From 47e3cb1875ad690d5e9571ea34f84d28403b4515 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Fri, 2 Sep 2022 13:17:03 +0200
Subject: [PATCH 01/17] ssl_tls13_generic.c: adapt guards for MBEDTLS_SHAxxx_C
Signed-off-by: Przemek Stekiel
---
 library/ssl_tls13_generic.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 2b9ac5c57..0ecdd403f 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1388,7 +1388,7 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
 {
-#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript", hash_transcript, hash_len );
@@ -1398,11 +1398,11 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 #else
 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
 #endif
-#endif /* MBEDTLS_SHA256_C */
+#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 }
 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
 {
-#if defined(MBEDTLS_SHA384_C)
+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript", hash_transcript, hash_len );
@@ -1412,12 +1412,12 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 #else
 mbedtls_sha512_starts( &ssl->handshake->fin_sha384, 1 );
 #endif
-#endif /* MBEDTLS_SHA384_C */
+#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 }
-#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
-#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
+#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 return( ret );
 }
From a9a88161075ceee8206807beb558b0f5d65482dc Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Fri, 2 Sep 2022 13:18:55 +0200
Subject: [PATCH 02/17] ssl.h: adapt guards for MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN
Signed-off-by: Przemek Stekiel
---
 include/mbedtls/ssl.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 3d820a525..ada605361 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -338,11 +338,15 @@
 #define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#if defined(MBEDTLS_SHA384_C)
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \
+ ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_256) )
 #define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 48
-#elif defined(MBEDTLS_SHA256_C)
+#elif ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \
+ ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_384) )
 #define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 32
-#endif /* MBEDTLS_SHA256_C */
+#endif
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
 /*
 * Default range for DTLS retransmission timer value, in milliseconds.
From cf9d972a9abb214d78008a0a4419d9bdc29abc4b Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Fri, 2 Sep 2022 13:29:25 +0200
Subject: [PATCH 03/17] Fix config for MBEDTLS_SSL_PROTO_TLS1_3
Remove MBEDTLS_HKDF_C as it is not needed since #5838 Reasoning: we need SHA-256 or SHA-384 via PSA because they're used by HKDF which is now always done via PSA. If in addition to that USE_PSA is enabled, then everything is done via PSA so that's enough. Otherwise, we need the software implementation of SHA-256 or SHA-384, plus MD_C because we're using a VIA_MD_OR_PSA_BASED_ON_USE_PSA as discussed above.
Signed-off-by: Przemek Stekiel
---
 include/mbedtls/check_config.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index e00ffb5a9..33e4d0d9b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
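Review bot: The two `#define` values are swapped relative to the removed lines: the new `#if` branch tests SHA-256 (`MBEDTLS_SHA256_C` / `PSA_WANT_ALG_SHA_256`) yet yields `#define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 48`, and the SHA-384 `#elif` yields 32, whereas the old code gave 48 for SHA-384 and 32 for SHA-256. Because the SHA-256 branch is also tested first, a build that has both hashes now selects the 48-byte length for the wrong hash. Patch 14/17 later in this series (L14) restores the original mapping; folding that correction into this commit would avoid an intermediate state in which the resumption key length disagrees with the hash in use.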
@@ -260,7 +260,7 @@
 #error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
 #endif
-#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
+#if defined(MBEDTLS_HKDF_C) && !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) )
 #error "MBEDTLS_HKDF_C defined, but not all prerequisites"
 #endif
@@ -755,10 +755,9 @@
 * Otherwise support for at least one ciphersuite mandates either SHA_256 or
 * SHA_384.
 */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- ( ( !defined(MBEDTLS_HKDF_C) ) || \
- ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA384_C) ) || \
- ( !defined(MBEDTLS_PSA_CRYPTO_C) ) )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ !( ( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_348) ) && \
+ ( defined(MBEDTLS_USE_PSA_CRYPTO) || ( defined(MBEDTLS_MD_C) && ( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) ) ) ) )
 #error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
 #endif
From a4af13a46c1a280e37f3c72836b7e3c3c53cca13 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Fri, 2 Sep 2022 13:35:15 +0200
Subject: [PATCH 04/17] test_psa_crypto_config_accel_hash_use_psa: enable TLS 1.3
Signed-off-by: Przemek Stekiel
---
 tests/scripts/all.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 6c70f78db..985579e58 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1851,6 +1851,9 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
 scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
+ scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+ scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
 scripts/config.py unset MBEDTLS_MD5_C
 scripts/config.py unset MBEDTLS_RIPEMD160_C
 scripts/config.py unset MBEDTLS_SHA1_C
From a06787a6296dc06fba04631fc4a52d5a87ccb1f9 Mon Sep 17 00:00:00 2001
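Review bot: `PSA_WANT_ALG_SHA_348` in the new TLS 1.3 prerequisite `#if` (second hunk of patch 03/17) is a misspelling of `PSA_WANT_ALG_SHA_384`, so a configuration that wants only SHA-384 via PSA is rejected with `#error` while the equivalent SHA-256-only configuration passes. The same misspelled symbol is carried forward as context in patch 10/17 (L10) and is only corrected in patch 12/17 (L11), so two intermediate commits ship a prerequisite check that cannot be satisfied by a SHA-384-only build. Fixing it here keeps each step of the series consistent: `!( ( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384) ) && \`.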
From: Przemek Stekiel
Date: Fri, 2 Sep 2022 14:41:44 +0200
Subject: [PATCH 05/17] build_info.h: include config_psa.h also when MBEDTLS_PSA_CRYPTO_C
This is done to have PSA_WANT_xxx symbols available in check_config.h when MBEDTLS_PSA_CRYPTO_C.
Signed-off-by: Przemek Stekiel
---
 include/mbedtls/build_info.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 234debd01..6195ac979 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -77,7 +77,11 @@
 #if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
 #define MBEDTLS_PK_WRITE_C
 #endif
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+
+/* Make sure all configuration symbols are set before including check_config.h,
+ * even the ones that are calculated programmatically. */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
+ defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */
 #include "mbedtls/config_psa.h"
 #endif
From 153b442cc3c0c39209c31b462146416e924f19c7 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Mon, 5 Sep 2022 12:36:25 +0200
Subject: [PATCH 06/17] mbedtls_ssl_tls13_sig_alg_is_supported: adapt guards
Signed-off-by: Przemek Stekiel
---
 library/ssl_misc.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 4842135bf..84023b414 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2178,18 +2178,18 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
 switch( sig_alg )
 {
 #if defined(MBEDTLS_PKCS1_V15)
-#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
 break;
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
+#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
 break;
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
+#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
+#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
 break;
-#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 #endif /* MBEDTLS_PKCS1_V15 */
 default:
 return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
From 9dfbf3a006af2812c8c8c627fa1cd94334c74d1e Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Tue, 6 Sep 2022 07:40:46 +0200
Subject: [PATCH 07/17] ssl_tls13_generic.c: optimize code to save memory
Signed-off-by: Przemek Stekiel
---
 library/ssl_tls13_generic.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 0ecdd403f..b71e6536b 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1386,9 +1386,9 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 hash_len += 4;
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
 {
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript", hash_transcript, hash_len );
@@ -1398,11 +1398,11 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 #else
 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
 #endif
-#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 }
+#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
 {
-#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript", hash_transcript, hash_len );
@@ -1412,9 +1412,8 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 #else
 mbedtls_sha512_starts( &ssl->handshake->fin_sha384, 1 );
 #endif
-#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 }
-
+#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
From 9408b70513e7ee11fd98f850b1c3c88faf291b47 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Tue, 6 Sep 2022 07:44:12 +0200
Subject: [PATCH 08/17] check_config.h: revert HKDF requirements
Signed-off-by: Przemek Stekiel
---
 include/mbedtls/check_config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 33e4d0d9b..30699c47a 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
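Review bot: Hoisting `#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)` above the `else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )` leaves an `else` with no preceding `if` whenever the SHA-384 guard is defined but the SHA-256 guard is not, which does not compile. The `else` is also redundant once each branch sits in its own guard, because `ciphersuite_info->mac` cannot match both values. Patch 11/17 (L10) makes exactly that one-line change, `if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )`; carrying it in this commit would keep every step of the series buildable. The body of mbedtls_ssl_reset_transcript_for_hrr begins before this hunk and continues past it.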
@@ -260,7 +260,7 @@
 #error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
 #endif
-#if defined(MBEDTLS_HKDF_C) && !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) )
+#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
 #error "MBEDTLS_HKDF_C defined, but not all prerequisites"
 #endif
From dcec7ac3e804c699292432e2704524a72256c256 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Tue, 6 Sep 2022 07:54:33 +0200
Subject: [PATCH 09/17] test_psa_crypto_config_accel_hash_use_psa: enable tls.1.3 at the end and adapt comment
Signed-off-by: Przemek Stekiel
---
 tests/scripts/all.sh | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 985579e58..0752f7b41 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1851,9 +1851,6 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
 scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
 scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
 scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
- scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
 scripts/config.py unset MBEDTLS_MD5_C
 scripts/config.py unset MBEDTLS_RIPEMD160_C
 scripts/config.py unset MBEDTLS_SHA1_C
@@ -1873,8 +1870,10 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
 scripts/config.py unset MBEDTLS_HMAC_DRBG_C
 scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
- # TLS 1.3 currently depends on SHA256_C || SHA384_C
- # but is already disabled in the default config
+ # Enable TLS 1.3: use PSA implementation for hashes
+ scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
+ scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+ scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
 loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
 make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
From 8a2f2b0bd64f423cc5b18febc439c9be601364a9 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Tue, 6 Sep 2022 08:07:43 +0200
Subject: [PATCH 10/17] check_config.h: fix TLS 1.3 requirements (add HKDF_EXTRACT/EXPAND) and comments
Signed-off-by: Przemek Stekiel
---
 include/mbedtls/check_config.h | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 30699c47a..c2fda364b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -750,11 +750,13 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
-/*
- * HKDF is mandatory for TLS 1.3.
- * Otherwise support for at least one ciphersuite mandates either SHA_256 or
- * SHA_384.
- */
+/* TLS 1.3 requires separate HKDF parts from PSA */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ !( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_HKDF_EXTRACT) && defined(PSA_WANT_ALG_HKDF_EXPAND) )
+#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
+#endif
+
+/* TLS 1.3 requires at least one ciphersuite, so at least SHA-256 or SHA-384 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
 !( ( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_348) ) && \
 ( defined(MBEDTLS_USE_PSA_CRYPTO) || ( defined(MBEDTLS_MD_C) && ( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) ) ) ) )
From 0852ef8b9613a8f14cc126360d5f5091bf1d31ec Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Wed, 7 Sep 2022 10:56:30 +0200
Subject: [PATCH 11/17] mbedtls_ssl_reset_transcript_for_hrr: remove redundant 'else' statement
Signed-off-by: Przemek Stekiel
---
 library/ssl_tls13_generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index b71e6536b..edf1c30e1 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1401,7 +1401,7 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 }
 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+ if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
 {
 MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript", hash_transcript, hash_len );
From ce0aa58fd98240b6716d352306f9bf0c2308dce0 Mon Sep 17 00:00:00 2001
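Review bot: The new HKDF check's `#error` reuses the exact text of the hash check below it, `"MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"`, so a user whose build stops here cannot tell from the diagnostic whether PSA HKDF_EXTRACT/HKDF_EXPAND, a PSA hash, or the legacy MD/SHA modules are what is missing. Patch 12/17 (L11) splits the hash condition into two further `#if` blocks that repeat the same string again, so the ambiguity grows to four identical messages. Naming the prerequisite in each directive, e.g. `#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but PSA_WANT_ALG_HKDF_EXTRACT and PSA_WANT_ALG_HKDF_EXPAND (via MBEDTLS_PSA_CRYPTO_C) are required"`, makes the check self-explaining. The misspelled `PSA_WANT_ALG_SHA_348` is still present in the trailing context lines of this hunk at this point in the series.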
From: Przemek Stekiel
Date: Mon, 12 Sep 2022 13:24:25 +0200
Subject: [PATCH 12/17] check_config.h: make TLS1.3 requirements verification more readable
Signed-off-by: Przemek Stekiel
---
 include/mbedtls/check_config.h | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index c2fda364b..fa70058de 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -757,11 +757,21 @@
 #endif
 /* TLS 1.3 requires at least one ciphersuite, so at least SHA-256 or SHA-384 */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- !( ( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_348) ) && \
- ( defined(MBEDTLS_USE_PSA_CRYPTO) || ( defined(MBEDTLS_MD_C) && ( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) ) ) ) )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* We always need at least one of the hashes via PSA (for use with HKDF) */
+#if !( defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384) )
 #error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
-#endif
+#endif /* !(PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384) */
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+/* When USE_PSA_CRYPTO is not defined, we also need SHA-256 or SHA-384 via the
+ * legacy interface, including via the MD layer, for the parts of the code
+ * that are shared with TLS 1.2 (running handshake hash). */
+#if !defined(MBEDTLS_MD_C) || \
+ !( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
+#endif /* !MBEDTLS_MD_C || !(MBEDTLS_SHA256_C || MBEDTLS_SHA384_C) */
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 /*
 * The current implementation of TLS 1.3 requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE.
From 004c2181f03892b5c55a5819885fcca1b29f77c6 Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel
Date: Wed, 14 Sep 2022 09:09:16 +0200
Subject: [PATCH 13/17] ssl_misc.h: hash guards adaptations
Signed-off-by: Przemyslaw Stekiel
---
 library/ssl_misc.h | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 84023b414..a59e672ef 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2137,33 +2137,33 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 switch( sig_alg )
 {
 #if defined(MBEDTLS_ECDSA_C)
-#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
 break;
-#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
 break;
-#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
 break;
-#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
 #endif /* MBEDTLS_ECDSA_C */
 #if defined(MBEDTLS_PKCS1_V21)
-#if defined(MBEDTLS_SHA256_C)
+#if defined(PSA_WANT_ALG_SHA_256)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
 break;
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
+#endif /* PSA_WANT_ALG_SHA_256 */
+#if defined(PSA_WANT_ALG_SHA_384)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
 break;
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
+#endif /* PSA_WANT_ALG_SHA_384 */
+#if defined(PSA_WANT_ALG_SHA_512)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
 break;
-#endif /* MBEDTLS_SHA512_C */
+#endif /* PSA_WANT_ALG_SHA_512 */
 #endif /* MBEDTLS_PKCS1_V21 */
 default:
 return( 0 );
From 034492bd567e8ad5a6db75f621ffe3072edf209d Mon Sep 17 00:00:00 2001
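Review bot: After this hunk `mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported` gates the ECDSA and RSA-PSS algorithms on `PSA_WANT_ALG_SHA_xxx`, while its caller `mbedtls_ssl_tls13_sig_alg_is_supported` (patch 06/17, L6) still gates the RSA PKCS#1 v1.5 cases on `MBEDTLS_HAS_ALG_SHA_xxx_VIA_MD_OR_PSA_BASED_ON_USE_PSA`, so the two functions in the same header advertise signature support under different conditions. If that split is deliberate, presumably because the PKCS#1 v1.5 path still runs through the MD layer when MBEDTLS_USE_PSA_CRYPTO is off while the cert-verify path is PSA-only, a comment above the `#if defined(MBEDTLS_PKCS1_V15)` block in the caller stating that would stop a later maintainer from "harmonising" the guards in the wrong direction. If it is not deliberate, both functions should use the same guard family. The function's closing brace is outside this hunk.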
From: Przemyslaw Stekiel
Date: Wed, 14 Sep 2022 11:09:20 +0200
Subject: [PATCH 14/17] ssl.h: Fix hash guards
Signed-off-by: Przemyslaw Stekiel
---
 include/mbedtls/ssl.h | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ada605361..0fcac689f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -338,13 +338,9 @@
 #define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \
- ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_256) )
+#if defined(PSA_WANT_ALG_SHA_384)
 #define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 48
-#elif ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \
- ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_384) )
+#elif defined(PSA_WANT_ALG_SHA_256)
 #define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 32
 #endif
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
From da6452578f00fba4ee0806d6d3c41b1807d831b0 Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel
Date: Wed, 14 Sep 2022 12:50:51 +0200
Subject: [PATCH 15/17] ssl_tls13_generic.c: fix hash buffer sizes (use PSA_HASH_MAX_SIZE)
Signed-off-by: Przemyslaw Stekiel
---
 library/ssl_tls13_generic.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index edf1c30e1..6f60fab0a 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -976,7 +976,7 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
 psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
 uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
 size_t signature_len = 0;
- unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
+ unsigned char verify_hash[PSA_HASH_MAX_SIZE];
 size_t verify_hash_len;
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@@ -1361,7 +1361,7 @@ cleanup:
 int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 {
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
+ unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
 size_t hash_len;
 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
 uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
@@ -1371,7 +1371,7 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
 ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
 hash_transcript + 4,
- MBEDTLS_MD_MAX_SIZE,
+ PSA_HASH_MAX_SIZE,
 &hash_len );
 if( ret != 0 )
 {
From ab9b9d4669bcd5a78450a140da99be78038ca986 Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel
Date: Wed, 14 Sep 2022 13:51:07 +0200
Subject: [PATCH 16/17] ssl_tls13_keys.h: use PSA max hash size
Signed-off-by: Przemyslaw Stekiel
---
 library/ssl_tls13_keys.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index b1155fb2a..d82bf7a93 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -81,7 +81,7 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
 * Since contexts are always hashes of message transcripts, this can
 * be approximated from above by the maximum hash size. */
 #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \
- MBEDTLS_MD_MAX_SIZE
+ PSA_HASH_MAX_SIZE
 /* Maximum desired length for expanded key material generated
 * by HKDF-Expand-Label.
From 67ffab560078ffcc4244b1e41e0c633a2ddc963d Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel
Date: Wed, 14 Sep 2022 14:07:01 +0200
Subject: [PATCH 17/17] ssl.h: use PSA hash buffer size when PSA is used
Signed-off-by: Przemyslaw Stekiel
---
 include/mbedtls/ssl.h | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 0fcac689f..1e0220a6a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -629,7 +629,12 @@ union mbedtls_ssl_premaster_secret
 #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret )
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE
+#else
 #define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 /* Length in number of bytes of the TLS sequence number */
 #define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8
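Review bot: `MBEDTLS_TLS1_3_MD_MAX_SIZE` is made conditional here, falling back to `MBEDTLS_MD_MAX_SIZE` when `MBEDTLS_USE_PSA_CRYPTO` is off, but patches 15/17 and 16/17 (L15) switched the TLS 1.3 buffers in ssl_tls13_generic.c (`verify_hash`, `hash_transcript` and the length passed to `mbedtls_ssl_get_handshake_transcript`) and `MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN` in ssl_tls13_keys.h to `PSA_HASH_MAX_SIZE` unconditionally. The library therefore sizes its transcript and verify-hash buffers by one macro and this public header by another; whether a configuration exists in which the two values differ cannot be determined from these hunks, and if one does the sizes disagree. Either use `MBEDTLS_TLS1_3_MD_MAX_SIZE` in those buffers as well, or add a comment on the new `#if` stating why `PSA_HASH_MAX_SIZE` is always sufficient for the TLS 1.3 code paths, so the relationship between the two is explicit.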