From e699270908f409ecc303bc0c1bb8e3b2675362d7 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 7 May 2019 18:27:13 +0300 Subject: [PATCH 01/17] Add a single exit point in key derivation function Add a single exit point in `mbedtls_ssl_derive_keys()`. --- library/ssl_tls.c | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index da42ed7ae..c2903605c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1036,7 +1036,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); - return( ret ); + goto end; } /* Get MAC length */ @@ -1106,7 +1106,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #endif { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto end; } } } @@ -1168,7 +1169,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_SRV_C */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto end; } #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) @@ -1178,7 +1180,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) if( mac_key_len > sizeof( transform->mac_enc ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto end; } memcpy( transform->mac_enc, mac_enc, mac_key_len ); @@ -1202,7 +1205,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #endif { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto end; } #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ 
@@ -1220,7 +1224,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) mac_key_len ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + goto end; } } #else @@ -1253,7 +1258,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret ); - return( ret ); + goto end; } if( ret == 0 ) @@ -1279,7 +1284,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) cipher_info ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); - return( ret ); + goto end; } #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1296,7 +1301,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret ); - return( ret ); + goto end; } if( ret == 0 ) @@ -1322,7 +1327,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) cipher_info ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); - return( ret ); + goto end; } if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, @@ -1330,7 +1335,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) MBEDTLS_ENCRYPT ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); - return( ret ); + goto end; } if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, @@ -1338,7 +1343,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) MBEDTLS_DECRYPT ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); - return( ret ); + goto end; } #if defined(MBEDTLS_CIPHER_MODE_CBC) 
@@ -1348,14 +1353,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) MBEDTLS_PADDING_NONE ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); - return( ret ); + goto end; } if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec, MBEDTLS_PADDING_NONE ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); - return( ret ); + goto end; } } #endif /* MBEDTLS_CIPHER_MODE_CBC */ @@ -1375,7 +1380,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) ); - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto end; } } @@ -1389,14 +1395,16 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) inflateInit( &transform->ctx_inflate ) != Z_OK ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) ); - return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); + ret = MBEDTLS_ERR_SSL_COMPRESSION_FAILED; + goto end; } } #endif /* MBEDTLS_ZLIB_SUPPORT */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); +end: - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SSL_PROTO_SSL3) From a9f9a73920855ccb5fea2032bda6cf29bd9b50ea Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 7 May 2019 18:29:02 +0300 Subject: [PATCH 02/17] Zeroize secret data in the exit point Zeroize the secret data in `mbedtls_ssl_derive_keys()` in the single exit point. --- library/ssl_tls.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c2903605c..b5e850ada 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -988,9 +988,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); - mbedtls_platform_zeroize( handshake->randbytes, - sizeof( handshake->randbytes ) ); - /* * Determine the appropriate key, IV and MAC length. */ @@ -1365,7 +1362,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_CIPHER_MODE_CBC */ - mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) ); #if defined(MBEDTLS_ZLIB_SUPPORT) // Initialize compression @@ -1403,7 +1399,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); end: - + mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) ); + mbedtls_platform_zeroize( handshake->randbytes, + sizeof( handshake->randbytes ) ); return( ret ); } From 3b350856ff912eabd2ebf10c2c8be99e4280c01b Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 7 May 2019 18:31:49 +0300 Subject: [PATCH 03/17] Have the temporary buffer allocated dynamically Change `tmp` buffer to be dynamically allocated, as it is now dependent on external label given as input, in `tls_prf_generic()`. --- library/ssl_tls.c | 57 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b5e850ada..e1415a893 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -425,7 +425,8 @@ static int tls1_prf( const unsigned char *secret, size_t slen, size_t nb, hs; size_t i, j, k; const unsigned char *S1, *S2; - unsigned char tmp[128]; + unsigned char *tmp; + size_t tmp_len = 0; unsigned char h_i[20]; const mbedtls_md_info_t *md_info; mbedtls_md_context_t md_ctx; 
@@ -433,8 +434,13 @@ static int tls1_prf( const unsigned char *secret, size_t slen, mbedtls_md_init( &md_ctx ); - if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + tmp_len = 20 + strlen( label ) + rlen; + tmp = mbedtls_calloc( 1, tmp_len ); + if( tmp == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto exit; + } hs = ( slen + 1 ) / 2; S1 = secret; @@ -449,10 +455,15 @@ static int tls1_prf( const unsigned char *secret, size_t slen, * First compute P_md5(secret,label+random)[0..dlen] */ if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + { + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto exit; + } if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - return( ret ); + { + goto exit; + } mbedtls_md_hmac_starts( &md_ctx, S1, hs ); mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); @@ -480,10 +491,15 @@ static int tls1_prf( const unsigned char *secret, size_t slen, * XOR out with P_sha1(secret,label+random)[0..dlen] */ if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + { + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto exit; + } if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - return( ret ); + { + goto exit; + } mbedtls_md_hmac_starts( &md_ctx, S2, hs ); mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); @@ -505,12 +521,14 @@ static int tls1_prf( const unsigned char *secret, size_t slen, dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); } +exit: mbedtls_md_free( &md_ctx ); - mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); + mbedtls_platform_zeroize( tmp, tmp_len ); mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); - return( 0 ); + mbedtls_free( tmp ); + return( ret ); } #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ 
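Review bot: On the allocation-failure path at the top of tls1_prf, `tmp` is NULL while `tmp_len` has already been set, so the new `exit:` block calls `mbedtls_platform_zeroize( tmp, tmp_len )` with a NULL buffer and a non-zero length — a memset on NULL, or a parameter-validation failure when MBEDTLS_CHECK_PARAMS is enabled. Guard the wipe on the allocation having succeeded: `if( tmp != NULL )` / `    mbedtls_platform_zeroize( tmp, tmp_len );` (the `mbedtls_free( tmp )` below it is already safe with NULL). The `exit:` block added to tls_prf_generic in the next hunk (`@@ -640,12 +664,15 @@`) has the same issue and needs the same guard.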
@@ -593,7 +611,8 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, { size_t nb; size_t i, j, k, md_len; - unsigned char tmp[128]; + unsigned char *tmp; + size_t tmp_len = 0; unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; const mbedtls_md_info_t *md_info; mbedtls_md_context_t md_ctx; @@ -606,8 +625,13 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, md_len = mbedtls_md_get_size( md_info ); - if( sizeof( tmp ) < md_len + strlen( label ) + rlen ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + tmp_len = md_len + strlen( label ) + rlen; + tmp = mbedtls_calloc( 1, tmp_len ); + if( tmp == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto exit; + } nb = strlen( label ); memcpy( tmp + md_len, label, nb ); @@ -618,7 +642,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, * Compute P_(secret, label + random)[0..dlen] */ if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - return( ret ); + goto exit; mbedtls_md_hmac_starts( &md_ctx, secret, slen ); mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); @@ -640,12 +664,15 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, dstbuf[i + j] = h_i[j]; } +exit: mbedtls_md_free( &md_ctx ); - mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); + mbedtls_platform_zeroize( tmp, tmp_len ); mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); - return( 0 ); + mbedtls_free( tmp ); + + return( ret ); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SHA256_C) From f5cc10d93b6c04df741202e3a3af268e01b638e3 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 7 May 2019 18:33:40 +0300 Subject: [PATCH 04/17] Add an extra key export function Add an additional function `mbedtls_ssl_export_keys_ext_t()` for exporting key, that adds additional information such as the used `tls_prf` and the random bytes. --- include/mbedtls/ssl.h | 73 +++++++++++++++++++++++++++++++++++++++++++ library/ssl_tls.c | 18 +++++++++++ 2 files changed, 91 insertions(+) 
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 135be0501..766217c44 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -559,6 +559,25 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx, */ typedef int mbedtls_ssl_get_timer_t( void * ctx ); +/** + * \brief Function type: TLS-PRF function. + * + * \param secret Secret for the key derivation function. + * \param slen Length of the secret. + * \param label String label for the key derivation function, + * terminated with null character. + * \param random Random bytes. + * \param rlen Length of the random bytes buffer. + * \param dstbuf The buffer holding the derived key. + * \param dlen Length of the output buffer. + * + * \return 0 on sucess. An SSL specific error on failure. + */ +typedef int mbedtls_ssl_tls_prf( const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen ); + /* Defined below */ typedef struct mbedtls_ssl_session mbedtls_ssl_session; typedef struct mbedtls_ssl_context mbedtls_ssl_context; @@ -920,6 +939,11 @@ struct mbedtls_ssl_config /** Callback to export key block and master secret */ int (*f_export_keys)( void *, const unsigned char *, const unsigned char *, size_t, size_t, size_t ); + /** Callback to export key block, master secret, + * tls_prf and random bytes. Should replace f_export_keys */ + int (*f_export_keys_ext)( void *, const unsigned char *, + const unsigned char *, size_t, size_t, size_t, + mbedtls_ssl_tls_prf *, unsigned char[32], unsigned char[32]); void *p_export_keys; /*!< context for key export callback */ #endif 
@@ -1624,6 +1648,41 @@ typedef int mbedtls_ssl_export_keys_t( void *p_expkey, size_t maclen, size_t keylen, size_t ivlen ); + +/** + * \brief Callback type: Export key block, master secret, + * handshake randbytes and the tls_prf function + * used to derive keys. + * + * \note This is required for certain uses of TLS, e.g. EAP-TLS + * (RFC 5216) and Thread. The key pointers are ephemeral and + * therefore must not be stored. The master secret and keys + * should not be used directly except as an input to a key + * derivation function. + * + * \param p_expkey Context for the callback. + * \param ms Pointer to master secret (fixed length: 48 bytes). + * \param kb Pointer to key block, see RFC 5246 section 6.3. + * (variable length: 2 * maclen + 2 * keylen + 2 * ivlen). + * \param maclen MAC length. + * \param keylen Key length. + * \param ivlen IV length. + * \param tls_prf The TLS PRF function used in the handshake. + * \param client_random The client random bytes. + * \param server_random The server random bytes. + * + * \return 0 if successful, or + * a specific MBEDTLS_ERR_XXX code. + */ +typedef int mbedtls_ssl_export_keys_ext_t( void *p_expkey, + const unsigned char *ms, + const unsigned char *kb, + size_t maclen, + size_t keylen, + size_t ivlen, + mbedtls_ssl_tls_prf *tls_prf, + unsigned char client_random[32], + unsigned char server_random[32] ); #endif /* MBEDTLS_SSL_EXPORT_KEYS */ /** 
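Review bot: The \note on mbedtls_ssl_export_keys_ext_t says the key pointers must not be stored, but `client_random` and `server_random` are equally ephemeral — they point into the handshake state, which mbedtls_ssl_derive_keys wipes before returning — and the doc should say so, e.g. extend the note with `The random pointers are likewise only valid for the duration of the callback and must be copied if needed.` Declaring them `const unsigned char client_random[32]` / `const unsigned char server_random[32]` would also stop a callback from altering the live handshake randoms. The \return text promises an MBEDTLS_ERR_XXX code, yet the only caller in this series (`mbedtls_ssl_derive_keys`, next file) discards the result; either document that the return value is currently ignored or have the caller propagate it.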
@@ -1689,6 +1748,20 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, mbedtls_ssl_export_keys_t *f_export_keys, void *p_export_keys ); + +/** + * \brief Configure extended key export callback. + * (Default: none.) + * + * \note See \c mbedtls_ssl_export_keys_ext_t. + * + * \param conf SSL configuration context + * \param f_export_keys_ext Callback for exporting keys + * \param p_export_keys Context for the callback + */ +void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf, + mbedtls_ssl_export_keys_ext_t *f_export_keys_ext, + void *p_export_keys ); #endif /* MBEDTLS_SSL_EXPORT_KEYS */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e1415a893..6a6ed0e47 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1265,6 +1265,16 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) mac_key_len, keylen, iv_copy_len ); } + + if( ssl->conf->f_export_keys_ext != NULL ) + { + ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys, + session->master, keyblk, + mac_key_len, transform->keylen, + iv_copy_len, handshake->tls_prf, + handshake->randbytes + 32, + handshake->randbytes ); + } #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -8653,6 +8663,14 @@ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, conf->f_export_keys = f_export_keys; conf->p_export_keys = p_export_keys; } + +void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf, + mbedtls_ssl_export_keys_ext_t *f_export_keys_ext, + void *p_export_keys ) +{ + conf->f_export_keys_ext = f_export_keys_ext; + conf->p_export_keys = p_export_keys; +} #endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) From c4d3ef472162081c79302fad615f08d92f54ca40 Mon Sep 17 00:00:00 2001 
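Review bot: mbedtls_ssl_conf_export_keys_ext_cb() stores its context in the same `p_export_keys` field that mbedtls_ssl_conf_export_keys_cb() uses, so configuring both callbacks leaves them sharing whichever context was set last; nothing in the new \brief or in the implementation (hunk `@@ -8653,6 +8663,14 @@` below) warns about this. Either give the extended callback its own context field, or document the sharing, e.g. add to the \note: `The context is shared with mbedtls_ssl_conf_export_keys_cb(); the last call to either function wins.`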
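Review bot: The call to `f_export_keys_ext` in mbedtls_ssl_derive_keys passes `handshake->randbytes + 32` as the client random and `handshake->randbytes` as the server random, which reads as inverted; presumably `randbytes` has been swapped to server||client order earlier in the function (not visible in this hunk), and that deserves a comment such as `/* randbytes holds server_random || client_random at this point */` directly above the call. The callback's return value is also dropped although its type is documented as returning an error code; if that is deliberate, cast it to `(void)` and say so in a comment, otherwise assign it to `ret` and `goto end` on failure.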
From: Ron Eldor Date: Tue, 7 May 2019 18:35:49 +0300 Subject: [PATCH 05/17] Add ChangeLog entry Add ChangeLog entry describing the new key export feature. --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 58ff14734..e205835bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -61,6 +61,8 @@ Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. + * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, + and the used tls-prf. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. From b7fd64ce2bb861d0ce2f3614ad0ac75b4dbf860d Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Sun, 12 May 2019 11:03:32 +0300 Subject: [PATCH 06/17] Add eap-tls key derivation in the examples. Add support for eap-tls key derivation functionality, in `ssl_client2` and `ssl_server2` reference applications. --- library/ssl_tls.c | 2 +- programs/ssl/ssl_client2.c | 97 +++++++++++++++++++++++++++++++++++++- programs/ssl/ssl_server2.c | 96 +++++++++++++++++++++++++++++++++++++ 3 files changed, 193 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6a6ed0e47..620adf968 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1270,7 +1270,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys, session->master, keyblk, - mac_key_len, transform->keylen, + mac_key_len, keylen, iv_copy_len, handshake->tls_prf, handshake->randbytes + 32, handshake->randbytes ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2cddfb42a..353a5800f 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
@@ -126,7 +126,7 @@ int main( void ) #define DFL_EXTENDED_MS -1 #define DFL_ETM -1 #define DFL_CA_CALLBACK 0 - +#define DFL_EAP_TLS 0 #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: " #define GET_REQUEST_END "\r\n\r\n" @@ -204,6 +204,13 @@ int main( void ) #define USAGE_TICKETS "" #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +#define USAGE_EAP_TLS \ + " eap_tls=%%d default: 0 (disabled)\n" +#else +#define USAGE_EAP_TLS "" +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) #define USAGE_TRUNC_HMAC \ " trunc_hmac=%%d default: library default\n" @@ -348,6 +355,7 @@ int main( void ) " reco_delay=%%d default: 0 seconds\n" \ " reconnect_hard=%%d default: 0 (disabled)\n" \ USAGE_TICKETS \ + USAGE_EAP_TLS \ USAGE_MAX_FRAG_LEN \ USAGE_TRUNC_HMAC \ USAGE_CONTEXT_CRT_CB \ 
@@ -448,10 +456,44 @@ struct options int extended_ms; /* negotiate extended master secret? */ int etm; /* negotiate encrypt then mac? */ int context_crt_cb; /* use context-specific CRT verify callback */ + int eap_tls; /* derive EAP-TLS keying material? */ } opt; int query_config( const char *config ); +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +typedef struct eap_tls_keys +{ + unsigned char master_secret[48]; + unsigned char randbytes[64]; + mbedtls_ssl_tls_prf *tls_prf; +} eap_tls_keys; + +static int eap_tls_key_derivation ( void *p_expkey, + const unsigned char *ms, + const unsigned char *kb, + size_t maclen, + size_t keylen, + size_t ivlen, + mbedtls_ssl_tls_prf *tls_prf, + unsigned char client_random[32], + unsigned char server_random[32] ) +{ + eap_tls_keys *keys = (eap_tls_keys *)p_expkey; + + ( ( void ) kb ); + ( ( void ) maclen ); + ( ( void ) keylen ); + ( ( void ) ivlen ); + memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) ); + memcpy( keys->randbytes, client_random, 32 ); + memcpy( keys->randbytes + 32, server_random, 32 ); + keys->tls_prf = tls_prf; + + return( 0 ); +} +#endif + static void my_debug( void *ctx, int level, const char *file, int line, const char *str ) @@ -713,6 +755,12 @@ int main( int argc, char *argv[] ) #endif char *p, *q; const int *list; +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + unsigned char eap_tls_keymaterial[16]; + unsigned char eap_tls_iv[8]; + const char* eap_tls_label = "client EAP encryption"; + eap_tls_keys eap_tls_keying; +#endif /* * Make sure memory references are valid. @@ -818,6 +866,7 @@ int main( int argc, char *argv[] ) opt.extended_ms = DFL_EXTENDED_MS; opt.etm = DFL_ETM; opt.dgram_packing = DFL_DGRAM_PACKING; + opt.eap_tls = DFL_EAP_TLS; for( i = 1; i < argc; i++ ) { @@ -1176,6 +1225,12 @@ int main( int argc, char *argv[] ) { return query_config( q ); } + else if( strcmp( p, "eap_tls" ) == 0 ) + { + opt.eap_tls = atoi( q ); + if( opt.eap_tls < 0 || opt.eap_tls > 1 ) + goto usage; + } else goto usage; } 
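Review bot: `eap_tls_keys eap_tls_keying;` in main is left uninitialised, yet the later check `eap_tls_keying.tls_prf != NULL` (hunk `@@ -1917,6 +1978,40 @@`) relies on the field being NULL whenever the export callback did not run, so that read is of an indeterminate value. Initialise it at the declaration, `eap_tls_keys eap_tls_keying = { 0 };`, or memset it before the handshake, and do the same for the identical declaration added to ssl_server2.c (`@@ -1444,6 +1487,12 @@`). Separately, `const char* eap_tls_label` binds the `*` to the type, unlike the rest of this file; `const char *eap_tls_label` matches the local style.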
@@ -1652,6 +1707,12 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm ); #endif +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( opt.eap_tls != 0 ) + mbedtls_ssl_conf_export_keys_ext_cb( &conf, eap_tls_key_derivation, + &eap_tls_keying ); +#endif + #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) if( opt.recsplit != DFL_RECSPLIT ) mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit @@ -1917,6 +1978,40 @@ int main( int argc, char *argv[] ) } #endif +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( opt.eap_tls != 0 && + eap_tls_keying.tls_prf != NULL ) + { + size_t j = 0; + eap_tls_keying.tls_prf( eap_tls_keying.master_secret, + sizeof( eap_tls_keying.master_secret ), + eap_tls_label, + eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), + eap_tls_keymaterial, + sizeof( eap_tls_keymaterial ) ); + mbedtls_printf( " EAP-TLS key material is:" ); + for( j = 0; j < sizeof( eap_tls_keymaterial ); j++ ) + { + if( j % 8 == 0 ) + mbedtls_printf("\n "); + mbedtls_printf("%02x ", eap_tls_keymaterial[j] ); + } + mbedtls_printf("\n"); + + eap_tls_keying.tls_prf( NULL, 0, eap_tls_label, eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), eap_tls_iv, + sizeof( eap_tls_iv ) ); + mbedtls_printf( " EAP-TLS IV is:" ); + for( j = 0; j < sizeof( eap_tls_iv ); j++ ) + { + if( j % 8 == 0 ) + mbedtls_printf("\n "); + mbedtls_printf("%02x ", eap_tls_iv[j] ); + } + mbedtls_printf("\n"); + } +#endif if( opt.reconnect != 0 ) { mbedtls_printf(" . Saving session for reuse..." ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5ee90ac35..54e2e5197 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -168,6 +168,7 @@ int main( void ) #define DFL_EXTENDED_MS -1 #define DFL_ETM -1 #define DFL_CA_CALLBACK 0 +#define DFL_EAP_TLS 0 #define LONG_RESPONSE "
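Review bot: The derived secrets in this block — `eap_tls_keying.master_secret`, `eap_tls_keymaterial` and `eap_tls_iv` — are never wiped; they stay on main's stack after being printed, and the program's `exit:` cleanup (outside this hunk) should zeroize them, e.g. `mbedtls_platform_zeroize( &eap_tls_keying, sizeof( eap_tls_keying ) );` plus the two buffers, if platform_util.h is available to the program. Both `tls_prf` calls discard their return value, so a failing PRF would print uninitialised bytes as key material (a later patch in this series adds a check to at least the first call; the IV call should be checked the same way). RFC 5216 section 2.3 derives 128 bytes of key material and a 64-byte IV, while the sample requests only 16 and 8, so a comment stating that this is a truncated demonstration rather than the full EAP-TLS derivation would keep it from being copied as-is. The same block is added to ssl_server2.c (`@@ -3117,6 +3179,40 @@`).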

01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ @@ -281,6 +282,13 @@ int main( void ) #define USAGE_TICKETS "" #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +#define USAGE_EAP_TLS \ + " eap_tls=%%d default: 0 (disabled)\n" +#else +#define USAGE_EAP_TLS "" +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + #if defined(MBEDTLS_SSL_CACHE_C) #define USAGE_CACHE \ " cache_max=%%d default: cache default (50)\n" \ @@ -442,6 +450,7 @@ int main( void ) " exchanges=%%d default: 1\n" \ "\n" \ USAGE_TICKETS \ + USAGE_EAP_TLS \ USAGE_CACHE \ USAGE_MAX_FRAG_LEN \ USAGE_TRUNC_HMAC \ @@ -563,10 +572,44 @@ struct options int dtls_mtu; /* UDP Maximum tranport unit for DTLS */ int dgram_packing; /* allow/forbid datagram packing */ int badmac_limit; /* Limit of records with bad MAC */ + int eap_tls; /* derive EAP-TLS keying material? */ } opt; int query_config( const char *config ); +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +typedef struct eap_tls_keys +{ + unsigned char master_secret[48]; + unsigned char randbytes[64]; + mbedtls_ssl_tls_prf *tls_prf; +} eap_tls_keys; + +static int eap_tls_key_derivation ( void *p_expkey, + const unsigned char *ms, + const unsigned char *kb, + size_t maclen, + size_t keylen, + size_t ivlen, + mbedtls_ssl_tls_prf *tls_prf, + unsigned char client_random[32], + unsigned char server_random[32] ) +{ + eap_tls_keys *keys = (eap_tls_keys *)p_expkey; + + ( ( void ) kb ); + ( ( void ) maclen ); + ( ( void ) keylen ); + ( ( void ) ivlen ); + memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) ); + memcpy( keys->randbytes, client_random, 32 ); + memcpy( keys->randbytes + 32, server_random, 32 ); + keys->tls_prf = tls_prf; + + return( 0 ); +} +#endif + static void my_debug( void *ctx, int level, const char *file, int line, const char *str ) 
@@ -1444,6 +1487,12 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; #endif +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + unsigned char eap_tls_keymaterial[16]; + unsigned char eap_tls_iv[8]; + const char* eap_tls_label = "client EAP encryption"; + eap_tls_keys eap_tls_keying; +#endif #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); @@ -1585,6 +1634,7 @@ int main( int argc, char *argv[] ) opt.badmac_limit = DFL_BADMAC_LIMIT; opt.extended_ms = DFL_EXTENDED_MS; opt.etm = DFL_ETM; + opt.eap_tls = DFL_EAP_TLS; for( i = 1; i < argc; i++ ) { @@ -1975,6 +2025,12 @@ int main( int argc, char *argv[] ) { return query_config( q ); } + else if( strcmp( p, "eap_tls" ) == 0 ) + { + opt.eap_tls = atoi( q ); + if( opt.eap_tls < 0 || opt.eap_tls > 1 ) + goto usage; + } else goto usage; } @@ -2537,6 +2593,12 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm ); #endif +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( opt.eap_tls != 0 ) + mbedtls_ssl_conf_export_keys_ext_cb( &conf, eap_tls_key_derivation, + &eap_tls_keying ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 ) 
@@ -3117,6 +3179,40 @@ handshake: } #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( opt.eap_tls != 0 && + eap_tls_keying.tls_prf != NULL ) + { + size_t j = 0; + eap_tls_keying.tls_prf( eap_tls_keying.master_secret, + sizeof( eap_tls_keying.master_secret ), + eap_tls_label, + eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), + eap_tls_keymaterial, + sizeof( eap_tls_keymaterial ) ); + mbedtls_printf( " EAP-TLS key material is:" ); + for( j = 0; j < sizeof( eap_tls_keymaterial ); j++ ) + { + if( j % 8 == 0 ) + mbedtls_printf("\n "); + mbedtls_printf("%02x ", eap_tls_keymaterial[j] ); + } + mbedtls_printf("\n"); + + eap_tls_keying.tls_prf( NULL, 0, eap_tls_label, eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), eap_tls_iv, + sizeof( eap_tls_iv ) ); + mbedtls_printf( " EAP-TLS IV is:" ); + for( j = 0; j < sizeof( eap_tls_iv ); j++ ) + { + if( j % 8 == 0 ) + mbedtls_printf("\n "); + mbedtls_printf("%02x ", eap_tls_iv[j] ); + } + mbedtls_printf("\n"); + } +#endif if( opt.exchanges == 0 ) goto close_notify; From 51d3ab544f46dc5eda6fbd5560f4fddba76215d6 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Sun, 12 May 2019 14:54:30 +0300 Subject: [PATCH 07/17] Add public API for tls_prf Add a public API for key derivation, introducing an enum for `tls_prf` type. --- include/mbedtls/ssl.h | 60 +++++++++++++++++++++------------- include/mbedtls/ssl_internal.h | 8 +++-- library/ssl_tls.c | 58 ++++++++++++++++++++++++++++++-- programs/ssl/ssl_client2.c | 49 ++++++++++++++++++--------- programs/ssl/ssl_server2.c | 49 ++++++++++++++++++--------- 5 files changed, 164 insertions(+), 60 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 766217c44..a460e2073 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -450,6 +450,18 @@ typedef enum } mbedtls_ssl_states; +/* + * The tls_prf function types. + */ +typedef enum +{ + MBEDTLS_SSL_TLS_PRF_NONE, + MBEDTLS_SSL_TLS_PRF_SSL3, + MBEDTLS_SSL_TLS_PRF_TLS1, + MBEDTLS_SSL_TLS_PRF_SHA384, + MBEDTLS_SSL_TLS_PRF_SHA256 +} +mbedtls_tls_prf_types; /** * \brief Callback type: send data on the network. * @@ -559,25 +571,6 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx, */ typedef int mbedtls_ssl_get_timer_t( void * ctx ); -/** - * \brief Function type: TLS-PRF function. - * - * \param secret Secret for the key derivation function. - * \param slen Length of the secret. - * \param label String label for the key derivation function, - * terminated with null character. - * \param random Random bytes. - * \param rlen Length of the random bytes buffer. - * \param dstbuf The buffer holding the derived key. - * \param dlen Length of the output buffer. - * - * \return 0 on sucess. An SSL specific error on failure. - */ -typedef int mbedtls_ssl_tls_prf( const unsigned char *secret, size_t slen, - const char *label, - const unsigned char *random, size_t rlen, - unsigned char *dstbuf, size_t dlen ); - /* Defined below */ typedef struct mbedtls_ssl_session mbedtls_ssl_session; typedef struct mbedtls_ssl_context mbedtls_ssl_context; @@ -943,7 +936,7 @@ struct mbedtls_ssl_config * tls_prf and random bytes. Should replace f_export_keys */ int (*f_export_keys_ext)( void *, const unsigned char *, const unsigned char *, size_t, size_t, size_t, - mbedtls_ssl_tls_prf *, unsigned char[32], unsigned char[32]); + unsigned char[32], unsigned char[32], mbedtls_tls_prf_types ); void *p_export_keys; /*!< context for key export callback */ #endif 
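Review bot: The new public typedef `mbedtls_tls_prf_types` drops the `mbedtls_ssl_` prefix used by every neighbouring type in this header (`mbedtls_ssl_states` just above it), and a released public name cannot be changed later; `mbedtls_ssl_tls_prf_types` would be consistent. The enum also carries only a bare `/* The tls_prf function types. */` comment — a Doxygen `/** ... */` block, with a line saying that `MBEDTLS_SSL_TLS_PRF_NONE` means no PRF has been selected, would match the rest of the file. A blank line is missing between `mbedtls_tls_prf_types;` and the following `/** \brief Callback type: send data` block.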
@@ -1667,9 +1660,9 @@ typedef int mbedtls_ssl_export_keys_t( void *p_expkey, * \param maclen MAC length. * \param keylen Key length. * \param ivlen IV length. - * \param tls_prf The TLS PRF function used in the handshake. * \param client_random The client random bytes. * \param server_random The server random bytes. + * \param tls_prf_type The tls_prf enum type. * * \return 0 if successful, or * a specific MBEDTLS_ERR_XXX code. @@ -1680,9 +1673,9 @@ typedef int mbedtls_ssl_export_keys_ext_t( void *p_expkey, size_t maclen, size_t keylen, size_t ivlen, - mbedtls_ssl_tls_prf *tls_prf, unsigned char client_random[32], - unsigned char server_random[32] ); + unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type ); #endif /* MBEDTLS_SSL_EXPORT_KEYS */ /** @@ -3560,6 +3553,27 @@ void mbedtls_ssl_session_init( mbedtls_ssl_session *session ); */ void mbedtls_ssl_session_free( mbedtls_ssl_session *session ); +/** + * \brief TLS-PRF function for key derivation. + * + * \param prf The tls_prf type funtion type to be used. + * \param secret Secret for the key derivation function. + * \param slen Length of the secret. + * \param label String label for the key derivation function, + * terminated with null character. + * \param random Random bytes. + * \param rlen Length of the random bytes buffer. + * \param dstbuf The buffer holding the derived key. + * \param dlen Length of the output buffer. + * + * \return 0 on sucess. An SSL specific error on failure. + */ +int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, + const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen ); + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index ac4d96dbf..9c4be53f7 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
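Review bot: The Doxygen block for mbedtls_ssl_tls_prf() has two typos, `funtion` and `sucess`, and the \return line should name the concrete failure for an unsupported or MBEDTLS_SSL_TLS_PRF_NONE type, which the implementation reports as MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE: `\return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if \p prf is not compiled in, or another MBEDTLS_ERR_SSL_XXX code on failure.` The `const` on the by-value `prf` parameter is a definition detail and is normally omitted from prototypes in a header.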
@@ -276,6 +276,10 @@ struct mbedtls_ssl_sig_hash_set_t #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ +typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen ); /* * This structure contains the parameters only needed during handshake. */ @@ -425,9 +429,7 @@ struct mbedtls_ssl_handshake_params void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); void (*calc_verify)(mbedtls_ssl_context *, unsigned char *); void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); - int (*tls_prf)(const unsigned char *, size_t, const char *, - const unsigned char *, size_t, - unsigned char *, size_t); + mbedtls_ssl_tls_prf_cb *tls_prf; mbedtls_ssl_ciphersuite_t const *ciphersuite_info; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 620adf968..df106a530 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -751,6 +751,43 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ +int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, + const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen ) +{ + mbedtls_ssl_tls_prf_cb *tls_prf = NULL; + + switch( prf ) + { +#if defined(MBEDTLS_SSL_PROTO_SSL3) + case MBEDTLS_SSL_TLS_PRF_SSL3: + tls_prf = ssl3_prf; + break; +#endif +#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) + case MBEDTLS_SSL_TLS_PRF_TLS1: + tls_prf = tls1_prf; + break; +#endif +#if defined(MBEDTLS_SHA512_C) + case MBEDTLS_SSL_TLS_PRF_SHA384: + tls_prf = tls_prf_sha384; + break; +#endif +#if defined(MBEDTLS_SHA256_C) + case MBEDTLS_SSL_TLS_PRF_SHA256: + tls_prf = tls_prf_sha256; + break; +#endif + default: + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + + return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) ); +} + int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { int ret = 0; @@ -774,6 +811,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * "The master secret is always exactly 48 bytes in length." */ size_t const master_secret_len = 48; +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + mbedtls_tls_prf_types tls_prf_type = MBEDTLS_SSL_TLS_PRF_NONE; +#endif + #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) unsigned char session_hash[48]; #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ @@ -815,6 +856,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = ssl3_prf; handshake->calc_verify = ssl_calc_verify_ssl; handshake->calc_finished = ssl_calc_finished_ssl; +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + tls_prf_type = MBEDTLS_SSL_TLS_PRF_SSL3; +#endif } else #endif 
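Review bot: The `MBEDTLS_SSL_TLS_PRF_SHA384` and `MBEDTLS_SSL_TLS_PRF_SHA256` cases in mbedtls_ssl_tls_prf() are guarded only by `MBEDTLS_SHA512_C` / `MBEDTLS_SHA256_C`; if `tls_prf_sha384` and `tls_prf_sha256` are themselves defined under `MBEDTLS_SSL_PROTO_TLS1_2` (their definitions are outside this hunk), a build with SHA-2 enabled but TLS 1.2 disabled fails on an undeclared static. Wrapping both cases in an outer `#if defined(MBEDTLS_SSL_PROTO_TLS1_2)` / `#endif` pair would mirror the guards on the PRF definitions. Since this is a public entry point, a short comment stating that the caller is responsible for `dstbuf` holding at least `dlen` bytes, and whether `secret` may be NULL when `slen` is 0 (as the sample programs' IV derivation assumes), would also help.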
@@ -824,6 +868,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = tls1_prf; handshake->calc_verify = ssl_calc_verify_tls; handshake->calc_finished = ssl_calc_finished_tls; +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + tls_prf_type = MBEDTLS_SSL_TLS_PRF_TLS1; +#endif } else #endif @@ -835,6 +882,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = tls_prf_sha384; handshake->calc_verify = ssl_calc_verify_tls_sha384; handshake->calc_finished = ssl_calc_finished_tls_sha384; +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + tls_prf_type = MBEDTLS_SSL_TLS_PRF_SHA384; +#endif } else #endif @@ -844,6 +894,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = tls_prf_sha256; handshake->calc_verify = ssl_calc_verify_tls_sha256; handshake->calc_finished = ssl_calc_finished_tls_sha256; +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + tls_prf_type = MBEDTLS_SSL_TLS_PRF_SHA256; +#endif } else #endif @@ -1271,9 +1324,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys, session->master, keyblk, mac_key_len, keylen, - iv_copy_len, handshake->tls_prf, + iv_copy_len, handshake->randbytes + 32, - handshake->randbytes ); + handshake->randbytes, + tls_prf_type); } #endif diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 353a5800f..a9bcd01f3 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -466,7 +466,7 @@ typedef struct eap_tls_keys { unsigned char master_secret[48]; unsigned char randbytes[64]; - mbedtls_ssl_tls_prf *tls_prf; + mbedtls_tls_prf_types tls_prf_type; } eap_tls_keys; static int eap_tls_key_derivation ( void *p_expkey, 
@@ -475,9 +475,9 @@ static int eap_tls_key_derivation ( void *p_expkey, size_t maclen, size_t keylen, size_t ivlen, - mbedtls_ssl_tls_prf *tls_prf, unsigned char client_random[32], - unsigned char server_random[32] ) + unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type ) { eap_tls_keys *keys = (eap_tls_keys *)p_expkey; @@ -488,7 +488,7 @@ static int eap_tls_key_derivation ( void *p_expkey, memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) ); memcpy( keys->randbytes, client_random, 32 ); memcpy( keys->randbytes + 32, server_random, 32 ); - keys->tls_prf = tls_prf; + keys->tls_prf_type = tls_prf_type; return( 0 ); } @@ -1979,17 +1979,25 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_SSL_EXPORT_KEYS) - if( opt.eap_tls != 0 && - eap_tls_keying.tls_prf != NULL ) + if( opt.eap_tls != 0 ) { size_t j = 0; - eap_tls_keying.tls_prf( eap_tls_keying.master_secret, - sizeof( eap_tls_keying.master_secret ), - eap_tls_label, - eap_tls_keying.randbytes, - sizeof( eap_tls_keying.randbytes ), - eap_tls_keymaterial, - sizeof( eap_tls_keymaterial ) ); + + if( ( ret = mbedtls_ssl_tls_prf( eap_tls_keying.tls_prf_type, + eap_tls_keying.master_secret, + sizeof( eap_tls_keying.master_secret ), + eap_tls_label, + eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), + eap_tls_keymaterial, + sizeof( eap_tls_keymaterial ) ) ) + != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n", + -ret ); + goto exit; + } + mbedtls_printf( " EAP-TLS key material is:" ); for( j = 0; j < sizeof( eap_tls_keymaterial ); j++ ) { 
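Review bot: The new failure report `mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n", -ret )` hands a signed `int` to a `%x` conversion, which takes `unsigned int`; `ret` is a negative error code so the value is representable, but the type mismatch is formally undefined and is what `-Wformat-signedness` reports. Some of the other failure reports in these sample programs already cast, so write `(unsigned int) -ret );` here as well. The same line appears in the IV-derivation hunk of ssl_client2.c and in both ssl_server2.c hunks below; fix them together.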
@@ -1999,9 +2007,18 @@ int main( int argc, char *argv[] ) } mbedtls_printf("\n"); - eap_tls_keying.tls_prf( NULL, 0, eap_tls_label, eap_tls_keying.randbytes, - sizeof( eap_tls_keying.randbytes ), eap_tls_iv, - sizeof( eap_tls_iv ) ); + if( ( ret = mbedtls_ssl_tls_prf( eap_tls_keying.tls_prf_type, NULL, 0, + eap_tls_label, + eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), + eap_tls_iv, + sizeof( eap_tls_iv ) ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n", + -ret ); + goto exit; + } + mbedtls_printf( " EAP-TLS IV is:" ); for( j = 0; j < sizeof( eap_tls_iv ); j++ ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 54e2e5197..363b2dc2d 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -582,7 +582,7 @@ typedef struct eap_tls_keys { unsigned char master_secret[48]; unsigned char randbytes[64]; - mbedtls_ssl_tls_prf *tls_prf; + mbedtls_tls_prf_types tls_prf_type; } eap_tls_keys; static int eap_tls_key_derivation ( void *p_expkey, @@ -591,9 +591,9 @@ static int eap_tls_key_derivation ( void *p_expkey, size_t maclen, size_t keylen, size_t ivlen, - mbedtls_ssl_tls_prf *tls_prf, unsigned char client_random[32], - unsigned char server_random[32] ) + unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type ) { eap_tls_keys *keys = (eap_tls_keys *)p_expkey; @@ -604,7 +604,7 @@ static int eap_tls_key_derivation ( void *p_expkey, memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) ); memcpy( keys->randbytes, client_random, 32 ); memcpy( keys->randbytes + 32, server_random, 32 ); - keys->tls_prf = tls_prf; + keys->tls_prf_type = tls_prf_type; return( 0 ); } 
@@ -3180,17 +3180,25 @@ handshake: #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) - if( opt.eap_tls != 0 && - eap_tls_keying.tls_prf != NULL ) + if( opt.eap_tls != 0 ) { size_t j = 0; - eap_tls_keying.tls_prf( eap_tls_keying.master_secret, - sizeof( eap_tls_keying.master_secret ), - eap_tls_label, - eap_tls_keying.randbytes, - sizeof( eap_tls_keying.randbytes ), - eap_tls_keymaterial, - sizeof( eap_tls_keymaterial ) ); + + if( ( ret = mbedtls_ssl_tls_prf( eap_tls_keying.tls_prf_type, + eap_tls_keying.master_secret, + sizeof( eap_tls_keying.master_secret ), + eap_tls_label, + eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), + eap_tls_keymaterial, + sizeof( eap_tls_keymaterial ) ) ) + != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n", + -ret ); + goto exit; + } + mbedtls_printf( " EAP-TLS key material is:" ); for( j = 0; j < sizeof( eap_tls_keymaterial ); j++ ) { @@ -3200,9 +3208,18 @@ handshake: } mbedtls_printf("\n"); - eap_tls_keying.tls_prf( NULL, 0, eap_tls_label, eap_tls_keying.randbytes, - sizeof( eap_tls_keying.randbytes ), eap_tls_iv, - sizeof( eap_tls_iv ) ); + if( ( ret = mbedtls_ssl_tls_prf( eap_tls_keying.tls_prf_type, NULL, 0, + eap_tls_label, + eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), + eap_tls_iv, + sizeof( eap_tls_iv ) ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n", + -ret ); + goto exit; + } + mbedtls_printf( " EAP-TLS IV is:" ); for( j = 0; j < sizeof( eap_tls_iv ); j++ ) { From 824ad7b3513be4c0f68cb7136dbd049db5611ff9 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Mon, 13 May 2019 14:09:00 +0300 Subject: [PATCH 08/17] Add tests for the public tls_prf API Add tests for `mbedtls_ssl_tls_prf` wiht and without the function types dependencies. --- tests/suites/test_suite_ssl.data | 39 ++++++++++++++++++++++++++++ tests/suites/test_suite_ssl.function | 25 ++++++++++++++++++ 2 files changed, 64 insertions(+) 
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 2b3517dec..73585831a 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -5633,3 +5633,42 @@ ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_MINOR_ Record crypt, little space, NULL cipher, SSL3, MD5, short tag, EtM depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0 + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SSL3 +depends_on:MBEDTLS_SSL_PROTO_SSL3 +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SSL3:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"3ff3d192aa599255339def5a9723444a":0 + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.0 enabled +depends_on:MBEDTLS_SSL_PROTO_TLS1 +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_TLS1:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"8defca540d41d4c79d390027295bb4e6":0 + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.1 enabled +depends_on:MBEDTLS_SSL_PROTO_TLS1_1 +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_TLS1:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"8defca540d41d4c79d390027295bb4e6":0 + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384 +depends_on:MBEDTLS_SHA512_C:MBEDTLS_SSL_PROTO_TLS1_2 
+ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA384:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"a4206a36eef93f496611c2b7806625c3":0 + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA256 +depends_on:MBEDTLS_SHA256_C:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA256:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"7f9998393198a02c8d731ccc2ef90b2c":0 + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SSL3 not enabled +depends_on:!MBEDTLS_SSL_PROTO_SSL3 +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SSL3:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"3ff3d192aa599255339def5a9723444a":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.0 enabled +depends_on:!MBEDTLS_SSL_PROTO_TLS1 +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_TLS1:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"8defca540d41d4c79d390027295bb4e6":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384 +depends_on:!MBEDTLS_SHA512_C +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA384:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test 
tls_prf label":"a4206a36eef93f496611c2b7806625c3":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA256 +depends_on:!MBEDTLS_SHA256_C +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA256:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"7f9998393198a02c8d731ccc2ef90b2c":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 05ecd8ad5..69b97789f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -541,3 +541,28 @@ exit: mbedtls_free( buf ); } /* END_CASE */ + +/* BEGIN_CASE */ +void ssl_tls_prf( int type, data_t * secret, data_t * random, + char *label, data_t *result_hex_str, int exp_ret ) +{ + unsigned char *output; + + output = mbedtls_calloc( 1, result_hex_str->len ); + if( output == NULL ) + goto exit; + + TEST_ASSERT( mbedtls_ssl_tls_prf( type, secret->x, secret->len, + label, random->x, random->len, + output, result_hex_str->len ) == exp_ret ); + + if( exp_ret == 0 ) + { + TEST_ASSERT( hexcmp( output, result_hex_str->x, + result_hex_str->len, result_hex_str->len ) == 0 ); + } +exit: + + mbedtls_free( output ); +} +/* END_CASE */ From cf28009839be2bc5f9ed2de1f68180d71c64a3a1 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 14 May 2019 20:19:13 +0300 Subject: [PATCH 09/17] Add function to retrieve the tls_prf type Add `tls_prf_get_type()` static function that returns the `mbedtls_tls_prf_types` according to the used `tls_prf` function. --- library/ssl_tls.c | 55 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index df106a530..0f05276f0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
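Review bot: The bare `goto exit` after `mbedtls_calloc( 1, result_hex_str->len )` turns an allocation failure into a silent pass, and for the `MBEDTLS_SSL_TLS_PRF_NONE` row the expected output is empty, so `result_hex_str->len` is 0 and a zero-size `calloc` may legitimately return NULL; on such an allocator the `mbedtls_ssl_tls_prf()` call and the `exp_ret` comparison are never reached and the case passes vacuously. Assert instead of skipping, tolerating NULL only for a zero-length request: `TEST_ASSERT( output != NULL || result_hex_str->len == 0 );`. Separately, none of the rows that reach a PRF passes an empty secret, while ssl_client2 and ssl_server2 call `mbedtls_ssl_tls_prf()` with `NULL, 0` for the EAP-TLS IV; an empty-secret row per enabled PRF type would give that `slen == 0` path coverage.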
@@ -751,6 +751,43 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) +{ +#if defined(MBEDTLS_SSL_PROTO_SSL3) + if( tls_prf == ssl3_prf ) + { + returnn( MBEDTLS_SSL_TLS_PRF_SSL3 ); + } + else +#endif +#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) + if( tls_prf == tls1_prf ) + { + return( MBEDTLS_SSL_TLS_PRF_TLS1 ); + } + else +#endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SHA512_C) + if( tls_prf == tls_prf_sha384 ) + { + return( MBEDTLS_SSL_TLS_PRF_SHA384 ); + } + else +#endif +#if defined(MBEDTLS_SHA256_C) + if( tls_prf == tls_prf_sha256 ) + { + return( MBEDTLS_SSL_TLS_PRF_SHA256 ); + } + else +#endif +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + return( MBEDTLS_SSL_TLS_PRF_NONE ); +} +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, const unsigned char *secret, size_t slen, const char *label, @@ -811,10 +848,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * "The master secret is always exactly 48 bytes in length." */ size_t const master_secret_len = 48; -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - mbedtls_tls_prf_types tls_prf_type = MBEDTLS_SSL_TLS_PRF_NONE; -#endif - #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) unsigned char session_hash[48]; #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ @@ -856,9 +889,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = ssl3_prf; handshake->calc_verify = ssl_calc_verify_ssl; handshake->calc_finished = ssl_calc_finished_ssl; -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - tls_prf_type = MBEDTLS_SSL_TLS_PRF_SSL3; -#endif } else #endif 
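Review bot: `tls_prf_get_type()` has no comment stating its contract: it maps the handshake's `tls_prf` pointer back to a `mbedtls_tls_prf_types` value by pointer identity and falls through to `MBEDTLS_SSL_TLS_PRF_NONE` for anything it does not recognise, which is the value `f_export_keys_ext` callers then receive. Suggest a header comment above the definition, e.g. `/* Map handshake->tls_prf back to the mbedtls_tls_prf_types value reported to f_export_keys_ext; returns MBEDTLS_SSL_TLS_PRF_NONE for a PRF that is not compiled in or not one of the known functions. */`. Spelling out the identity-comparison assumption (the pointer must be exactly `ssl3_prf`, `tls1_prf`, `tls_prf_sha384` or `tls_prf_sha256`, never a wrapper) protects against a future build variant assigning a different function and silently exporting NONE.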
@@ -868,9 +898,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = tls1_prf; handshake->calc_verify = ssl_calc_verify_tls; handshake->calc_finished = ssl_calc_finished_tls; -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - tls_prf_type = MBEDTLS_SSL_TLS_PRF_TLS1; -#endif } else #endif @@ -882,9 +909,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = tls_prf_sha384; handshake->calc_verify = ssl_calc_verify_tls_sha384; handshake->calc_finished = ssl_calc_finished_tls_sha384; -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - tls_prf_type = MBEDTLS_SSL_TLS_PRF_SHA384; -#endif } else #endif @@ -894,9 +918,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) handshake->tls_prf = tls_prf_sha256; handshake->calc_verify = ssl_calc_verify_tls_sha256; handshake->calc_finished = ssl_calc_finished_tls_sha256; -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - tls_prf_type = MBEDTLS_SSL_TLS_PRF_SHA256; -#endif } else #endif @@ -1327,7 +1348,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) iv_copy_len, handshake->randbytes + 32, handshake->randbytes, - tls_prf_type); + tls_prf_get_type( handshake->tls_prf ) ); } #endif From f75e252909fccf27818b63fbc8e10994ce714d2b Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 14 May 2019 20:38:49 +0300 Subject: [PATCH 10/17] Add test for export keys functionality Add test in `ssl-opts.sh` that the export keys callback is actually called. --- programs/ssl/ssl_client2.c | 9 ++++++--- programs/ssl/ssl_server2.c | 9 ++++++--- tests/ssl-opt.sh | 12 ++++++++++++ 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index a9bcd01f3..a33cfb5ad 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
@@ -482,14 +482,17 @@ static int eap_tls_key_derivation ( void *p_expkey, eap_tls_keys *keys = (eap_tls_keys *)p_expkey; ( ( void ) kb ); - ( ( void ) maclen ); - ( ( void ) keylen ); - ( ( void ) ivlen ); memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) ); memcpy( keys->randbytes, client_random, 32 ); memcpy( keys->randbytes + 32, server_random, 32 ); keys->tls_prf_type = tls_prf_type; + if( opt.debug_level > 2 ) + { + mbedtls_printf("exported maclen is %zu\n",maclen); + mbedtls_printf("exported keylen is %zu\n",keylen); + mbedtls_printf("exported ivlen is %zu\n",ivlen); + } return( 0 ); } #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 363b2dc2d..d246988bf 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -598,14 +598,17 @@ static int eap_tls_key_derivation ( void *p_expkey, eap_tls_keys *keys = (eap_tls_keys *)p_expkey; ( ( void ) kb ); - ( ( void ) maclen ); - ( ( void ) keylen ); - ( ( void ) ivlen ); memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) ); memcpy( keys->randbytes, client_random, 32 ); memcpy( keys->randbytes + 32, server_random, 32 ); keys->tls_prf_type = tls_prf_type; + if( opt.debug_level > 2 ) + { + mbedtls_printf("exported maclen is %zu\n",maclen); + mbedtls_printf("exported keylen is %zu\n",keylen); + mbedtls_printf("exported ivlen is %zu\n",ivlen); + } return( 0 ); } #endif diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 08d4be308..cef87bceb 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -7939,6 +7939,18 @@ run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -s "Extra-header:" \ -c "Extra-header:" +requires_config_enabled MBEDTLS_SSL_EXPORT_KEYS +run_test "export keys functionality" \ + "$P_SRV eap_tls=1 debug_level=3" \ + "$P_CLI eap_tls=1 debug_level=3" \ + 0 \ + -s "exported maclen is " \ + -s "exported keylen is " \ + -s "exported ivlen is " \ + -c "exported maclen is " \ + -c "exported keylen is " \ + -c "exported ivlen is " + # Final report echo "------------------------------------------------------------------------" From 780d8158f79f2aa217a929a65f3b498b2ac13733 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 14 May 2019 20:41:08 +0300 Subject: [PATCH 11/17] Add changeLog entry Add changeLog entry describing the new `mbedtls_ssl_tls_prf()` API. --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index e205835bc..f01b870ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -63,6 +63,7 @@ Features https://sweet32.info/SWEET32_CCS16.pdf. * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, and the used tls-prf. + * Add public API for tls-prf function, according to requested enum. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. From aa947f1cef0fd44f4ad617deb8c9461b144300a7 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 15 May 2019 12:28:21 +0300 Subject: [PATCH 12/17] Fix ChangeLog entry location Move the ChangeLog entries to correct section, as it was in an already released section, due to rebase error. --- ChangeLog | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f01b870ca..3aa84e73c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -9,6 +9,9 @@ Features Contributed by Jack Lloyd and Fortanix Inc. * Add the Wi-SUN Field Area Network (FAN) device extended key usage. * Add the oid certificate policy x509 extension. + * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, + and the used tls-prf. + * Add public API for tls-prf function, according to requested enum. Bugfix * Fix private key DER output in the key_app_writer example. File contents @@ -34,6 +37,11 @@ Bugfix * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. +API Changes + * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, + and the used tls-prf. + * Add public API for tls-prf function, according to requested enum. + Changes * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. @@ -61,9 +69,6 @@ Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. - * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, - and the used tls-prf. - * Add public API for tls-prf function, according to requested enum. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. From 0810f0babdb8ef6fd20deba9b2c3ecc060fe0159 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 15 May 2019 12:32:32 +0300 Subject: [PATCH 13/17] Fix typo Fix typo `returnn` -> `return` --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0f05276f0..d8b5f2bc3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -757,7 +757,7 @@ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
 if( tls_prf == ssl3_prf )
 {
- returnn( MBEDTLS_SSL_TLS_PRF_SSL3 );
+ return( MBEDTLS_SSL_TLS_PRF_SSL3 );
 }
 else
 #endif
From d2f25f7ea8e7dcf7b57984aa82a7d529540b7c3f Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 15 May 2019 14:54:22 +0300 Subject: [PATCH 14/17] Fix missing tls version test failures Add checks for tls_prf tests with the relevant tls version configuration. --- library/ssl_tls.c | 11 +++++++---- tests/suites/test_suite_ssl.data | 8 ++++---- 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d8b5f2bc3..d25dffd07 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -802,22 +802,25 @@ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
 case MBEDTLS_SSL_TLS_PRF_SSL3:
 tls_prf = ssl3_prf;
 break;
-#endif
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
 case MBEDTLS_SSL_TLS_PRF_TLS1:
 tls_prf = tls1_prf;
 break;
-#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #if defined(MBEDTLS_SHA512_C)
 case MBEDTLS_SSL_TLS_PRF_SHA384:
 tls_prf = tls_prf_sha384;
 break;
-#endif
+#endif /* MBEDTLS_SHA512_C */
 #if defined(MBEDTLS_SHA256_C)
 case MBEDTLS_SSL_TLS_PRF_SHA256:
 tls_prf = tls_prf_sha256;
 break;
-#endif
+#endif /* MBEDTLS_SHA256_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 default:
 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
 }
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 73585831a..fd81ffec4 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -5661,14 +5661,14 @@ SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SSL3 not enabled depends_on:!MBEDTLS_SSL_PROTO_SSL3 ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SSL3:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"3ff3d192aa599255339def5a9723444a":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.0 enabled -depends_on:!MBEDTLS_SSL_PROTO_TLS1 +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_TLS1 TLS 1.X not enabled +depends_on:!MBEDTLS_SSL_PROTO_TLS1:!MBEDTLS_SSL_PROTO_TLS1_1 ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_TLS1:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"8defca540d41d4c79d390027295bb4e6":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384 +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384 SHA-512 not enabled depends_on:!MBEDTLS_SHA512_C ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA384:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"a4206a36eef93f496611c2b7806625c3":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA256 +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA256 SHA-256 not enabled depends_on:!MBEDTLS_SHA256_C ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA256:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf 
label":"7f9998393198a02c8d731ccc2ef90b2c":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE From 6b9b1b88fbebc9d7a6a7c350191c13c99446edac Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 15 May 2019 17:04:33 +0300 Subject: [PATCH 15/17] Initialize psa_crypto in ssl test Call `psa_crypto_init()` in `tls_prf` ssl test in case `MBEDTLS_USE_PSA_CRYPTO` is defined since tls_prf may use psa crypto. --- tests/suites/test_suite_ssl.function | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 69b97789f..ecf186ed3 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -552,6 +552,10 @@ void ssl_tls_prf( int type, data_t * secret, data_t * random, if( output == NULL ) goto exit; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + TEST_ASSERT( psa_crypto_init() == 0 ); +#endif + TEST_ASSERT( mbedtls_ssl_tls_prf( type, secret->x, secret->len, label, random->x, random->len, output, result_hex_str->len ) == exp_ret ); From 801faf0fa1518678976aa1d70226544eba0cdc50 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 15 May 2019 17:45:24 +0300 Subject: [PATCH 16/17] Fix mingw CI failures Change `%z` formatting of `size_t` to `%u` and casting to unsigned. --- programs/ssl/ssl_client2.c | 6 +++--- programs/ssl/ssl_server2.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index a33cfb5ad..9260fbf1a 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
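Review bot: The renamed "SHA-512 not enabled" and "SHA-256 not enabled" rows still depend only on `!MBEDTLS_SHA512_C` / `!MBEDTLS_SHA256_C`, while the library hunk in the same commit guards those PRF cases with `MBEDTLS_SSL_PROTO_TLS1_2` as well; a configuration with the hash compiled in but TLS 1.2 disabled therefore runs neither the positive row (`depends_on:MBEDTLS_SHA512_C:MBEDTLS_SSL_PROTO_TLS1_2`) nor this negative one, and the `MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE` path is untested there. A second negative row per hash, `depends_on:!MBEDTLS_SSL_PROTO_TLS1_2` with the same arguments and expected `MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE`, would close the gap without conflicting with the existing rows.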
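Review bot: `psa_crypto_init()` is now called on the success path, but nothing tears the PSA subsystem down again under `exit:`, so the global PSA state outlives this test case and may trip the suite's allocation-leak check where one is configured; the `exit:` label and the start of `ssl_tls_prf()` are outside this hunk. Add the matching teardown after `exit:`, `#if defined(MBEDTLS_USE_PSA_CRYPTO)` / `mbedtls_psa_crypto_free();` / `#endif`, or the suite's PSA teardown helper if this version already has one.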
@@ -489,9 +489,9 @@ static int eap_tls_key_derivation ( void *p_expkey,
 if( opt.debug_level > 2 )
 {
- mbedtls_printf("exported maclen is %zu\n",maclen);
- mbedtls_printf("exported keylen is %zu\n",keylen);
- mbedtls_printf("exported ivlen is %zu\n",ivlen);
+ mbedtls_printf("exported maclen is %u\n", (unsigned)maclen);
+ mbedtls_printf("exported keylen is %u\n", (unsigned)keylen);
+ mbedtls_printf("exported ivlen is %u\n", (unsigned)ivlen);
 }
 return( 0 );
 }
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d246988bf..0b2350236 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -605,9 +605,9 @@ static int eap_tls_key_derivation ( void *p_expkey,
 if( opt.debug_level > 2 )
 {
- mbedtls_printf("exported maclen is %zu\n",maclen);
- mbedtls_printf("exported keylen is %zu\n",keylen);
- mbedtls_printf("exported ivlen is %zu\n",ivlen);
+ mbedtls_printf("exported maclen is %u\n", (unsigned)maclen);
+ mbedtls_printf("exported keylen is %u\n", (unsigned)keylen);
+ mbedtls_printf("exported ivlen is %u\n", (unsigned)ivlen);
 }
 return( 0 );
 }
From 51c4507b9c791df16591e83437631a1bfbc0328e Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 15 May 2019 17:49:54 +0300 Subject: [PATCH 17/17] Remove unneeded whitespaces Delete extra whitespace in Changelog and in paramter alignment. --- ChangeLog | 4 ++-- programs/ssl/ssl_client2.c | 10 +++++----- programs/ssl/ssl_server2.c | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3aa84e73c..8044ae57f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,7 +9,7 @@ Features Contributed by Jack Lloyd and Fortanix Inc. * Add the Wi-SUN Field Area Network (FAN) device extended key usage. * Add the oid certificate policy x509 extension. - * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, + * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, and the used tls-prf. * Add public API for tls-prf function, according to requested enum. @@ -38,7 +38,7 @@ Bugfix sni entry parameter. Reported by inestlerode in #560. API Changes - * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, + * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, and the used tls-prf. * Add public API for tls-prf function, according to requested enum. diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 9260fbf1a..62f2c5790 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2011,11 +2011,11 @@ int main( int argc, char *argv[] ) mbedtls_printf("\n"); if( ( ret = mbedtls_ssl_tls_prf( eap_tls_keying.tls_prf_type, NULL, 0, - eap_tls_label, - eap_tls_keying.randbytes, - sizeof( eap_tls_keying.randbytes ), - eap_tls_iv, - sizeof( eap_tls_iv ) ) ) != 0 ) + eap_tls_label, + eap_tls_keying.randbytes, + sizeof( eap_tls_keying.randbytes ), + eap_tls_iv, + sizeof( eap_tls_iv ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n", -ret ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 0b2350236..807f880f8 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -3212,11 +3212,11 @@ handshake:
 mbedtls_printf("\n");
 if( ( ret = mbedtls_ssl_tls_prf( eap_tls_keying.tls_prf_type, NULL, 0,
- eap_tls_label,
- eap_tls_keying.randbytes,
- sizeof( eap_tls_keying.randbytes ),
- eap_tls_iv,
- sizeof( eap_tls_iv ) ) ) != 0 )
+ eap_tls_label,
+ eap_tls_keying.randbytes,
+ sizeof( eap_tls_keying.randbytes ),
+ eap_tls_iv,
+ sizeof( eap_tls_iv ) ) ) != 0 )
 {
 mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n",
 -ret );