Merge pull request #5532 from ronald-cron-arm/tls13_and_use_psa_crypto
Make TLS 1.3 compatible with MBEDTLS_USE_PSA_CRYPTO
This commit is contained in:
Manuel Pégourié-Gonnard
GitHub
commit
3d1f8b9c00
6 changed files with 42 additions and 221 deletions
3
ChangeLog.d/tls13_and_use_psa_crypto.txt
Normal file
3
ChangeLog.d/tls13_and_use_psa_crypto.txt
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
Bugfix
|
||||
* The TLS 1.3 implementation is now compatible with the
|
||||
MBEDTLS_USE_PSA_CRYPTO configuration option.
|
||||
|
|
@ -126,8 +126,11 @@ MVP definition
|
|||
|
||||
The TLS 1.3 MVP is compatible with all TLS 1.2 configuration options in the
|
||||
sense that when enabling the TLS 1.3 MVP in the library there is no need to
|
||||
modify the configuration for TLS 1.2. Mbed TLS SSL/TLS related features are
|
||||
not supported or not applicable to the TLS 1.3 MVP:
|
||||
modify the configuration for TLS 1.2. The MBEDTLS_USE_PSA_CRYPTO configuration
|
||||
option is an exception though, the TLS 1.3 MVP is not compatible with it.
|
||||
|
||||
Mbed TLS SSL/TLS related features are not supported or not applicable to the
|
||||
TLS 1.3 MVP:
|
||||
|
||||
| Mbed TLS configuration option | Support |
|
||||
| ---------------------------------------- | ------- |
|
||||
|
|
|
|||
|
|
@ -7484,12 +7484,40 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
|
|||
size_t dst_len,
|
||||
size_t *olen )
|
||||
{
|
||||
((void) ssl);
|
||||
((void) md);
|
||||
((void) dst);
|
||||
((void) dst_len);
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_hash_operation_t *hash_operation_to_clone;
|
||||
psa_hash_operation_t hash_operation = psa_hash_operation_init();
|
||||
|
||||
*olen = 0;
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
|
||||
|
||||
switch( md )
|
||||
{
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
|
||||
break;
|
||||
#endif
|
||||
|
||||
default:
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_hash_clone( hash_operation_to_clone, &hash_operation );
|
||||
if( status != PSA_SUCCESS )
|
||||
goto exit;
|
||||
|
||||
status = psa_hash_finish( &hash_operation, dst, dst_len, olen );
|
||||
if( status != PSA_SUCCESS )
|
||||
goto exit;
|
||||
|
||||
exit:
|
||||
return( psa_ssl_status_to_mbedtls( status ) );
|
||||
}
|
||||
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -278,8 +278,7 @@ class MbedTLSCli(TLSProgram):
|
|||
def pre_checks(self):
|
||||
ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
|
||||
'requires_config_enabled MBEDTLS_SSL_CLI_C',
|
||||
'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3',
|
||||
'requires_config_disabled MBEDTLS_USE_PSA_CRYPTO']
|
||||
'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3']
|
||||
|
||||
if self._compat_mode:
|
||||
ret += ['requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE']
|
||||
|
|
|
|||
|
|
@ -9047,7 +9047,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3: minimal feature sets - openssl" \
|
||||
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
|
||||
"$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \
|
||||
|
|
@ -9080,7 +9079,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3: minimal feature sets - gnutls" \
|
||||
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
|
||||
"$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \
|
||||
|
|
@ -9197,7 +9195,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3: CertificateRequest check - openssl" \
|
||||
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
|
||||
"$P_CLI debug_level=4 force_version=tls13 " \
|
||||
|
|
@ -9212,7 +9209,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3: CertificateRequest check - gnutls" \
|
||||
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
|
||||
"$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \
|
||||
|
|
@ -9225,7 +9221,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
requires_openssl_tls1_3
|
||||
run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - openssl" \
|
||||
"$O_NEXT_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
|
||||
|
|
@ -9240,7 +9235,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
requires_openssl_tls1_3
|
||||
run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \
|
||||
"$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
|
||||
|
|
@ -9257,7 +9251,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \
|
||||
"$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
|
||||
"$P_CLI debug_level=4 force_version=tls13" \
|
||||
|
|
@ -9273,7 +9266,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \
|
||||
"$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
|
||||
"$P_CLI debug_level=4 force_version=tls13" \
|
||||
|
|
@ -9296,7 +9288,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3 m->O both peers do not support middlebox compatibility" \
|
||||
"$O_NEXT_SRV -msg -tls1_3 -no_middlebox -num_tickets 0 -no_resume_ephemeral -no_cache" \
|
||||
"$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \
|
||||
|
|
@ -9308,7 +9299,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3 m->O server with middlebox compat support, not client" \
|
||||
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
|
||||
"$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \
|
||||
|
|
@ -9322,7 +9312,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3 m->G both peers do not support middlebox compatibility" \
|
||||
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert" \
|
||||
"$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \
|
||||
|
|
@ -9335,7 +9324,6 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
|||
requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
requires_config_enabled MBEDTLS_DEBUG_C
|
||||
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "TLS 1.3 m->G server with middlebox compat support, not client" \
|
||||
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
|
||||
"$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \
|
||||
|
|
|
|||
Loading…
Reference in a new issue