbedtls/library/sha1.c index 6fc9371231542d..5ae818a646a2e7 100644 --- a/thirdparty/mbedtls/library/sha1.c +++ b/thirdparty/mbedtls/library/sha1.c @@ -32,26 +32,12 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_printf printf -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ - -#define SHA1_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA1_BAD_INPUT_DATA ) - -#define SHA1_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond ) #if !defined(MBEDTLS_SHA1_ALT) void mbedtls_sha1_init( mbedtls_sha1_context *ctx ) { - SHA1_VALIDATE( ctx != NULL ); - memset( ctx, 0, sizeof( mbedtls_sha1_context ) ); } @@ -66,9 +52,6 @@ void mbedtls_sha1_free( mbedtls_sha1_context *ctx ) void mbedtls_sha1_clone( mbedtls_sha1_context *dst, const mbedtls_sha1_context *src ) { - SHA1_VALIDATE( dst != NULL ); - SHA1_VALIDATE( src != NULL ); - *dst = *src; } @@ -77,8 +60,6 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst, */ int mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) { - SHA1_VALIDATE_RET( ctx != NULL ); - ctx->total[0] = 0; ctx->total[1] = 0; @@ -100,9 +81,6 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, uint32_t temp, W[16], A, B, C, D, E; } local; - SHA1_VALIDATE_RET( ctx != NULL ); - SHA1_VALIDATE_RET( (const unsigned char *)data != NULL ); - local.W[ 0] = MBEDTLS_GET_UINT32_BE( data, 0 ); local.W[ 1] = MBEDTLS_GET_UINT32_BE( data, 4 ); local.W[ 2] = MBEDTLS_GET_UINT32_BE( data, 8 ); @@ -277,9 +255,6 @@ int mbedtls_sha1_update( mbedtls_sha1_context *ctx, size_t fill; uint32_t left; - SHA1_VALIDATE_RET( ctx != NULL ); - SHA1_VALIDATE_RET( ilen == 0 || input != NULL ); - if( ilen == 0 ) return( 0 ); @@ -329,9 +304,6 @@ int mbedtls_sha1_finish( mbedtls_sha1_context *ctx, uint32_t used; uint32_t high, low; - SHA1_VALIDATE_RET( ctx != NULL ); - SHA1_VALIDATE_RET( (unsigned char *)output != NULL ); - /* * Add padding: 0x80 then 0x00 until 8 bytes remain for the length */ @@ -392,9 +364,6 @@ int mbedtls_sha1( const unsigned char *input, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_sha1_context ctx; - SHA1_VALIDATE_RET( ilen == 0 || input != NULL ); - SHA1_VALIDATE_RET( (unsigned char *)output != NULL ); - mbedtls_sha1_init( &ctx ); if( ( ret = mbedtls_sha1_starts( &ctx ) ) != 0 ) diff --git a/thirdparty/mbedtls/library/sha256.c b/thirdparty/mbedtls/library/sha256.c index ac15ef8d1d160d..1a9a855fab19d8 100644 --- a/thirdparty/mbedtls/library/sha256.c +++ b/thirdparty/mbedtls/library/sha256.c @@ -32,17 +32,7 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_printf printf -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if defined(__aarch64__) # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ @@ -149,18 +139,12 @@ static int mbedtls_a64_crypto_sha256_determine_support( void ) #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */ -#define SHA256_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA ) -#define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond ) - #if !defined(MBEDTLS_SHA256_ALT) #define SHA256_BLOCK_SIZE 64 void mbedtls_sha256_init( mbedtls_sha256_context *ctx ) { - SHA256_VALIDATE( ctx != NULL ); - memset( ctx, 0, sizeof( mbedtls_sha256_context ) ); } @@ -175,9 +159,6 @@ void mbedtls_sha256_free( mbedtls_sha256_context *ctx ) void mbedtls_sha256_clone( mbedtls_sha256_context *dst, const mbedtls_sha256_context *src ) { - SHA256_VALIDATE( dst != NULL ); - SHA256_VALIDATE( src != NULL ); - *dst = *src; } @@ -186,12 +167,12 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst, */ int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ) { - SHA256_VALIDATE_RET( ctx != NULL ); - #if defined(MBEDTLS_SHA224_C) - SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); + if( is224 != 0 && is224 != 1 ) + return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; #else - SHA256_VALIDATE_RET( is224 == 0 ); + if( is224 != 0 ) + return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; #endif ctx->total[0] = 0; @@ -427,9 +408,6 @@ int mbedtls_internal_sha256_process_c( mbedtls_sha256_context *ctx, unsigned int i; - SHA256_VALIDATE_RET( ctx != NULL ); - SHA256_VALIDATE_RET( (const unsigned char *)data != NULL ); - for( i = 0; i < 8; i++ ) local.A[i] = ctx->state[i]; @@ -579,9 +557,6 @@ int mbedtls_sha256_update( mbedtls_sha256_context *ctx, size_t fill; uint32_t left; - SHA256_VALIDATE_RET( ctx != NULL ); - SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); - if( ilen == 0 ) return( 0 ); @@ -633,9 +608,6 @@ int mbedtls_sha256_finish( mbedtls_sha256_context *ctx, uint32_t used; uint32_t high, low; - SHA256_VALIDATE_RET( ctx != NULL ); - SHA256_VALIDATE_RET( (unsigned char *)output != NULL ); - /* * Add padding: 0x80 then 0x00 until 8 bytes remain for the length */ @@ -683,9 +655,11 @@ int mbedtls_sha256_finish( mbedtls_sha256_context *ctx, MBEDTLS_PUT_UINT32_BE( ctx->state[5], output, 20 ); MBEDTLS_PUT_UINT32_BE( ctx->state[6], output, 24 ); + int truncated = 0; #if defined(MBEDTLS_SHA224_C) - if( ctx->is224 == 0 ) + truncated = ctx->is224; #endif + if( !truncated ) MBEDTLS_PUT_UINT32_BE( ctx->state[7], output, 28 ); return( 0 ); @@ -705,14 +679,13 @@ int mbedtls_sha256( const unsigned char *input, mbedtls_sha256_context ctx; #if defined(MBEDTLS_SHA224_C) - SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); + if( is224 != 0 && is224 != 1 ) + return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; #else - SHA256_VALIDATE_RET( is224 == 0 ); + if( is224 != 0 ) + return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; #endif - SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); - SHA256_VALIDATE_RET( (unsigned char *)output != NULL ); - mbedtls_sha256_init( &ctx ); if( ( ret = mbedtls_sha256_starts( &ctx, is224 ) ) != 0 ) diff --git a/thirdparty/mbedtls/library/sha512.c b/thirdparty/mbedtls/library/sha512.c index be03ec3316b016..92ada8c35ffdcd 100644 --- a/thirdparty/mbedtls/library/sha512.c +++ b/thirdparty/mbedtls/library/sha512.c @@ -38,17 +38,7 @@ #include -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_printf printf -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif /* MBEDTLS_PLATFORM_C */ -#endif /* MBEDTLS_SELF_TEST */ #if defined(__aarch64__) # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ @@ -164,10 +154,6 @@ static int mbedtls_a64_crypto_sha512_determine_support( void ) #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ -#define SHA512_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA ) -#define SHA512_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond ) - #if !defined(MBEDTLS_SHA512_ALT) #define SHA512_BLOCK_SIZE 128 @@ -183,8 +169,6 @@ static void sha512_put_uint64_be( uint64_t n, unsigned char *b, uint8_t i ) void mbedtls_sha512_init( mbedtls_sha512_context *ctx ) { - SHA512_VALIDATE( ctx != NULL ); - memset( ctx, 0, sizeof( mbedtls_sha512_context ) ); } @@ -199,9 +183,6 @@ void mbedtls_sha512_free( mbedtls_sha512_context *ctx ) void mbedtls_sha512_clone( mbedtls_sha512_context *dst, const mbedtls_sha512_context *src ) { - SHA512_VALIDATE( dst != NULL ); - SHA512_VALIDATE( src != NULL ); - *dst = *src; } @@ -210,11 +191,12 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst, */ int mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ) { - SHA512_VALIDATE_RET( ctx != NULL ); #if defined(MBEDTLS_SHA384_C) - SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 ); + if( is384 != 0 && is384 != 1 ) + return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; #else - SHA512_VALIDATE_RET( is384 == 0 ); + if( is384 != 0 ) + return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; #endif ctx->total[0] = 0; @@ -569,9 +551,6 @@ int mbedtls_internal_sha512_process_c( mbedtls_sha512_context *ctx, uint64_t A[8]; } local; - SHA512_VALIDATE_RET( ctx != NULL ); - SHA512_VALIDATE_RET( (const unsigned char *)data != NULL ); - #define SHR(x,n) ((x) >> (n)) #define ROTR(x,n) (SHR((x),(n)) | ((x) << (64 - (n)))) @@ -735,9 +714,6 @@ int mbedtls_sha512_update( mbedtls_sha512_context *ctx, size_t fill; unsigned int left; - SHA512_VALIDATE_RET( ctx != NULL ); - SHA512_VALIDATE_RET( ilen == 0 || input != NULL ); - if( ilen == 0 ) return( 0 ); @@ -788,9 +764,6 @@ int mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned used; uint64_t high, low; - SHA512_VALIDATE_RET( ctx != NULL ); - SHA512_VALIDATE_RET( (unsigned char *)output != NULL ); - /* * Add padding: 0x80 then 0x00 until 16 bytes remain for the length */ @@ -837,9 +810,11 @@ int mbedtls_sha512_finish( mbedtls_sha512_context *ctx, sha512_put_uint64_be( ctx->state[4], output, 32 ); sha512_put_uint64_be( ctx->state[5], output, 40 ); + int truncated = 0; #if defined(MBEDTLS_SHA384_C) - if( ctx->is384 == 0 ) + truncated = ctx->is384; #endif + if( !truncated ) { sha512_put_uint64_be( ctx->state[6], output, 48 ); sha512_put_uint64_be( ctx->state[7], output, 56 ); @@ -862,12 +837,12 @@ int mbedtls_sha512( const unsigned char *input, mbedtls_sha512_context ctx; #if defined(MBEDTLS_SHA384_C) - SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 ); + if( is384 != 0 && is384 != 1 ) + return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; #else - SHA512_VALIDATE_RET( is384 == 0 ); + if( is384 != 0 ) + return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; #endif - SHA512_VALIDATE_RET( ilen == 0 || input != NULL ); - SHA512_VALIDATE_RET( (unsigned char *)output != NULL ); mbedtls_sha512_init( &ctx ); diff --git a/thirdparty/mbedtls/library/ssl_cache.c b/thirdparty/mbedtls/library/ssl_cache.c index 6505e11402d5b1..8405d2798f2f9e 100644 --- a/thirdparty/mbedtls/library/ssl_cache.c +++ b/thirdparty/mbedtls/library/ssl_cache.c @@ -25,13 +25,7 @@ #if defined(MBEDTLS_SSL_CACHE_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/ssl_cache.h" #include "ssl_misc.h" diff --git a/thirdparty/mbedtls/library/ssl_ciphersuites.c b/thirdparty/mbedtls/library/ssl_ciphersuites.c index 835159e63e4246..a83527f87aac04 100644 --- a/thirdparty/mbedtls/library/ssl_ciphersuites.c +++ b/thirdparty/mbedtls/library/ssl_ciphersuites.c @@ -23,16 +23,14 @@ #if defined(MBEDTLS_SSL_TLS_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#endif #include "mbedtls/ssl_ciphersuites.h" #include "mbedtls/ssl.h" #include "ssl_misc.h" +#include "mbedtls/legacy_or_psa.h" + #include /* @@ -295,22 +293,22 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS1_3_AES_256_GCM_SHA384, "TLS1-3-AES-256-GCM-SHA384", MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ 0, MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 }, -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS1_3_AES_128_GCM_SHA256, "TLS1-3-AES-128-GCM-SHA256", MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ 0, MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ -#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS1_3_AES_128_CCM_SHA256, "TLS1-3-AES-128-CCM-SHA256", MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ @@ -321,20 +319,20 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ MBEDTLS_CIPHERSUITE_SHORT_TAG, MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 }, -#endif /* MBEDTLS_SHA256_C && MBEDTLS_CCM_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA && MBEDTLS_CCM_C */ #endif /* MBEDTLS_AES_C */ -#if defined(MBEDTLS_CHACHAPOLY_C) && defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_CHACHAPOLY_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, "TLS1-3-CHACHA20-POLY1305-SHA256", MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ 0, MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 }, -#endif /* MBEDTLS_CHACHAPOLY_C && MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_CHACHAPOLY_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_CHACHAPOLY_C) && \ - defined(MBEDTLS_SHA256_C) && \ + defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, @@ -393,11 +391,11 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif #endif /* MBEDTLS_CHACHAPOLY_C && - MBEDTLS_SHA256_C && + MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA && MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) #if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, @@ -408,8 +406,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, @@ -422,8 +420,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, @@ -436,7 +434,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #if defined(MBEDTLS_CCM_C) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM", MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, @@ -459,49 +457,49 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ #if defined(MBEDTLS_CIPHER_NULL_CIPHER) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) #if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, @@ -512,8 +510,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, @@ -526,8 +524,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, @@ -540,62 +538,62 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ #if defined(MBEDTLS_CIPHER_NULL_CIPHER) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) #if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA384_C) && \ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_GCM_C) { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384", MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C && MBEDTLS_GCM_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA && MBEDTLS_GCM_C */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_GCM_C) { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256", MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, @@ -614,10 +612,10 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, @@ -627,7 +625,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CCM_C) { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM", @@ -651,7 +649,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, @@ -661,9 +659,9 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, @@ -673,22 +671,22 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ @@ -696,15 +694,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) #if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA384_C) && \ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_GCM_C) { MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384", MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C && MBEDTLS_GCM_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA && MBEDTLS_GCM_C */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_GCM_C) { MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256", MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, @@ -723,9 +721,9 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA, @@ -737,7 +735,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #if defined(MBEDTLS_CCM_C) { MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM", MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, @@ -760,7 +758,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, 0, @@ -770,9 +768,9 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA, 0, @@ -782,23 +780,23 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ @@ -806,7 +804,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) #if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, @@ -817,8 +815,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, @@ -831,8 +829,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, @@ -845,54 +843,54 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ #if defined(MBEDTLS_CIPHER_NULL_CIPHER) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) #if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, @@ -903,8 +901,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_SHA1_C */ -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, @@ -917,8 +915,8 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_CIPHER_MODE_CBC) { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, @@ -931,85 +929,85 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif /* MBEDTLS_GCM_C */ -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ #if defined(MBEDTLS_CIPHER_NULL_CIPHER) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256", MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384", MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK, 0, @@ -1019,7 +1017,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CCM_C) { MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM", @@ -1043,35 +1041,35 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ @@ -1080,37 +1078,37 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256", MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384", MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, @@ -1120,7 +1118,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CCM_C) { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM", @@ -1144,35 +1142,35 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ @@ -1182,21 +1180,21 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, 0, @@ -1206,25 +1204,25 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #endif /* MBEDTLS_CAMELLIA_C */ @@ -1233,37 +1231,37 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256", MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384", MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384", MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA", MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, @@ -1273,41 +1271,41 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_CAMELLIA_C) #if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_GCM_C) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256", MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384", MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_GCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ @@ -1326,21 +1324,21 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_CIPHER_NULL_CIPHER) #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, MBEDTLS_CIPHERSUITE_WEAK, @@ -1349,95 +1347,95 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, "TLS-ECDHE-PSK-WITH-NULL-SHA256", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384", MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, MBEDTLS_CIPHERSUITE_WEAK, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ @@ -1445,28 +1443,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384, "TLS-RSA-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384, "TLS-RSA-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256, "TLS-RSA-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256, "TLS-RSA-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, @@ -1478,28 +1476,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, @@ -1511,28 +1509,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384, "TLS-PSK-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384,MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384, "TLS-PSK-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256, "TLS-PSK-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256, "TLS-PSK-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, @@ -1544,28 +1542,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, @@ -1577,28 +1575,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, @@ -1610,14 +1608,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, @@ -1629,28 +1627,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, @@ -1662,28 +1660,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, @@ -1695,28 +1693,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, @@ -1728,28 +1726,28 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384", MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA384_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384", MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256", MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, 0, MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, #endif -#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)) { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256", MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, @@ -1933,10 +1931,10 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg( const mbedtls_ssl_ci case MBEDTLS_KEY_EXCHANGE_DHE_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: return( PSA_ALG_RSA_PKCS1V15_SIGN( - mbedtls_psa_translate_md( info->mac ) ) ); + mbedtls_hash_info_psa_from_md( info->mac ) ) ); case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - return( PSA_ALG_ECDSA( mbedtls_psa_translate_md( info->mac ) ) ); + return( PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( info->mac ) ) ); case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: diff --git a/thirdparty/mbedtls/library/ssl_client.c b/thirdparty/mbedtls/library/ssl_client.c index 1e0f2b23811924..2c4ce43161667e 100644 --- a/thirdparty/mbedtls/library/ssl_client.c +++ b/thirdparty/mbedtls/library/ssl_client.c @@ -24,13 +24,7 @@ #if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include @@ -112,6 +106,9 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, *olen = hostname_len + 9; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SERVERNAME ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ @@ -183,6 +180,9 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */ MBEDTLS_PUT_UINT16_BE( *out_len - 4, buf, 2 ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); } #endif /* MBEDTLS_SSL_ALPN */ @@ -302,7 +302,8 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, *out_len = p - buf; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); @@ -376,9 +377,11 @@ static int ssl_write_client_hello_cipher_suites( /* * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ + int renegotiating = 0; #if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) + renegotiating = ( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ); #endif + if( !renegotiating ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); @@ -432,7 +435,8 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *out_len ) + size_t *out_len, + size_t *binders_len ) { int ret; mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -443,6 +447,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, int tls12_uses_ec = 0; *out_len = 0; + *binders_len = 0; #if defined(MBEDTLS_SSL_PROTO_TLS1_2) unsigned char propose_tls12 = @@ -559,7 +564,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Keeping track of the included extensions */ - handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; + handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; #endif /* First write extensions, then the total length */ @@ -612,7 +617,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) if( #if defined(MBEDTLS_SSL_PROTO_TLS1_3) ( propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) ) || @@ -627,7 +632,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, return( ret ); p += output_len; } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( propose_tls12 ) @@ -641,6 +646,20 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11) + * MUST be the last extension in the ClientHello. + */ + if( propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) + { + ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( + ssl, p, end, &output_len, binders_len ); + if( ret != 0 ) + return( ret ); + p += output_len; + } +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ + /* Write the length of the list of extensions. */ extensions_len = p - p_extensions_len - 2; @@ -655,6 +674,11 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, p_extensions_len, extensions_len ); } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->sent_extensions ); +#endif + *out_len = p - buf; return( 0 ); } @@ -702,6 +726,34 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl ) { int ret; size_t session_id_len; + mbedtls_ssl_session *session_negotiate = ssl->session_negotiate; + + if( session_negotiate == NULL ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_HAVE_TIME) + + /* Check if a tls13 ticket has been configured. */ + if( ssl->handshake->resume != 0 && + session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && + session_negotiate->ticket != NULL ) + { + mbedtls_time_t now = mbedtls_time( NULL ); + uint64_t age = (uint64_t)( now - session_negotiate->ticket_received ); + if( session_negotiate->ticket_received > now || + age > session_negotiate->ticket_lifetime ) + { + /* Without valid ticket, disable session resumption.*/ + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "Ticket expired, disable session resumption" ) ); + ssl->handshake->resume = 0; + } + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && + MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_HAVE_TIME */ if( ssl->conf->f_rng == NULL ) { @@ -720,7 +772,7 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl ) { if( ssl->handshake->resume ) { - ssl->tls_version = ssl->session_negotiate->tls_version; + ssl->tls_version = session_negotiate->tls_version; ssl->handshake->min_tls_version = ssl->tls_version; } else @@ -754,7 +806,7 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl ) * to zero, except in the case of a TLS 1.2 session renegotiation or * session resumption. */ - session_id_len = ssl->session_negotiate->id_len; + session_id_len = session_negotiate->id_len; #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 ) @@ -773,12 +825,15 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl ) * RFC 5077 section 3.4: "When presenting a ticket, the client MAY * generate and include a Session ID in the TLS ClientHello." */ + int renegotiating = 0; #if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) + if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) + renegotiating = 1; #endif + if( !renegotiating ) { - if( ( ssl->session_negotiate->ticket != NULL ) && - ( ssl->session_negotiate->ticket_len != 0 ) ) + if( ( session_negotiate->ticket != NULL ) && + ( session_negotiate->ticket_len != 0 ) ) { session_id_len = 32; } @@ -810,13 +865,13 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ - if( session_id_len != ssl->session_negotiate->id_len ) + if( session_id_len != session_negotiate->id_len ) { - ssl->session_negotiate->id_len = session_id_len; + session_negotiate->id_len = session_id_len; if( session_id_len > 0 ) { ret = ssl->conf->f_rng( ssl->conf->p_rng, - ssl->session_negotiate->id, + session_negotiate->id, session_id_len ); if( ret != 0 ) { @@ -826,9 +881,39 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl ) } } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && + ssl->handshake->resume ) + { + int hostname_mismatch = ssl->hostname != NULL || + session_negotiate->hostname != NULL; + if( ssl->hostname != NULL && session_negotiate->hostname != NULL ) + { + hostname_mismatch = strcmp( + ssl->hostname, session_negotiate->hostname ) != 0; + } + + if( hostname_mismatch ) + { + MBEDTLS_SSL_DEBUG_MSG( + 1, ( "Hostname mismatch the session ticket, " + "disable session resumption." ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + } + else + { + return mbedtls_ssl_session_set_hostname( session_negotiate, + ssl->hostname ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && + MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_SSL_SERVER_NAME_INDICATION */ + return( 0 ); } - /* * Write ClientHello handshake message. * Handler for MBEDTLS_SSL_CLIENT_HELLO @@ -837,7 +922,7 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) { int ret = 0; unsigned char *buf; - size_t buf_len, msg_len; + size_t buf_len, msg_len, binders_len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); @@ -849,7 +934,8 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_PROC_CHK( ssl_write_client_hello_body( ssl, buf, buf + buf_len, - &msg_len ) ); + &msg_len, + &binders_len ) ); #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) @@ -883,8 +969,21 @@ int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */ { - mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, - buf, msg_len ); + + mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, + msg_len ); + ssl->handshake->update_checksum( ssl, buf, msg_len - binders_len ); +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + if( binders_len > 0 ) + { + MBEDTLS_SSL_PROC_CHK( + mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( + ssl, buf + msg_len - binders_len, buf + msg_len ) ); + ssl->handshake->update_checksum( ssl, buf + msg_len - binders_len, + binders_len ); + } +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len ) ); diff --git a/thirdparty/mbedtls/library/ssl_cookie.c b/thirdparty/mbedtls/library/ssl_cookie.c index 4b2d2d2bf191aa..3f9bf87b4239bb 100644 --- a/thirdparty/mbedtls/library/ssl_cookie.c +++ b/thirdparty/mbedtls/library/ssl_cookie.c @@ -25,12 +25,7 @@ #if defined(MBEDTLS_SSL_COOKIE_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/ssl_cookie.h" #include "ssl_misc.h" @@ -38,21 +33,23 @@ #include "mbedtls/platform_util.h" #include "mbedtls/constant_time.h" +#include "mbedtls/legacy_or_psa.h" + #include /* - * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is - * available. Try SHA-256 first, 512 wastes resources + * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-384 is + * available. Try SHA-256 first, 384 wastes resources */ -#if defined(MBEDTLS_SHA224_C) +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA) #define COOKIE_MD MBEDTLS_MD_SHA224 #define COOKIE_MD_OUTLEN 32 #define COOKIE_HMAC_LEN 28 -#elif defined(MBEDTLS_SHA384_C) +#elif defined(MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA) #define COOKIE_MD MBEDTLS_MD_SHA384 #define COOKIE_MD_OUTLEN 48 #define COOKIE_HMAC_LEN 28 -#elif defined(MBEDTLS_SHA1_C) +#elif defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA) #define COOKIE_MD MBEDTLS_MD_SHA1 #define COOKIE_MD_OUTLEN 20 #define COOKIE_HMAC_LEN 20 @@ -117,7 +114,7 @@ int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx, (void)f_rng; (void)p_rng; - alg = mbedtls_psa_translate_md( COOKIE_MD ); + alg = mbedtls_hash_info_psa_from_md( COOKIE_MD ); if( alg == 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); diff --git a/thirdparty/mbedtls/library/ssl_debug_helpers.h b/thirdparty/mbedtls/library/ssl_debug_helpers.h index 9f1df736bdf6b7..4412f8e2138f8c 100644 --- a/thirdparty/mbedtls/library/ssl_debug_helpers.h +++ b/thirdparty/mbedtls/library/ssl_debug_helpers.h @@ -43,6 +43,32 @@ const char *mbedtls_ssl_sig_alg_to_str( uint16_t in ); const char *mbedtls_ssl_named_group_to_str( uint16_t in ); +const char *mbedtls_ssl_get_extension_name( unsigned int extension_type ); + +void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, uint32_t extensions_mask, + const char *extra ); + +void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, unsigned int extension_type, + const char *extra_msg0, const char *extra_msg1 ); + +#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extensions_mask ) \ + mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__, \ + hs_msg_type, extensions_mask, NULL ) + +#define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra ) \ + mbedtls_ssl_print_extension( ssl, level, __FILE__, __LINE__, \ + hs_msg_type, extension_type, \ + extra, NULL ) +#else + +#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extension_mask ) + +#define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra ) + #endif /* MBEDTLS_DEBUG_C */ -#endif /* SSL_DEBUG_HELPERS_H */ +#endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */ diff --git a/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c b/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c index 992db09e2b17f9..e3e93f8c65ca0b 100644 --- a/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c +++ b/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c @@ -135,8 +135,7 @@ const char *mbedtls_ssl_states_str( mbedtls_ssl_states in ) [MBEDTLS_SSL_SERVER_FINISHED] = "MBEDTLS_SSL_SERVER_FINISHED", [MBEDTLS_SSL_FLUSH_BUFFERS] = "MBEDTLS_SSL_FLUSH_BUFFERS", [MBEDTLS_SSL_HANDSHAKE_WRAPUP] = "MBEDTLS_SSL_HANDSHAKE_WRAPUP", - [MBEDTLS_SSL_HANDSHAKE_OVER] = "MBEDTLS_SSL_HANDSHAKE_OVER", - [MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET] = "MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET", + [MBEDTLS_SSL_NEW_SESSION_TICKET] = "MBEDTLS_SSL_NEW_SESSION_TICKET", [MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT] = "MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT", [MBEDTLS_SSL_HELLO_RETRY_REQUEST] = "MBEDTLS_SSL_HELLO_RETRY_REQUEST", [MBEDTLS_SSL_ENCRYPTED_EXTENSIONS] = "MBEDTLS_SSL_ENCRYPTED_EXTENSIONS", @@ -145,6 +144,9 @@ const char *mbedtls_ssl_states_str( mbedtls_ssl_states in ) [MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO] = "MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO", [MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO] = "MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO", [MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST] = "MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST", + [MBEDTLS_SSL_HANDSHAKE_OVER] = "MBEDTLS_SSL_HANDSHAKE_OVER", + [MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET] = "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET", + [MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH] = "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH", }; if( in > ( sizeof( in_to_str )/sizeof( in_to_str[0]) - 1 ) || diff --git a/thirdparty/mbedtls/library/ssl_misc.h b/thirdparty/mbedtls/library/ssl_misc.h index 39a47cac79a0ca..0e0479a917ba4e 100644 --- a/thirdparty/mbedtls/library/ssl_misc.h +++ b/thirdparty/mbedtls/library/ssl_misc.h @@ -30,7 +30,9 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "psa/crypto.h" #include "mbedtls/psa_util.h" +#include "hash_info.h" #endif +#include "mbedtls/legacy_or_psa.h" #if defined(MBEDTLS_MD5_C) #include "mbedtls/md5.h" @@ -48,17 +50,13 @@ #include "mbedtls/sha512.h" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + !defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/ecjpake.h" #endif #include "common.h" -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /* Shorthand for restartable ECC */ #if defined(MBEDTLS_ECP_RESTARTABLE) && \ defined(MBEDTLS_SSL_CLI_C) && \ @@ -72,34 +70,147 @@ #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ +/* Faked handshake message identity for HelloRetryRequest. */ +#define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO ) + /* - * Mask of TLS 1.3 handshake extensions used in extensions_present - * of mbedtls_ssl_handshake_params. - */ -#define MBEDTLS_SSL_EXT_NONE 0 - -#define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 ) -#define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 ) -#define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 ) -#define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 ) -#define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 ) -#define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 ) -#define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 ) -#define MBEDTLS_SSL_EXT_ALPN ( 1 << 7 ) -#define MBEDTLS_SSL_EXT_SCT ( 1 << 8 ) -#define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 ) -#define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 ) -#define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 ) -#define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 ) -#define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 ) -#define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 ) -#define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 ) -#define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 ) -#define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 ) -#define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 ) -#define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 ) -#define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 ) -#define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 ) + * Internal identity of handshake extensions + */ +#define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 +#define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 +#define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1 +#define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2 +#define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4 +#define MBEDTLS_SSL_EXT_ID_SIG_ALG 5 +#define MBEDTLS_SSL_EXT_ID_USE_SRTP 6 +#define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7 +#define MBEDTLS_SSL_EXT_ID_ALPN 8 +#define MBEDTLS_SSL_EXT_ID_SCT 9 +#define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10 +#define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11 +#define MBEDTLS_SSL_EXT_ID_PADDING 12 +#define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13 +#define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15 +#define MBEDTLS_SSL_EXT_ID_COOKIE 16 +#define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17 +#define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18 +#define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19 +#define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20 +#define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21 +#define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22 +#define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24 +#define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25 +#define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26 +#define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27 + +/* Utility for translating IANA extension type. */ +uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type ); +uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); +/* Macros used to define mask constants */ +#define MBEDTLS_SSL_EXT_MASK( id ) ( 1ULL << ( MBEDTLS_SSL_EXT_ID_##id ) ) +/* Reset value of extension mask */ +#define MBEDTLS_SSL_EXT_MASK_NONE 0 + +/* In messages containing extension requests, we should ignore unrecognized + * extensions. In messages containing extension responses, unrecognized + * extensions should result in handshake abortion. Messages containing + * extension requests include ClientHello, CertificateRequest and + * NewSessionTicket. Messages containing extension responses include + * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate. + * + * RFC 8446 section 4.1.3 + * + * The ServerHello MUST only include extensions which are required to establish + * the cryptographic context and negotiate the protocol version. + * + * RFC 8446 section 4.2 + * + * If an implementation receives an extension which it recognizes and which is + * not specified for the message in which it appears, it MUST abort the handshake + * with an "illegal_parameter" alert. + */ + +/* Extensions that are not recognized by TLS 1.3 */ +#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \ + ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS ) | \ + MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \ + MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \ + MBEDTLS_SSL_EXT_MASK( SESSION_TICKET ) | \ + MBEDTLS_SSL_EXT_MASK( TRUNCATED_HMAC ) | \ + MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) ) + +/* RFC 8446 section 4.2. Allowed extensions for ClientHello */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ + ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \ + MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \ + MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \ + MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \ + MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \ + MBEDTLS_SSL_EXT_MASK( ALPN ) | \ + MBEDTLS_SSL_EXT_MASK( SCT ) | \ + MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( PADDING ) | \ + MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \ + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \ + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) | \ + MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \ + MBEDTLS_SSL_EXT_MASK( COOKIE ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) | \ + MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \ + MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \ + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED ) + +/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ + ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \ + MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \ + MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \ + MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \ + MBEDTLS_SSL_EXT_MASK( ALPN ) | \ + MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) ) + +/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ + ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \ + MBEDTLS_SSL_EXT_MASK( SCT ) | \ + MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \ + MBEDTLS_SSL_EXT_MASK( OID_FILTERS ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \ + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED ) + +/* RFC 8446 section 4.2. Allowed extensions for Certificate */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ + ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \ + MBEDTLS_SSL_EXT_MASK( SCT ) ) + +/* RFC 8446 section 4.2. Allowed extensions for ServerHello */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ + ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \ + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) ) + +/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ + ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \ + MBEDTLS_SSL_EXT_MASK( COOKIE ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) ) + +/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ + ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \ + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED ) /* * Helper macros for function call with return check. @@ -183,9 +294,9 @@ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /* Ciphersuites using HMAC */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ -#elif defined(MBEDTLS_SHA256_C) +#elif defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ #else #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ @@ -243,7 +354,7 @@ #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE @@ -253,7 +364,7 @@ #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8) #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ /* * Check that we obey the standard's message size bounds @@ -598,8 +709,6 @@ struct mbedtls_ssl_handshake_params size_t ecrs_n; /*!< place for saving a length */ #endif - size_t pmslen; /*!< premaster length */ - mbedtls_ssl_ciphersuite_t const *ciphersuite_info; void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); @@ -611,17 +720,25 @@ struct mbedtls_ssl_handshake_params * Handshake specific crypto variables */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ + uint8_t key_exchange_mode; /*!< Selected key exchange mode */ /** Number of HelloRetryRequest messages received/sent from/to the server. */ int hello_retry_request_count; + #if defined(MBEDTLS_SSL_SRV_C) /** selected_group of key_share extension in HelloRetryRequest message. */ uint16_t hrr_selected_group; +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + uint16_t new_session_tickets_count; /*!< number of session tickets */ +#endif #endif /* MBEDTLS_SSL_SRV_C */ + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; #endif @@ -655,7 +772,13 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ + mbedtls_svc_key_id_t psa_pake_password; + uint8_t psa_pake_ctx_is_ok; +#else mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ size_t ecjpake_cache_len; /*!< Length of cached data */ @@ -667,7 +790,7 @@ struct mbedtls_ssl_handshake_params const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ uint8_t psk_opaque_is_internal; @@ -675,7 +798,8 @@ struct mbedtls_ssl_handshake_params unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + uint16_t selected_identity; +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ @@ -766,28 +890,21 @@ struct mbedtls_ssl_handshake_params uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages. - * Those pointers own the transforms they reference. */ - mbedtls_ssl_transform *transform_handshake; - mbedtls_ssl_transform *transform_earlydata; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - /* * Checksum contexts */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_operation_t fin_sha256_psa; #else mbedtls_sha256_context fin_sha256; #endif #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_operation_t fin_sha384_psa; #else - mbedtls_sha512_context fin_sha512; + mbedtls_sha512_context fin_sha384; #endif #endif @@ -842,19 +959,23 @@ struct mbedtls_ssl_handshake_params unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN]; /*!< random bytes */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; /*!< premaster secret */ + size_t pmslen; /*!< premaster length */ +#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - int extensions_present; /*!< extension presence; Each bitfield - represents an extension and defined - as \c MBEDTLS_SSL_EXT_XXX */ + uint32_t sent_extensions; /*!< extensions sent by endpoint */ + uint32_t received_extensions; /*!< extensions received by endpoint */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) unsigned char certificate_request_context_len; unsigned char *certificate_request_context; #endif + /** TLS 1.3 transform for encrypted handshake messages. */ + mbedtls_ssl_transform *transform_handshake; union { unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE]; @@ -863,6 +984,11 @@ struct mbedtls_ssl_handshake_params } tls13_master_secrets; mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_tls13_early_secrets tls13_early_secrets; + /** TLS 1.3 transform for early data and handshake messages. */ + mbedtls_ssl_transform *transform_earlydata; +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -1009,7 +1135,7 @@ struct mbedtls_ssl_transform #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) uint8_t in_cid_len; uint8_t out_cid_len; - unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; + unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ]; unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ @@ -1344,17 +1470,23 @@ void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, unsigned char const *msg, size_t msg_len ); +void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + size_t total_hs_len ); + #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if !defined(MBEDTLS_USE_PSA_CRYPTO) MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ); #endif /* !MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +#if defined(MBEDTLS_SSL_CLI_C) MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ); #endif - #if defined(MBEDTLS_USE_PSA_CRYPTO) /** * Get the first defined opaque PSK by order of precedence: @@ -1407,7 +1539,7 @@ static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ #if defined(MBEDTLS_PK_C) unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ); @@ -1769,6 +1901,8 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +#if defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /** * Given a list of key exchange modes, check if at least one of them is * supported. @@ -1815,6 +1949,49 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +#endif /* MBEDTLS_SSL_SRV_C && + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ + +/* + * Helper functions for extensions checking. + */ + +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_check_received_extension( + mbedtls_ssl_context *ssl, + int hs_msg_type, + unsigned int received_extension_type, + uint32_t hs_msg_allowed_extensions_mask ); + +static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( + mbedtls_ssl_context *ssl, unsigned int extension_type ) +{ + ssl->handshake->sent_extensions |= + mbedtls_ssl_get_extension_mask( extension_type ); +} + +/* + * Helper functions to check the selected key exchange mode. + */ +static inline int mbedtls_ssl_tls13_key_exchange_mode_check( + mbedtls_ssl_context *ssl, int kex_mask ) +{ + return( ( ssl->handshake->key_exchange_mode & kex_mask ) != 0 ); +} + +static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk( + mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); +} + +static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( + mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); +} /* * Fetch TLS 1.3 handshake message header @@ -1831,7 +2008,7 @@ int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * Handler of TLS 1.3 write Certificate message */ @@ -1844,7 +2021,7 @@ int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl ); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * Generic handler of Certificate Verify @@ -1871,10 +2048,16 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( size_t *out_len ); #endif /* MBEDTLS_ECDH_C */ +#if defined(MBEDTLS_SSL_EARLY_DATA) +int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *out_len ); +#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) /* * Parse TLS Signature Algorithm extension */ @@ -1882,7 +2065,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ /* Get handshake transcript */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -2002,7 +2185,7 @@ static inline int mbedtls_ssl_named_group_is_supported( uint16_t named_group ) static inline const void *mbedtls_ssl_get_sig_algs( const mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) if( ssl->handshake != NULL && @@ -2014,17 +2197,14 @@ static inline const void *mbedtls_ssl_get_sig_algs( #endif return( ssl->conf->sig_algs ); -#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ ((void) ssl); return( NULL ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ } - -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl, uint16_t own_sig_alg ) { @@ -2039,94 +2219,40 @@ static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ss } return( 0 ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - -static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl, - uint16_t proposed_sig_alg ) -{ - const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl ); - if( sig_alg == NULL ) - return( 0 ); - - for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ ) - { - if( *sig_alg == proposed_sig_alg ) - return( 1 ); - } - return( 0 ); -} - -static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg( - uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg ) -{ - *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff ); - *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff ); - if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE ) - return( 0 ); - - switch( sig_alg ) - { -#if defined(MBEDTLS_PKCS1_V21) -#if defined(MBEDTLS_SHA256_C) - case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: - *md_alg = MBEDTLS_MD_SHA256; - *pk_type = MBEDTLS_PK_RSASSA_PSS; - break; -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) - case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: - *md_alg = MBEDTLS_MD_SHA384; - *pk_type = MBEDTLS_PK_RSASSA_PSS; - break; -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) - case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: - *md_alg = MBEDTLS_MD_SHA512; - *pk_type = MBEDTLS_PK_RSASSA_PSS; - break; -#endif /* MBEDTLS_SHA512_C */ -#endif /* MBEDTLS_PKCS1_V21 */ - default: - return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); - } - return( 0 ); -} - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( const uint16_t sig_alg ) { switch( sig_alg ) { #if defined(MBEDTLS_ECDSA_C) -#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) +#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: break; -#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ -#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) +#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: break; -#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ -#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: break; -#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ +#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ #endif /* MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_PKCS1_V21) -#if defined(MBEDTLS_SHA256_C) +#if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: break; -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* PSA_WANT_ALG_SHA_256 */ +#if defined(PSA_WANT_ALG_SHA_384) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: break; -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) +#endif /* PSA_WANT_ALG_SHA_384 */ +#if defined(PSA_WANT_ALG_SHA_512) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: break; -#endif /* MBEDTLS_SHA512_C */ +#endif /* PSA_WANT_ALG_SHA_512 */ #endif /* MBEDTLS_PKCS1_V21 */ default: return( 0 ); @@ -2141,18 +2267,18 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported( switch( sig_alg ) { #if defined(MBEDTLS_PKCS1_V15) -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: break; -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: break; -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: break; -#endif /* MBEDTLS_SHA512_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_PKCS1_V15 */ default: return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( @@ -2161,7 +2287,63 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported( return( 1 ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg, + mbedtls_pk_context *key ); +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ + +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl, + uint16_t proposed_sig_alg ) +{ + const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl ); + if( sig_alg == NULL ) + return( 0 ); + + for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ ) + { + if( *sig_alg == proposed_sig_alg ) + return( 1 ); + } + return( 0 ); +} + +static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( + uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg ) +{ + *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff ); + *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff ); + + if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE ) + return( 0 ); + + switch( sig_alg ) + { +#if defined(MBEDTLS_PKCS1_V21) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: + *md_alg = MBEDTLS_MD_SHA256; + *pk_type = MBEDTLS_PK_RSASSA_PSS; + break; +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: + *md_alg = MBEDTLS_MD_SHA384; + *pk_type = MBEDTLS_PK_RSASSA_PSS; + break; +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: + *md_alg = MBEDTLS_MD_SHA512; + *pk_type = MBEDTLS_PK_RSASSA_PSS; + break; +#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#endif /* MBEDTLS_PKCS1_V21 */ + default: + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + return( 0 ); +} #if defined(MBEDTLS_SSL_PROTO_TLS1_2) static inline int mbedtls_ssl_tls12_sig_alg_is_supported( @@ -2173,32 +2355,32 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported( switch( hash ) { -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_MD5: break; #endif -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA1: break; #endif -#if defined(MBEDTLS_SHA224_C) +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA224: break; #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA256: break; #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA384: break; #endif -#if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA512: break; #endif @@ -2239,26 +2421,17 @@ static inline int mbedtls_ssl_sig_alg_is_supported( } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) { return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#endif ((void) ssl); ((void) sig_alg); return( 0 ); } - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - -MBEDTLS_CHECK_RETURN_CRITICAL -int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg, - mbedtls_pk_context *key ); - -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. @@ -2322,6 +2495,52 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) } #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) + +typedef enum { + MBEDTLS_ECJPAKE_ROUND_ONE, + MBEDTLS_ECJPAKE_ROUND_TWO +} mbedtls_ecjpake_rounds_t; + +/** + * \brief Parse the provided input buffer for getting the first round + * of key exchange. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [in] input buffer to parse + * \param len [in] length of the input buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO + * + * \return 0 on success or a negative error code in case of failure + */ +int mbedtls_psa_ecjpake_read_round( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, mbedtls_ecjpake_rounds_t round ); + +/** + * \brief Write the first round of key exchange into the provided output + * buffer. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [out] the output buffer in which data will be written to + * \param len [in] length of the output buffer + * \param olen [out] the length of the data really written on the buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO + * + * \return 0 on success or a negative error code in case of failure + */ +int mbedtls_psa_ecjpake_write_round( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ); + +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO + /** * \brief TLS record protection modes */ @@ -2419,4 +2638,48 @@ int mbedtls_ssl_check_dtls_clihlo_cookie( unsigned char *obuf, size_t buf_len, size_t *olen ); #endif +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +/** + * \brief Given an SSL context and its associated configuration, write the TLS + * 1.3 specific Pre-Shared key extension. + * + * \param[in] ssl SSL context + * \param[in] buf Base address of the buffer where to write the extension + * \param[in] end End address of the buffer where to write the extension + * \param[out] out_len Length in bytes of the Pre-Shared key extension: data + * written into the buffer \p buf by this function plus + * the length of the binders to be written. + * \param[out] binders_len Length of the binders to be written at the end of + * the extension. + */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( + mbedtls_ssl_context *ssl, + unsigned char *buf, unsigned char *end, + size_t *out_len, size_t *binders_len ); + +/** + * \brief Given an SSL context and its associated configuration, write the TLS + * 1.3 specific Pre-Shared key extension binders at the end of the + * ClientHello. + * + * \param[in] ssl SSL context + * \param[in] buf Base address of the buffer where to write the binders + * \param[in] end End address of the buffer where to write the binders + */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( + mbedtls_ssl_context *ssl, + unsigned char *buf, unsigned char *end ); +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ + defined(MBEDTLS_SSL_CLI_C) +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session, + const char *hostname ); +#endif + #endif /* ssl_misc.h */ diff --git a/thirdparty/mbedtls/library/ssl_msg.c b/thirdparty/mbedtls/library/ssl_msg.c index fb0b7099798213..e4d50dbfdab019 100644 --- a/thirdparty/mbedtls/library/ssl_msg.c +++ b/thirdparty/mbedtls/library/ssl_msg.c @@ -26,13 +26,7 @@ #if defined(MBEDTLS_SSL_TLS_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/ssl.h" #include "ssl_misc.h" @@ -388,29 +382,79 @@ static int ssl_parse_inner_plaintext( unsigned char const *content, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */ -/* `add_data` must have size 13 Bytes if the CID extension is disabled, - * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */ +/* The size of the `add_data` structure depends on various + * factors, namely + * + * 1) CID functionality disabled + * + * additional_data = + * 8: seq_num + + * 1: type + + * 2: version + + * 2: length of inner plaintext + + * + * size = 13 bytes + * + * 2) CID functionality based on RFC 9146 enabled + * + * size = 8 + 1 + 1 + 1 + 2 + 2 + 6 + 2 + CID-length + * = 23 + CID-length + * + * 3) CID functionality based on legacy CID version + according to draft-ietf-tls-dtls-connection-id-05 + * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 + * + * size = 13 + 1 + CID-length + * + * More information about the CID usage: + * + * Per Section 5.3 of draft-ietf-tls-dtls-connection-id-05 the + * size of the additional data structure is calculated as: + * + * additional_data = + * 8: seq_num + + * 1: tls12_cid + + * 2: DTLSCipherText.version + + * n: cid + + * 1: cid_length + + * 2: length_of_DTLSInnerPlaintext + * + * Per RFC 9146 the size of the add_data structure is calculated as: + * + * additional_data = + * 8: seq_num_placeholder + + * 1: tls12_cid + + * 1: cid_length + + * 1: tls12_cid + + * 2: DTLSCiphertext.version + + * 2: epoch + + * 6: sequence_number + + * n: cid + + * 2: length_of_DTLSInnerPlaintext + * + */ static void ssl_extract_add_data_from_record( unsigned char* add_data, size_t *add_data_len, mbedtls_record *rec, mbedtls_ssl_protocol_version - tls_version, + tls_version, size_t taglen ) { - /* Quoting RFC 5246 (TLS 1.2): + /* Several types of ciphers have been defined for use with TLS and DTLS, + * and the MAC calculations for those ciphers differ slightly. Further + * variants were added when the CID functionality was added with RFC 9146. + * This implementations also considers the use of a legacy version of the + * CID specification published in draft-ietf-tls-dtls-connection-id-05, + * which is used in deployments. * - * additional_data = seq_num + TLSCompressed.type + - * TLSCompressed.version + TLSCompressed.length; + * We will distinguish between the non-CID and the CID cases below. * - * For the CID extension, this is extended as follows - * (quoting draft-ietf-tls-dtls-connection-id-05, - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05): + * --- Non-CID cases --- * - * additional_data = seq_num + DTLSPlaintext.type + - * DTLSPlaintext.version + - * cid + - * cid_length + - * length_of_DTLSInnerPlaintext; + * Quoting RFC 5246 (TLS 1.2): + * + * additional_data = seq_num + TLSCompressed.type + + * TLSCompressed.version + TLSCompressed.length; * * For TLS 1.3, the record sequence number is dropped from the AAD * and encoded within the nonce of the AEAD operation instead. @@ -427,11 +471,72 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, * * TLSCiphertext.length = TLSInnerPlaintext.length + taglen. * - */ + * --- CID cases --- + * + * RFC 9146 uses a common pattern when constructing the data + * passed into a MAC / AEAD cipher. + * + * Data concatenation for MACs used with block ciphers with + * Encrypt-then-MAC Processing (with CID): + * + * data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * DTLSCiphertext.length + + * IV + + * ENC(content + padding + padding_length) + * + * Data concatenation for MACs used with block ciphers (with CID): + * + * data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * length_of_DTLSInnerPlaintext + + * DTLSInnerPlaintext.content + + * DTLSInnerPlaintext.real_type + + * DTLSInnerPlaintext.zeros + * + * AEAD ciphers use the following additional data calculation (with CIDs): + * + * additional_data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * length_of_DTLSInnerPlaintext + * + * Section 5.3 of draft-ietf-tls-dtls-connection-id-05 (for legacy CID use) + * defines the additional data calculation as follows: + * + * additional_data = seq_num + + * tls12_cid + + * DTLSCipherText.version + + * cid + + * cid_length + + * length_of_DTLSInnerPlaintext + */ unsigned char *cur = add_data; size_t ad_len_field = rec->data_len; +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; +#endif + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) { @@ -445,25 +550,72 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, { ((void) tls_version); ((void) taglen); - memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); - cur += sizeof( rec->ctr ); + +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + if( rec->cid_len != 0 ) + { + // seq_num_placeholder + memcpy( cur, seq_num_placeholder, sizeof(seq_num_placeholder) ); + cur += sizeof( seq_num_placeholder ); + + // tls12_cid type + *cur = rec->type; + cur++; + + // cid_length + *cur = rec->cid_len; + cur++; + } + else +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + { + // epoch + sequence number + memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); + cur += sizeof( rec->ctr ); + } } + // type *cur = rec->type; cur++; + // version memcpy( cur, rec->ver, sizeof( rec->ver ) ); cur += sizeof( rec->ver ); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - if( rec->cid_len != 0 ) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1 + + if (rec->cid_len != 0) { - memcpy( cur, rec->cid, rec->cid_len ); + // CID + memcpy(cur, rec->cid, rec->cid_len); cur += rec->cid_len; + // cid_length *cur = rec->cid_len; cur++; + // length of inner plaintext + MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0); + cur += 2; + } + else +#elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + + if( rec->cid_len != 0 ) + { + // epoch + sequence number + memcpy(cur, rec->ctr, sizeof(rec->ctr)); + cur += sizeof(rec->ctr); + + // CID + memcpy( cur, rec->cid, rec->cid_len ); + cur += rec->cid_len; + + // length of inner plaintext MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 ); cur += 2; } @@ -538,7 +690,14 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, mbedtls_ssl_mode_t ssl_mode; int auth_done = 0; unsigned char * data; - unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; + /* For an explanation of the additional data length see + * the description of ssl_extract_add_data_from_record(). + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX]; +#else + unsigned char add_data[13]; +#endif size_t add_data_len; size_t post_avail; @@ -1021,13 +1180,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, size_t sign_mac_length = 0; #endif /* MBEDTLS_USE_PSA_CRYPTO */ - /* - * MAC(MAC_write_key, seq_num + - * TLSCipherText.type + - * TLSCipherText.version + - * length_of( (IV +) ENC(...) ) + - * IV + - * ENC(content + padding + padding_length)); + /* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length)) */ if( post_avail < transform->maclen) @@ -1124,7 +1277,9 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, mbedtls_ssl_transform *transform, mbedtls_record *rec ) { +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) || defined(MBEDTLS_CIPHER_MODE_AEAD) size_t olen; +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC || MBEDTLS_CIPHER_MODE_AEAD */ mbedtls_ssl_mode_t ssl_mode; int ret; @@ -1133,7 +1288,14 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, size_t padlen = 0, correct = 1; #endif unsigned char* data; - unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ]; + /* For an explanation of the additional data length see + * the description of ssl_extract_add_data_from_record(). + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX]; +#else + unsigned char add_data[13]; +#endif size_t add_data_len; #if !defined(MBEDTLS_DEBUG_C) @@ -1669,15 +1831,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * The next two sizes are the minimum and maximum values of - * data_len over all padlen values. - * - * They're independent of padlen, since we previously did - * data_len -= padlen. - * - * Note that max_len + maclen is never more than the buffer - * length, as we previously did in_msglen -= maclen too. - */ + * The next two sizes are the minimum and maximum values of + * data_len over all padlen values. + * + * They're independent of padlen, since we previously did + * data_len -= padlen. + * + * Note that max_len + maclen is never more than the buffer + * length, as we previously did in_msglen -= maclen too. + */ const size_t max_len = rec->data_len + padlen; const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; @@ -1801,8 +1963,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio()" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -1912,7 +2073,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); mbedtls_ssl_set_timer( ssl, 0 ); - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ssl_double_retransmit_timeout( ssl ) != 0 ) { @@ -2017,8 +2178,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( ssl->f_send == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio()" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -3487,7 +3647,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, { /* Shift pointers to account for record header including CID * struct { - * ContentType special_type = tls12_cid; + * ContentType outer_type = tls12_cid; * ProtocolVersion version; * uint16 epoch; * uint48 sequence_number; @@ -3851,8 +4011,8 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, if( ssl_record_is_in_progress( ssl ) == 0 ) { + int dtls_have_buffered = 0; #if defined(MBEDTLS_SSL_PROTO_DTLS) - int have_buffered = 0; /* We only check for buffered messages if the * current datagram is fully consumed. */ @@ -3860,11 +4020,11 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, ssl_next_record_is_in_datagram( ssl ) == 0 ) { if( ssl_load_buffered_message( ssl ) == 0 ) - have_buffered = 1; + dtls_have_buffered = 1; } - if( have_buffered == 0 ) #endif /* MBEDTLS_SSL_PROTO_DTLS */ + if( dtls_have_buffered == 0 ) { ret = ssl_get_next_record( ssl ); if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ) @@ -3938,7 +4098,7 @@ static int ssl_load_buffered_message( mbedtls_ssl_context *ssl ) if( hs == NULL ) return( -1 ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_message" ) ); if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC || ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) @@ -5288,6 +5448,50 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_RENEGOTIATION */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_check_new_session_ticket( mbedtls_ssl_context *ssl ) +{ + + if( ( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) ) || + ( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ) ) + { + return( 0 ); + } + + ssl->keep_current_message = 1; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket received" ) ); + mbedtls_ssl_handshake_set_state( ssl, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); + + return( MBEDTLS_ERR_SSL_WANT_READ ); +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) +{ + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "received post-handshake message" ) ); + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + int ret = ssl_tls13_check_new_session_ticket( ssl ); + if( ret != 0 ) + return( ret ); + } +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ + + /* Fail in all other cases. */ + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* This function is called from mbedtls_ssl_read() when a handshake message is * received after the initial handshake. In this context, handshake messages * may only be sent for the purpose of initiating renegotiations. @@ -5298,7 +5502,7 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read(). */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) +static int ssl_tls12_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -5380,18 +5584,39 @@ static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ( ret = mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_WARNING, MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) { return( ret ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } return( 0 ); } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) +{ + /* Check protocol version and dispatch accordingly. */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) + { + return( ssl_tls13_handle_hs_message_post_handshake( ssl ) ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( ssl->tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 ) + { + return( ssl_tls12_handle_hs_message_post_handshake( ssl ) ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + + /* Should never happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +} /* * Receive application data decrypted from the SSL layer @@ -5443,7 +5668,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { ret = mbedtls_ssl_handshake( ssl ); if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && @@ -5699,7 +5924,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { diff --git a/thirdparty/mbedtls/library/ssl_ticket.c b/thirdparty/mbedtls/library/ssl_ticket.c index 28c4d3e55395f8..e39563bc4f706b 100644 --- a/thirdparty/mbedtls/library/ssl_ticket.c +++ b/thirdparty/mbedtls/library/ssl_ticket.c @@ -21,13 +21,7 @@ #if defined(MBEDTLS_SSL_TICKET_C) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "ssl_misc.h" #include "mbedtls/ssl_ticket.h" @@ -79,7 +73,7 @@ static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx, #endif #if defined(MBEDTLS_HAVE_TIME) - key->generation_time = (uint32_t) mbedtls_time( NULL ); + key->generation_time = mbedtls_time( NULL ); #endif if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 ) @@ -122,15 +116,15 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) #else if( ctx->ticket_lifetime != 0 ) { - uint32_t current_time = (uint32_t) mbedtls_time( NULL ); - uint32_t key_time = ctx->keys[ctx->active].generation_time; + mbedtls_time_t current_time = mbedtls_time( NULL ); + mbedtls_time_t key_time = ctx->keys[ctx->active].generation_time; #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; #endif if( current_time >= key_time && - current_time - key_time < ctx->ticket_lifetime ) + (uint64_t) ( current_time - key_time ) < ctx->ticket_lifetime ) { return( 0 ); } @@ -204,7 +198,7 @@ int mbedtls_ssl_ticket_rotate( mbedtls_ssl_ticket_context *ctx, ctx->ticket_lifetime = lifetime; memcpy( key->name, name, TICKET_KEY_NAME_BYTES ); #if defined(MBEDTLS_HAVE_TIME) - key->generation_time = (uint32_t) mbedtls_time( NULL ); + key->generation_time = mbedtls_time( NULL ); #endif return 0; } diff --git a/thirdparty/mbedtls/library/ssl_tls.c b/thirdparty/mbedtls/library/ssl_tls.c index e60b82fa5f7728..9bb9dc23cde94a 100644 --- a/thirdparty/mbedtls/library/ssl_tls.c +++ b/thirdparty/mbedtls/library/ssl_tls.c @@ -27,20 +27,13 @@ #include -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#define mbedtls_printf printf -#endif /* !MBEDTLS_PLATFORM_C */ #include "mbedtls/ssl.h" #include "ssl_client.h" #include "ssl_debug_helpers.h" #include "ssl_misc.h" + #include "mbedtls/debug.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" @@ -53,6 +46,7 @@ #include "mbedtls/psa_util.h" #include "psa/crypto.h" #endif +#include "mbedtls/legacy_or_psa.h" #if defined(MBEDTLS_X509_CRT_PARSE_C) #include "mbedtls/oid.h" @@ -241,10 +235,13 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, { mbedtls_ssl_session_free( dst ); memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); - #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) dst->ticket = NULL; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + dst->hostname = NULL; #endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -293,6 +290,18 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, memcpy( dst->ticket, src->ticket, src->ticket_len ); } + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( src->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + ret = mbedtls_ssl_session_set_hostname( dst, src->hostname ); + if( ret != 0 ) + return ( ret ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && + MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ return( 0 ); @@ -418,7 +427,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, unsigned endpoint, const mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_sha256( const unsigned char *secret, size_t slen, const char *label, @@ -427,9 +436,9 @@ static int tls_prf_sha256( const unsigned char *secret, size_t slen, static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * ); static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int ); -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_sha384( const unsigned char *secret, size_t slen, const char *label, @@ -438,26 +447,27 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen, static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * ); static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ -static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session, +static size_t ssl_tls12_session_save( const mbedtls_ssl_session *session, unsigned char *buf, size_t buf_len ); + MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_session_load_tls12( mbedtls_ssl_session *session, +static int ssl_tls12_session_load( mbedtls_ssl_session *session, const unsigned char *buf, size_t len ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t ); -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, const unsigned char *secret, size_t slen, @@ -470,16 +480,16 @@ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, switch( prf ) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_TLS_PRF_SHA384: tls_prf = tls_prf_sha384; break; -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_TLS_PRF_SHA256: tls_prf = tls_prf_sha256; break; -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ default: return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); @@ -511,17 +521,256 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) } #endif /* MBEDTLS_X509_CRT_PARSE_C */ +uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type ) +{ + switch( extension_type ) + { + case MBEDTLS_TLS_EXT_SERVERNAME: + return( MBEDTLS_SSL_EXT_ID_SERVERNAME ); + + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + return( MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH ); + + case MBEDTLS_TLS_EXT_STATUS_REQUEST: + return( MBEDTLS_SSL_EXT_ID_STATUS_REQUEST ); + + case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: + return( MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS ); + + case MBEDTLS_TLS_EXT_SIG_ALG: + return( MBEDTLS_SSL_EXT_ID_SIG_ALG ); + + case MBEDTLS_TLS_EXT_USE_SRTP: + return( MBEDTLS_SSL_EXT_ID_USE_SRTP ); + + case MBEDTLS_TLS_EXT_HEARTBEAT: + return( MBEDTLS_SSL_EXT_ID_HEARTBEAT ); + + case MBEDTLS_TLS_EXT_ALPN: + return( MBEDTLS_SSL_EXT_ID_ALPN ); + + case MBEDTLS_TLS_EXT_SCT: + return( MBEDTLS_SSL_EXT_ID_SCT ); + + case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: + return( MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: + return( MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_PADDING: + return( MBEDTLS_SSL_EXT_ID_PADDING ); + + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + return( MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY ); + + case MBEDTLS_TLS_EXT_EARLY_DATA: + return( MBEDTLS_SSL_EXT_ID_EARLY_DATA ); + + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + return( MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS ); + + case MBEDTLS_TLS_EXT_COOKIE: + return( MBEDTLS_SSL_EXT_ID_COOKIE ); + + case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: + return( MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES ); + + case MBEDTLS_TLS_EXT_CERT_AUTH: + return( MBEDTLS_SSL_EXT_ID_CERT_AUTH ); + + case MBEDTLS_TLS_EXT_OID_FILTERS: + return( MBEDTLS_SSL_EXT_ID_OID_FILTERS ); + + case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: + return( MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH ); + + case MBEDTLS_TLS_EXT_SIG_ALG_CERT: + return( MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT ); + + case MBEDTLS_TLS_EXT_KEY_SHARE: + return( MBEDTLS_SSL_EXT_ID_KEY_SHARE ); + + case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: + return( MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC ); + + case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: + return( MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS ); + + case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: + return( MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC ); + + case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: + return( MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET ); + + case MBEDTLS_TLS_EXT_SESSION_TICKET: + return( MBEDTLS_SSL_EXT_ID_SESSION_TICKET ); + + } + + return( MBEDTLS_SSL_EXT_ID_UNRECOGNIZED ); +} + +uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ) +{ + return( 1 << mbedtls_ssl_get_extension_id( extension_type ) ); +} + +#if defined(MBEDTLS_DEBUG_C) +static const char *extension_name_table[] = { + [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized", + [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name", + [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length", + [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request", + [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups", + [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms", + [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp", + [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat", + [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation", + [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp", + [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type", + [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type", + [MBEDTLS_SSL_EXT_ID_PADDING] = "padding", + [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key", + [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data", + [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions", + [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie", + [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes", + [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities", + [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters", + [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth", + [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert", + [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share", + [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac", + [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats", + [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac", + [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret", + [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket" +}; + +static unsigned int extension_type_table[]={ + [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, + [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, + [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, + [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST, + [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, + [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG, + [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP, + [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT, + [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN, + [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT, + [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE, + [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE, + [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING, + [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY, + [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA, + [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, + [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE, + [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, + [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH, + [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS, + [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH, + [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT, + [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE, + [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC, + [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, + [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, + [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, + [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET +}; + +const char *mbedtls_ssl_get_extension_name( unsigned int extension_type ) +{ + return( extension_name_table[ + mbedtls_ssl_get_extension_id( extension_type ) ] ); +} + +static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type ) +{ + switch( hs_msg_type ) + { + case MBEDTLS_SSL_HS_CLIENT_HELLO: + return( "ClientHello" ); + case MBEDTLS_SSL_HS_SERVER_HELLO: + return( "ServerHello" ); + case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: + return( "HelloRetryRequest" ); + case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: + return( "NewSessionTicket" ); + case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: + return( "EncryptedExtensions" ); + case MBEDTLS_SSL_HS_CERTIFICATE: + return( "Certificate" ); + case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: + return( "CertificateRequest" ); + } + return( "Unknown" ); +} + +void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, unsigned int extension_type, + const char *extra_msg0, const char *extra_msg1 ) +{ + const char *extra_msg; + if( extra_msg0 && extra_msg1 ) + { + mbedtls_debug_print_msg( + ssl, level, file, line, + "%s: %s(%u) extension %s %s.", + ssl_tls13_get_hs_msg_name( hs_msg_type ), + mbedtls_ssl_get_extension_name( extension_type ), + extension_type, + extra_msg0, extra_msg1 ); + return; + } + + extra_msg = extra_msg0 ? extra_msg0 : extra_msg1; + if( extra_msg ) + { + mbedtls_debug_print_msg( + ssl, level, file, line, + "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name( hs_msg_type ), + mbedtls_ssl_get_extension_name( extension_type ), extension_type, + extra_msg ); + return; + } + + mbedtls_debug_print_msg( + ssl, level, file, line, + "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name( hs_msg_type ), + mbedtls_ssl_get_extension_name( extension_type ), extension_type ); +} + +void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, uint32_t extensions_mask, + const char *extra ) +{ + + for( unsigned i = 0; + i < sizeof( extension_name_table ) / sizeof( extension_name_table[0] ); + i++ ) + { + mbedtls_ssl_print_extension( + ssl, level, file, line, hs_msg_type, extension_type_table[i], + extensions_mask & ( 1 << i ) ? "exists" : "does not exist", extra ); + } +} + +#endif /* MBEDTLS_DEBUG_C */ + void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) { ((void) ciphersuite_info); -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) ssl->handshake->update_checksum = ssl_update_checksum_sha384; else #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) ssl->handshake->update_checksum = ssl_update_checksum_sha256; else @@ -532,9 +781,9 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, } } -static void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - size_t total_hs_len ) +void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + size_t total_hs_len ) { unsigned char hs_hdr[4]; @@ -559,7 +808,7 @@ void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) { ((void) ssl); -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_abort( &ssl->handshake->fin_sha256_psa ); psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); @@ -567,12 +816,12 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); #endif #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_abort( &ssl->handshake->fin_sha384_psa ); psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); #else - mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); + mbedtls_sha512_starts( &ssl->handshake->fin_sha384, 1 ); #endif #endif } @@ -580,23 +829,29 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); #else mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); #endif #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len ); #else - mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); + mbedtls_sha512_update( &ssl->handshake->fin_sha384, buf, len ); +#endif #endif +#if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ssl; + (void) buf; + (void) len; #endif } -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { @@ -608,14 +863,14 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, } #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len ); #else - mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); + mbedtls_sha512_update( &ssl->handshake->fin_sha384, buf, len ); #endif } #endif @@ -624,7 +879,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) { memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) handshake->fin_sha256_psa = psa_hash_operation_init(); psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); @@ -633,13 +888,13 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) mbedtls_sha256_starts( &handshake->fin_sha256, 0 ); #endif #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) handshake->fin_sha384_psa = psa_hash_operation_init(); psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); #else - mbedtls_sha512_init( &handshake->fin_sha512 ); - mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); + mbedtls_sha512_init( &handshake->fin_sha384 ); + mbedtls_sha512_starts( &handshake->fin_sha384, 1 ); #endif #endif @@ -652,7 +907,12 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) mbedtls_ecdh_init( &handshake->ecdh_ctx ); #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->psa_pake_ctx = psa_pake_operation_init(); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) handshake->ecjpake_cache = NULL; handshake->ecjpake_cache_len = 0; @@ -760,6 +1020,13 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) mbedtls_ssl_transform_init( ssl->transform_negotiate ); ssl_handshake_params_init( ssl->handshake ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SRV_C) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) + ssl->handshake->new_session_tickets_count = + ssl->conf->new_session_tickets_count ; +#endif + #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { @@ -820,7 +1087,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* Heap allocate and translate sig_hashes from internal hash identifiers to @@ -886,7 +1153,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl->handshake->sig_algs_heap_allocated = 0; } #endif /* !MBEDTLS_DEPRECATED_REMOVED */ -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ return( 0 ); } @@ -989,6 +1256,30 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl) if( ret != 0 ) return( ret ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + /* RFC 8446 section 4.4.3 + * + * If the verification fails, the receiver MUST terminate the handshake with + * a "decrypt_error" alert. + * + * If the client is configured as TLS 1.3 only with optional verify, return + * bad config. + * + */ + if( mbedtls_ssl_conf_tls13_ephemeral_enabled( + (mbedtls_ssl_context *)ssl ) && + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && + ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && + ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && + ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + { + MBEDTLS_SSL_DEBUG_MSG( + 1, ( "Optional verify auth mode " + "is not available for TLS 1.3 client" ) ); + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + /* Space for further checks */ return( 0 ); @@ -1156,9 +1447,11 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, if( ssl->handshake != NULL ) { +#if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata ); mbedtls_free( ssl->handshake->transform_earlydata ); ssl->handshake->transform_earlydata = NULL; +#endif mbedtls_ssl_transform_free( ssl->handshake->transform_handshake ); mbedtls_free( ssl->handshake->transform_handshake ); @@ -1201,9 +1494,11 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) #endif #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) + int free_cli_id = 1; #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) - if( partial == 0 ) + free_cli_id = ( partial == 0 ); #endif + if( free_cli_id ) { mbedtls_free( ssl->cli_id ); ssl->cli_id = NULL; @@ -1363,6 +1658,23 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session if( ssl->handshake->resume == 1 ) return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + if( session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) + { + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_from_id( session->ciphersuite ); + + if( mbedtls_ssl_validate_ciphersuite( + ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3, + MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not a valid TLS 1.3 ciphersuite.", + session->ciphersuite ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) return( ret ); @@ -1385,6 +1697,23 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf, { conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; } + +#if defined(MBEDTLS_SSL_EARLY_DATA) +void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, + int early_data_enabled ) +{ + conf->early_data_enabled = early_data_enabled; +} + +#if defined(MBEDTLS_SSL_SRV_C) +void mbedtls_ssl_tls13_conf_max_early_data_size( + mbedtls_ssl_config *conf, uint32_t max_early_data_size ) +{ + conf->max_early_data_size = max_early_data_size; +} +#endif /* MBEDTLS_SSL_SRV_C */ + +#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -1537,6 +1866,73 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, /* * Set EC J-PAKE password for current handshake */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, + const unsigned char *pw, + size_t pw_len ) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_pake_role_t psa_role; + psa_status_t status; + + if( ssl->handshake == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + psa_role = PSA_PAKE_ROLE_SERVER; + else + psa_role = PSA_PAKE_ROLE_CLIENT; + + /* Empty password is not valid */ + if( ( pw == NULL) || ( pw_len == 0 ) ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + + status = psa_import_key( &attributes, pw, pw_len, + &ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); + psa_pake_cs_set_primitive( &cipher_suite, + PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, + 256) ); + psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 ); + + status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, + ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + ssl->handshake->psa_pake_ctx_is_ok = 1; + + return( 0 ); +} +#else /* MBEDTLS_USE_PSA_CRYPTO */ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ) @@ -1557,18 +1953,24 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf ) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) { + if( conf->psk_identity == NULL || + conf->psk_identity_len == 0 ) + { + return( 0 ); + } + #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) + if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) return( 1 ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ - if( conf->psk != NULL ) + + if( conf->psk != NULL && conf->psk_len != 0 ) return( 1 ); return( 0 ); @@ -1614,6 +2016,7 @@ static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf, { /* Identity len will be encoded on two bytes */ if( psk_identity == NULL || + psk_identity_len == 0 || ( psk_identity_len >> 16 ) != 0 || psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) { @@ -1637,7 +2040,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* We currently only support one PSK, raw or opaque. */ - if( ssl_conf_psk_is_configured( conf ) ) + if( mbedtls_ssl_conf_has_static_psk( conf ) ) return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); /* Check and set raw PSK */ @@ -1691,9 +2094,9 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_attributes_t key_attributes = psa_key_attributes_init(); - psa_status_t status; - psa_algorithm_t alg; - mbedtls_svc_key_id_t key; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_algorithm_t alg = PSA_ALG_NONE; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ if( psk == NULL || ssl->handshake == NULL ) @@ -1705,12 +2108,26 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, ssl_remove_psk( ssl ); #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) - alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); - else - alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 ) + { + if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) + alg = PSA_ALG_TLS12_PSK_TO_MS( PSA_ALG_SHA_384 ); + else + alg = PSA_ALG_TLS12_PSK_TO_MS( PSA_ALG_SHA_256 ); + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) + { + alg = PSA_ALG_HKDF_EXTRACT( PSA_ALG_ANY_HASH ); + psa_set_key_usage_flags( &key_attributes, + PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); psa_set_key_algorithm( &key_attributes, alg ); psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); @@ -1741,7 +2158,7 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* We currently only support one PSK, raw or opaque. */ - if( ssl_conf_psk_is_configured( conf ) ) + if( mbedtls_ssl_conf_has_static_psk( conf ) ) return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); /* Check and set opaque PSK */ @@ -1771,6 +2188,7 @@ int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_SSL_SRV_C) void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), @@ -1779,7 +2197,9 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, conf->f_psk = f_psk; conf->p_psk = p_psk; } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_SRV_C */ + +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ #if defined(MBEDTLS_USE_PSA_CRYPTO) static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( @@ -1876,15 +2296,263 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( mbedtls_ssl_get_base_mode( mbedtls_cipher_info_get_mode( cipher ) ); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + +#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + int encrypt_then_mac = 0; +#endif + return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) ); +} + +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +/* Serialization of TLS 1.3 sessions: + * + * struct { + * opaque hostname<0..2^16-1>; + * uint64 ticket_received; + * uint32 ticket_lifetime; + * opaque ticket<1..2^16-1>; + * } ClientOnlyData; + * + * struct { + * uint8 endpoint; + * uint8 ciphersuite[2]; + * uint32 ticket_age_add; + * uint8 ticket_flags; + * opaque resumption_key<0..255>; + * select ( endpoint ) { + * case client: ClientOnlyData; + * case server: uint64 start_time; + * }; + * } serialized_session_tls13; + * + */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_session_save( const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len, + size_t *olen ) +{ + unsigned char *p = buf; +#if defined(MBEDTLS_SSL_CLI_C) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + size_t hostname_len = ( session->hostname == NULL ) ? + 0 : strlen( session->hostname ) + 1; +#endif + size_t needed = 1 /* endpoint */ + + 2 /* ciphersuite */ + + 4 /* ticket_age_add */ + + 1 /* ticket_flags */ + + 1; /* resumption_key length */ + *olen = 0; + + if( session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + needed += session->resumption_key_len; /* resumption_key */ + +#if defined(MBEDTLS_HAVE_TIME) + needed += 8; /* start_time or ticket_received */ +#endif + +#if defined(MBEDTLS_SSL_CLI_C) + if( session->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + needed += 2 /* hostname_len */ + + hostname_len; /* hostname */ +#endif + + needed += 4 /* ticket_lifetime */ + + 2; /* ticket_len */ + + /* Check size_t overflow */ + if( session->ticket_len > SIZE_MAX - needed ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + needed += session->ticket_len; /* ticket */ + } +#endif /* MBEDTLS_SSL_CLI_C */ + + *olen = needed; + if( needed > buf_len ) + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + + p[0] = session->endpoint; + MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 1 ); + MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 3 ); + p[7] = session->ticket_flags; + + /* save resumption_key */ + p[8] = session->resumption_key_len; + p += 9; + memcpy( p, session->resumption_key, session->resumption_key_len ); + p += session->resumption_key_len; + +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if( session->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + MBEDTLS_PUT_UINT64_BE( (uint64_t) session->start, p, 0 ); + p += 8; + } +#endif /* MBEDTLS_HAVE_TIME */ + +#if defined(MBEDTLS_SSL_CLI_C) + if( session->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 ); + p += 2; + if( hostname_len > 0 ) + { + /* save host name */ + memcpy( p, session->hostname, hostname_len ); + p += hostname_len; + } +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + +#if defined(MBEDTLS_HAVE_TIME) + MBEDTLS_PUT_UINT64_BE( (uint64_t) session->ticket_received, p, 0 ); + p += 8; +#endif + MBEDTLS_PUT_UINT32_BE( session->ticket_lifetime, p, 0 ); + p += 4; + + MBEDTLS_PUT_UINT16_BE( session->ticket_len, p, 0 ); + p += 2; + + if( session->ticket != NULL && session->ticket_len > 0 ) + { + memcpy( p, session->ticket, session->ticket_len ); + p += session->ticket_len; + } + } +#endif /* MBEDTLS_SSL_CLI_C */ + return( 0 ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_session_load( mbedtls_ssl_session *session, + const unsigned char *buf, + size_t len ) +{ + const unsigned char *p = buf; + const unsigned char *end = buf + len; + + if( end - p < 9 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + session->endpoint = p[0]; + session->ciphersuite = MBEDTLS_GET_UINT16_BE( p, 1 ); + session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 3 ); + session->ticket_flags = p[7]; + + /* load resumption_key */ + session->resumption_key_len = p[8]; + p += 9; + + if( end - p < session->resumption_key_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + if( sizeof( session->resumption_key ) < session->resumption_key_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + memcpy( session->resumption_key, p, session->resumption_key_len ); + p += session->resumption_key_len; + +#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) + if( session->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + if( end - p < 8 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + session->start = MBEDTLS_GET_UINT64_BE( p, 0 ); + p += 8; + } +#endif /* MBEDTLS_HAVE_TIME */ + +#if defined(MBEDTLS_SSL_CLI_C) + if( session->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) + size_t hostname_len; + /* load host name */ + if( end - p < 2 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + hostname_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + + if( end - p < ( long int )hostname_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + if( hostname_len > 0 ) + { + session->hostname = mbedtls_calloc( 1, hostname_len ); + if( session->hostname == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + memcpy( session->hostname, p, hostname_len ); + p += hostname_len; + } +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && + MBEDTLS_SSL_SESSION_TICKETS */ + +#if defined(MBEDTLS_HAVE_TIME) + if( end - p < 8 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + session->ticket_received = MBEDTLS_GET_UINT64_BE( p, 0 ); + p += 8; +#endif + if( end - p < 4 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 ); + p += 4; + + if( end - p < 2 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + session->ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + + if( end - p < ( long int )session->ticket_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + if( session->ticket_len > 0 ) + { + session->ticket = mbedtls_calloc( 1, session->ticket_len ); + if( session->ticket == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + memcpy( session->ticket, p, session->ticket_len ); + p += session->ticket_len; + } + } +#endif /* MBEDTLS_SSL_CLI_C */ -#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) - int encrypt_then_mac = 0; -#endif - return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) ); + return( 0 ); + +} +#else /* MBEDTLS_SSL_SESSION_TICKETS */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_session_save( const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len, + size_t *olen ) +{ + ((void) session); + ((void) buf); + ((void) buf_len); + *olen = 0; + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +static int ssl_tls13_session_load( const mbedtls_ssl_session *session, + unsigned char *buf, + size_t buf_len ) +{ + ((void) session); + ((void) buf); + ((void) buf_len); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} +#endif /* !MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type, size_t taglen, psa_algorithm_t *alg, @@ -2084,7 +2752,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) /* * Set allowed/preferred hashes for handshake signatures @@ -2105,7 +2773,7 @@ void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf, #endif /* !MBEDTLS_DEPRECATED_REMOVED */ conf->sig_algs = sig_algs; } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) #if !defined(MBEDTLS_DEPRECATED_REMOVED) @@ -2309,6 +2977,7 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss } #endif /* MBEDTLS_SSL_DTLS_SRTP */ +#if !defined(MBEDTLS_DEPRECATED_REMOVED) void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) { conf->max_tls_version = (major << 8) | minor; @@ -2318,6 +2987,7 @@ void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int mino { conf->min_tls_version = (major << 8) | minor; } +#endif /* MBEDTLS_DEPRECATED_REMOVED */ #if defined(MBEDTLS_SSL_SRV_C) void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, @@ -2388,6 +3058,15 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets #endif #if defined(MBEDTLS_SSL_SRV_C) + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +void mbedtls_ssl_conf_new_session_tickets( mbedtls_ssl_config *conf, + uint16_t num_tickets ) +{ + conf->new_session_tickets_count = num_tickets; +} +#endif + void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, mbedtls_ssl_ticket_write_t *f_ticket_write, mbedtls_ssl_ticket_parse_t *f_ticket_parse, @@ -2811,13 +3490,19 @@ static int ssl_session_save( const mbedtls_ssl_session *session, { unsigned char *p = buf; size_t used = 0; + size_t remaining_len; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + size_t out_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif + if( session == NULL ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); if( !omit_header ) { /* * Add Mbed TLS version identifier */ - used += sizeof( ssl_serialized_session_header ); if( used <= buf_len ) @@ -2838,17 +3523,24 @@ static int ssl_session_save( const mbedtls_ssl_session *session, } /* Forward to version-specific serialization routine. */ + remaining_len = (buf_len >= used) ? buf_len - used : 0; switch( session->tls_version ) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case MBEDTLS_SSL_VERSION_TLS1_2: - { - size_t remaining_len = used <= buf_len ? buf_len - used : 0; - used += ssl_session_save_tls12( session, p, remaining_len ); + used += ssl_tls12_session_save( session, p, remaining_len ); break; - } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case MBEDTLS_SSL_VERSION_TLS1_3: + ret = ssl_tls13_session_save( session, p, remaining_len, &out_len ); + if( ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ) + return( ret ); + used += out_len; + break; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + default: return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } @@ -2885,6 +3577,11 @@ static int ssl_session_load( mbedtls_ssl_session *session, { const unsigned char *p = buf; const unsigned char * const end = buf + len; + size_t remaining_len; + + + if( session == NULL ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); if( !omit_header ) { @@ -2911,16 +3608,19 @@ static int ssl_session_load( mbedtls_ssl_session *session, session->tls_version = 0x0300 | *p++; /* Dispatch according to TLS version. */ + remaining_len = ( end - p ); switch( session->tls_version ) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case MBEDTLS_SSL_VERSION_TLS1_2: - { - size_t remaining_len = ( end - p ); - return( ssl_session_load_tls12( session, p, remaining_len ) ); - } + return( ssl_tls12_session_load( session, p, remaining_len ) ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case MBEDTLS_SSL_VERSION_TLS1_3: + return( ssl_tls13_session_load( session, p, remaining_len ) ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + default: return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -2986,7 +3686,7 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ssl == NULL || ssl->conf == NULL || ssl->handshake == NULL || - mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -2999,6 +3699,10 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ret != 0 ) goto cleanup; + /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or + * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ + ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { @@ -3009,6 +3713,7 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) { case MBEDTLS_SSL_HELLO_REQUEST: ssl->state = MBEDTLS_SSL_CLIENT_HELLO; + ret = 0; break; case MBEDTLS_SSL_CLIENT_HELLO: @@ -3085,7 +3790,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); /* Main handshake loop */ - while( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { ret = mbedtls_ssl_handshake_step( ssl ); @@ -3244,7 +3949,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) if ( ssl->handshake->sig_algs_heap_allocated ) mbedtls_free( (void*) handshake->sig_algs ); @@ -3256,7 +3961,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_free( (void*) handshake->certificate_request_context ); } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 ) @@ -3266,18 +3971,18 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_abort( &handshake->fin_sha256_psa ); #else mbedtls_sha256_free( &handshake->fin_sha256 ); #endif #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_abort( &handshake->fin_sha384_psa ); #else - mbedtls_sha512_free( &handshake->fin_sha512 ); + mbedtls_sha512_free( &handshake->fin_sha384 ); #endif #endif @@ -3287,8 +3992,15 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif + #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_abort( &handshake->psa_pake_ctx ); + psa_destroy_key( handshake->psa_pake_password ); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) mbedtls_free( handshake->ecjpake_cache ); handshake->ecjpake_cache = NULL; @@ -3302,7 +4014,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_free( (void *) handshake->curves ); #endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) { @@ -3322,7 +4034,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_free( handshake->psk ); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) @@ -3366,9 +4078,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_transform_free( handshake->transform_handshake ); + mbedtls_free( handshake->transform_handshake ); +#if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_transform_free( handshake->transform_earlydata ); mbedtls_free( handshake->transform_earlydata ); - mbedtls_free( handshake->transform_handshake ); +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ @@ -3396,6 +4110,10 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + mbedtls_free( session->hostname ); +#endif mbedtls_free( session->ticket ); #endif @@ -3532,7 +4250,7 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - /* Protocol must be DLTS, not TLS */ + /* Protocol must be DTLS, not TLS */ if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) ); @@ -3711,6 +4429,9 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, const unsigned char * const end = buf + len; size_t session_len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + tls_prf_fn prf_func = NULL; +#endif /* * The context should have been freshly setup or reset. @@ -3796,17 +4517,22 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, ssl->transform_out = ssl->transform; ssl->transform_negotiate = NULL; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + prf_func = ssl_tls12prf_from_cs( ssl->session->ciphersuite ); + if( prf_func == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + /* Read random bytes and populate structure */ if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + ret = ssl_tls12_populate_transform( ssl->transform, ssl->session->ciphersuite, ssl->session->master, #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) ssl->session->encrypt_then_mac, #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ - ssl_tls12prf_from_cs( ssl->session->ciphersuite ), + prf_func, p, /* currently pointing to randbytes */ MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ ssl->conf->endpoint, @@ -4110,122 +4836,124 @@ static int ssl_preset_suiteb_ciphersuites[] = { 0 }; -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) /* NOTICE: * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following * rules SHOULD be upheld. * - No duplicate entries. * - But if there is a good reason, do not change the order of the algorithms. - * - ssl_tls12_present* is for TLS 1.2 use only. + * - ssl_tls12_preset* is for TLS 1.2 use only. * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. - * - * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate - * declaring an RSA public key and Mbed TLS is configured in hybrid mode, if - * `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then - * the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm - * for its signature in the key exchange message. As Mbed TLS 1.2 does not - * support them, the handshake fails. */ static uint16_t ssl_preset_default_sig_algs[] = { -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C) && \ +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, -#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA256_C && +#endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA384_C) && \ +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, -#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C && +#endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& MBEDTLS_ECP_DP_SECP384R1_ENABLED */ -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA512_C) && \ +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, -#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C && +#endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& MBEDTLS_ECP_DP_SECP521R1_ENABLED */ -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ + +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ + +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ + +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */ -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */ - -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA384_C) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA384_C */ - -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C) - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */ - MBEDTLS_TLS_SIG_NONE }; /* NOTICE: see above */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) static uint16_t ssl_tls12_preset_default_sig_algs[] = { -#if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_ECDSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ), #endif +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #if defined(MBEDTLS_RSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512 ), #endif -#endif /* MBEDTLS_SHA512_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_ECDSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ), #endif +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #if defined(MBEDTLS_RSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ), #endif -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA256_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_ECDSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ), #endif +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #if defined(MBEDTLS_RSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ), #endif -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ MBEDTLS_TLS_SIG_NONE }; #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* NOTICE: see above */ static uint16_t ssl_preset_suiteb_sig_algs[] = { -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C) && \ +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, -#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA256_C && +#endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& MBEDTLS_ECP_DP_SECP256R1_ENABLED */ -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA384_C) && \ +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, -#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C && +#endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& MBEDTLS_ECP_DP_SECP384R1_ENABLED */ -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, -#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_RSA_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ MBEDTLS_TLS_SIG_NONE }; @@ -4233,27 +4961,27 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = { /* NOTICE: see above */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_ECDSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ), #endif #if defined(MBEDTLS_RSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ), #endif -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_ECDSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ), #endif #if defined(MBEDTLS_RSA_C) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ), #endif -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ MBEDTLS_TLS_SIG_NONE }; #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ static uint16_t ssl_preset_suiteb_groups[] = { #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) @@ -4265,7 +4993,7 @@ static uint16_t ssl_preset_suiteb_groups[] = { MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; -#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` * to make sure there are no duplicated signature algorithm entries. */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -4289,7 +5017,7 @@ static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs ) return( ret ); } -#endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ /* * Load default in mbedtls_ssl_config @@ -4301,7 +5029,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #endif -#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) if( ssl_check_no_sig_alg_duplication( ssl_preset_suiteb_sig_algs ) ) { mbedtls_printf( "ssl_preset_suiteb_sig_algs has duplicated entries\n" ); @@ -4327,7 +5055,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ /* Use the functions here so that they are covered in tests, * but otherwise access member directly for efficiency */ @@ -4398,6 +5126,19 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) + +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_tls13_conf_early_data( conf, MBEDTLS_SSL_EARLY_DATA_DISABLED ); +#if defined(MBEDTLS_SSL_SRV_C) + mbedtls_ssl_tls13_conf_max_early_data_size( + conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE ); +#endif +#endif /* MBEDTLS_SSL_EARLY_DATA */ + +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_conf_new_session_tickets( + conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS ); +#endif /* * Allow all TLS 1.3 key exchange modes by default. */ @@ -4454,14 +5195,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( mbedtls_ssl_conf_is_tls12_only( conf ) ) conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs; else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ conf->sig_algs = ssl_preset_suiteb_sig_algs; -#endif +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) conf->curve_list = NULL; @@ -4480,14 +5221,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_default; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( mbedtls_ssl_conf_is_tls12_only( conf ) ) conf->sig_algs = ssl_tls12_preset_default_sig_algs; else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ conf->sig_algs = ssl_preset_default_sig_algs; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) conf->curve_list = NULL; @@ -4512,7 +5253,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) mbedtls_mpi_free( &conf->dhm_G ); #endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) { @@ -4534,7 +5275,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) conf->psk_identity = NULL; conf->psk_identity_len = 0; } -#endif +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) ssl_key_cert_free( conf->key_cert ); @@ -4599,27 +5340,27 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) { switch( hash ) { -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_MD5: return( MBEDTLS_MD_MD5 ); #endif -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA1: return( MBEDTLS_MD_SHA1 ); #endif -#if defined(MBEDTLS_SHA224_C) +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA224: return( MBEDTLS_MD_SHA224 ); #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA256: return( MBEDTLS_MD_SHA256 ); #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA384: return( MBEDTLS_MD_SHA384 ); #endif -#if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA512: return( MBEDTLS_MD_SHA512 ); #endif @@ -4635,27 +5376,27 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ) { switch( md ) { -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_MD5: return( MBEDTLS_SSL_HASH_MD5 ); #endif -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA1: return( MBEDTLS_SSL_HASH_SHA1 ); #endif -#if defined(MBEDTLS_SHA224_C) +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA224: return( MBEDTLS_SSL_HASH_SHA224 ); #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA256: return( MBEDTLS_SSL_HASH_SHA256 ); #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA384: return( MBEDTLS_SSL_HASH_SHA384 ); #endif -#if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA512: return( MBEDTLS_SSL_HASH_SHA512 ); #endif @@ -4690,7 +5431,14 @@ int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls */ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) { - uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id( grp_id )->tls_id; + const mbedtls_ecp_curve_info *grp_info = + mbedtls_ecp_curve_info_from_grp_id( grp_id ); + + if ( grp_info == NULL ) + return -1; + + uint16_t tls_id = grp_info->tls_id; + return mbedtls_ssl_check_curve_tls_id( ssl, tls_id ); } #endif /* MBEDTLS_ECP_C */ @@ -4784,13 +5532,13 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, switch( md ) { -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA384: hash_operation_to_clone = &ssl->handshake->fin_sha384_psa; break; #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA256: hash_operation_to_clone = &ssl->handshake->fin_sha256_psa; break; @@ -4809,11 +5557,15 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, goto exit; exit: +#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ssl; +#endif return( psa_ssl_status_to_mbedtls( status ) ); } #else /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl, unsigned char *dst, @@ -4827,7 +5579,7 @@ static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); mbedtls_sha512_init( &sha512 ); - mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha384 ); if( ( ret = mbedtls_sha512_finish( &sha512, dst ) ) != 0 ) { @@ -4842,9 +5594,9 @@ static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl, mbedtls_sha512_free( &sha512 ); return( ret ); } -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl, unsigned char *dst, @@ -4873,7 +5625,7 @@ static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl, mbedtls_sha256_free( &sha256 ); return( ret ); } -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, const mbedtls_md_type_t md, @@ -4884,17 +5636,24 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, switch( md ) { -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA384: return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ); -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_MD_SHA256: return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ); -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ default: +#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ssl; + (void) dst; + (void) dst_len; + (void) olen; +#endif break; } return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -4902,7 +5661,7 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, #endif /* !MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) /* mbedtls_ssl_parse_sig_alg_ext() * * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` @@ -5010,7 +5769,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) @@ -5081,6 +5840,8 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de return( PSA_SUCCESS ); } +#if defined(PSA_WANT_ALG_SHA_384) || \ + defined(PSA_WANT_ALG_SHA_256) MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_generic( mbedtls_md_type_t md_type, const unsigned char *secret, size_t slen, @@ -5155,9 +5916,12 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, return( 0 ); } - +#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */ #else /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_MD_C) && \ + ( defined(MBEDTLS_SHA256_C) || \ + defined(MBEDTLS_SHA384_C) ) MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_generic( mbedtls_md_type_t md_type, const unsigned char *secret, size_t slen, @@ -5241,16 +6005,19 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, exit: mbedtls_md_free( &md_ctx ); - mbedtls_platform_zeroize( tmp, tmp_len ); + if ( tmp != NULL ) + mbedtls_platform_zeroize( tmp, tmp_len ); + mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); mbedtls_free( tmp ); return( ret ); } +#endif /* MBEDTLS_MD_C && ( MBEDTLS_SHA256_C || MBEDTLS_SHA384_C ) */ #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_sha256( const unsigned char *secret, size_t slen, const char *label, @@ -5260,9 +6027,9 @@ static int tls_prf_sha256( const unsigned char *secret, size_t slen, return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen, label, random, rlen, dstbuf, dlen ) ); } -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_sha384( const unsigned char *secret, size_t slen, const char *label, @@ -5272,7 +6039,7 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen, return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen, label, random, rlen, dstbuf, dlen ) ); } -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ /* * Set appropriate PRF function and other SSL / TLS1.2 functions @@ -5287,7 +6054,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake, mbedtls_md_type_t hash ) { -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) if( hash == MBEDTLS_MD_SHA384 ) { handshake->tls_prf = tls_prf_sha384; @@ -5296,7 +6063,7 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake, } else #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) { (void) hash; handshake->tls_prf = tls_prf_sha256; @@ -5458,6 +6225,55 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, else #endif { +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + psa_status_t status; + psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; + psa_key_derivation_operation_t derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PMS KDF for ECJPAKE" ) ); + + handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; + + status = psa_key_derivation_setup( &derivation, alg ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_key_derivation_set_capacity( &derivation, + PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_get_implicit_key( &handshake->psa_pake_ctx, + &derivation ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_output_bytes( &derivation, + handshake->premaster, + handshake->pmslen ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_abort( &derivation ); + if( status != PSA_SUCCESS ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } +#endif ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, lbl, seed, seed_len, master, @@ -5548,12 +6364,12 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) { switch( md ) { -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA384: ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; break; #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) case MBEDTLS_SSL_HASH_SHA256: ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; break; @@ -5561,11 +6377,14 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) default: return( -1 ); } - +#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ssl; +#endif return( 0 ); } -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hlen ) @@ -5612,9 +6431,9 @@ void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl, #endif /* MBEDTLS_USE_PSA_CRYPTO */ return; } -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hlen ) @@ -5649,7 +6468,7 @@ void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); - mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha384 ); mbedtls_sha512_finish( &sha512, hash ); *hlen = 48; @@ -5661,7 +6480,7 @@ void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl, #endif /* MBEDTLS_USE_PSA_CRYPTO */ return; } -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) @@ -6333,14 +7152,27 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, /* If certificate uses an EC key, make sure the curve is OK. * This is a public key, so it can't be opaque, so can_do() is a good * enough check to ensure pk_ec() is safe to use here. */ - if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && - mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) + if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) ) { - ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; + /* and in the unlikely case the above assumption no longer holds + * we are making sure that pk_ec() here does not return a NULL + */ + const mbedtls_ecp_keypair *ec = mbedtls_pk_ec( *pk ); + if( ec == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_pk_ec() returned NULL" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + if( mbedtls_ssl_check_curve( ssl, ec->grp.id ) != 0 ) + { + ssl->session_negotiate->verify_result |= + MBEDTLS_X509_BADCERT_BAD_KEY; - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); - if( ret == 0 ) - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); + if( ret == 0 ) + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } } } #endif /* MBEDTLS_ECP_C */ @@ -6626,7 +7458,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *ssl, unsigned char *buf, int from ) { @@ -6700,11 +7532,10 @@ static void ssl_calc_finished_tls_sha256( MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); } -#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ -#if defined(MBEDTLS_SHA384_C) - +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *ssl, unsigned char *buf, int from ) { @@ -6751,7 +7582,7 @@ static void ssl_calc_finished_tls_sha384( MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); - mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha384 ); /* * TLSv1.2: @@ -6777,7 +7608,7 @@ static void ssl_calc_finished_tls_sha384( MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); } -#endif /* MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) { @@ -6864,7 +7695,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) #endif mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); - ssl->state++; + ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); } @@ -7070,30 +7901,39 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) */ static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id ) { -#if defined(MBEDTLS_SHA384_C) const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = - mbedtls_ssl_ciphersuite_from_id( ciphersuite_id ); - - if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) + mbedtls_ssl_ciphersuite_from_id( ciphersuite_id ); +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) return( tls_prf_sha384 ); -#else - (void) ciphersuite_id; + else +#endif +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + { + if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256 ) + return( tls_prf_sha256 ); + } #endif - return( tls_prf_sha256 ); +#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ciphersuite_info; +#endif + + return( NULL ); } #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) { ((void) tls_prf); -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) if( tls_prf == tls_prf_sha384 ) { return( MBEDTLS_SSL_TLS_PRF_SHA384 ); } else #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) if( tls_prf == tls_prf_sha256 ) { return( MBEDTLS_SSL_TLS_PRF_SHA256 ); @@ -7114,7 +7954,6 @@ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) * - [in] ciphersuite * - [in] master * - [in] encrypt_then_mac - * - [in] compression * - [in] tls_prf: pointer to PRF to use for key derivation * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random * - [in] tls_version: TLS version @@ -7235,10 +8074,10 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_USE_PSA_CRYPTO) - mac_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); + mac_alg = mbedtls_hash_info_psa_from_md( ciphersuite_info->mac ); if( mac_alg == 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_psa_translate_md for %u not found", + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_info_psa_from_md for %u not found", (unsigned) ciphersuite_info->mac ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -7317,11 +8156,16 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, * sequence number). */ transform->ivlen = 12; + + int is_chachapoly = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( key_type == PSA_KEY_TYPE_CHACHA20 ) + is_chachapoly = ( key_type == PSA_KEY_TYPE_CHACHA20 ); #else - if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY ) + is_chachapoly = ( mbedtls_cipher_info_get_mode( cipher_info ) + == MBEDTLS_MODE_CHACHAPOLY ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ + + if( is_chachapoly ) transform->fixed_ivlen = 12; else transform->fixed_ivlen = 4; @@ -7575,8 +8419,11 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, } if( ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) || - ( ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) && - ( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ) ) ) + ( ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + && ( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ) +#endif + ) ) /* mbedtls_ct_hmac() requires the key to be exportable */ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_VERIFY_HASH ); @@ -7610,6 +8457,99 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, return( ret ); } +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_psa_ecjpake_read_round( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, mbedtls_ecjpake_rounds_t round ) +{ + psa_status_t status; + size_t input_offset = 0; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; + + for( ; remaining_steps > 0; remaining_steps-- ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + } + + status = psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + } + + if( input_offset != len ) + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + + return( 0 ); +} + +int mbedtls_psa_ecjpake_write_round( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; + + for( ; remaining_steps > 0; remaining_steps-- ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step ) + { + /* + * For each step, prepend 1 byte with the length of the data as + * given by psa_pake_output(). + */ + status = psa_pake_output( pake_ctx, step, + buf + output_offset + 1, + len - output_offset - 1, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + *(buf + output_offset) = (uint8_t) output_len; + + output_offset += output_len + 1; + } + } + + *olen = output_offset; + + return( 0 ); +} +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO + #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, @@ -7618,7 +8558,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, { psa_status_t status; psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; - psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg ); + psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md( md_alg ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) ); @@ -7759,7 +8699,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( if( ssl->handshake->key_cert && ssl->handshake->key_cert->key ) { psa_algorithm_t psa_hash_alg = - mbedtls_psa_translate_md( hash_alg_received ); + mbedtls_hash_info_psa_from_md( hash_alg_received ); if( sig_alg_received == MBEDTLS_SSL_SIG_ECDSA && ! mbedtls_pk_can_do_ext( ssl->handshake->key_cert->key, @@ -7790,7 +8730,6 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( * struct { * uint64 start_time; * uint8 ciphersuite[2]; // defined by the standard - * uint8 compression; // 0 or 1 * uint8 session_id_len; // at most 32 * opaque session_id[32]; * opaque master[48]; // fixed length in the standard @@ -7803,7 +8742,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( * } serialized_session_tls12; * */ -static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session, +static size_t ssl_tls12_session_save( const mbedtls_ssl_session *session, unsigned char *buf, size_t buf_len ) { @@ -7838,7 +8777,6 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session, * Basic mandatory fields */ used += 2 /* ciphersuite */ - + 1 /* compression */ + 1 /* id_len */ + sizeof( session->id ) + sizeof( session->master ) @@ -7849,8 +8787,6 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session, MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 0 ); p += 2; - *p++ = MBEDTLS_BYTE_0( session->compression ); - *p++ = MBEDTLS_BYTE_0( session->id_len ); memcpy( p, session->id, 32 ); p += 32; @@ -7955,7 +8891,7 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session, } MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_session_load_tls12( mbedtls_ssl_session *session, +static int ssl_tls12_session_load( mbedtls_ssl_session *session, const unsigned char *buf, size_t len ) { @@ -7994,14 +8930,12 @@ static int ssl_session_load_tls12( mbedtls_ssl_session *session, /* * Basic mandatory fields */ - if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) ) + if( 2 + 1 + 32 + 48 + 4 > (size_t)( end - p ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); session->ciphersuite = ( p[0] << 8 ) | p[1]; p += 2; - session->compression = *p++; - session->id_len = *p++; memcpy( session->id, p, 32 ); p += 32; @@ -8174,8 +9108,13 @@ int mbedtls_ssl_validate_ciphersuite( #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { return( -1 ); } @@ -8194,7 +9133,7 @@ int mbedtls_ssl_validate_ciphersuite( return( 0 ); } -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) /* * Function for writing a signature algorithm extension. * @@ -8293,11 +9232,12 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, *out_len = p - buf; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SIG_ALG ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /* @@ -8493,8 +9433,63 @@ int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl, p[6] = MBEDTLS_BYTE_0( protocol_name_len ); memcpy( p + 7, ssl->alpn_chosen, protocol_name_len ); + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN ); +#endif + return ( 0 ); } #endif /* MBEDTLS_SSL_ALPN */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ + defined(MBEDTLS_SSL_CLI_C) +int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session, + const char *hostname ) +{ + /* Initialize to suppress unnecessary compiler warning */ + size_t hostname_len = 0; + + /* Check if new hostname is valid before + * making any change to current one */ + if( hostname != NULL ) + { + hostname_len = strlen( hostname ); + + if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + + /* Now it's clear that we will overwrite the old hostname, + * so we can free it safely */ + if( session->hostname != NULL ) + { + mbedtls_platform_zeroize( session->hostname, + strlen( session->hostname ) ); + mbedtls_free( session->hostname ); + } + + /* Passing NULL as hostname shall clear the old one */ + if( hostname == NULL ) + { + session->hostname = NULL; + } + else + { + session->hostname = mbedtls_calloc( 1, hostname_len + 1 ); + if( session->hostname == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + memcpy( session->hostname, hostname, hostname_len ); + } + + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && + MBEDTLS_SSL_SESSION_TICKETS && + MBEDTLS_SSL_SERVER_NAME_INDICATION && + MBEDTLS_SSL_CLI_C */ + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/thirdparty/mbedtls/library/ssl_tls12_client.c b/thirdparty/mbedtls/library/ssl_tls12_client.c index 7fa6443a02e3f0..7a1745205c34ed 100644 --- a/thirdparty/mbedtls/library/ssl_tls12_client.c +++ b/thirdparty/mbedtls/library/ssl_tls12_client.c @@ -21,13 +21,7 @@ #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/ssl.h" #include "ssl_client.h" @@ -53,26 +47,7 @@ #include "mbedtls/platform_util.h" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) -{ - if( conf->psk_identity == NULL || - conf->psk_identity_len == 0 ) - { - return( 0 ); - } - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) - return( 1 ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - if( conf->psk != NULL && conf->psk_len != 0 ) - return( 1 ); - - return( 0 ); -} -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#include "hash_info.h" #if defined(MBEDTLS_SSL_RENEGOTIATION) MBEDTLS_CHECK_RETURN_CRITICAL @@ -85,7 +60,7 @@ static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, *olen = 0; - /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the + /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the * initial ClientHello, in which case also adding the renegotiation * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) @@ -157,13 +132,18 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = buf; - size_t kkpp_len; + size_t kkpp_len = 0; *olen = 0; /* Skip costly extension if we can't use EC J-PAKE anyway */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) + return( 0 ); +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); @@ -183,6 +163,18 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); + if ( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -192,6 +184,7 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, "mbedtls_ecjpake_write_round_one", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); if( ssl->handshake->ecjpake_cache == NULL ) @@ -233,9 +226,6 @@ static int ssl_write_cid_ext( mbedtls_ssl_context *ssl, size_t ext_len; /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; @@ -874,10 +864,11 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -914,6 +905,24 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache = NULL; ssl->handshake->ecjpake_cache_len = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( ret ); + } + + return( 0 ); +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { @@ -926,6 +935,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -1413,7 +1423,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif ssl->session_negotiate->ciphersuite != i || - ssl->session_negotiate->compression != comp || ssl->session_negotiate->id_len != n || memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) { @@ -1423,7 +1432,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) ssl->session_negotiate->start = mbedtls_time( NULL ); #endif ssl->session_negotiate->ciphersuite = i; - ssl->session_negotiate->compression = comp; ssl->session_negotiate->id_len = n; memcpy( ssl->session_negotiate->id, buf + 35, n ); } @@ -1486,8 +1494,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } #endif - if( comp != MBEDTLS_SSL_COMPRESS_NULL - ) + if( comp != MBEDTLS_SSL_COMPRESS_NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); mbedtls_ssl_send_alert_message( @@ -1496,7 +1503,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } - ssl->session_negotiate->compression = comp; ext = buf + 40 + n; @@ -1779,10 +1785,10 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, unsigned char **p, @@ -1847,7 +1853,15 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, return( 0 ); } +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #else +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) { @@ -1877,6 +1891,15 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) return( 0 ); } +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, unsigned char **p, @@ -1912,11 +1935,10 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, return( ret ); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ - +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, @@ -1949,8 +1971,8 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, } /* - * Note: we currently ignore the PKS identity hint, as we only allow one - * PSK to be provisionned on the client. This could be changed later if + * Note: we currently ignore the PSK identity hint, as we only allow one + * PSK to be provisioned on the client. This could be changed later if * someone needs that feature. */ *p += len; @@ -2045,66 +2067,6 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, - unsigned char **p, - unsigned char *end, - mbedtls_md_type_t *md_alg, - mbedtls_pk_type_t *pk_alg ) -{ - *md_alg = MBEDTLS_MD_NONE; - *pk_alg = MBEDTLS_PK_NONE; - - if( (*p) + 2 > end ) - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - - /* - * Get hash algorithm - */ - if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) - == MBEDTLS_MD_NONE ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - /* - * Get signature algorithm - */ - if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) - == MBEDTLS_PK_NONE ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - /* - * Check if the signature algorithm is acceptable - */ - if( !mbedtls_ssl_sig_alg_is_offered( ssl, MBEDTLS_GET_UINT16_BE( *p, 0 ) ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", - (*p)[1] ) ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", - (*p)[0] ) ); - *p += 2; - - return( 0 ); -} -#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL @@ -2369,6 +2331,47 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we check only + * that TLS ID here + */ + uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 ); + const mbedtls_ecp_curve_info *curve_info; + + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + + if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( read_tls_id != curve_info->tls_id ) ) + { + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + p += 3; + + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -2380,6 +2383,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -2392,24 +2396,38 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) { size_t sig_len, hashlen; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - unsigned char hash[PSA_HASH_MAX_SIZE]; -#else - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; -#endif + unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; + mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); size_t params_len = p - params; void *rs_ctx = NULL; + uint16_t sig_alg; mbedtls_pk_context * peer_pk; +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + peer_pk = &ssl->handshake->peer_pubkey; +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + if( ssl->session_negotiate->peer_cert == NULL ) + { + /* Should never happen */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + peer_pk = &ssl->session_negotiate->peer_cert->pk; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + /* * Handle the digitally-signed structure */ - if( ssl_parse_signature_algorithm( ssl, &p, end, - &md_alg, &pk_alg ) != 0 ) + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 ); + if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( + sig_alg, &pk_alg, &md_alg ) != 0 && + ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) && + ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); @@ -2419,9 +2437,9 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } + p += 2; - if( pk_alg != - mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) + if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); @@ -2479,18 +2497,6 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - peer_pk = &ssl->handshake->peer_pubkey; -#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - if( ssl->session_negotiate->peer_cert == NULL ) - { - /* Should never happen */ - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - peer_pk = &ssl->session_negotiate->peer_cert->pk; -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - /* * Verify signature */ @@ -2509,12 +2515,33 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) rs_ctx = &ssl->handshake->ecrs_ctx.pk; #endif - if( ( ret = mbedtls_pk_verify_restartable( peer_pk, - md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 ) +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + if( pk_alg == MBEDTLS_PK_RSASSA_PSS ) + { + mbedtls_pk_rsassa_pss_options rsassa_pss_options; + rsassa_pss_options.mgf1_hash_id = md_alg; + rsassa_pss_options.expected_salt_len = + mbedtls_hash_info_get_size( md_alg ); + if( rsassa_pss_options.expected_salt_len == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + ret = mbedtls_pk_verify_ext( pk_alg, &rsassa_pss_options, + peer_pk, + md_alg, hash, hashlen, + p, sig_len ); + } + else +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ + ret = mbedtls_pk_verify_restartable( peer_pk, + md_alg, hash, hashlen, p, sig_len, rs_ctx ); + + if( ret != 0 ) { + int send_alert_msg = 1; #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) + send_alert_msg = ( ret != MBEDTLS_ERR_ECP_IN_PROGRESS ); #endif + if( send_alert_msg ) mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, @@ -2704,7 +2731,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) for( size_t i = 0; i < sig_alg_len; i += 2 ) { MBEDTLS_SSL_DEBUG_MSG( 3, - ( "Supported Signature Algorithm found: %d,%d", + ( "Supported Signature Algorithm found: %02x %02x", sig_alg[i], sig_alg[i + 1] ) ); } #endif @@ -2730,7 +2757,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) { unsigned char *p = dn + i + 2; mbedtls_x509_name name; - mbedtls_x509_name *name_cur, *name_prv; size_t asn1_len; char s[MBEDTLS_X509_MAX_DN_NAME_SIZE]; memset( &name, 0, sizeof( name ) ); @@ -2750,14 +2776,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "DN hint: %.*s", mbedtls_x509_dn_gets( s, sizeof(s), &name ), s ) ); - name_cur = name.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( name.next ); } #endif @@ -3285,6 +3304,21 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) { header_len = 4; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + header_len; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + header_len; + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + out_p, end_p - out_p, &content_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); + if ( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, ssl->out_msg + header_len, MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, @@ -3304,6 +3338,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ @@ -3627,7 +3662,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && ssl->handshake->new_session_ticket != 0 ) { - ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; + ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET; } #endif @@ -3704,7 +3739,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) * Finished */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) - case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: + case MBEDTLS_SSL_NEW_SESSION_TICKET: ret = ssl_parse_new_session_ticket( ssl ); break; #endif diff --git a/thirdparty/mbedtls/library/ssl_tls12_server.c b/thirdparty/mbedtls/library/ssl_tls12_server.c index 4e18e628522e5d..eeb579a5c566ad 100644 --- a/thirdparty/mbedtls/library/ssl_tls12_server.c +++ b/thirdparty/mbedtls/library/ssl_tls12_server.c @@ -21,13 +21,7 @@ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif #include "mbedtls/ssl.h" #include "ssl_misc.h" @@ -36,6 +30,7 @@ #include "mbedtls/platform_util.h" #include "constant_time_internal.h" #include "mbedtls/constant_time.h" +#include "hash_info.h" #include @@ -273,10 +268,11 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -294,16 +290,37 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, const unsigned char *buf, - size_t len ) + size_t len) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); return( 0 ); } +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + + return( ret ); + } +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { @@ -312,6 +329,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Only mark the extension as OK when we're sure it is */ ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; @@ -358,9 +376,6 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, } /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; @@ -713,11 +728,13 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, #endif list = ssl->conf->key_cert; + int pk_alg_is_none = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( pk_alg == PSA_ALG_NONE ) + pk_alg_is_none = ( pk_alg == PSA_ALG_NONE ); #else - if( pk_alg == MBEDTLS_PK_NONE ) + pk_alg_is_none = ( pk_alg == MBEDTLS_PK_NONE ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( pk_alg_is_none ) return( 0 ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); @@ -734,18 +751,21 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", cur->cert ); + int key_type_matches = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) - if( ( ssl->conf->f_async_sign_start == NULL && - ssl->conf->f_async_decrypt_start == NULL && - ! mbedtls_pk_can_do_ext( cur->key, pk_alg, pk_usage ) ) || - ! mbedtls_pk_can_do_ext( &cur->cert->pk, pk_alg, pk_usage ) ) + key_type_matches = ( ( ssl->conf->f_async_sign_start != NULL || + ssl->conf->f_async_decrypt_start != NULL || + mbedtls_pk_can_do_ext( cur->key, pk_alg, pk_usage ) ) && + mbedtls_pk_can_do_ext( &cur->cert->pk, pk_alg, pk_usage ) ); #else - if( ! mbedtls_pk_can_do_ext( cur->key, pk_alg, pk_usage ) ) + key_type_matches = ( + mbedtls_pk_can_do_ext( cur->key, pk_alg, pk_usage ) ); #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #else - if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) ) + key_type_matches = mbedtls_pk_can_do( &cur->cert->pk, pk_alg ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( !key_type_matches ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); continue; @@ -922,6 +942,8 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); + int renegotiating; + #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) read_record_header: #endif @@ -930,9 +952,11 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) * otherwise read it ourselves manually in order to support SSLv2 * ClientHello, which doesn't use the same record layer format. */ + renegotiating = 0; #if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) + renegotiating = ( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ); #endif + if( !renegotiating ) { if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) { @@ -1298,7 +1322,10 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) buf + ciph_offset + 2, ciph_len ); /* - * Check the compression algorithms length and pick one + * Check the compression algorithm's length. + * The list contents are ignored because implementing + * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only + * option supported by Mbed TLS. */ comp_offset = ciph_offset + 2 + ciph_len; @@ -1317,12 +1344,6 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", buf + comp_offset + 1, comp_len ); - ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; - /* See comments in ssl_write_client_hello() */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; -#endif /* * Check the extension length */ @@ -1751,9 +1772,6 @@ static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) ); /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; @@ -1995,6 +2013,18 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 ); p += 2; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); + if ( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return; + } +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -2003,6 +2033,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); return; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 ); p += 2; @@ -2180,8 +2211,7 @@ static void ssl_handle_id_based_session_resumption( mbedtls_ssl_context *ssl ) if( ret != 0 ) goto exit; - if( session->ciphersuite != session_tmp.ciphersuite || - session->compression != session_tmp.compression ) + if( session->ciphersuite != session_tmp.ciphersuite ) { /* Mismatch between cached and negotiated session */ goto exit; @@ -2331,12 +2361,12 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 ); p += 2; - *p++ = MBEDTLS_BYTE_0( ssl->session_negotiate->compression ); + *p++ = MBEDTLS_BYTE_0( MBEDTLS_SSL_COMPRESS_NULL ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", - (unsigned int) ssl->session_negotiate->compression ) ); + (unsigned int) MBEDTLS_SSL_COMPRESS_NULL ) ); /* * First write extensions, then the total length @@ -2531,10 +2561,15 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) ) continue; - MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len ); + /* Write elements at offsets starting from 1 (offset 0 is for the + * length). Thus the offset of each element is the length of the + * partial list including that element. */ sa_len += 2; + MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len ); + } + /* Fill in list length. */ MBEDTLS_PUT_UINT16_BE( sa_len, p, 0 ); sa_len += 2; p += sa_len; @@ -2808,6 +2843,46 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + ssl->out_msglen; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + ssl->out_msglen; + size_t output_offset = 0; + size_t output_len = 0; + const mbedtls_ecp_curve_info *curve_info; + + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we hardcode its + * TLS ID here + */ + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; + MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); + output_offset += 3; + + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + out_p + output_offset, + end_p - out_p - output_offset, &output_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); + if( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); + } + + output_offset += output_len; + ssl->out_msglen += output_offset; +#else size_t len = 0; ret = mbedtls_ecjpake_write_round_two( @@ -2822,6 +2897,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, } ssl->out_msglen += len; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -3063,11 +3139,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; size_t hashlen = 0; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - unsigned char hash[PSA_HASH_MAX_SIZE]; -#else - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; -#endif + unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* @@ -3409,8 +3482,14 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, size_t peer_pmssize ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert( ssl ); + if( own_cert == NULL ) { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no local certificate" ) ); + return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + } + mbedtls_pk_context *public_key = &own_cert->pk; mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl ); - mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk; size_t len = mbedtls_pk_get_len( public_key ); #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -4036,6 +4115,18 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -4052,6 +4143,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ diff --git a/thirdparty/mbedtls/library/ssl_tls13_client.c b/thirdparty/mbedtls/library/ssl_tls13_client.c index 2b68306f0b0b2f..0109f776c0da5d 100644 --- a/thirdparty/mbedtls/library/ssl_tls13_client.c +++ b/thirdparty/mbedtls/library/ssl_tls13_client.c @@ -32,6 +32,7 @@ #include "ssl_misc.h" #include "ssl_client.h" #include "ssl_tls13_keys.h" +#include "ssl_debug_helpers.h" /* Write extensions */ @@ -89,6 +90,9 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl, *out_len = 5 + versions_len; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ); + return( 0 ); } @@ -210,6 +214,7 @@ static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl ) /* * Functions for writing key_share extension. */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl, uint16_t *group_id ) @@ -358,13 +363,13 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len ); - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE ); cleanup: return( ret ); } - +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ /* * ssl_tls13_parse_hrr_key_share_ext() @@ -379,6 +384,7 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ) { +#if defined(MBEDTLS_ECDH_C) const mbedtls_ecp_curve_info *curve_info = NULL; const unsigned char *p = buf; int selected_group; @@ -435,6 +441,12 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl, ssl->handshake->offered_group_id = selected_group; return( 0 ); +#else + (void) ssl; + (void) buf; + (void) end; + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); +#endif } /* @@ -504,7 +516,6 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl, else return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; return( ret ); } @@ -592,8 +603,537 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl, *out_len = handshake->hrr_cookie_len + 6; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE ); + + return( 0 ); +} + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +/* + * ssl_tls13_write_psk_key_exchange_modes_ext() structure: + * + * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; + * + * struct { + * PskKeyExchangeMode ke_modes<1..255>; + * } PskKeyExchangeModes; + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len ) +{ + unsigned char *p = buf; + int ke_modes_len = 0; + + ((void) ke_modes_len ); + *out_len = 0; + + /* Skip writing extension if no PSK key exchange mode + * is enabled in the config. + */ + if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) ); + return( 0 ); + } + + /* Require 7 bytes of data, otherwise fail, + * even if extension might be shorter. + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "client hello, adding psk_key_exchange_modes extension" ) ); + + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 ); + + /* Skip extension length (2 bytes) and + * ke_modes length (1 byte) for now. + */ + p += 5; + + if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) ) + { + *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE; + ke_modes_len++; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) ); + } + + if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) ) + { + *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE; + ke_modes_len++; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) ); + } + + /* Now write the extension and ke_modes length */ + MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 ); + buf[4] = ke_modes_len; + + *out_len = p - buf; + + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ); + + return ( 0 ); +} + +static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite ) +{ + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite ); + + if( ciphersuite_info != NULL ) + return( mbedtls_psa_translate_md( ciphersuite_info->mac ) ); + + return( PSA_ALG_NONE ); +} + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) +{ + mbedtls_ssl_session *session = ssl->session_negotiate; + return( ssl->handshake->resume && + session != NULL && session->ticket != NULL ); +} + +#if defined(MBEDTLS_SSL_EARLY_DATA) +static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl ) +{ + mbedtls_ssl_session *session = ssl->session_negotiate; + return( ssl->handshake->resume && + session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && + ( session->ticket_flags & + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) && + mbedtls_ssl_tls13_cipher_suite_is_offered( + ssl, session->ciphersuite ) ); +} +#endif + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl, + psa_algorithm_t *hash_alg, + const unsigned char **identity, + size_t *identity_len ) +{ + mbedtls_ssl_session *session = ssl->session_negotiate; + + if( !ssl_tls13_has_configured_ticket( ssl ) ) + return( -1 ); + + *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite ); + *identity = session->ticket; + *identity_len = session->ticket_len; + return( 0 ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl, + psa_algorithm_t *hash_alg, + const unsigned char **psk, + size_t *psk_len ) +{ + + mbedtls_ssl_session *session = ssl->session_negotiate; + + if( !ssl_tls13_has_configured_ticket( ssl ) ) + return( -1 ); + + *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite ); + *psk = session->resumption_key; + *psk_len = session->resumption_key_len; + + return( 0 ); +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl, + psa_algorithm_t *hash_alg, + const unsigned char **identity, + size_t *identity_len ) +{ + + if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) ) + return( -1 ); + + *hash_alg = PSA_ALG_SHA_256; + *identity = ssl->conf->psk_identity; + *identity_len = ssl->conf->psk_identity_len; + return( 0 ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl, + psa_algorithm_t *hash_alg, + const unsigned char **psk, + size_t *psk_len ) +{ + + if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) ) + return( -1 ); + + *hash_alg = PSA_ALG_SHA_256; + *psk = ssl->conf->psk; + *psk_len = ssl->conf->psk_len; + return( 0 ); +} + +static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl ) +{ + int configured_psk_count = 0; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + if( ssl_tls13_has_configured_ticket( ssl ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) ); + configured_psk_count++; + } +#endif + if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) ); + configured_psk_count++; + } + return( configured_psk_count ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_write_identity( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + const unsigned char *identity, + size_t identity_len, + uint32_t obfuscated_ticket_age, + size_t *out_len ) +{ + ((void) ssl); + *out_len = 0; + + /* + * - identity_len (2 bytes) + * - identity (psk_identity_len bytes) + * - obfuscated_ticket_age (4 bytes) + */ + MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 + identity_len ); + + MBEDTLS_PUT_UINT16_BE( identity_len, buf, 0 ); + memcpy( buf + 2, identity, identity_len ); + MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, buf, 2 + identity_len ); + + MBEDTLS_SSL_DEBUG_BUF( 4, "write identity", buf, 6 + identity_len ); + + *out_len = 6 + identity_len; + + return( 0 ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_write_binder( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + int psk_type, + psa_algorithm_t hash_alg, + const unsigned char *psk, + size_t psk_len, + size_t *out_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char binder_len; + unsigned char transcript[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; + size_t transcript_len = 0; + + *out_len = 0; + + binder_len = PSA_HASH_LENGTH( hash_alg ); + + /* + * - binder_len (1 bytes) + * - binder (binder_len bytes) + */ + MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 + binder_len ); + + buf[0] = binder_len; + + /* Get current state of handshake transcript. */ + ret = mbedtls_ssl_get_handshake_transcript( + ssl, mbedtls_hash_info_md_from_psa( hash_alg ), + transcript, sizeof( transcript ), &transcript_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_create_psk_binder( ssl, hash_alg, + psk, psk_len, psk_type, + transcript, buf + 1 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret ); + return( ret ); + } + MBEDTLS_SSL_DEBUG_BUF( 4, "write binder", buf, 1 + binder_len ); + + *out_len = 1 + binder_len; + + return( 0 ); +} + +/* + * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure: + * + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * } OfferedPsks; + * + * struct { + * select (Handshake.msg_type) { + * case client_hello: OfferedPsks; + * ... + * }; + * } PreSharedKeyExtension; + * + */ +int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( + mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, + size_t *out_len, size_t *binders_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int configured_psk_count = 0; + unsigned char *p = buf; + psa_algorithm_t hash_alg; + const unsigned char *identity; + size_t identity_len; + size_t l_binders_len = 0; + size_t output_len; + + *out_len = 0; + *binders_len = 0; + + /* Check if we have any PSKs to offer. If no, skip pre_shared_key */ + configured_psk_count = ssl_tls13_get_configured_psk_count( ssl ); + if( configured_psk_count == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) ); + return( 0 ); + } + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Pre-configured PSK number = %d", + configured_psk_count ) ); + + /* Check if we have space to write the extension, binders included. + * - extension_type (2 bytes) + * - extension_data_len (2 bytes) + * - identities_len (2 bytes) + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); + p += 6; + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + if( ssl_tls13_ticket_get_identity( + ssl, &hash_alg, &identity, &identity_len ) == 0 ) + { +#if defined(MBEDTLS_HAVE_TIME) + mbedtls_time_t now = mbedtls_time( NULL ); + mbedtls_ssl_session *session = ssl->session_negotiate; + uint32_t obfuscated_ticket_age = + (uint32_t)( now - session->ticket_received ); + + obfuscated_ticket_age *= 1000; + obfuscated_ticket_age += session->ticket_age_add; + + ret = ssl_tls13_write_identity( ssl, p, end, + identity, identity_len, + obfuscated_ticket_age, + &output_len ); +#else + ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len, + 0, &output_len ); +#endif /* MBEDTLS_HAVE_TIME */ + if( ret != 0 ) + return( ret ); + + p += output_len; + l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg ); + } +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + + if( ssl_tls13_psk_get_identity( + ssl, &hash_alg, &identity, &identity_len ) == 0 ) + { + + ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len, 0, + &output_len ); + if( ret != 0 ) + return( ret ); + + p += output_len; + l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg ); + } + + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "client hello, adding pre_shared_key extension, " + "omitting PSK binder list" ) ); + + /* Take into account the two bytes for the length of the binders. */ + l_binders_len += 2; + /* Check if there is enough space for binders */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, l_binders_len ); + + /* + * - extension_type (2 bytes) + * - extension_data_len (2 bytes) + * - identities_len (2 bytes) + */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0 ); + MBEDTLS_PUT_UINT16_BE( p - buf - 4 + l_binders_len , buf, 2 ); + MBEDTLS_PUT_UINT16_BE( p - buf - 6 , buf, 4 ); + + *out_len = ( p - buf ) + l_binders_len; + *binders_len = l_binders_len; + + MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf ); + + return( 0 ); +} + +int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( + mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *p = buf; + psa_algorithm_t hash_alg = PSA_ALG_NONE; + const unsigned char *psk; + size_t psk_len; + size_t output_len; + + /* Check if we have space to write binders_len. + * - binders_len (2 bytes) + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + p += 2; + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + if( ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 ) + { + + ret = ssl_tls13_write_binder( ssl, p, end, + MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION, + hash_alg, psk, psk_len, + &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; + } +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + + if( ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 ) + { + + ret = ssl_tls13_write_binder( ssl, p, end, + MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL, + hash_alg, psk, psk_len, + &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list." ) ); + + /* + * - binders_len (2 bytes) + */ + MBEDTLS_PUT_UINT16_BE( p - buf - 2, buf, 0 ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf ); + + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY ); + + return( 0 ); +} + +/* + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * + * select (Handshake.msg_type) { + * ... + * case server_hello: uint16 selected_identity; + * }; + * + * } PreSharedKeyExtension; + * + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int selected_identity; + const unsigned char *psk; + size_t psk_len; + psa_algorithm_t hash_alg; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 ); + selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 ); + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_identity = %d", selected_identity ) ); + + if( selected_identity >= ssl_tls13_get_configured_psk_count( ssl ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid PSK identity." ) ); + + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) ) + { + ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ); + } + else +#endif + if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) ) + { + ret = ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret ); + return( ret ); + } + return( 0 ); } +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, unsigned char *buf, @@ -623,6 +1163,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, return( ret ); p += ext_len; +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) { ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len ); @@ -630,6 +1171,46 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, return( ret ); p += ext_len; } +#endif + +#if defined(MBEDTLS_SSL_EARLY_DATA) + if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && + ssl_tls13_early_data_has_valid_ticket( ssl ) && + ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED ) + { + ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len ); + if( ret != 0 ) + return( ret ); + p += ext_len; + + /* Initializes the status to `rejected`. It will be updated to + * `accepted` if the EncryptedExtension message contain an early data + * indication extension. + */ + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) ); + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + /* For PSK-based key exchange we need the pre_shared_key extension + * and the psk_key_exchange_modes extension. + * + * The pre_shared_key extension MUST be the last extension in the + * ClientHello. Servers MUST check that it is the last extension and + * otherwise fail the handshake with an "illegal_parameter" alert. + * + * Add the psk_key_exchange_modes extension. + */ + ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len ); + if( ret != 0 ) + return( ret ); + p += ext_len; +#endif *out_len = p - buf; @@ -811,6 +1392,7 @@ static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present( ssl, buf, end ) ); + if( ret == 0 ) { MBEDTLS_SSL_PROC_CHK_NEG( @@ -844,7 +1426,12 @@ static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl, return( SSL_SERVER_HELLO_TLS1_2 ); } - handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + ssl->session_negotiate->endpoint = ssl->conf->endpoint; + ssl->session_negotiate->tls_version = ssl->tls_version; +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; ret = ssl_server_hello_is_hrr( ssl, buf, end ); switch( ret ) @@ -954,6 +1541,9 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, uint16_t cipher_suite; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; int fatal_alert = 0; + uint32_t allowed_extensions_mask; + int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : + MBEDTLS_SSL_HS_SERVER_HELLO; /* * Check there is space for minimal fields @@ -1070,7 +1660,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, * ... */ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); - if( p[0] != 0 ) + if( p[0] != MBEDTLS_SSL_COMPRESS_NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) ); fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; @@ -1096,6 +1686,11 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len ); + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + allowed_extensions_mask = is_hrr ? + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR : + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH; + while( p < extensions_end ) { unsigned int extension_type; @@ -1110,16 +1705,15 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; + ret = mbedtls_ssl_tls13_check_received_extension( + ssl, hs_msg_type, extension_type, allowed_extensions_mask ); + if( ret != 0 ) + return( ret ); + switch( extension_type ) { case MBEDTLS_TLS_EXT_COOKIE: - if( !is_hrr ) - { - fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; - goto cleanup; - } - ret = ssl_tls13_parse_cookie_ext( ssl, p, extension_data_end ); if( ret != 0 ) @@ -1139,12 +1733,19 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, goto cleanup; break; +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); - fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; - goto cleanup; + if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext( + ssl, p, extension_data_end ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret ); + return( ret ); + } + break; +#endif case MBEDTLS_TLS_EXT_KEY_SHARE: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); @@ -1170,18 +1771,15 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, break; default: - MBEDTLS_SSL_DEBUG_MSG( - 3, - ( "unknown extension found: %u ( ignoring )", - extension_type ) ); - - fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; goto cleanup; } p += extension_data_len; } + MBEDTLS_SSL_PRINT_EXTS( 3, hs_msg_type, handshake->received_extensions ); + cleanup: if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ) @@ -1199,6 +1797,23 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, return( ret ); } +#if defined(MBEDTLS_DEBUG_C) +static const char *ssl_tls13_get_kex_mode_str(int mode) +{ + switch( mode ) + { + case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK: + return "psk"; + case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL: + return "ephemeral"; + case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL: + return "psk_ephemeral"; + default: + return "unknown mode"; + } +} +#endif /* MBEDTLS_DEBUG_C */ + MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl ) { @@ -1213,22 +1828,22 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl ) * 3) If only the key_share extension was received then the key * exchange mode is EPHEMERAL-only. */ - switch( handshake->extensions_present & - ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) ) + switch( handshake->received_extensions & + ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ) ) { /* Only the pre_shared_key extension was received */ - case MBEDTLS_SSL_EXT_PRE_SHARED_KEY: - handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + case MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ): + handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; break; /* Only the key_share extension was received */ - case MBEDTLS_SSL_EXT_KEY_SHARE: - handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; + case MBEDTLS_SSL_EXT_MASK( KEY_SHARE ): + handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; break; /* Both the pre_shared_key and key_share extensions were received */ - case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ): - handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + case ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ): + handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; break; /* Neither pre_shared_key nor key_share extension was received */ @@ -1238,6 +1853,19 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl ) goto cleanup; } + if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) ) + { + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + MBEDTLS_SSL_DEBUG_MSG( 2, + ( "Key exchange mode(%s) is not supported.", + ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) ); + goto cleanup; + } + + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "Selected key exchange mode: %s", + ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) ); + /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. * * TODO: We don't have to do this in case we offered 0-RTT and the @@ -1383,6 +2011,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, size_t extensions_len; const unsigned char *p = buf; const unsigned char *extensions_end; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -1392,6 +2021,8 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + while( p < extensions_end ) { unsigned int extension_type; @@ -1410,17 +2041,14 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - /* The client MUST check EncryptedExtensions for the - * presence of any forbidden extensions and if any are found MUST abort - * the handshake with an "unsupported_extension" alert. - */ + ret = mbedtls_ssl_tls13_check_received_extension( + ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ); + if( ret != 0 ) + return( ret ); + switch( extension_type ) { - - case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) ); - break; - #if defined(MBEDTLS_SSL_ALPN) case MBEDTLS_TLS_EXT_ALPN: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); @@ -1432,18 +2060,34 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, break; #endif /* MBEDTLS_SSL_ALPN */ + +#if defined(MBEDTLS_SSL_EARLY_DATA) + case MBEDTLS_TLS_EXT_EARLY_DATA: + + if( extension_data_len != 0 ) + { + /* The message must be empty. */ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + break; +#endif /* MBEDTLS_SSL_EARLY_DATA */ + default: - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "unsupported extension found: %u ", extension_type) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, - MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + MBEDTLS_SSL_PRINT_EXT( + 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, + extension_type, "( ignored )" ); + break; } p += extension_data_len; } + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, + handshake->received_extensions ); + /* Check that we consumed all the message. */ if( p != end ) { @@ -1473,11 +2117,19 @@ static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) ); +#if defined(MBEDTLS_SSL_EARLY_DATA) + if( ssl->handshake->received_extensions & + MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) ) + { + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + } +#endif + mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, buf_len ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) + if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); @@ -1493,7 +2145,7 @@ static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl ) } -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * STATE HANDLING: CertificateRequest * @@ -1512,12 +2164,6 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) ); - return( SSL_CERTIFICATE_REQUEST_SKIP ); - } - if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); @@ -1555,7 +2201,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, size_t certificate_request_context_len = 0; size_t extensions_len = 0; const unsigned char *extensions_end; - unsigned char sig_alg_ext_found = 0; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; /* ... * opaque certificate_request_context<0..2^8-1> @@ -1571,7 +2217,6 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context", p, certificate_request_context_len ); - mbedtls_ssl_handshake_params *handshake = ssl->handshake; handshake->certificate_request_context = mbedtls_calloc( 1, certificate_request_context_len ); if( handshake->certificate_request_context == NULL ) @@ -1595,6 +2240,8 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + while( p < extensions_end ) { unsigned int extension_type; @@ -1607,6 +2254,12 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); + ret = mbedtls_ssl_tls13_check_received_extension( + ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ); + if( ret != 0 ) + return( ret ); + switch( extension_type ) { case MBEDTLS_TLS_EXT_SIG_ALG: @@ -1616,25 +2269,22 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, p + extension_data_len ); if( ret != 0 ) return( ret ); - if( ! sig_alg_ext_found ) - sig_alg_ext_found = 1; - else - { - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "Duplicate signature algorithms extensions found" ) ); - goto decode_error; - } + break; default: - MBEDTLS_SSL_DEBUG_MSG( - 3, - ( "unknown extension found: %u ( ignoring )", - extension_type ) ); + MBEDTLS_SSL_PRINT_EXT( + 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, + extension_type, "( ignored )" ); break; } + p += extension_data_len; } + + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, + handshake->received_extensions ); + /* Check that we consumed all the message. */ if( p != end ) { @@ -1642,8 +2292,12 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, ( "CertificateRequest misaligned" ) ); goto decode_error; } - /* Check that we found signature algorithms extension */ - if( ! sig_alg_ext_found ) + + /* RFC 8446 section 4.3.2 + * + * The "signature_algorithms" extension MUST be specified + */ + if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithms extension found" ) ); @@ -1736,7 +2390,7 @@ static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * Handler for MBEDTLS_SSL_SERVER_FINISHED @@ -1782,7 +2436,7 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl ) ( "Switch to handshake traffic keys for outbound traffic" ) ); mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) if( ssl->handshake->client_auth ) { int ret = mbedtls_ssl_tls13_write_certificate( ssl ); @@ -1812,7 +2466,7 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl ) return( 0 ); } -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY */ @@ -1826,7 +2480,7 @@ static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl ) return( ret ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * Handler for MBEDTLS_SSL_CLIENT_FINISHED @@ -1840,11 +2494,11 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl ); + ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret ); + "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret ); return ( ret ); } @@ -1876,6 +2530,275 @@ static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) return( 0 ); } +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + const unsigned char *p = buf; + + + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + + while( p < end ) + { + unsigned int extension_type; + size_t extension_data_len; + int ret; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 ); + extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); + extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); + p += 4; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len ); + + ret = mbedtls_ssl_tls13_check_received_extension( + ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST ); + if( ret != 0 ) + return( ret ); + + switch( extension_type ) + { +#if defined(MBEDTLS_SSL_EARLY_DATA) + case MBEDTLS_TLS_EXT_EARLY_DATA: + if( extension_data_len != 4 ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + if( ssl->session != NULL ) + { + ssl->session->ticket_flags |= + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA; + } + break; +#endif /* MBEDTLS_SSL_EARLY_DATA */ + + default: + MBEDTLS_SSL_PRINT_EXT( + 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, + extension_type, "( ignored )" ); + break; + } + + p += extension_data_len; + } + + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, + handshake->received_extensions ); + + return( 0 ); +} + +/* + * From RFC8446, page 74 + * + * struct { + * uint32 ticket_lifetime; + * uint32 ticket_age_add; + * opaque ticket_nonce<0..255>; + * opaque ticket<1..2^16-1>; + * Extension extensions<0..2^16-2>; + * } NewSessionTicket; + * + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_new_session_ticket( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + unsigned char **ticket_nonce, + size_t *ticket_nonce_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *p = buf; + mbedtls_ssl_session *session = ssl->session; + size_t ticket_len; + unsigned char *ticket; + size_t extensions_len; + + *ticket_nonce = NULL; + *ticket_nonce_len = 0; + /* + * ticket_lifetime 4 bytes + * ticket_age_add 4 bytes + * ticket_nonce_len 1 byte + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 9 ); + + session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "ticket_lifetime: %u", + ( unsigned int )session->ticket_lifetime ) ); + + session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 4 ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "ticket_age_add: %u", + ( unsigned int )session->ticket_age_add ) ); + + *ticket_nonce_len = p[8]; + p += 9; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, *ticket_nonce_len ); + *ticket_nonce = p; + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len ); + p += *ticket_nonce_len; + + /* Ticket */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ticket_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "received ticket", p, ticket_len ) ; + + /* Check if we previously received a ticket already. */ + if( session->ticket != NULL || session->ticket_len > 0 ) + { + mbedtls_free( session->ticket ); + session->ticket = NULL; + session->ticket_len = 0; + } + + if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( ticket, p, ticket_len ); + p += ticket_len; + session->ticket = ticket; + session->ticket_len = ticket_len; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket extension", p, extensions_len ); + + ret = ssl_tls13_parse_new_session_ticket_exts( ssl, p, p + extensions_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "ssl_tls13_parse_new_session_ticket_exts", + ret ); + return( ret ); + } + + /* session has been updated, allow export */ + session->exported = 0; + + return( 0 ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl, + unsigned char *ticket_nonce, + size_t ticket_nonce_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_session *session = ssl->session; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + psa_algorithm_t psa_hash_alg; + int hash_length; + +#if defined(MBEDTLS_HAVE_TIME) + /* Store ticket creation time */ + session->ticket_received = mbedtls_time( NULL ); +#endif + + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite ); + if( ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); + hash_length = PSA_HASH_LENGTH( psa_hash_alg ); + if( hash_length == -1 || + ( size_t )hash_length > sizeof( session->resumption_key ) ) + { + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + + MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret", + session->app_secrets.resumption_master_secret, + hash_length ); + + /* Compute resumption key + * + * HKDF-Expand-Label( resumption_master_secret, + * "resumption", ticket_nonce, Hash.length ) + */ + ret = mbedtls_ssl_tls13_hkdf_expand_label( + psa_hash_alg, + session->app_secrets.resumption_master_secret, + hash_length, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ), + ticket_nonce, + ticket_nonce_len, + session->resumption_key, + hash_length ); + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, + "Creating the ticket-resumed PSK failed", + ret ); + return( ret ); + } + + session->resumption_key_len = hash_length; + + MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK", + session->resumption_key, + session->resumption_key_len ); + + return( 0 ); +} + +/* + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *buf; + size_t buf_len; + unsigned char *ticket_nonce; + size_t ticket_nonce_len; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); + + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( + ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, + &buf, &buf_len ) ); + + MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_new_session_ticket( + ssl, buf, buf + buf_len, + &ticket_nonce, &ticket_nonce_len ) ); + + MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_new_session_ticket( + ssl, ticket_nonce, ticket_nonce_len ) ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); + +cleanup: + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); + return( ret ); +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) { int ret = 0; @@ -1899,7 +2822,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) ret = ssl_tls13_process_encrypted_extensions( ssl ); break; -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) case MBEDTLS_SSL_CERTIFICATE_REQUEST: ret = ssl_tls13_process_certificate_request( ssl ); break; @@ -1911,7 +2834,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) case MBEDTLS_SSL_CERTIFICATE_VERIFY: ret = ssl_tls13_process_certificate_verify( ssl ); break; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ case MBEDTLS_SSL_SERVER_FINISHED: ret = ssl_tls13_process_server_finished( ssl ); @@ -1921,11 +2844,11 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) ret = ssl_tls13_write_client_certificate( ssl ); break; -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: ret = ssl_tls13_write_client_certificate_verify( ssl ); break; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ case MBEDTLS_SSL_CLIENT_FINISHED: ret = ssl_tls13_write_client_finished( ssl ); @@ -1956,6 +2879,15 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: + ret = ssl_tls13_process_new_session_ticket( ssl ); + if( ret != 0 ) + break; + ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; + break; +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); diff --git a/thirdparty/mbedtls/library/ssl_tls13_generic.c b/thirdparty/mbedtls/library/ssl_tls13_generic.c index 265d6d3097eb3c..761c00ec5205c0 100644 --- a/thirdparty/mbedtls/library/ssl_tls13_generic.c +++ b/thirdparty/mbedtls/library/ssl_tls13_generic.c @@ -83,7 +83,7 @@ int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl, return( ret ); } -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * STATE HANDLING: Read CertificateVerify */ @@ -213,13 +213,13 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl, goto error; } - if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg( + if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( algorithm, &sig_alg, &md_alg ) != 0 ) { goto error; } - hash_alg = mbedtls_psa_translate_md( md_alg ); + hash_alg = mbedtls_hash_info_psa_from_md( md_alg ); if( hash_alg == 0 ) { goto error; @@ -285,12 +285,12 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE]; size_t verify_buffer_len; @@ -348,7 +348,7 @@ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ) ((void) ssl); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ } /* @@ -357,7 +357,7 @@ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ) * */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) /* * Structure of Certificate message: @@ -398,6 +398,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, size_t certificate_list_len = 0; const unsigned char *p = buf; const unsigned char *certificate_list_end; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 ); certificate_request_context_len = p[0]; @@ -447,6 +448,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, while( p < certificate_list_end ) { size_t cert_data_len, extensions_len; + const unsigned char *extensions_end; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 ); cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 ); @@ -504,7 +506,48 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len ); - p += extensions_len; + + extensions_end = p + extensions_len; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + + while( p < extensions_end ) + { + unsigned int extension_type; + size_t extension_data_len; + + /* + * struct { + * ExtensionType extension_type; (2 bytes) + * opaque extension_data<0..2^16-1>; + * } Extension; + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); + extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); + extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); + p += 4; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); + + ret = mbedtls_ssl_tls13_check_received_extension( + ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ); + if( ret != 0 ) + return( ret ); + + switch( extension_type ) + { + default: + MBEDTLS_SSL_PRINT_EXT( + 3, MBEDTLS_SSL_HS_CERTIFICATE, + extension_type, "( ignored )" ); + break; + } + + p += extension_data_len; + } + + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE, + handshake->received_extensions ); } exit: @@ -512,7 +555,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, if( p != end ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, MBEDTLS_ERR_SSL_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } @@ -534,9 +577,9 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) /* Validate certificate chain sent by the server. */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -727,14 +770,14 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) unsigned char *buf; size_t buf_len; @@ -752,12 +795,12 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl ) buf, buf_len ); cleanup: -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); return( ret ); } -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * enum { * X509(0), @@ -843,6 +886,9 @@ static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl, *out_len = p - buf; + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions ); + return( 0 ); } @@ -906,12 +952,8 @@ int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg, case MBEDTLS_SSL_SIG_RSA: switch( sig_alg ) { - case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: - return( key_size <= 3072 ); - - case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: - return( key_size <= 7680 ); - + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */ + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: return( 1 ); @@ -927,43 +969,13 @@ int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg, return( 0 ); } -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_select_sig_alg_for_certificate_verify( - mbedtls_ssl_context *ssl, - mbedtls_pk_context *own_key, - uint16_t *algorithm ) -{ - uint16_t *sig_alg = ssl->handshake->received_sig_algs; - - *algorithm = MBEDTLS_TLS1_3_SIG_NONE; - for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ ) - { - if( mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) && - mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) && - mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "select_sig_alg_for_certificate_verify:" - "selected signature algorithm %s [%04x]", - mbedtls_ssl_sig_alg_to_str( *sig_alg ), - *sig_alg ) ); - *algorithm = *sig_alg; - return( 0 ); - } - } - MBEDTLS_SSL_DEBUG_MSG( 2, - ( "select_sig_alg_for_certificate_verify:" - "no suitable signature algorithm found" ) ); - return( -1 ); -} - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = buf; mbedtls_pk_context *own_key; @@ -971,14 +983,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, size_t handshake_hash_len; unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ]; size_t verify_buffer_len; - mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE; - mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; - psa_algorithm_t psa_algorithm = PSA_ALG_NONE; - uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE; + + uint16_t *sig_alg = ssl->handshake->received_sig_algs; size_t signature_len = 0; - unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ]; - size_t verify_hash_len; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; *out_len = 0; @@ -1011,64 +1018,84 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, * opaque signature<0..2^16-1>; * } CertificateVerify; */ - ret = ssl_tls13_select_sig_alg_for_certificate_verify( ssl, own_key, - &algorithm ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "signature algorithm not in received or offered list." ) ); + /* Check there is space for the algorithm identifier (2 bytes) and the + * signature length (2 bytes). + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s", - mbedtls_ssl_sig_alg_to_str( algorithm ) ) ); + for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ ) + { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE; + mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; + psa_algorithm_t psa_algorithm = PSA_ALG_NONE; + unsigned char verify_hash[PSA_HASH_MAX_SIZE]; + size_t verify_hash_len; - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) ) + continue; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s", - mbedtls_ssl_sig_alg_to_str( algorithm )) ); + if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) ) + continue; - if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg( - algorithm, &pk_type, &md_alg ) != 0 ) - { - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } + if( !mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) ) + continue; - /* Check there is space for the algorithm identifier (2 bytes) and the - * signature length (2 bytes). - */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); - MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 ); - p += 2; + if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( + *sig_alg, &pk_type, &md_alg ) != 0 ) + { + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - /* Hash verify buffer with indicated hash function */ - psa_algorithm = mbedtls_psa_translate_md( md_alg ); - status = psa_hash_compute( psa_algorithm, - verify_buffer, - verify_buffer_len, - verify_hash,sizeof( verify_hash ), - &verify_hash_len ); - if( status != PSA_SUCCESS ) - return( psa_ssl_status_to_mbedtls( status ) ); + /* Hash verify buffer with indicated hash function */ + psa_algorithm = mbedtls_hash_info_psa_from_md( md_alg ); + status = psa_hash_compute( psa_algorithm, + verify_buffer, + verify_buffer_len, + verify_hash, sizeof( verify_hash ), + &verify_hash_len ); + if( status != PSA_SUCCESS ) + return( psa_ssl_status_to_mbedtls( status ) ); - MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); - if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key, + if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key, md_alg, verify_hash, verify_hash_len, - p + 2, (size_t)( end - ( p + 2 ) ), &signature_len, + p + 4, (size_t)( end - ( p + 4 ) ), &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature failed with %s", + mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) ); + MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_pk_sign_ext", ret ); + + /* The signature failed. This is possible if the private key + * was not suitable for the signature operation as purposely we + * did not check its suitability completely. Let's try with + * another signature algorithm. + */ + continue; + } + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature with %s", + mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) ); + + break; + } + + if( *sig_alg == MBEDTLS_TLS1_3_SIG_NONE ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no suitable signature algorithm" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 ); - p += 2 + signature_len; + MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 ); + MBEDTLS_PUT_UINT16_BE( signature_len, p, 2 ); - *out_len = (size_t)( p - buf ); + *out_len = 4 + signature_len; - return( ret ); + return( 0 ); } int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) @@ -1097,7 +1124,7 @@ int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) return( ret ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * @@ -1347,6 +1374,39 @@ int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +/* Early Data Indication Extension + * + * struct { + * select ( Handshake.msg_type ) { + * ... + * case client_hello: Empty; + * case encrypted_extensions: Empty; + * }; + * } EarlyDataIndication; + */ +#if defined(MBEDTLS_SSL_EARLY_DATA) +int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *out_len ) +{ + unsigned char *p = buf; + *out_len = 0; + ((void) ssl); + + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); + + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 ); + MBEDTLS_PUT_UINT16_BE( 0, p, 2 ); + + *out_len = 4; + + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_EARLY_DATA ); + + return( 0 ); +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /* Reset SSL context and update hash for handling HRR. * * Replace Transcript-Hash(X) by @@ -1361,7 +1421,7 @@ int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl ) int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ]; + unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4]; size_t hash_len; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; uint16_t cipher_suite = ssl->session_negotiate->ciphersuite; @@ -1371,7 +1431,7 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ) ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac, hash_transcript + 4, - MBEDTLS_MD_MAX_SIZE, + PSA_HASH_MAX_SIZE, &hash_len ); if( ret != 0 ) { @@ -1386,9 +1446,9 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ) hash_len += 4; +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 ) { -#if defined(MBEDTLS_SHA256_C) MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript", hash_transcript, hash_len ); @@ -1398,11 +1458,11 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ) #else mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); #endif -#endif /* MBEDTLS_SHA256_C */ } - else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) { -#if defined(MBEDTLS_SHA384_C) MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript", hash_transcript, hash_len ); @@ -1410,14 +1470,13 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ) psa_hash_abort( &ssl->handshake->fin_sha384_psa ); psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); #else - mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); + mbedtls_sha512_starts( &ssl->handshake->fin_sha384, 1 ); #endif -#endif /* MBEDTLS_SHA384_C */ } - -#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) +#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) ssl->handshake->update_checksum( ssl, hash_transcript, hash_len ); -#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ return( ret ); } @@ -1505,4 +1564,61 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( } #endif /* MBEDTLS_ECDH_C */ +/* RFC 8446 section 4.2 + * + * If an implementation receives an extension which it recognizes and which is + * not specified for the message in which it appears, it MUST abort the handshake + * with an "illegal_parameter" alert. + * + */ +int mbedtls_ssl_tls13_check_received_extension( + mbedtls_ssl_context *ssl, + int hs_msg_type, + unsigned int received_extension_type, + uint32_t hs_msg_allowed_extensions_mask ) +{ + uint32_t extension_mask = mbedtls_ssl_get_extension_mask( + received_extension_type ); + + MBEDTLS_SSL_PRINT_EXT( + 3, hs_msg_type, received_extension_type, "received" ); + + if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 ) + { + MBEDTLS_SSL_PRINT_EXT( + 3, hs_msg_type, received_extension_type, "is illegal" ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + ssl->handshake->received_extensions |= extension_mask; + /* + * If it is a message containing extension responses, check that we + * previously sent the extension. + */ + switch( hs_msg_type ) + { + case MBEDTLS_SSL_HS_SERVER_HELLO: + case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: + case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: + case MBEDTLS_SSL_HS_CERTIFICATE: + /* Check if the received extension is sent by peer message.*/ + if( ( ssl->handshake->sent_extensions & extension_mask ) != 0 ) + return( 0 ); + break; + default: + return( 0 ); + } + + MBEDTLS_SSL_PRINT_EXT( + 3, hs_msg_type, received_extension_type, "is unsupported" ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, + MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); +} + #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ + diff --git a/thirdparty/mbedtls/library/ssl_tls13_keys.c b/thirdparty/mbedtls/library/ssl_tls13_keys.c index 51743bb3954e6b..cef61449b3a821 100644 --- a/thirdparty/mbedtls/library/ssl_tls13_keys.c +++ b/thirdparty/mbedtls/library/ssl_tls13_keys.c @@ -215,6 +215,33 @@ int mbedtls_ssl_tls13_hkdf_expand_label( return( psa_ssl_status_to_mbedtls ( status ) ); } +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_make_traffic_key( + psa_algorithm_t hash_alg, + const unsigned char *secret, size_t secret_len, + unsigned char *key, size_t key_len, + unsigned char *iv, size_t iv_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_ssl_tls13_hkdf_expand_label( + hash_alg, + secret, secret_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), + NULL, 0, + key, key_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_hkdf_expand_label( + hash_alg, + secret, secret_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), + NULL, 0, + iv, iv_len ); + return( ret ); +} + /* * The traffic keying material is generated from the following inputs: * @@ -240,35 +267,17 @@ int mbedtls_ssl_tls13_make_traffic_keys( { int ret = 0; - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - client_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), - NULL, 0, - keys->client_write_key, key_len ); - if( ret != 0 ) - return( ret ); - - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - server_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), - NULL, 0, - keys->server_write_key, key_len ); - if( ret != 0 ) - return( ret ); - - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - client_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), - NULL, 0, - keys->client_write_iv, iv_len ); + ret = ssl_tls13_make_traffic_key( + hash_alg, client_secret, secret_len, + keys->client_write_key, key_len, + keys->client_write_iv, iv_len ); if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - server_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), - NULL, 0, - keys->server_write_iv, iv_len ); + ret = ssl_tls13_make_traffic_key( + hash_alg, server_secret, secret_len, + keys->server_write_key, key_len, + keys->server_write_iv, iv_len ); if( ret != 0 ) return( ret ); @@ -331,9 +340,12 @@ int mbedtls_ssl_tls13_evolve_secret( int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; - size_t hlen, ilen; + size_t hlen; unsigned char tmp_secret[ PSA_MAC_MAX_SIZE ] = { 0 }; - unsigned char tmp_input [ MBEDTLS_ECP_MAX_BYTES ] = { 0 }; + const unsigned char all_zeroes_input[ MBEDTLS_TLS1_3_MD_MAX_SIZE ] = { 0 }; + const unsigned char *l_input = NULL; + size_t l_input_len; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; @@ -359,14 +371,15 @@ int mbedtls_ssl_tls13_evolve_secret( ret = 0; - if( input != NULL ) + if( input != NULL && input_len != 0 ) { - memcpy( tmp_input, input, input_len ); - ilen = input_len; + l_input = input; + l_input_len = input_len; } else { - ilen = hlen; + l_input = all_zeroes_input; + l_input_len = hlen; } status = psa_key_derivation_setup( &operation, @@ -385,8 +398,7 @@ int mbedtls_ssl_tls13_evolve_secret( status = psa_key_derivation_input_bytes( &operation, PSA_KEY_DERIVATION_INPUT_SECRET, - tmp_input, - ilen ); + l_input, l_input_len ); if( status != PSA_SUCCESS ) goto cleanup; @@ -403,7 +415,6 @@ int mbedtls_ssl_tls13_evolve_secret( status = ( status == PSA_SUCCESS ? abort_status : status ); ret = ( ret == 0 ? psa_ssl_status_to_mbedtls ( status ) : ret ); mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) ); - mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) ); return( ret ); } @@ -622,7 +633,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ssl_handshake_params *handshake = ssl->handshake; - psa_algorithm_t const hash_alg = mbedtls_psa_translate_md( + psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md( handshake->ciphersuite_info->mac ); /* @@ -734,7 +745,7 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl, mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; - psa_algorithm_t hash_alg = mbedtls_psa_translate_md( + psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md( ssl->handshake->ciphersuite_info->mac ); size_t const hash_len = PSA_HASH_LENGTH( hash_alg ); @@ -825,6 +836,9 @@ int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl, goto exit; } + MBEDTLS_SSL_DEBUG_BUF( 4, "mbedtls_ssl_tls13_create_psk_binder", + early_secret, hash_len ) ; + if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION ) { ret = mbedtls_ssl_tls13_derive_secret( hash_alg, @@ -1047,33 +1061,8 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( 0 ); } -int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_algorithm_t hash_alg; - mbedtls_ssl_handshake_params *handshake = ssl->handshake; - - if( handshake->ciphersuite_info == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - - hash_alg = mbedtls_psa_translate_md( handshake->ciphersuite_info->mac ); - - ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, NULL, NULL, 0, - handshake->tls13_master_secrets.early ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); - return( ret ); - } - - return( 0 ); -} - MBEDTLS_CHECK_RETURN_CRITICAL -static int mbedtls_ssl_tls13_get_cipher_key_info( +static int ssl_tls13_get_cipher_key_info( const mbedtls_ssl_ciphersuite_t *ciphersuite_info, size_t *key_len, size_t *iv_len ) { @@ -1101,22 +1090,224 @@ static int mbedtls_ssl_tls13_get_cipher_key_info( return 0; } +#if defined(MBEDTLS_SSL_EARLY_DATA) +/* + * ssl_tls13_generate_early_key() generates the key necessary for protecting + * the early application data and handshake messages as described in section 7 + * of RFC 8446. + * + * NOTE: Only one key is generated, the key for the traffic from the client to + * the server. The TLS 1.3 specification does not define a secret and thus + * a key for server early traffic. + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_type_t md_type; + psa_algorithm_t hash_alg; + size_t hash_len; + unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; + size_t transcript_len; + size_t key_len; + size_t iv_len; + + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; + mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_key" ) ); + + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); + goto cleanup; + } + + md_type = ciphersuite_info->mac; + + hash_alg = mbedtls_hash_info_psa_from_md( ciphersuite_info->mac ); + hash_len = PSA_HASH_LENGTH( hash_alg ); + + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, + sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_get_handshake_transcript", + ret ); + goto cleanup; + } + + ret = mbedtls_ssl_tls13_derive_early_secrets( + hash_alg, handshake->tls13_master_secrets.early, + transcript, transcript_len, tls13_early_secrets ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_derive_early_secrets", ret ); + goto cleanup; + } + + MBEDTLS_SSL_DEBUG_BUF( + 4, "Client early traffic secret", + tls13_early_secrets->client_early_traffic_secret, hash_len ); + + /* + * Export client handshake traffic secret + */ + if( ssl->f_export_keys != NULL ) + { + ssl->f_export_keys( + ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, + tls13_early_secrets->client_early_traffic_secret, + hash_len, + handshake->randbytes, + handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + } + + ret = ssl_tls13_make_traffic_key( + hash_alg, + tls13_early_secrets->client_early_traffic_secret, + hash_len, traffic_keys->client_write_key, key_len, + traffic_keys->client_write_iv, iv_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret ); + goto cleanup; + } + traffic_keys->key_len = key_len; + traffic_keys->iv_len = iv_len; + + MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_key", + traffic_keys->client_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_iv", + traffic_keys->client_write_iv, + traffic_keys->iv_len); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); + +cleanup: + /* Erase secret and transcript */ + mbedtls_platform_zeroize( + tls13_early_secrets, sizeof( mbedtls_ssl_tls13_early_secrets ) ); + mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); + return( ret ); +} + +int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_key_set traffic_keys; + mbedtls_ssl_transform *transform_earlydata = NULL; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + /* Next evolution in key schedule: Establish early_data secret and + * key material. */ + ret = ssl_tls13_generate_early_key( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_key", + ret ); + goto cleanup; + } + + transform_earlydata = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_earlydata == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto cleanup; + } + + ret = mbedtls_ssl_tls13_populate_transform( + transform_earlydata, + ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, + ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); + goto cleanup; + } + handshake->transform_earlydata = transform_earlydata; + +cleanup: + mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); + if( ret != 0 ) + mbedtls_free( transform_earlydata ); + + return( ret ); +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + +int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_algorithm_t hash_alg; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + unsigned char *psk = NULL; + size_t psk_len = 0; + + if( handshake->ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + hash_alg = mbedtls_hash_info_psa_from_md( handshake->ciphersuite_info->mac ); +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) + { + ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_export_handshake_psk", + ret ); + return( ret ); + } + } +#endif + + ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, NULL, psk, psk_len, + handshake->tls13_master_secrets.early ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + mbedtls_free( (void*)psk ); +#endif + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_BUF( 4, "mbedtls_ssl_tls13_key_schedule_stage_early", + handshake->tls13_master_secrets.early, + PSA_HASH_LENGTH( hash_alg ) ); + return( 0 ); +} + /* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_type_t md_type; - psa_algorithm_t hash_alg; size_t hash_len; - unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - - size_t key_len, iv_len; + size_t key_len; + size_t iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; @@ -1124,17 +1315,16 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); - ret = mbedtls_ssl_tls13_get_cipher_key_info( ciphersuite_info, - &key_len, &iv_len ); + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); return ret; } md_type = ciphersuite_info->mac; - hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); + hash_alg = mbedtls_hash_info_psa_from_md( ciphersuite_info->mac ); hash_len = PSA_HASH_LENGTH( hash_alg ); ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, @@ -1224,79 +1414,93 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) && defined(MBEDTLS_ECDH_C) - psa_status_t status = PSA_ERROR_GENERIC_ERROR; -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED && MBEDTLS_ECDH_C */ mbedtls_ssl_handshake_params *handshake = ssl->handshake; - psa_algorithm_t const hash_alg = mbedtls_psa_translate_md( + psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md( handshake->ciphersuite_info->mac ); + unsigned char *shared_secret = NULL; + size_t shared_secret_len = 0; -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) /* * Compute ECDHE secret used to compute the handshake secret from which * client_handshake_traffic_secret and server_handshake_traffic_secret * are derived in the handshake secret derivation stage. */ - if( mbedtls_ssl_tls13_ephemeral_enabled( ssl ) ) + if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) ) { if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) ) { #if defined(MBEDTLS_ECDH_C) /* Compute ECDH shared secret. */ - status = psa_raw_key_agreement( - PSA_ALG_ECDH, handshake->ecdh_psa_privkey, - handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, - handshake->premaster, sizeof( handshake->premaster ), - &handshake->pmslen ); - if( status != PSA_SUCCESS ) - { - ret = psa_ssl_status_to_mbedtls( status ); - MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret ); - return( ret ); - } - - status = psa_destroy_key( handshake->ecdh_psa_privkey ); - if( status != PSA_SUCCESS ) - { - ret = psa_ssl_status_to_mbedtls( status ); - MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret ); - return( ret ); - } - - handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; + psa_status_t status = PSA_ERROR_GENERIC_ERROR; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + + status = psa_get_key_attributes( handshake->ecdh_psa_privkey, + &key_attributes ); + if( status != PSA_SUCCESS ) + ret = psa_ssl_status_to_mbedtls( status ); + + shared_secret_len = PSA_BITS_TO_BYTES( + psa_get_key_bits( &key_attributes ) ); + shared_secret = mbedtls_calloc( 1, shared_secret_len ); + if( shared_secret == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + status = psa_raw_key_agreement( + PSA_ALG_ECDH, handshake->ecdh_psa_privkey, + handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, + shared_secret, shared_secret_len, &shared_secret_len ); + if( status != PSA_SUCCESS ) + { + ret = psa_ssl_status_to_mbedtls( status ); + MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret ); + goto cleanup; + } + + status = psa_destroy_key( handshake->ecdh_psa_privkey ); + if( status != PSA_SUCCESS ) + { + ret = psa_ssl_status_to_mbedtls( status ); + MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret ); + goto cleanup; + } + + handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; #endif /* MBEDTLS_ECDH_C */ } - else if( mbedtls_ssl_tls13_named_group_is_dhe( handshake->offered_group_id ) ) + else { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHE not supported." ) ); - return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Group not supported." ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } } -#else - return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ /* * Compute the Handshake Secret */ ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, handshake->tls13_master_secrets.early, - handshake->premaster, handshake->pmslen, + shared_secret, shared_secret_len, handshake->tls13_master_secrets.handshake ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); - return( ret ); + goto cleanup; } MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret", handshake->tls13_master_secrets.handshake, PSA_HASH_LENGTH( hash_alg ) ); -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) - mbedtls_platform_zeroize( handshake->premaster, sizeof( handshake->premaster ) ); -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ - return( 0 ); +cleanup: + if( shared_secret != NULL ) + { + mbedtls_platform_zeroize( shared_secret, shared_secret_len ); + mbedtls_free( shared_secret ); + } + + return( ret ); } /* Generate application traffic keys since any records following a 1-RTT Finished message @@ -1330,17 +1534,17 @@ int mbedtls_ssl_tls13_generate_application_keys( /* Extract basic information about hash and ciphersuite */ - ret = mbedtls_ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, - &key_len, &iv_len ); + ret = ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, + &key_len, &iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); goto cleanup; } md_type = handshake->ciphersuite_info->mac; - hash_alg = mbedtls_psa_translate_md( handshake->ciphersuite_info->mac ); + hash_alg = mbedtls_hash_info_psa_from_md( handshake->ciphersuite_info->mac ); hash_len = PSA_HASH_LENGTH( hash_alg ); /* Compute current handshake transcript. It's the caller's responsibility @@ -1480,12 +1684,43 @@ int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl ) return( ret ); } -int mbedtls_ssl_tls13_generate_resumption_master_secret( - mbedtls_ssl_context *ssl ) +int mbedtls_ssl_tls13_compute_resumption_master_secret( mbedtls_ssl_context *ssl ) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_type_t md_type; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; + size_t transcript_len; + + MBEDTLS_SSL_DEBUG_MSG( 2, + ( "=> mbedtls_ssl_tls13_compute_resumption_master_secret" ) ); + + md_type = handshake->ciphersuite_info->mac; + + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_derive_resumption_master_secret( + mbedtls_psa_translate_md( md_type ), + handshake->tls13_master_secrets.app, + transcript, transcript_len, + &ssl->session_negotiate->app_secrets ); + if( ret != 0 ) + return( ret ); + /* Erase master secrets */ - mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets, - sizeof( ssl->handshake->tls13_master_secrets ) ); + mbedtls_platform_zeroize( &handshake->tls13_master_secrets, + sizeof( handshake->tls13_master_secrets ) ); + + MBEDTLS_SSL_DEBUG_BUF( 4, "Resumption master secret", + ssl->session_negotiate->app_secrets.resumption_master_secret, + PSA_HASH_LENGTH( mbedtls_psa_translate_md( md_type ) ) ) ; + + MBEDTLS_SSL_DEBUG_MSG( 2, + ( "<= mbedtls_ssl_tls13_compute_resumption_master_secret" ) ); return( 0 ); } @@ -1543,4 +1778,48 @@ int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl ) return( ret ); } +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl, + unsigned char **psk, + size_t *psk_len ) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + *psk_len = 0; + *psk = NULL; + + if( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + status = psa_get_key_attributes( ssl->handshake->psk_opaque, &key_attributes ); + if( status != PSA_SUCCESS ) + return( psa_ssl_status_to_mbedtls( status ) ); + + *psk_len = PSA_BITS_TO_BYTES( psa_get_key_bits( &key_attributes ) ); + *psk = mbedtls_calloc( 1, *psk_len ); + if( *psk == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + status = psa_export_key( ssl->handshake->psk_opaque, + (uint8_t *)*psk, *psk_len, psk_len ); + if( status != PSA_SUCCESS ) + { + mbedtls_free( (void *)*psk ); + *psk = NULL; + return( psa_ssl_status_to_mbedtls( status ) ); + } + return( 0 ); +#else + *psk = ssl->handshake->psk; + *psk_len = ssl->handshake->psk_len; + if( *psk == NULL ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + return( 0 ); +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ +} +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + diff --git a/thirdparty/mbedtls/library/ssl_tls13_keys.h b/thirdparty/mbedtls/library/ssl_tls13_keys.h index 76c1e93d8bde7b..fc64737cd35180 100644 --- a/thirdparty/mbedtls/library/ssl_tls13_keys.h +++ b/thirdparty/mbedtls/library/ssl_tls13_keys.h @@ -81,7 +81,7 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels; * Since contexts are always hashes of message transcripts, this can * be approximated from above by the maximum hash size. */ #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ - MBEDTLS_MD_MAX_SIZE + PSA_HASH_MAX_SIZE /* Maximum desired length for expanded key material generated * by HKDF-Expand-Label. @@ -636,8 +636,7 @@ int mbedtls_ssl_tls13_generate_application_keys( * \returns A negative error code on failure. */ MBEDTLS_CHECK_RETURN_CRITICAL -int mbedtls_ssl_tls13_generate_resumption_master_secret( - mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_compute_resumption_master_secret( mbedtls_ssl_context *ssl ); /** * \brief Calculate the verify_data value for the client or server TLS 1.3 @@ -668,6 +667,27 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, size_t *actual_len, int which ); +#if defined(MBEDTLS_SSL_EARLY_DATA) +/** + * \brief Compute TLS 1.3 early transform + * + * \param ssl The SSL context to operate on. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + * + * \warning The function does not compute the early master secret. Call + * mbedtls_ssl_tls13_key_schedule_stage_early() before to + * call this function to generate the early master secret. + * \note For a client/server endpoint, the function computes only the + * encryption/decryption part of the transform as the decryption/ + * encryption part is not defined by the specification (no early + * traffic from the server to the client). + */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /** * \brief Compute TLS 1.3 handshake transform * @@ -692,6 +712,24 @@ int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl ); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +/** + * \brief Export TLS 1.3 PSK from handshake context + * + * \param[in] ssl The SSL context to operate on. + * \param[out] psk PSK output pointer. + * \param[out] psk_len Length of PSK. + * + * \returns \c 0 if there is a configured PSK and it was exported + * successfully. + * \returns A negative error code on failure. + */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl, + unsigned char **psk, + size_t *psk_len ); +#endif + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ diff --git a/thirdparty/mbedtls/library/ssl_tls13_server.c b/thirdparty/mbedtls/library/ssl_tls13_server.c index 7d99433a90e054..6caae89b48d4dd 100644 --- a/thirdparty/mbedtls/library/ssl_tls13_server.c +++ b/thirdparty/mbedtls/library/ssl_tls13_server.c @@ -24,6 +24,7 @@ #include "mbedtls/debug.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" +#include "mbedtls/constant_time.h" #include "ssl_misc.h" #include "ssl_tls13_keys.h" @@ -33,18 +34,679 @@ #include "mbedtls/ecp.h" #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif /* MBEDTLS_PLATFORM_C */ #include "ssl_misc.h" #include "ssl_tls13_keys.h" #include "ssl_debug_helpers.h" + +static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite( + mbedtls_ssl_context *ssl, + unsigned int cipher_suite ) +{ + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) ) + return( NULL ); + + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); + if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info, + ssl->tls_version, + ssl->tls_version ) != 0 ) ) + { + return( NULL ); + } + return( ciphersuite_info ); +} + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +/* From RFC 8446: + * + * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; + * struct { + * PskKeyExchangeMode ke_modes<1..255>; + * } PskKeyExchangeModes; + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + const unsigned char *p = buf; + size_t ke_modes_len; + int ke_modes = 0; + + /* Read ke_modes length (1 Byte) */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); + ke_modes_len = *p++; + /* Currently, there are only two PSK modes, so even without looking + * at the content, something's wrong if the list has more than 2 items. */ + if( ke_modes_len > 2 ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ke_modes_len ); + + while( ke_modes_len-- != 0 ) + { + switch( *p++ ) + { + case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: + ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK KEX MODE" ) ); + break; + case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: + ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK_EPHEMERAL KEX MODE" ) ); + break; + default: + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + } + + ssl->handshake->tls13_kex_modes = ke_modes; + return( 0 ); +} + +#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1 +#define SSL_TLS1_3_OFFERED_PSK_MATCH 0 + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_offered_psks_check_identity_match_ticket( + mbedtls_ssl_context *ssl, + const unsigned char *identity, + size_t identity_len, + uint32_t obfuscated_ticket_age, + mbedtls_ssl_session *session ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *ticket_buffer; +#if defined(MBEDTLS_HAVE_TIME) + mbedtls_time_t now; + uint64_t age_in_s; + int64_t age_diff_in_ms; +#endif + + ((void) obfuscated_ticket_age); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> check_identity_match_ticket" ) ); + + /* Ticket parser is not configured, Skip */ + if( ssl->conf->f_ticket_parse == NULL || identity_len == 0 ) + return( 0 ); + + /* We create a copy of the encrypted ticket since the ticket parsing + * function is allowed to use its input buffer as an output buffer + * (in-place decryption). We do, however, need the original buffer for + * computing the PSK binder value. + */ + ticket_buffer = mbedtls_calloc( 1, identity_len ); + if( ticket_buffer == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( ticket_buffer, identity, identity_len ); + + if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, + session, + ticket_buffer, identity_len ) ) != 0 ) + { + if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); + else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); + else + MBEDTLS_SSL_DEBUG_RET( 1, "ticket_parse", ret ); + } + + /* We delete the temporary buffer */ + mbedtls_free( ticket_buffer ); + + if( ret != 0 ) + goto exit; + + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; +#if defined(MBEDTLS_HAVE_TIME) + now = mbedtls_time( NULL ); + + if( now < session->start ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG + ", start=%" MBEDTLS_PRINTF_LONGLONG " )", + (long long)now, (long long)session->start ) ); + goto exit; + } + + age_in_s = (uint64_t)( now - session->start ); + + /* RFC 8446 section 4.6.1 + * + * Servers MUST NOT use any value greater than 604800 seconds (7 days). + * + * RFC 8446 section 4.2.11.1 + * + * Clients MUST NOT attempt to use tickets which have ages greater than + * the "ticket_lifetime" value which was provided with the ticket. + * + * For time being, the age MUST be less than 604800 seconds (7 days). + */ + if( age_in_s > 604800 ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "Ticket age exceeds limitation ticket_age=%lu", + (long unsigned int)age_in_s ) ); + goto exit; + } + + /* RFC 8446 section 4.2.10 + * + * For PSKs provisioned via NewSessionTicket, a server MUST validate that + * the ticket age for the selected PSK identity (computed by subtracting + * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is + * within a small tolerance of the time since the ticket was issued. + * + * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative + * as the age units are different on the server (s) and in the + * client (ms) side. Add a -1000 ms tolerance window to take this + * into account. + */ + age_diff_in_ms = age_in_s * 1000; + age_diff_in_ms -= ( obfuscated_ticket_age - session->ticket_age_add ); + if( age_diff_in_ms <= -1000 || + age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "Ticket age outside tolerance window ( diff=%d )", + (int)age_diff_in_ms ) ); + goto exit; + } + + ret = 0; + +#endif /* MBEDTLS_HAVE_TIME */ + +exit: + if( ret != 0 ) + mbedtls_ssl_session_free( session ); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= check_identity_match_ticket" ) ); + return( ret ); +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_offered_psks_check_identity_match( + mbedtls_ssl_context *ssl, + const unsigned char *identity, + size_t identity_len, + uint32_t obfuscated_ticket_age, + int *psk_type, + mbedtls_ssl_session *session ) +{ + ((void) session); + ((void) obfuscated_ticket_age); + *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; + + MBEDTLS_SSL_DEBUG_BUF( 4, "identity", identity, identity_len ); + ssl->handshake->resume = 0; + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + if( ssl_tls13_offered_psks_check_identity_match_ticket( + ssl, identity, identity_len, obfuscated_ticket_age, + session ) == SSL_TLS1_3_OFFERED_PSK_MATCH ) + { + ssl->handshake->resume = 1; + *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; + mbedtls_ssl_set_hs_psk( ssl, + session->resumption_key, + session->resumption_key_len ); + + MBEDTLS_SSL_DEBUG_BUF( 4, "Ticket-resumed PSK:", + session->resumption_key, + session->resumption_key_len ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "ticket: obfuscated_ticket_age: %u", + (unsigned)obfuscated_ticket_age ) ); + return( SSL_TLS1_3_OFFERED_PSK_MATCH ); + } +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + + /* Check identity with external configured function */ + if( ssl->conf->f_psk != NULL ) + { + if( ssl->conf->f_psk( + ssl->conf->p_psk, ssl, identity, identity_len ) == 0 ) + { + return( SSL_TLS1_3_OFFERED_PSK_MATCH ); + } + return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); + } + + MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len ); + /* Check identity with pre-configured psk */ + if( ssl->conf->psk_identity != NULL && + identity_len == ssl->conf->psk_identity_len && + mbedtls_ct_memcmp( ssl->conf->psk_identity, + identity, identity_len ) == 0 ) + { + mbedtls_ssl_set_hs_psk( ssl, ssl->conf->psk, ssl->conf->psk_len ); + return( SSL_TLS1_3_OFFERED_PSK_MATCH ); + } + + return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl, + const unsigned char *binder, + size_t binder_len, + int psk_type, + psa_algorithm_t psk_hash_alg ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + unsigned char transcript[PSA_HASH_MAX_SIZE]; + size_t transcript_len; + unsigned char *psk; + size_t psk_len; + unsigned char server_computed_binder[PSA_HASH_MAX_SIZE]; + + /* Get current state of handshake transcript. */ + ret = mbedtls_ssl_get_handshake_transcript( + ssl, mbedtls_hash_info_md_from_psa( psk_hash_alg ), + transcript, sizeof( transcript ), &transcript_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psk_hash_alg, + psk, psk_len, psk_type, + transcript, + server_computed_binder ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + mbedtls_free( (void*)psk ); +#endif + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ", + server_computed_binder, transcript_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len ); + + if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 ) + { + return( SSL_TLS1_3_OFFERED_PSK_MATCH ); + } + + mbedtls_platform_zeroize( server_computed_binder, + sizeof( server_computed_binder ) ); + return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_select_ciphersuite_for_psk( + mbedtls_ssl_context *ssl, + const unsigned char *cipher_suites, + const unsigned char *cipher_suites_end, + uint16_t *selected_ciphersuite, + const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info ) +{ + psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256; + + *selected_ciphersuite = 0; + *selected_ciphersuite_info = NULL; + + /* RFC 8446, page 55. + * + * For externally established PSKs, the Hash algorithm MUST be set when the + * PSK is established or default to SHA-256 if no such algorithm is defined. + * + */ + + /* + * Search for a matching ciphersuite + */ + for ( const unsigned char *p = cipher_suites; + p < cipher_suites_end; p += 2 ) + { + uint16_t cipher_suite; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + + cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); + ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl, + cipher_suite ); + if( ciphersuite_info == NULL ) + continue; + + /* MAC of selected ciphersuite MUST be same with PSK binder if exist. + * Otherwise, client should reject. + */ + if( psk_hash_alg == mbedtls_psa_translate_md( ciphersuite_info->mac ) ) + { + *selected_ciphersuite = cipher_suite; + *selected_ciphersuite_info = ciphersuite_info; + return( 0 ); + } + } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "No matched ciphersuite" ) ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); +} + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_select_ciphersuite_for_resumption( + mbedtls_ssl_context *ssl, + const unsigned char *cipher_suites, + const unsigned char *cipher_suites_end, + mbedtls_ssl_session *session, + uint16_t *selected_ciphersuite, + const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info ) +{ + + *selected_ciphersuite = 0; + *selected_ciphersuite_info = NULL; + for( const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2 ) + { + uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + + if( cipher_suite != session->ciphersuite ) + continue; + + ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl, + cipher_suite ); + if( ciphersuite_info == NULL ) + continue; + + *selected_ciphersuite = cipher_suite; + *selected_ciphersuite_info = ciphersuite_info; + + return( 0 ); + } + + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_session_copy_ticket( mbedtls_ssl_session *dst, + const mbedtls_ssl_session *src ) +{ + dst->ticket_age_add = src->ticket_age_add; + dst->ticket_flags = src->ticket_flags; + dst->resumption_key_len = src->resumption_key_len; + if( src->resumption_key_len == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + memcpy( dst->resumption_key, src->resumption_key, src->resumption_key_len ); + + return( 0 ); +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + +/* Parser for pre_shared_key extension in client hello + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * } OfferedPsks; + * + * struct { + * select (Handshake.msg_type) { + * case client_hello: OfferedPsks; + * .... + * }; + * } PreSharedKeyExtension; + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, + const unsigned char *pre_shared_key_ext, + const unsigned char *pre_shared_key_ext_end, + const unsigned char *ciphersuites, + const unsigned char *ciphersuites_end ) +{ + const unsigned char *identities = pre_shared_key_ext; + const unsigned char *p_identity_len; + size_t identities_len; + const unsigned char *identities_end; + const unsigned char *binders; + const unsigned char *p_binder_len; + size_t binders_len; + const unsigned char *binders_end; + int matched_identity = -1; + int identity_id = -1; + + MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extension", + pre_shared_key_ext, + pre_shared_key_ext_end - pre_shared_key_ext ); + + /* identities_len 2 bytes + * identities_data >= 7 bytes + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( identities, pre_shared_key_ext_end, 7 + 2 ); + identities_len = MBEDTLS_GET_UINT16_BE( identities, 0 ); + p_identity_len = identities + 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, pre_shared_key_ext_end, + identities_len ); + identities_end = p_identity_len + identities_len; + + /* binders_len 2 bytes + * binders >= 33 bytes + */ + binders = identities_end; + MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, pre_shared_key_ext_end, 33 + 2 ); + binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 ); + p_binder_len = binders + 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, pre_shared_key_ext_end, binders_len ); + binders_end = p_binder_len + binders_len; + + ssl->handshake->update_checksum( ssl, pre_shared_key_ext, + identities_end - pre_shared_key_ext ); + + while( p_identity_len < identities_end && p_binder_len < binders_end ) + { + const unsigned char *identity; + size_t identity_len; + uint32_t obfuscated_ticket_age; + const unsigned char *binder; + size_t binder_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int psk_type; + uint16_t cipher_suite; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_session session; + mbedtls_ssl_session_init( &session ); +#endif + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, identities_end, 2 + 1 + 4 ); + identity_len = MBEDTLS_GET_UINT16_BE( p_identity_len, 0 ); + identity = p_identity_len + 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len + 4 ); + obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE( identity , identity_len ); + p_identity_len += identity_len + 6; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, binders_end, 1 + 32 ); + binder_len = *p_binder_len; + binder = p_binder_len + 1; + MBEDTLS_SSL_CHK_BUF_READ_PTR( binder, binders_end, binder_len ); + p_binder_len += binder_len + 1; + + identity_id++; + if( matched_identity != -1 ) + continue; + + ret = ssl_tls13_offered_psks_check_identity_match( + ssl, identity, identity_len, obfuscated_ticket_age, + &psk_type, &session ); + if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH ) + continue; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "found matched identity" ) ); + switch( psk_type ) + { + case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL: + ret = ssl_tls13_select_ciphersuite_for_psk( + ssl, ciphersuites, ciphersuites_end, + &cipher_suite, &ciphersuite_info ); + break; + case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION: +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + ret = ssl_tls13_select_ciphersuite_for_resumption( + ssl, ciphersuites, ciphersuites_end, &session, + &cipher_suite, &ciphersuite_info ); + if( ret != 0 ) + mbedtls_ssl_session_free( &session ); +#else + ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; +#endif + break; + default: + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + if( ret != 0 ) + { + /* See below, no cipher_suite available, abort handshake */ + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_SSL_DEBUG_RET( + 2, "ssl_tls13_select_ciphersuite", ret ); + return( ret ); + } + + ret = ssl_tls13_offered_psks_check_binder_match( + ssl, binder, binder_len, psk_type, + mbedtls_psa_translate_md( ciphersuite_info->mac ) ); + if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH ) + { + /* For security reasons, the handshake should be aborted when we + * fail to validate a binder value. See RFC 8446 section 4.2.11.2 + * and appendix E.6. */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_session_free( &session ); +#endif + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Invalid binder." ) ); + MBEDTLS_SSL_DEBUG_RET( 1, + "ssl_tls13_offered_psks_check_binder_match" , ret ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( ret ); + } + + matched_identity = identity_id; + + /* Update handshake parameters */ + ssl->handshake->ciphersuite_info = ciphersuite_info; + ssl->session_negotiate->ciphersuite = cipher_suite; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "overwrite ciphersuite: %04x - %s", + cipher_suite, ciphersuite_info->name ) ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION ) + { + ret = ssl_tls13_session_copy_ticket( ssl->session_negotiate, + &session ); + mbedtls_ssl_session_free( &session ); + if( ret != 0 ) + return( ret ); + } +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + } + + if( p_identity_len != identities_end || p_binder_len != binders_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extension decode error" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + /* Update the handshake transcript with the binder list. */ + ssl->handshake->update_checksum( ssl, + identities_end, + (size_t)( binders_end - identities_end ) ); + if( matched_identity == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched PSK or ticket." ) ); + return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); + } + + ssl->handshake->selected_identity = (uint16_t)matched_identity; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) ); + + return( 0 ); +} + +/* + * struct { + * select ( Handshake.msg_type ) { + * .... + * case server_hello: + * uint16 selected_identity; + * } + * } PreSharedKeyExtension; + */ +static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) +{ + unsigned char *p = (unsigned char*)buf; + + *olen = 0; + + int not_using_psk = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + not_using_psk = ( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ); +#else + not_using_psk = ( ssl->handshake->psk == NULL ); +#endif + if( not_using_psk ) + { + /* We shouldn't have called this extension writer unless we've + * chosen to use a PSK. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) ); + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); + + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); + MBEDTLS_PUT_UINT16_BE( 2, p, 2 ); + + MBEDTLS_PUT_UINT16_BE( ssl->handshake->selected_identity, p, 4 ); + + *olen = 6; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u", + ssl->handshake->selected_identity ) ); + + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY ); + + return( 0 ); +} + +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ + /* From RFC 8446: * struct { * ProtocolVersion versions<2..254>; @@ -266,90 +928,176 @@ static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C */ -#if defined(MBEDTLS_DEBUG_C) -static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl ) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl, + int exts_mask ) +{ + int masked = ssl->handshake->received_extensions & exts_mask; + return( masked == exts_mask ); +} + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( + mbedtls_ssl_context *ssl ) +{ + return( ssl_tls13_client_hello_has_exts( + ssl, + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | + MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | + MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) ); +} +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange( + mbedtls_ssl_context *ssl ) +{ + return( ssl_tls13_client_hello_has_exts( + ssl, + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) ); +} +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */ + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( + mbedtls_ssl_context *ssl ) +{ + return( ssl_tls13_client_hello_has_exts( + ssl, + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | + MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) ); +} +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */ + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) + return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) && + ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) ); +#else + ((void) ssl); + return( 0 ); +#endif +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) + return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) && + mbedtls_ssl_tls13_psk_enabled( ssl ) && + ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) ); +#else + ((void) ssl); + return( 0 ); +#endif +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) { +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) + return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) && + mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) && + ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) ); +#else ((void) ssl); + return( 0 ); +#endif +} + +static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl ) +{ + /* + * Determine the key exchange algorithm to use. + * There are three types of key exchanges supported in TLS 1.3: + * - (EC)DH with ECDSA, + * - (EC)DH with PSK, + * - plain PSK. + * + * The PSK-based key exchanges may additionally be used with 0-RTT. + * + * Our built-in order of preference is + * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral ) + * 2 ) Certificate Mode ( ephemeral ) + * 3 ) Plain PSK Mode ( psk ) + */ + + ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; + + if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) ) + { + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) ); + } + else + if( ssl_tls13_check_ephemeral_key_exchange( ssl ) ) + { + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) ); + } + else + if( ssl_tls13_check_psk_key_exchange( ssl ) ) + { + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( + 1, + ( "ClientHello message misses mandatory extensions." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION , + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- KEY_SHARE_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ? - "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- PRE_SHARED_KEY_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SUPPORTED_GROUPS_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ? - "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SUPPORTED_VERSION_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ? - "TRUE" : "FALSE" ) ); -#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION ) - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SERVERNAME_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ? - "TRUE" : "FALSE" ) ); -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined ( MBEDTLS_SSL_ALPN ) - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- ALPN_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ? - "TRUE" : "FALSE" ) ); -#endif /* MBEDTLS_SSL_ALPN */ -} -#endif /* MBEDTLS_DEBUG_C */ + return( 0 ); -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl, - int exts_mask ) -{ - int masked = ssl->handshake->extensions_present & exts_mask; - return( masked == exts_mask ); } -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( - mbedtls_ssl_context *ssl ) -{ - return( ssl_tls13_client_hello_has_exts( ssl, - MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | - MBEDTLS_SSL_EXT_KEY_SHARE | - MBEDTLS_SSL_EXT_SIG_ALG ) ); -} +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg ) { - if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) ) - return( 0 ); - - if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) ) - return( 0 ); - - ssl->handshake->tls13_kex_modes = - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; - return( 1 ); + switch( sig_alg ) + { + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: + return( PSA_ALG_ECDSA( PSA_ALG_SHA_256 ) ); + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: + return( PSA_ALG_ECDSA( PSA_ALG_SHA_384 ) ); + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: + return( PSA_ALG_ECDSA( PSA_ALG_SHA_512 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: + return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: + return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: + return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: + return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: + return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_384 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: + return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_512 ) ); + default: + return( PSA_ALG_NONE ); + } } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * Pick best ( private key, certificate chain ) pair based on the signature * algorithms supported by the client. @@ -375,9 +1123,19 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl ) for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) { + if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) ) + continue; + + if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) ) + continue; + for( key_cert = key_cert_list; key_cert != NULL; key_cert = key_cert->next ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_algorithm_t psa_alg = PSA_ALG_NONE; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate", key_cert->cert ); @@ -401,8 +1159,18 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl ) "check signature algorithm %s [%04x]", mbedtls_ssl_sig_alg_to_str( *sig_alg ), *sig_alg ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg( *sig_alg ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match( - *sig_alg, &key_cert->cert->pk ) ) + *sig_alg, &key_cert->cert->pk ) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + && psa_alg != PSA_ALG_NONE && + mbedtls_pk_can_do_ext( &key_cert->cert->pk, psa_alg, + PSA_KEY_USAGE_SIGN_HASH ) == 1 +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + ) { ssl->handshake->key_cert = key_cert; MBEDTLS_SSL_DEBUG_MSG( 3, @@ -424,7 +1192,7 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl ) return( -1 ); } #endif /* MBEDTLS_X509_CRT_PARSE_C && - MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * @@ -478,16 +1246,18 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const unsigned char *p = buf; size_t legacy_session_id_len; - const unsigned char *cipher_suites; size_t cipher_suites_len; const unsigned char *cipher_suites_end; size_t extensions_len; const unsigned char *extensions_end; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; int hrr_required = 0; - const mbedtls_ssl_ciphersuite_t* ciphersuite_info; - - ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + const unsigned char *cipher_suites; + const unsigned char *pre_shared_key_ext = NULL; + const unsigned char *pre_shared_key_ext_end = NULL; +#endif /* * ClientHello layout: @@ -531,6 +1301,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, */ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + /* Store minor version for later use with ticket serialization. */ + ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; + ssl->session_negotiate->endpoint = ssl->conf->endpoint; +#endif + /* ... * Random random; * ... @@ -540,7 +1316,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); - memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); + memcpy( &handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN; /* ... @@ -561,7 +1337,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, p, legacy_session_id_len ); /* * Check we have enough data for the legacy session identifier - * and the ciphersuite list length. + * and the ciphersuite list length. */ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 ); @@ -573,6 +1349,10 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, /* Check we have enough data for the ciphersuite list, the legacy * compression methods and the length of the extensions. + * + * cipher_suites cipher_suites_len bytes + * legacy_compression_methods 2 bytes + * extensions_len 2 bytes */ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 ); @@ -582,51 +1362,43 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, * with CipherSuite defined as: * uint8 CipherSuite[2]; */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) cipher_suites = p; +#endif cipher_suites_end = p + cipher_suites_len; MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", p, cipher_suites_len ); + /* * Search for a matching ciphersuite */ - int ciphersuite_match = 0; for ( ; p < cipher_suites_end; p += 2 ) { uint16_t cipher_suite; + const mbedtls_ssl_ciphersuite_t* ciphersuite_info; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 ); + cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); - /* - * Check whether this ciphersuite is valid and offered. - */ - if( ( mbedtls_ssl_validate_ciphersuite( - ssl, ciphersuite_info, ssl->tls_version, - ssl->tls_version ) != 0 ) || - ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) ) - { + ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( + ssl,cipher_suite ); + if( ciphersuite_info == NULL ) continue; - } ssl->session_negotiate->ciphersuite = cipher_suite; - ssl->handshake->ciphersuite_info = ciphersuite_info; - ciphersuite_match = 1; - - break; - + handshake->ciphersuite_info = ciphersuite_info; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s", + cipher_suite, + ciphersuite_info->name ) ); } - if( ! ciphersuite_match ) + if( handshake->ciphersuite_info == NULL ) { MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", - ciphersuite_info->name ) ); - - p = cipher_suites + cipher_suites_len; - /* ... * opaque legacy_compression_methods<1..2^8-1>; * ... @@ -656,12 +1428,31 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len ); + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + while( p < extensions_end ) { unsigned int extension_type; size_t extension_data_len; const unsigned char *extension_data_end; + /* RFC 8446, section 4.2.11 + * + * The "pre_shared_key" extension MUST be the last extension in the + * ClientHello (this facilitates implementation as described below). + * Servers MUST check that it is the last extension and otherwise fail + * the handshake with an "illegal_parameter" alert. + */ + if( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "pre_shared_key is not last extension." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); @@ -670,6 +1461,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; + ret = mbedtls_ssl_tls13_check_received_extension( + ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ); + if( ret != 0 ) + return( ret ); + switch( extension_type ) { #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) @@ -683,7 +1480,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, 1, "mbedtls_ssl_parse_servername_ext", ret ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME; break; #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ @@ -706,7 +1502,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS; break; #endif /* MBEDTLS_ECDH_C */ @@ -736,7 +1531,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; break; #endif /* MBEDTLS_ECDH_C */ @@ -751,7 +1545,42 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ( "ssl_tls13_parse_supported_versions_ext" ), ret ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS; + break; + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) ); + + ret = ssl_tls13_parse_key_exchange_modes_ext( + ssl, p, extension_data_end ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, "ssl_tls13_parse_key_exchange_modes_ext", ret ); + return( ret ); + } + + break; +#endif + + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); + if( ( handshake->received_extensions & + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) == 0 ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + /* Delay processing of the PSK identity once we have + * found out which algorithms to use. We keep a pointer + * to the buffer and the size for later processing. + */ + pre_shared_key_ext = p; + pre_shared_key_ext_end = extension_data_end; +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ break; #if defined(MBEDTLS_SSL_ALPN) @@ -765,11 +1594,10 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN; break; #endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) case MBEDTLS_TLS_EXT_SIG_ALG: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); @@ -782,30 +1610,65 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ret ) ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG; break; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "unknown extension found: %ud ( ignoring )", - extension_type ) ); + MBEDTLS_SSL_PRINT_EXT( + 3, MBEDTLS_SSL_HS_CLIENT_HELLO, + extension_type, "( ignored )" ); + break; } p += extension_data_len; } + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO, + handshake->received_extensions ); + + mbedtls_ssl_add_hs_hdr_to_checksum( ssl, + MBEDTLS_SSL_HS_CLIENT_HELLO, + p - buf ); + +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* Update checksum with either * - The entire content of the CH message, if no PSK extension is present * - The content up to but excluding the PSK extension, if present. */ - mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, - buf, p - buf ); + /* If we've settled on a PSK-based exchange, parse PSK identity ext */ + if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) && + mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && + ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) ) ) + { + handshake->update_checksum( ssl, buf, + pre_shared_key_ext - buf ); + ret = ssl_tls13_parse_pre_shared_key_ext( ssl, + pre_shared_key_ext, + pre_shared_key_ext_end, + cipher_suites, + cipher_suites_end ); + if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) + { + handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ); + } + else if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, "ssl_tls13_parse_pre_shared_key_ext" , ret ); + return( ret ); + } + } + else +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ + { + handshake->update_checksum( ssl, buf, p - buf ); + } + + ret = ssl_tls13_determine_key_exchange_mode( ssl ); + if( ret < 0 ) + return( ret ); - /* List all the extensions we have received */ -#if defined(MBEDTLS_DEBUG_C) - ssl_tls13_debug_print_client_hello_exts( ssl ); -#endif /* MBEDTLS_DEBUG_C */ + mbedtls_ssl_optimize_checksum( ssl, handshake->ciphersuite_info ); return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK ); } @@ -817,19 +1680,6 @@ static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* - * Here we only support the ephemeral or (EC)DHE key echange mode - */ - if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) ) - { - MBEDTLS_SSL_DEBUG_MSG( - 1, - ( "ClientHello message misses mandatory extensions." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION , - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } - /* * Server certificate selection */ @@ -965,6 +1815,9 @@ static int ssl_tls13_write_server_hello_supported_versions_ext( *out_len = 6; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ); + return( 0 ); } @@ -1042,6 +1895,10 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, write selected_group: %s (%04x)", + mbedtls_ssl_named_group_to_str( group ), + group ) ); + /* Check if we have space for header and length fields: * - extension_type (2 bytes) * - extension_data_length (2 bytes) @@ -1067,6 +1924,8 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, *out_len = p - buf; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE ); + return( 0 ); } @@ -1096,7 +1955,7 @@ static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, * of the HRR is then to transmit a cookie to force the client to demonstrate * reachability at their apparent network address (primarily useful for DTLS). */ - if( ! mbedtls_ssl_tls13_some_ephemeral_enabled( ssl ) ) + if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) ) return( 0 ); /* We should only send the key_share extension if the client's initial @@ -1131,6 +1990,8 @@ static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, *out_len = 6; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE ); + return( 0 ); } @@ -1159,6 +2020,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, size_t output_len; *out_len = 0; + ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; /* ... * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 @@ -1227,7 +2089,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, * ... */ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 ); - *p++ = 0x0; + *p++ = MBEDTLS_SSL_COMPRESS_NULL; /* ... * Extension extensions<6..2^16-1>; @@ -1250,7 +2112,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, } p += output_len; - if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) + if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) ) { if( is_hrr ) ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len ); @@ -1261,6 +2123,20 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, p += output_len; } +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) + if( !is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) + { + ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext", + ret ); + return( ret ); + } + p += output_len; + } +#endif + MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 ); MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions", @@ -1270,6 +2146,11 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len ); + MBEDTLS_SSL_PRINT_EXTS( + 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : + MBEDTLS_SSL_HS_SERVER_HELLO, + ssl->handshake->sent_extensions ); + return( ret ); } @@ -1454,6 +2335,9 @@ static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len ); + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions ); + return( 0 ); } @@ -1483,8 +2367,8 @@ static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len ) ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) + if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); @@ -1498,7 +2382,7 @@ static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl ) return( ret ); } -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) #define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0 #define SSL_CERTIFICATE_REQUEST_SKIP 1 /* Coordination: @@ -1522,7 +2406,10 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ) authmode = ssl->conf->authmode; if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; return( SSL_CERTIFICATE_REQUEST_SKIP ); + } ssl->handshake->certificate_request_sent = 1; @@ -1580,6 +2467,9 @@ static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl, *out_len = p - buf; + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions ); + return( 0 ); } @@ -1666,7 +2556,7 @@ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * Handler for MBEDTLS_SSL_SERVER_FINISHED @@ -1716,11 +2606,11 @@ static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl ); + ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret ); + "mbedtls_ssl_tls13_compute_resumption_master_secret", ret ); } mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); @@ -1736,10 +2626,302 @@ static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); mbedtls_ssl_tls13_handshake_wrapup( ssl ); + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); +#else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); +#endif + return( 0 ); +} + +/* + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET + */ +#define SSL_NEW_SESSION_TICKET_SKIP 0 +#define SSL_NEW_SESSION_TICKET_WRITE 1 +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl ) +{ + /* Check whether the use of session tickets is enabled */ + if( ssl->conf->f_ticket_write == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled," + " callback is not set" ) ); + return( SSL_NEW_SESSION_TICKET_SKIP ); + } + if( ssl->conf->new_session_tickets_count == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled," + " configured count is zero" ) ); + return( SSL_NEW_SESSION_TICKET_SKIP ); + } + + if( ssl->handshake->new_session_tickets_count == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: all tickets have " + "been sent." ) ); + return( SSL_NEW_SESSION_TICKET_SKIP ); + } + + return( SSL_NEW_SESSION_TICKET_WRITE ); +} + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl, + unsigned char *ticket_nonce, + size_t ticket_nonce_size ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_session *session = ssl->session; + mbedtls_ssl_ciphersuite_t *ciphersuite_info; + psa_algorithm_t psa_hash_alg; + int hash_length; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) ); + +#if defined(MBEDTLS_HAVE_TIME) + session->start = mbedtls_time( NULL ); +#endif + + /* Generate ticket_age_add */ + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, + (unsigned char *) &session->ticket_age_add, + sizeof( session->ticket_age_add ) ) != 0 ) ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret ); + return( ret ); + } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u", + (unsigned int)session->ticket_age_add ) ); + + /* Generate ticket_nonce */ + ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret ); + return( ret ); + } + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", + ticket_nonce, ticket_nonce_size ); + + ciphersuite_info = + (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info; + psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); + hash_length = PSA_HASH_LENGTH( psa_hash_alg ); + if( hash_length == -1 || + (size_t)hash_length > sizeof( session->resumption_key ) ) + { + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* In this code the psk key length equals the length of the hash */ + session->resumption_key_len = hash_length; + session->ciphersuite = ciphersuite_info->id; + + /* Compute resumption key + * + * HKDF-Expand-Label( resumption_master_secret, + * "resumption", ticket_nonce, Hash.length ) + */ + ret = mbedtls_ssl_tls13_hkdf_expand_label( + psa_hash_alg, + session->app_secrets.resumption_master_secret, + hash_length, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ), + ticket_nonce, + ticket_nonce_size, + session->resumption_key, + hash_length ); + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, + "Creating the ticket-resumed PSK failed", + ret ); + return ( ret ); + } + MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK", + session->resumption_key, + session->resumption_key_len ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret", + session->app_secrets.resumption_master_secret, + hash_length ); + + return( 0 ); +} + +/* This function creates a NewSessionTicket message in the following format: + * + * struct { + * uint32 ticket_lifetime; + * uint32 ticket_age_add; + * opaque ticket_nonce<0..255>; + * opaque ticket<1..2^16-1>; + * Extension extensions<0..2^16-2>; + * } NewSessionTicket; + * + * The ticket inside the NewSessionTicket message is an encrypted container + * carrying the necessary information so that the server is later able to + * re-start the communication. + * + * The following fields are placed inside the ticket by the + * f_ticket_write() function: + * + * - creation time (start) + * - flags (flags) + * - age add (ticket_age_add) + * - key (key) + * - key length (key_len) + * - ciphersuite (ciphersuite) + */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len, + unsigned char *ticket_nonce, + size_t ticket_nonce_size ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *p = buf; + mbedtls_ssl_session *session = ssl->session; + size_t ticket_len; + uint32_t ticket_lifetime; + + *out_len = 0; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) ); + + /* + * ticket_lifetime 4 bytes + * ticket_age_add 4 bytes + * ticket_nonce 1 + ticket_nonce_size bytes + * ticket >=2 bytes + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 ); + + /* Generate ticket and ticket_lifetime */ + ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, + session, + p + 9 + ticket_nonce_size + 2, + end, + &ticket_len, + &ticket_lifetime); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret ); + return( ret ); + } + /* RFC 8446 4.6.1 + * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit + * unsigned integer in network byte order from the time of ticket + * issuance. Servers MUST NOT use any value greater than + * 604800 seconds (7 days). The value of zero indicates that the + * ticket should be discarded immediately. Clients MUST NOT cache + * tickets for longer than 7 days, regardless of the ticket_lifetime, + * and MAY delete tickets earlier based on local policy. A server + * MAY treat a ticket as valid for a shorter period of time than what + * is stated in the ticket_lifetime. + */ + if( ticket_lifetime > 604800 ) + ticket_lifetime = 604800; + MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u", + ( unsigned int )ticket_lifetime ) ); + + /* Write ticket_age_add */ + MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u", + ( unsigned int )session->ticket_age_add ) ); + + /* Write ticket_nonce */ + p[8] = ( unsigned char )ticket_nonce_size; + if( ticket_nonce_size > 0 ) + { + memcpy( p + 9, ticket_nonce, ticket_nonce_size ); + } + p += 9 + ticket_nonce_size; + + /* Write ticket */ + MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 ); + p += 2; + MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len); + p += ticket_len; + + /* Ticket Extensions + * + * Note: We currently don't have any extensions. + * Set length to zero. + */ + ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + MBEDTLS_PUT_UINT16_BE( 0, p, 0 ); + p += 2; + + *out_len = p - buf; + MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); + + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions ); + return( 0 ); } +/* + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET + */ +static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) ); + + if( ret == SSL_NEW_SESSION_TICKET_WRITE ) + { + unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH]; + unsigned char *buf; + size_t buf_len, msg_len; + + MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket( + ssl, ticket_nonce, sizeof( ticket_nonce ) ) ); + + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl, + MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) ); + + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body( + ssl, buf, buf + buf_len, &msg_len, + ticket_nonce, sizeof( ticket_nonce ) ) ); + + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( + ssl, buf_len, msg_len ) ); + + /* Limit session tickets count to one when resumption connection. + * + * See document of mbedtls_ssl_conf_new_session_tickets. + */ + if( ssl->handshake->resume == 1 ) + ssl->handshake->new_session_tickets_count = 0; + else + ssl->handshake->new_session_tickets_count--; + + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH ); + } + else + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); + } + +cleanup: + + return( ret ); +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + /* * TLS 1.3 State Machine -- server side */ @@ -1790,7 +2972,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) } break; -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) case MBEDTLS_SSL_CERTIFICATE_REQUEST: ret = ssl_tls13_write_certificate_request( ssl ); break; @@ -1802,7 +2984,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) case MBEDTLS_SSL_CERTIFICATE_VERIFY: ret = ssl_tls13_write_certificate_verify( ssl ); break; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * Injection of dummy-CCS's for middlebox compatibility @@ -1833,6 +3015,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) ret = ssl_tls13_handshake_wrapup( ssl ); break; +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) case MBEDTLS_SSL_CLIENT_CERTIFICATE: ret = mbedtls_ssl_tls13_process_certificate( ssl ); if( ret == 0 ) @@ -1859,6 +3042,32 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) ssl, MBEDTLS_SSL_CLIENT_FINISHED ); } break; +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: + ret = ssl_tls13_write_new_session_ticket( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "ssl_tls13_write_new_session_ticket ", + ret ); + } + break; + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH: + /* This state is necessary to do the flush of the New Session + * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET + * as part of ssl_prepare_handshake_step. + */ + ret = 0; + + if( ssl->handshake->new_session_tickets_count == 0 ) + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); + else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); + break; + +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); diff --git a/thirdparty/mbedtls/library/version_features.c b/thirdparty/mbedtls/library/version_features.c index 117901e1387123..e328cca3316a03 100644 --- a/thirdparty/mbedtls/library/version_features.c +++ b/thirdparty/mbedtls/library/version_features.c @@ -435,6 +435,9 @@ static const char * const features[] = { #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) "MBEDTLS_SSL_DTLS_CONNECTION_ID", #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) + "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT", +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) "MBEDTLS_SSL_ASYNC_PRIVATE", #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ @@ -468,6 +471,30 @@ static const char * const features[] = { #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) "MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE", #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) + "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED", +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) + "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED", +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) + "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED", +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */ +#if defined(MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) + "MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE", +#endif /* MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE */ +#if defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH) + "MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH", +#endif /* MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH */ +#if defined(MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS) + "MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS", +#endif /* MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_EARLY_DATA) + "MBEDTLS_SSL_EARLY_DATA", +#endif /* MBEDTLS_SSL_EARLY_DATA */ +#if defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) + "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE", +#endif /* MBEDTLS_SSL_MAX_EARLY_DATA_SIZE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) "MBEDTLS_SSL_PROTO_DTLS", #endif /* MBEDTLS_SSL_PROTO_DTLS */ @@ -606,6 +633,12 @@ static const char * const features[] = { #if defined(MBEDTLS_HMAC_DRBG_C) "MBEDTLS_HMAC_DRBG_C", #endif /* MBEDTLS_HMAC_DRBG_C */ +#if defined(MBEDTLS_LMS_C) + "MBEDTLS_LMS_C", +#endif /* MBEDTLS_LMS_C */ +#if defined(MBEDTLS_LMS_PRIVATE) + "MBEDTLS_LMS_PRIVATE", +#endif /* MBEDTLS_LMS_PRIVATE */ #if defined(MBEDTLS_NIST_KW_C) "MBEDTLS_NIST_KW_C", #endif /* MBEDTLS_NIST_KW_C */ @@ -645,6 +678,9 @@ static const char * const features[] = { #if defined(MBEDTLS_PKCS5_C) "MBEDTLS_PKCS5_C", #endif /* MBEDTLS_PKCS5_C */ +#if defined(MBEDTLS_PKCS7_C) + "MBEDTLS_PKCS7_C", +#endif /* MBEDTLS_PKCS7_C */ #if defined(MBEDTLS_PKCS12_C) "MBEDTLS_PKCS12_C", #endif /* MBEDTLS_PKCS12_C */ diff --git a/thirdparty/mbedtls/library/x509.c b/thirdparty/mbedtls/library/x509.c index 249034b66c9bdc..be879730097979 100644 --- a/thirdparty/mbedtls/library/x509.c +++ b/thirdparty/mbedtls/library/x509.c @@ -43,16 +43,7 @@ #include "mbedtls/pem.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_free free -#define mbedtls_calloc calloc -#define mbedtls_printf printf -#define mbedtls_snprintf snprintf -#endif #if defined(MBEDTLS_HAVE_TIME) #include "mbedtls/platform_time.h" @@ -62,6 +53,8 @@ #include #endif +#include "mbedtls/legacy_or_psa.h" + #define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); } #define CHECK_RANGE(min, max, val) \ do \ @@ -138,31 +131,31 @@ static inline const char* md_type_to_string( mbedtls_md_type_t md_alg ) { switch( md_alg ) { -#if defined(MBEDTLS_MD5_C) +#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA) case MBEDTLS_MD_MD5: return( "MD5" ); #endif -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA) case MBEDTLS_MD_SHA1: return( "SHA1" ); #endif -#if defined(MBEDTLS_SHA224_C) +#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA) case MBEDTLS_MD_SHA224: return( "SHA224" ); #endif -#if defined(MBEDTLS_SHA256_C) +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA) case MBEDTLS_MD_SHA256: return( "SHA256" ); #endif -#if defined(MBEDTLS_SHA384_C) +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA) case MBEDTLS_MD_SHA384: return( "SHA384" ); #endif -#if defined(MBEDTLS_SHA512_C) +#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA) case MBEDTLS_MD_SHA512: return( "SHA512" ); #endif -#if defined(MBEDTLS_RIPEMD160_C) +#if defined(MBEDTLS_HAS_ALG_RIPEMD160_VIA_MD_OR_PSA) case MBEDTLS_MD_RIPEMD160: return( "RIPEMD160" ); #endif @@ -240,7 +233,7 @@ static int x509_get_hash_alg( const mbedtls_x509_buf *alg, mbedtls_md_type_t *md * * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other - * option. Enfore this at parsing time. + * option. Enforce this at parsing time. */ int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params, mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md, @@ -466,6 +459,11 @@ static int x509_get_attr_type_value( unsigned char **p, * For the general case we still use a flat list, but we mark elements of the * same set so that they are "merged" together in the functions that consume * this list, eg mbedtls_x509_dn_gets(). + * + * On success, this function may allocate a linked list starting at cur->next + * that must later be free'd by the caller using mbedtls_free(). In error + * cases, this function frees all allocated memory internally and the caller + * has no freeing responsibilities. */ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur ) @@ -473,6 +471,7 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t set_len; const unsigned char *end_set; + mbedtls_x509_name *head = cur; /* don't use recursion, we'd risk stack overflow if not optimized */ while( 1 ) @@ -482,14 +481,17 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, */ if( ( ret = mbedtls_asn1_get_tag( p, end, &set_len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) ) != 0 ) - return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret ) ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret ); + goto error; + } end_set = *p + set_len; while( 1 ) { if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 ) - return( ret ); + goto error; if( *p == end_set ) break; @@ -500,7 +502,10 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) ); if( cur->next == NULL ) - return( MBEDTLS_ERR_X509_ALLOC_FAILED ); + { + ret = MBEDTLS_ERR_X509_ALLOC_FAILED; + goto error; + } cur = cur->next; } @@ -514,10 +519,20 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) ); if( cur->next == NULL ) - return( MBEDTLS_ERR_X509_ALLOC_FAILED ); + { + ret = MBEDTLS_ERR_X509_ALLOC_FAILED; + goto error; + } cur = cur->next; } + +error: + /* Skip the first element as we did not allocate it */ + mbedtls_asn1_free_named_data_list_shallow( head->next ); + head->next = NULL; + + return( ret ); } static int x509_parse_int( unsigned char **p, size_t n, int *res ) diff --git a/thirdparty/mbedtls/library/x509_crl.c b/thirdparty/mbedtls/library/x509_crl.c index 0cd996dabb6642..dc2d2e3e26a7b5 100644 --- a/thirdparty/mbedtls/library/x509_crl.c +++ b/thirdparty/mbedtls/library/x509_crl.c @@ -1,5 +1,5 @@ /* - * X.509 Certidicate Revocation List (CRL) parsing + * X.509 Certificate Revocation List (CRL) parsing * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -42,15 +42,7 @@ #include "mbedtls/pem.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_free free -#define mbedtls_calloc calloc -#define mbedtls_snprintf snprintf -#endif #if defined(MBEDTLS_HAVE_TIME) #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) @@ -713,28 +705,16 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) { mbedtls_x509_crl *crl_cur = crl; mbedtls_x509_crl *crl_prv; - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; mbedtls_x509_crl_entry *entry_cur; mbedtls_x509_crl_entry *entry_prv; - if( crl == NULL ) - return; - - do + while( crl_cur != NULL ) { #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) mbedtls_free( crl_cur->sig_opts ); #endif - name_cur = crl_cur->issuer.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( crl_cur->issuer.next ); entry_cur = crl_cur->entry.next; while( entry_cur != NULL ) @@ -752,13 +732,6 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) mbedtls_free( crl_cur->raw.p ); } - crl_cur = crl_cur->next; - } - while( crl_cur != NULL ); - - crl_cur = crl; - do - { crl_prv = crl_cur; crl_cur = crl_cur->next; @@ -766,7 +739,6 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) if( crl_prv != crl ) mbedtls_free( crl_prv ); } - while( crl_cur != NULL ); } #endif /* MBEDTLS_X509_CRL_PARSE_C */ diff --git a/thirdparty/mbedtls/library/x509_crt.c b/thirdparty/mbedtls/library/x509_crt.c index b38dff085985d8..0eee97cb66dad0 100644 --- a/thirdparty/mbedtls/library/x509_crt.c +++ b/thirdparty/mbedtls/library/x509_crt.c @@ -48,16 +48,9 @@ #include "psa/crypto.h" #include "mbedtls/psa_util.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#include "hash_info.h" -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_free free -#define mbedtls_calloc calloc -#define mbedtls_snprintf snprintf -#endif #if defined(MBEDTLS_THREADING_C) #include "mbedtls/threading.h" @@ -81,6 +74,7 @@ #else #include #endif /* __MBED__ */ +#include #endif /* !_WIN32 || EFIX64 || EFI32 */ #endif @@ -691,16 +685,7 @@ static int x509_get_subject_alt_name( unsigned char **p, */ if( ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) { - mbedtls_x509_sequence *seq_cur = subject_alt_name->next; - mbedtls_x509_sequence *seq_prv; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } + mbedtls_asn1_sequence_free( subject_alt_name->next ); subject_alt_name->next = NULL; return( ret ); } @@ -1657,8 +1642,22 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ) } else if( stat( entry_name, &sb ) == -1 ) { - ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; - goto cleanup; + if( errno == ENOENT ) + { + /* Broken symbolic link - ignore this entry. + stat(2) will return this error for either (a) a dangling + symlink or (b) a missing file. + Given that we have just obtained the filename from readdir, + assume that it does exist and therefore treat this as a + dangling symlink. */ + continue; + } + else + { + /* Some other file error; report the error. */ + ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; + goto cleanup; + } } if( !S_ISREG( sb.st_mode ) ) @@ -1838,6 +1837,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, const char *prefix ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t i; size_t n = *size; char *p = *buf; const mbedtls_x509_sequence *cur = subject_alt_name; @@ -1890,18 +1890,11 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix ); MBEDTLS_X509_SAFE_SNPRINTF; - if( other_name->value.hardware_module_name.val.len >= n ) + for( i = 0; i < other_name->value.hardware_module_name.val.len; i++ ) { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + ret = mbedtls_snprintf( p, n, "%02X", other_name->value.hardware_module_name.val.p[i] ); + MBEDTLS_X509_SAFE_SNPRINTF; } - - memcpy( p, other_name->value.hardware_module_name.val.p, - other_name->value.hardware_module_name.val.len ); - p += other_name->value.hardware_module_name.val.len; - - n -= other_name->value.hardware_module_name.val.len; - }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ } break; @@ -2338,11 +2331,10 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, const mbedtls_x509_crt_profile *profile ) { int flags = 0; + unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; #if defined(MBEDTLS_USE_PSA_CRYPTO) - unsigned char hash[PSA_HASH_MAX_SIZE]; psa_algorithm_t psa_algorithm; #else - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; const mbedtls_md_info_t *md_info; #endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t hash_length; @@ -2379,7 +2371,7 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCRL_BAD_PK; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_algorithm = mbedtls_psa_translate_md( crl_list->sig_md ); + psa_algorithm = mbedtls_hash_info_psa_from_md( crl_list->sig_md ); if( psa_hash_compute( psa_algorithm, crl_list->tbs.p, crl_list->tbs.len, @@ -2449,8 +2441,8 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child, mbedtls_x509_crt_restart_ctx *rs_ctx ) { size_t hash_len; + unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; #if !defined(MBEDTLS_USE_PSA_CRYPTO) - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; const mbedtls_md_info_t *md_info; md_info = mbedtls_md_info_from_type( child->sig_md ); hash_len = mbedtls_md_get_size( md_info ); @@ -2459,8 +2451,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child, if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 ) return( -1 ); #else - unsigned char hash[PSA_HASH_MAX_SIZE]; - psa_algorithm_t hash_alg = mbedtls_psa_translate_md( child->sig_md ); + psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md( child->sig_md ); psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; status = psa_hash_compute( hash_alg, @@ -3294,15 +3285,8 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) { mbedtls_x509_crt *cert_cur = crt; mbedtls_x509_crt *cert_prv; - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; - mbedtls_x509_sequence *seq_cur; - mbedtls_x509_sequence *seq_prv; - if( crt == NULL ) - return; - - do + while( cert_cur != NULL ) { mbedtls_pk_free( &cert_cur->pk ); @@ -3310,53 +3294,11 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) mbedtls_free( cert_cur->sig_opts ); #endif - name_cur = cert_cur->issuer.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } - - name_cur = cert_cur->subject.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } - - seq_cur = cert_cur->ext_key_usage.next; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } - - seq_cur = cert_cur->subject_alt_names.next; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } - - seq_cur = cert_cur->certificate_policies.next; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( cert_cur->issuer.next ); + mbedtls_asn1_free_named_data_list_shallow( cert_cur->subject.next ); + mbedtls_asn1_sequence_free( cert_cur->ext_key_usage.next ); + mbedtls_asn1_sequence_free( cert_cur->subject_alt_names.next ); + mbedtls_asn1_sequence_free( cert_cur->certificate_policies.next ); if( cert_cur->raw.p != NULL && cert_cur->own_buffer ) { @@ -3364,13 +3306,6 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) mbedtls_free( cert_cur->raw.p ); } - cert_cur = cert_cur->next; - } - while( cert_cur != NULL ); - - cert_cur = crt; - do - { cert_prv = cert_cur; cert_cur = cert_cur->next; @@ -3378,7 +3313,6 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) if( cert_prv != crt ) mbedtls_free( cert_prv ); } - while( cert_cur != NULL ); } #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) diff --git a/thirdparty/mbedtls/library/x509_csr.c b/thirdparty/mbedtls/library/x509_csr.c index 25069b2a4c5198..f9462addedf3ff 100644 --- a/thirdparty/mbedtls/library/x509_csr.c +++ b/thirdparty/mbedtls/library/x509_csr.c @@ -42,15 +42,7 @@ #include "mbedtls/pem.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_free free -#define mbedtls_calloc calloc -#define mbedtls_snprintf snprintf -#endif #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32) #include @@ -383,9 +375,6 @@ void mbedtls_x509_csr_init( mbedtls_x509_csr *csr ) */ void mbedtls_x509_csr_free( mbedtls_x509_csr *csr ) { - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; - if( csr == NULL ) return; @@ -395,14 +384,7 @@ void mbedtls_x509_csr_free( mbedtls_x509_csr *csr ) mbedtls_free( csr->sig_opts ); #endif - name_cur = csr->subject.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( csr->subject.next ); if( csr->raw.p != NULL ) { diff --git a/thirdparty/mbedtls/library/x509write_crt.c b/thirdparty/mbedtls/library/x509write_crt.c index 2992dba0619f14..254c4b2fca288d 100644 --- a/thirdparty/mbedtls/library/x509write_crt.c +++ b/thirdparty/mbedtls/library/x509write_crt.c @@ -45,6 +45,9 @@ #include "mbedtls/psa_util.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#include "hash_info.h" +#include "mbedtls/legacy_or_psa.h" + void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ) { memset( ctx, 0, sizeof( mbedtls_x509write_cert ) ); @@ -171,7 +174,7 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, is_ca, buf + sizeof(buf) - len, len ) ); } -#if defined(MBEDTLS_SHA1_C) +#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert *ctx, int is_ca, unsigned char tag ) @@ -253,7 +256,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * 1, (MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0) ); } -#endif /* MBEDTLS_SHA1_C */ +#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned int key_usage ) @@ -293,6 +296,43 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, return( 0 ); } +int mbedtls_x509write_crt_set_ext_key_usage( mbedtls_x509write_cert *ctx, + const mbedtls_asn1_sequence *exts ) +{ + unsigned char buf[256]; + unsigned char *c = buf + sizeof(buf); + int ret; + size_t len = 0; + const mbedtls_asn1_sequence *last_ext = NULL; + const mbedtls_asn1_sequence *ext; + + memset( buf, 0, sizeof(buf) ); + + /* We need at least one extension: SEQUENCE SIZE (1..MAX) OF KeyPurposeId */ + if( exts == NULL ) + return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); + + /* Iterate over exts backwards, so we write them out in the requested order */ + while( last_ext != exts ) + { + for( ext = exts; ext->next != last_ext; ext = ext->next ) {} + if( ext->buf.tag != MBEDTLS_ASN1_OID ) + return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( &c, buf, ext->buf.p, ext->buf.len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, ext->buf.len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OID ) ); + last_ext = ext; + } + + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); + + return mbedtls_x509write_crt_set_extension( ctx, + MBEDTLS_OID_EXTENDED_KEY_USAGE, + MBEDTLS_OID_SIZE( MBEDTLS_OID_EXTENDED_KEY_USAGE ), + 1, c, len ); +} + int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, unsigned char ns_cert_type ) { @@ -357,12 +397,10 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *c, *c2; unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; size_t hash_length = 0; + unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_algorithm_t psa_algorithm; - unsigned char hash[PSA_HASH_MAX_SIZE]; -#else - unsigned char hash[64]; #endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; @@ -500,7 +538,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, /* Compute hash of CRT. */ #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_algorithm = mbedtls_psa_translate_md( ctx->md_alg ); + psa_algorithm = mbedtls_hash_info_psa_from_md( ctx->md_alg ); status = psa_hash_compute( psa_algorithm, c, diff --git a/thirdparty/mbedtls/library/x509write_csr.c b/thirdparty/mbedtls/library/x509write_csr.c index 1cee318f9a5848..976f6e6df5eb50 100644 --- a/thirdparty/mbedtls/library/x509write_csr.c +++ b/thirdparty/mbedtls/library/x509write_csr.c @@ -36,6 +36,7 @@ #include "psa/crypto.h" #include "mbedtls/psa_util.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#include "hash_info.h" #include #include @@ -44,13 +45,7 @@ #include "mbedtls/pem.h" #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#else -#include -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx ) { @@ -144,13 +139,13 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx, const char *sig_oid; size_t sig_oid_len = 0; unsigned char *c, *c2; - unsigned char hash[64]; + unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; size_t pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; mbedtls_pk_type_t pk_alg; #if defined(MBEDTLS_USE_PSA_CRYPTO) size_t hash_len; - psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg ); + psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md( ctx->md_alg ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Write the CSR backwards starting from the end of buf */ diff --git a/thirdparty/mbedtls/update.vsh b/thirdparty/mbedtls/update.vsh new file mode 100755 index 00000000000000..0debaf9b9f75f0 --- /dev/null +++ b/thirdparty/mbedtls/update.vsh @@ -0,0 +1,21 @@ +// This script can be used to update the thirdparty/mbedtls/ folder to a future version of mbedtls. +import os + +fn do(cmd string) { + println(cmd) + res := os.system(cmd) + if res != 0 { + panic('failed at: `${cmd}`') + } +} + +os.chdir(os.dir(@VEXE))! +do('rm -rf mbedtls/') +do('git clone --depth=1 --recursive --shallow-submodules --single-branch -b v3.3.0 https://github.com/Mbed-TLS/mbedtls.git mbedtls/') +do('rsync -a --delete mbedtls/include/ thirdparty/mbedtls/include/') +do('rsync -a --delete mbedtls/library/ thirdparty/mbedtls/library/') +do('rsync -a --delete mbedtls/3rdparty/ thirdparty/mbedtls/3rdparty/') +do('rsync -a mbedtls/LICENSE thirdparty/mbedtls/LICENSE') +do('rsync -a mbedtls/README.md thirdparty/mbedtls/README.md') +do("find thirdparty/mbedtls/ -name '*.txt' -or -name '*.inc' -or -name '.gitignore' -or -name 'Makefile' |xargs rm -f") +do('rm -rf mbedtls/') diff --git a/vlib/net/mbedtls/mbedtls.c.v b/vlib/net/mbedtls/mbedtls.c.v index c575a114d778f9..fc72ca69d810e8 100644 --- a/vlib/net/mbedtls/mbedtls.c.v +++ b/vlib/net/mbedtls/mbedtls.c.v @@ -21,6 +21,9 @@ $if prod && opt_size ? { #flag @VEXEROOT/thirdparty/mbedtls/library/asn1write.o #flag @VEXEROOT/thirdparty/mbedtls/library/base64.o #flag @VEXEROOT/thirdparty/mbedtls/library/bignum.o +#flag @VEXEROOT/thirdparty/mbedtls/library/bignum_core.o +#flag @VEXEROOT/thirdparty/mbedtls/library/bignum_mod.o +#flag @VEXEROOT/thirdparty/mbedtls/library/bignum_mod_raw.o #flag @VEXEROOT/thirdparty/mbedtls/library/camellia.o #flag @VEXEROOT/thirdparty/mbedtls/library/ccm.o #flag @VEXEROOT/thirdparty/mbedtls/library/chacha20.o @@ -30,6 +33,7 @@ $if prod && opt_size ? { #flag @VEXEROOT/thirdparty/mbedtls/library/cmac.o #flag @VEXEROOT/thirdparty/mbedtls/library/constant_time.o #flag @VEXEROOT/thirdparty/mbedtls/library/ctr_drbg.o +#flag @VEXEROOT/thirdparty/mbedtls/library/debug.o #flag @VEXEROOT/thirdparty/mbedtls/library/des.o #flag @VEXEROOT/thirdparty/mbedtls/library/dhm.o #flag @VEXEROOT/thirdparty/mbedtls/library/ecdh.o @@ -41,13 +45,17 @@ $if prod && opt_size ? { #flag @VEXEROOT/thirdparty/mbedtls/library/entropy_poll.o #flag @VEXEROOT/thirdparty/mbedtls/library/error.o #flag @VEXEROOT/thirdparty/mbedtls/library/gcm.o +#flag @VEXEROOT/thirdparty/mbedtls/library/hash_info.o #flag @VEXEROOT/thirdparty/mbedtls/library/hkdf.o #flag @VEXEROOT/thirdparty/mbedtls/library/hmac_drbg.o +#flag @VEXEROOT/thirdparty/mbedtls/library/lmots.o +#flag @VEXEROOT/thirdparty/mbedtls/library/lms.o #flag @VEXEROOT/thirdparty/mbedtls/library/md.o #flag @VEXEROOT/thirdparty/mbedtls/library/md5.o #flag @VEXEROOT/thirdparty/mbedtls/library/memory_buffer_alloc.o #flag @VEXEROOT/thirdparty/mbedtls/library/mps_reader.o #flag @VEXEROOT/thirdparty/mbedtls/library/mps_trace.o +#flag @VEXEROOT/thirdparty/mbedtls/library/net_sockets.o #flag @VEXEROOT/thirdparty/mbedtls/library/nist_kw.o #flag @VEXEROOT/thirdparty/mbedtls/library/oid.o #flag @VEXEROOT/thirdparty/mbedtls/library/padlock.o @@ -56,6 +64,7 @@ $if prod && opt_size ? { #flag @VEXEROOT/thirdparty/mbedtls/library/pk_wrap.o #flag @VEXEROOT/thirdparty/mbedtls/library/pkcs12.o #flag @VEXEROOT/thirdparty/mbedtls/library/pkcs5.o +#flag @VEXEROOT/thirdparty/mbedtls/library/pkcs7.o #flag @VEXEROOT/thirdparty/mbedtls/library/pkparse.o #flag @VEXEROOT/thirdparty/mbedtls/library/pkwrite.o #flag @VEXEROOT/thirdparty/mbedtls/library/platform.o @@ -69,6 +78,7 @@ $if prod && opt_size ? { #flag @VEXEROOT/thirdparty/mbedtls/library/psa_crypto_ecp.o #flag @VEXEROOT/thirdparty/mbedtls/library/psa_crypto_hash.o #flag @VEXEROOT/thirdparty/mbedtls/library/psa_crypto_mac.o +#flag @VEXEROOT/thirdparty/mbedtls/library/psa_crypto_pake.o #flag @VEXEROOT/thirdparty/mbedtls/library/psa_crypto_rsa.o #flag @VEXEROOT/thirdparty/mbedtls/library/psa_crypto_se.o #flag @VEXEROOT/thirdparty/mbedtls/library/psa_crypto_slot_management.o @@ -80,7 +90,20 @@ $if prod && opt_size ? { #flag @VEXEROOT/thirdparty/mbedtls/library/sha1.o #flag @VEXEROOT/thirdparty/mbedtls/library/sha256.o #flag @VEXEROOT/thirdparty/mbedtls/library/sha512.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_cache.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_ciphersuites.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_client.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_cookie.o #flag @VEXEROOT/thirdparty/mbedtls/library/ssl_debug_helpers_generated.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_msg.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_ticket.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls12_client.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls12_server.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_client.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_generic.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_keys.o +#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_server.o #flag @VEXEROOT/thirdparty/mbedtls/library/threading.o #flag @VEXEROOT/thirdparty/mbedtls/library/timing.o #flag @VEXEROOT/thirdparty/mbedtls/library/version.o @@ -92,24 +115,9 @@ $if prod && opt_size ? { #flag @VEXEROOT/thirdparty/mbedtls/library/x509_csr.o #flag @VEXEROOT/thirdparty/mbedtls/library/x509write_crt.o #flag @VEXEROOT/thirdparty/mbedtls/library/x509write_csr.o -#flag @VEXEROOT/thirdparty/mbedtls/library/debug.o -#flag @VEXEROOT/thirdparty/mbedtls/library/net_sockets.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_cache.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_ciphersuites.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_client.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_cookie.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_msg.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_ticket.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls12_client.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls12_server.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_keys.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_client.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_server.o -#flag @VEXEROOT/thirdparty/mbedtls/library/ssl_tls13_generic.o +#flag @VEXEROOT/thirdparty/mbedtls/3rdparty/everest/library/Hacl_Curve25519_joined.o #flag @VEXEROOT/thirdparty/mbedtls/3rdparty/everest/library/everest.o #flag @VEXEROOT/thirdparty/mbedtls/3rdparty/everest/library/x25519.o -#flag @VEXEROOT/thirdparty/mbedtls/3rdparty/everest/library/Hacl_Curve25519_joined.o #include #include @@ -196,13 +204,3 @@ fn C.mbedtls_x509_crt_parse(&C.mbedtls_x509_crt, &u8, usize) int fn C.mbedtls_x509_crt_parse_file(&C.mbedtls_x509_crt, &char) int fn C.mbedtls_high_level_strerr(int) &char - -// fn init() { -// $if ssl_pre_1_1_version ? { -// // OPENSSL_VERSION_NUMBER < 0x10100000L -// C.SSL_load_error_strings() -// C.SSL_library_init() -// } $else { -// C.OPENSSL_init_ssl(C.OPENSSL_INIT_LOAD_SSL_STRINGS, 0) -// } -// }