Merge pull request #6255 from mprse/md_tls13
Driver-only hashes: TLS 1.3
This commit is contained in:
Manuel Pégourié-Gonnard
GitHub
commit
409a620dea
7 changed files with 65 additions and 44 deletions
|
|
@ -77,7 +77,11 @@
|
|||
#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#define MBEDTLS_PK_WRITE_C
|
||||
#endif
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
|
||||
/* Make sure all configuration symbols are set before including check_config.h,
|
||||
* even the ones that are calculated programmatically. */
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
|
||||
defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */
|
||||
#include "mbedtls/config_psa.h"
|
||||
#endif
|
||||
|
||||
|
|
|
|||
|
|
@ -750,18 +750,29 @@
|
|||
#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
/*
|
||||
* HKDF is mandatory for TLS 1.3.
|
||||
* Otherwise support for at least one ciphersuite mandates either SHA_256 or
|
||||
* SHA_384.
|
||||
*/
|
||||
/* TLS 1.3 requires separate HKDF parts from PSA */
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
( ( !defined(MBEDTLS_HKDF_C) ) || \
|
||||
( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA384_C) ) || \
|
||||
( !defined(MBEDTLS_PSA_CRYPTO_C) ) )
|
||||
!( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_HKDF_EXTRACT) && defined(PSA_WANT_ALG_HKDF_EXPAND) )
|
||||
#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
/* TLS 1.3 requires at least one ciphersuite, so at least SHA-256 or SHA-384 */
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
/* We always need at least one of the hashes via PSA (for use with HKDF) */
|
||||
#if !( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384) )
|
||||
#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
|
||||
#endif /* !(PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384) */
|
||||
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
/* When USE_PSA_CRYPTO is not defined, we also need SHA-256 or SHA-384 via the
|
||||
* legacy interface, including via the MD layer, for the parts of the code
|
||||
* that are shared with TLS 1.2 (running handshake hash). */
|
||||
#if !defined(MBEDTLS_MD_C) || \
|
||||
!( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) )
|
||||
#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
|
||||
#endif /* !MBEDTLS_MD_C || !(MBEDTLS_SHA256_C || MBEDTLS_SHA384_C) */
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
/*
|
||||
* The current implementation of TLS 1.3 requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -338,11 +338,11 @@
|
|||
#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
#define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 48
|
||||
#elif defined(MBEDTLS_SHA256_C)
|
||||
#elif defined(PSA_WANT_ALG_SHA_256)
|
||||
#define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 32
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
|
||||
/*
|
||||
* Default range for DTLS retransmission timer value, in milliseconds.
|
||||
|
|
@ -629,7 +629,12 @@ union mbedtls_ssl_premaster_secret
|
|||
|
||||
#define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret )
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE
|
||||
#else
|
||||
#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
|
||||
/* Length in number of bytes of the TLS sequence number */
|
||||
#define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8
|
||||
|
|
|
|||
|
|
@ -2137,33 +2137,33 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
|
|||
switch( sig_alg )
|
||||
{
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||
#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
|
||||
#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
||||
#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
|
||||
#if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
||||
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
||||
#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
||||
#if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
||||
#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
|
||||
#if defined(MBEDTLS_PKCS1_V21)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
#if defined(PSA_WANT_ALG_SHA_512)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
#endif /* PSA_WANT_ALG_SHA_512 */
|
||||
#endif /* MBEDTLS_PKCS1_V21 */
|
||||
default:
|
||||
return( 0 );
|
||||
|
|
@ -2178,18 +2178,18 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
|
|||
switch( sig_alg )
|
||||
{
|
||||
#if defined(MBEDTLS_PKCS1_V15)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#endif /* MBEDTLS_PKCS1_V15 */
|
||||
default:
|
||||
return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
|
||||
|
|
|
|||
|
|
@ -976,7 +976,7 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
|
|||
psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
|
||||
uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
|
||||
size_t signature_len = 0;
|
||||
unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
|
||||
unsigned char verify_hash[PSA_HASH_MAX_SIZE];
|
||||
size_t verify_hash_len;
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
|
|
@ -1361,7 +1361,7 @@ cleanup:
|
|||
int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
|
||||
unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
|
||||
size_t hash_len;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
|
||||
|
|
@ -1371,7 +1371,7 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
|
|||
|
||||
ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
|
||||
hash_transcript + 4,
|
||||
MBEDTLS_MD_MAX_SIZE,
|
||||
PSA_HASH_MAX_SIZE,
|
||||
&hash_len );
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
|
@ -1386,9 +1386,9 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
|
|||
|
||||
hash_len += 4;
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
|
||||
{
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
|
||||
hash_transcript, hash_len );
|
||||
|
||||
|
|
@ -1398,11 +1398,11 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
|
|||
#else
|
||||
mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
|
||||
#endif
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
}
|
||||
else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||
{
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
|
||||
hash_transcript, hash_len );
|
||||
|
||||
|
|
@ -1412,12 +1412,11 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
|
|||
#else
|
||||
mbedtls_sha512_starts( &ssl->handshake->fin_sha384, 1 );
|
||||
#endif
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
|
||||
#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
|
|
|||
|
|
@ -81,7 +81,7 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
|
|||
* Since contexts are always hashes of message transcripts, this can
|
||||
* be approximated from above by the maximum hash size. */
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \
|
||||
MBEDTLS_MD_MAX_SIZE
|
||||
PSA_HASH_MAX_SIZE
|
||||
|
||||
/* Maximum desired length for expanded key material generated
|
||||
* by HKDF-Expand-Label.
|
||||
|
|
|
|||
|
|
@ -1870,8 +1870,10 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
|
|||
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
|
||||
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
|
||||
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
||||
# TLS 1.3 currently depends on SHA256_C || SHA384_C
|
||||
# but is already disabled in the default config
|
||||
# Enable TLS 1.3: use PSA implementation for hashes
|
||||
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
|
||||
scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
|
||||
|
||||
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
||||
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
|
||||
|
|
|
|||
Loading…
Reference in a new issue