Merge branch 'psa_cipher_integration' into development-psa-proposed

This commit is contained in:
Hanno Becker 2018-11-23 11:26:57 +00:00
commit a0a96a0c56
3 changed files with 191 additions and 31 deletions

View file

@ -54,6 +54,19 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
#define MAX_KEY_BYTES 32 /* 256 bits */ #define MAX_KEY_BYTES 32 /* 256 bits */
#define TICKET_KEY_NAME_BYTES 4
#define TICKET_IV_BYTES 12
#define TICKET_CRYPT_LEN_BYTES 2
#define TICKET_AUTH_TAG_BYTES 16
#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
TICKET_IV_BYTES + \
TICKET_CRYPT_LEN_BYTES + \
TICKET_AUTH_TAG_BYTES )
#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
TICKET_IV_BYTES + \
TICKET_CRYPT_LEN_BYTES )
/* /*
* Generate/update a key * Generate/update a key
*/ */
@ -141,11 +154,27 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES ) if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 || #if defined(MBEDTLS_USE_PSA_CRYPTO)
( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 ) ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
{ cipher_info, TICKET_AUTH_TAG_BYTES );
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
return( ret );
/* We don't yet expect to support all ciphers through PSA,
* so allow fallback to ordinary mbedtls_cipher_setup(). */
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
return( ret );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
cipher_info, TICKET_AUTH_TAG_BYTES );
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
return( ret );
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
return( ret ); return( ret );
}
if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 || if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 ) ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
@ -278,6 +307,7 @@ static int ssl_load_session( mbedtls_ssl_session *session,
* The key_name, iv, and length of encrypted_state are the additional * The key_name, iv, and length of encrypted_state are the additional
* authenticated data. * authenticated data.
*/ */
int mbedtls_ssl_ticket_write( void *p_ticket, int mbedtls_ssl_ticket_write( void *p_ticket,
const mbedtls_ssl_session *session, const mbedtls_ssl_session *session,
unsigned char *start, unsigned char *start,
@ -289,9 +319,9 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
mbedtls_ssl_ticket_context *ctx = p_ticket; mbedtls_ssl_ticket_context *ctx = p_ticket;
mbedtls_ssl_ticket_key *key; mbedtls_ssl_ticket_key *key;
unsigned char *key_name = start; unsigned char *key_name = start;
unsigned char *iv = start + 4; unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
unsigned char *state_len_bytes = iv + 12; unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
unsigned char *state = state_len_bytes + 2; unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
unsigned char *tag; unsigned char *tag;
size_t clear_len, ciph_len; size_t clear_len, ciph_len;
@ -302,7 +332,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
/* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag, /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
* in addition to session itself, that will be checked when writing it. */ * in addition to session itself, that will be checked when writing it. */
if( end - start < 4 + 12 + 2 + 16 ) if( end - start < TICKET_MIN_LEN )
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
#if defined(MBEDTLS_THREADING_C) #if defined(MBEDTLS_THREADING_C)
@ -317,9 +347,9 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
*ticket_lifetime = ctx->ticket_lifetime; *ticket_lifetime = ctx->ticket_lifetime;
memcpy( key_name, key->name, 4 ); memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 ) if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
goto cleanup; goto cleanup;
/* Dump session state */ /* Dump session state */
@ -335,8 +365,11 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
/* Encrypt and authenticate */ /* Encrypt and authenticate */
tag = state + clear_len; tag = state + clear_len;
if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx, if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
iv, 12, key_name, 4 + 12 + 2, iv, TICKET_IV_BYTES,
state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 ) /* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
state, clear_len, state, &ciph_len,
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
{ {
goto cleanup; goto cleanup;
} }
@ -346,7 +379,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
goto cleanup; goto cleanup;
} }
*tlen = 4 + 12 + 2 + 16 + ciph_len; *tlen = TICKET_MIN_LEN + ciph_len;
cleanup: cleanup:
#if defined(MBEDTLS_THREADING_C) #if defined(MBEDTLS_THREADING_C)
@ -385,17 +418,16 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
mbedtls_ssl_ticket_context *ctx = p_ticket; mbedtls_ssl_ticket_context *ctx = p_ticket;
mbedtls_ssl_ticket_key *key; mbedtls_ssl_ticket_key *key;
unsigned char *key_name = buf; unsigned char *key_name = buf;
unsigned char *iv = buf + 4; unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
unsigned char *enc_len_p = iv + 12; unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
unsigned char *ticket = enc_len_p + 2; unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
unsigned char *tag; unsigned char *tag;
size_t enc_len, clear_len; size_t enc_len, clear_len;
if( ctx == NULL || ctx->f_rng == NULL ) if( ctx == NULL || ctx->f_rng == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
/* See mbedtls_ssl_ticket_write() */ if( len < TICKET_MIN_LEN )
if( len < 4 + 12 + 2 + 16 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
#if defined(MBEDTLS_THREADING_C) #if defined(MBEDTLS_THREADING_C)
@ -409,7 +441,7 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1]; enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
tag = ticket + enc_len; tag = ticket + enc_len;
if( len != 4 + 12 + 2 + enc_len + 16 ) if( len != TICKET_MIN_LEN + enc_len )
{ {
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto cleanup; goto cleanup;
@ -425,9 +457,13 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
} }
/* Decrypt and authenticate */ /* Decrypt and authenticate */
if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, iv, 12, if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
key_name, 4 + 12 + 2, ticket, enc_len, iv, TICKET_IV_BYTES,
ticket, &clear_len, tag, 16 ) ) != 0 ) /* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len,
ticket, &clear_len,
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
{ {
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
ret = MBEDTLS_ERR_SSL_INVALID_MAC; ret = MBEDTLS_ERR_SSL_INVALID_MAC;

View file

@ -632,6 +632,9 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
{ {
int ret = 0; int ret = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int psa_fallthrough;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char tmp[64]; unsigned char tmp[64];
unsigned char keyblk[256]; unsigned char keyblk[256];
unsigned char *key1; unsigned char *key1;
@ -640,6 +643,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
unsigned char *mac_dec; unsigned char *mac_dec;
size_t mac_key_len; size_t mac_key_len;
size_t iv_copy_len; size_t iv_copy_len;
size_t taglen = 0;
const mbedtls_cipher_info_t *cipher_info; const mbedtls_cipher_info_t *cipher_info;
const mbedtls_md_info_t *md_info; const mbedtls_md_info_t *md_info;
@ -899,7 +903,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
cipher_info->mode == MBEDTLS_MODE_CCM || cipher_info->mode == MBEDTLS_MODE_CCM ||
cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
{ {
size_t taglen, explicit_ivlen; size_t explicit_ivlen;
transform->maclen = 0; transform->maclen = 0;
mac_key_len = 0; mac_key_len = 0;
@ -1119,6 +1123,43 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
} }
#endif #endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Only use PSA-based ciphers for TLS-1.2.
* That's relevant at least for TLS-1.0, where
* we assume that mbedtls_cipher_crypt() updates
* the structure field for the IV, which the PSA-based
* implementation currently doesn't. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
cipher_info, taglen );
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
return( ret );
}
if( ret == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based encryption cipher context" ) );
psa_fallthrough = 0;
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
psa_fallthrough = 1;
}
}
else
psa_fallthrough = 1;
#else
psa_fallthrough = 1;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
if( psa_fallthrough == 1 )
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
cipher_info ) ) != 0 ) cipher_info ) ) != 0 )
{ {
@ -1126,6 +1167,42 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
return( ret ); return( ret );
} }
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Only use PSA-based ciphers for TLS-1.2.
* That's relevant at least for TLS-1.0, where
* we assume that mbedtls_cipher_crypt() updates
* the structure field for the IV, which the PSA-based
* implementation currently doesn't. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
cipher_info, taglen );
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
return( ret );
}
if( ret == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based decryption cipher context" ) );
psa_fallthrough = 0;
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
psa_fallthrough = 1;
}
}
else
psa_fallthrough = 1;
#else
psa_fallthrough = 1;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
if( psa_fallthrough == 1 )
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
cipher_info ) ) != 0 ) cipher_info ) ) != 0 )
{ {

View file

@ -185,6 +185,12 @@ requires_config_value_at_most() {
fi fi
} }
requires_ciphersuite_enabled() {
if [ -z "$($P_CLI --help | grep $1)" ]; then
SKIP_NEXT="YES"
fi
}
# skip next test if OpenSSL doesn't support FALLBACK_SCSV # skip next test if OpenSSL doesn't support FALLBACK_SCSV
requires_openssl_with_fallback_scsv() { requires_openssl_with_fallback_scsv() {
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@ -519,14 +525,6 @@ run_test() {
SKIP_NEXT="YES" SKIP_NEXT="YES"
fi fi
# should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then
SKIP_NEXT="NO"
echo "SKIP"
SKIPS=$(( $SKIPS + 1 ))
return
fi
# does this test use a proxy? # does this test use a proxy?
if [ "X$1" = "X-p" ]; then if [ "X$1" = "X-p" ]; then
PXY_CMD="$2" PXY_CMD="$2"
@ -541,6 +539,26 @@ run_test() {
CLI_EXPECT="$3" CLI_EXPECT="$3"
shift 3 shift 3
# Check if server forces ciphersuite
FORCE_CIPHERSUITE=$(echo "$SRV_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
if [ ! -z "$FORCE_CIPHERSUITE" ]; then
requires_ciphersuite_enabled $FORCE_CIPHERSUITE
fi
# Check if client forces ciphersuite
FORCE_CIPHERSUITE=$(echo "$CLI_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
if [ ! -z "$FORCE_CIPHERSUITE" ]; then
requires_ciphersuite_enabled $FORCE_CIPHERSUITE
fi
# should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then
SKIP_NEXT="NO"
echo "SKIP"
SKIPS=$(( $SKIPS + 1 ))
return
fi
# fix client port # fix client port
if [ -n "$PXY_CMD" ]; then if [ -n "$PXY_CMD" ]; then
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g ) CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
@ -734,6 +752,23 @@ run_test() {
rm -f $SRV_OUT $CLI_OUT $PXY_OUT rm -f $SRV_OUT $CLI_OUT $PXY_OUT
} }
run_test_psa() {
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSA-supported ciphersuite: $1" \
"$P_SRV debug_level=1 force_version=tls1_2" \
"$P_CLI debug_level=1 force_version=tls1_2 force_ciphersuite=$1" \
0 \
-c "Successfully setup PSA-based decryption cipher context" \
-c "Successfully setup PSA-based encryption cipher context" \
-s "Successfully setup PSA-based decryption cipher context" \
-s "Successfully setup PSA-based encryption cipher context" \
-C "Failed to setup PSA-based cipher context"\
-S "Failed to setup PSA-based cipher context"\
-s "Protocol is TLSv1.2" \
-S "error" \
-C "error"
}
cleanup() { cleanup() {
rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
@ -880,6 +915,18 @@ run_test "Opaque key for client authentication" \
-S "error" \ -S "error" \
-C "error" -C "error"
# Test ciphersuites which we expect to be fully supported by PSA Crypto
# and check that we don't fall back to Mbed TLS' internal crypto primitives.
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
# Test current time in ServerHello # Test current time in ServerHello
requires_config_enabled MBEDTLS_HAVE_TIME requires_config_enabled MBEDTLS_HAVE_TIME
run_test "ServerHello contains gmt_unix_time" \ run_test "ServerHello contains gmt_unix_time" \