The test suites `test_suite_gcm.aes{128,192,256}_en.data` contains
numerous NIST test vectors for AES-*-GCM against which the GCM
API mbedtls_gcm_xxx() is tested.
However, one level higher at the cipher API, no tests exist which
exercise mbedtls_cipher_auth_{encrypt/decrypt}() for GCM ciphers,
although test_suite_cipher.function contains the test auth_crypt_tv
which does precisely that and is already used e.g. in
test_suite_cipher.ccm.
This commit replicates the test vectors from
test_suite_gcm.aes{128,192,256}_en.data in test_suite_cipher.gcm.data
and adds a run of auth_crypt_tv for each of them.
The conversion was mainly done through the sed command line
```
s/gcm_decrypt_and_verify:\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):
\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\)/auth_crypt_tv:
\1:\2:\4:\5:\3:\7:\8:\9/
```
Revived from a previous PR by Gilles, see:
https://github.com/ARMmbed/mbedtls/pull/1293/files#diff-568ef321d275f2035b8b26a70ee9af0bR71
This will be useful in eliminating temporary stack buffers for transcoding the
signature: in order to do that in place we need to be able to make assumptions
about the size of the output buffer, which this macro will provide. (See next
commit.)
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
While at it, clarify who's responsible for destroying the underlying key. That
can't be us because some keys cannot be destroyed and we wouldn't know. So
let's leave that up to the caller.
Otherwise, if `mbedtls_psa_get_free_key_slot()` fails to find a fresh
key slot, the slot value will be undefined, and the call to
`psa_destroy_key()` at the end of `main()` is undefined behavior.
Previously, command line arguments `psk_slot` and `psk_list_slot`
could be used to indicate the PSA key slots that the example
applications should use to store the PSK(s) provided.
This commit changes this approach to use the utility function
`mbedtls_psa_get_free_key_slot()` to obtain free key slots from
the PSA Crypto implementation automatically, so that users only
need to pass boolean flags `psk_opaque` and `psk_list_opaque`
on the command line to enable / disable PSA-based opaque PSKs.
The code maintains the invariant that raw and opaque PSKs are never
configured simultaneously, so strictly speaking `ssl_conf_remove_psk()`
need not consider clearing the raw PSK if it has already cleared an
opaque one - and previously, it didn't. However, it doesn't come at
any cost to keep this check as a safe-guard to future unforeseen
situations where opaque and raw PSKs _are_ both present.
In multiple places, it occurrs as the fixed length of
the master secret, so use a constant with a descriptive
name instead. This is reinforced by the fact the some
further occurrences of '48' are semantically different.
This commit adds command line parameters `psk_slot` and `psk_list_slot`
to the example application `programs/ssl/ssl_server2`. These have the
following semantics:
- `psk_slot`: The same semantics as for the `ssl_client2` example
application. That is, if a PSK is configured through the use
of the command line parameters `psk` and `psk_identity`, then
`psk_slot=X` can be used to import the PSK into PSA key slot X
and registering it statically with the SSL configuration through
the new API call mbedtls_ssl_conf_hs_opaque().
- `psk_list_slot`: In addition to the static PSK registered in the
the SSL configuration, servers can register a callback for picking
the PSK corresponding to the PSK identity that the client chose.
The `ssl_server2` example application uses such a callback to select
the PSK from a list of PSKs + Identities provided through the
command line parameter `psk_list`, and to register the selected
PSK via `mbedtls_ssl_set_hs_psk()`. In this case, the new parameter
`psk_list_slot=X` has the effect of registering all PSKs provided in
in `psk_list` as PSA keys in the key slots starting from slot `X`,
and having the PSK selection callback register the chosen PSK
through the new API function `mbedtls_ssl_set_hs_psk_opaque()`.
This commit adds support for the use of PSA-based opaque PSKs
in the TLS client example application programs/ssl/ssl_client2.
Specifically, a numerical command line option `psk_slot` with
the following constraints and semantics is added:
- It can only be used alongside the provisioning of a raw PSK
through the preexisting `psk` command line option.
- It can only be used if both TLS 1.2 and a PSK-only ciphersuite
are enforced through the appropriate use of the `min_version`
and `force_ciphersuite` command line options.
- If the previous conditions are met, setting `psk_slot=d` will
result in the PSA key slot with identifier `d` being populated
with the raw PSK data specified through the `psk` parameter
and passed to Mbed TLS via `mbedtls_ssl_conf_psk_opaque()`
prior to the handshake.
Enforcing the TLS version and ciphersuite is necessary to determine
the exact KDF algorithm the PSK will be used for. This is required
as it is currently not possible to set up a key without specifying
exactly one algorithm the key may be used with.
This commit adds a field `psk_opaque` to the handshake parameter
struct `mbedtls_ssl_handshake_params` which indicates if the user
has configured the use of an opaque PSK.
This commit adds two public API functions
mbedtls_ssl_conf_psk_opaque()
mbedtls_ssl_set_hs_psk_opaque()
which allow to configure the use of opaque, PSA-maintained PSKs
at configuration time or run time.
