Manuel Pégourié-Gonnard
70701e39b5
Merge pull request #5726 from mprse/mixed_psk_1_v2
...
Mixed PSK 1: Extend PSK-to-MS algorithm in PSA (v.2)
2022-04-21 17:11:52 +02:00
Manuel Pégourié-Gonnard
90c70146b5
Merge pull request #5728 from superna9999/5711-pk-opaque-rsa-pss-sign
...
RSA-PSS sign 1: PK
2022-04-21 17:11:18 +02:00
Gilles Peskine
9d8716c5aa
Merge pull request #5739 from gilles-peskine-arm/depends-curves-positive-only
...
Don't test with all-but-one elliptic curves
2022-04-21 12:34:44 +02:00
Neil Armstrong
843795ad2f
Use macro for public key buffer size in pk_psa_wrap_sign_ext()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-21 12:23:28 +02:00
Neil Armstrong
13e76be02b
Reorganize & simplify mbedtls_pk_sign_ext() handling of wrapped RSA-PSS
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-21 12:08:52 +02:00
Gilles Peskine
afbfed9397
Merge pull request #5582 from gilles-peskine-arm/ssl-opt-auto-psk
...
Run ssl-opt.sh in more reduced configurations
2022-04-21 12:03:53 +02:00
Przemek Stekiel
4e47a91d2e
Fix indentation issues
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
4daaa2bd05
derive_output mix-psk test: add more cases for derivation of output key
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
6aabc473ce
derive_output test: remove redundant tests with raw key agreement
...
Already handled by input_bytes().
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
e665466a80
derive_output test: add other key type value 11 to handle raw key type
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
c5bd1b8b24
PSA key derivation mix-psk tests: add description for bad state cases
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
03faf5d2c1
psa_tls12_prf_psk_to_ms_set_key: clear buffers after usage
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
937b90febf
Add null check for pms allocation
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
7f1c89d1d4
Provide other_secret, other_secret_length fields if MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS is defined
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
e47201b34a
rename: psa_tls12_prf_set_other_key->psa_tls12_prf_psk_to_ms_set_other_key and adapt code
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
38647defa8
derive_output() test: fix code style
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
2503f7e4cb
Handle empty other secret when passed with input bytes
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
cd00d7f724
test PSA key derivation: add positive and negative cases for mixed-psk
...
Mix-PSK-to-MS test vectors are generated using python-tls library:
https://github.com/python-tls/tls
Steps to generate test vectors:
1. git clone git@github.com:python-tls/tls.git
2. cd tls
3. python3 setup.py build
4. sudo python3 setup.py install
5. Use the python script below to generate Master Secret (see description for details):
"""
Script to derive MS using mixed PSK to MS algorithm.
Script can be used to generate expected result for mixed PSK to MS tests.
Script uses python tls library:
https://github.com/python-tls/tls
Example usage:
derive_ms.py <secret> <other_secret> <seed> <label> <hash>
derive_ms.py 01020304 ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7 5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f 6d617374657220736563726574 SHA256
secret : 01020304
other_secret : ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7
pms : 0030ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7000401020304
seed : 5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f
label : 6d617374657220736563726574
output : 168fecea35190f9df34c042f24ecaa5e7825337f2cd82719464df5462f16aae84cb38a65c0d612ca9273f998ad32c05b
"""
from cryptography.hazmat.primitives import hashes
from tls._common.prf import prf
import os
import sys
def build_pms(other_secret: bytes, secret: bytes) -> bytes:
other_secret_size = len(other_secret).to_bytes(2, byteorder='big')
secret_size = len(secret).to_bytes(2, byteorder='big')
return(other_secret_size + other_secret + secret_size + secret)
def derive_ms(secret: bytes, other_secret: bytes, seed: bytes, label: bytes, hash: hashes.HashAlgorithm) -> bytes:
return prf(build_pms(other_secret, secret), label, seed, hash, 48)
def main():
#check args
if len(sys.argv) != 6:
print("Invalid number of arguments. Expected: <secret> <other_secret> <seed> <label> <hash>" )
return
if sys.argv[5] != 'SHA384' and sys.argv[5] != 'SHA256':
print("Invalid hash algorithm. Expected: SHA256 or SHA384" )
return
secret = bytes.fromhex(sys.argv[1])
other_secret = bytes.fromhex(sys.argv[2])
seed = bytes.fromhex(sys.argv[3])
label = bytes.fromhex(sys.argv[4])
hash_func = hashes.SHA384() if sys.argv[5] == 'SHA384' else hashes.SHA256()
pms = build_pms(other_secret, secret)
actual_output = derive_ms(secret, other_secret, seed, label, hash_func)
print('secret : ' + secret.hex())
print('other_secret : ' + other_secret.hex())
print('pms : ' + pms.hex())
print('seed : ' + seed.hex())
print('label : ' + label.hex())
print('output : ' + actual_output.hex())
if __name__ == "__main__":
main()
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:41:41 +02:00
Neil Armstrong
23143dca2a
Update mbedtls_pk_wrap_as_opaque() public documentation for RSA & RSA-PSS
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-21 11:33:54 +02:00
Ronald Cron
771e42a270
Merge pull request #5698 from ronald-cron-arm/tls13-misc
...
TLS 1.3 - miscellaneous
The "merge TLS testing" job of the internal CI ran successfully thus CI is OK.
2022-04-21 09:57:36 +02:00
Paul Elliott
7ea6ae892e
Merge pull request #5743 from Anton-TF/build-win32
...
Fix Windows build host detection
2022-04-21 08:42:56 +01:00
Ronald Cron
fd8cbda3ec
Remove ECDH code specific to TLS 1.3
...
ECDH operations in TLS 1.3 are now done through PSA.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-04-19 18:31:24 +02:00
Ronald Cron
9d0a3e8296
generate_tls13_compat_tests.py: Fix/Unify parameter ordering
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-04-19 18:31:24 +02:00
Ronald Cron
df5f8681cc
ssl-opt.sh: Fix/Unify TLS 1.3 test descriptions
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-04-19 18:31:24 +02:00
Ronald Cron
fd6193c285
ssl_tls13_client: Add downgrade attack protection
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-04-19 18:31:24 +02:00
Ronald Cron
217d699d85
Fix Doxygen marks
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-04-19 18:28:51 +02:00
Paul Elliott
a2da9c7e45
Merge pull request #5631 from gstrauss/enum-tls-vers
...
Unify internal/external TLS protocol version enums
2022-04-19 17:05:26 +01:00
Gilles Peskine
f4d70b2944
Merge pull request #5608 from AndrzejKurek/raw-key-agreement-fail
...
Add a test for a raw key agreement failure
2022-04-19 14:00:48 +02:00
Manuel Pégourié-Gonnard
46435f05e1
Merge pull request #5706 from hanno-arm/bn_mul_cleanup
...
Simplify structure of bignum inline assembly
2022-04-19 11:30:05 +02:00
Hanno Becker
606cb1626f
Add comment explaining structure of UMAAL assembly
...
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-17 06:59:33 +01:00
Hanno Becker
d46d96cc3f
Add 2-fold unrolled assembly for umaal based multiplication
...
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-17 06:19:55 +01:00
Hanno Becker
63eb28c728
Use separate counters for 8-fold and single multiplication steps
...
Compilers are likely to generate shorter assembly for loops of the
form `while( cnt-- ) { ... }` rather than
`for( ; count >= X; count -= X ) { ... }`. (E.g. the latter needs
a subtract+compare+branch after each loop, while the former only
needs decrement+branch).
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-17 06:16:03 +01:00
Hanno Becker
eacf3b9eb4
Simplify organization of inline assembly for bignum
...
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-17 06:16:03 +01:00
Gilles Peskine
5bd0b51048
Use terse output from lsof
...
This both simplifies parsing a little, and suppresses warnings. Suppressing
warnings is both good and bad: on the one hand it resolves problems such as
https://github.com/Mbed-TLS/mbedtls/issues/5731 , on the other hand it may
hide clues as to why lsof wouldn't be working as expected.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:34:23 +02:00
Gilles Peskine
a841c2a20f
test_cmake_out_of_source: run an ssl-opt test case that exists
...
component_test_cmake_out_of_source was running the ssl-opt.sh test case
"Fallback SCSV: beginning of list", but this test case was removed in Mbed
TLS 3.0, so ssl-opt.sh was running nothing, which is not an effective test.
In 2.x, the test case was chosen because it uses an additional auxiliary
program tests/scripts/tcp_client.pl. This auxiliary program is no longer
used. So instead, run at least one test case that's sure to exist.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:31:25 +02:00
Gilles Peskine
7393ec5ccf
test_cmake_out_of_source: validate that ssl-opt passed
...
If the ssl-opt test case was skipped, the test was ineffective.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:30:24 +02:00
Gilles Peskine
09dc05b880
Merge pull request #5635 from gilles-peskine-arm/psa-test-op-fail
...
PSA: systematically test operation failure
2022-04-15 10:52:47 +02:00
Manuel Pégourié-Gonnard
63ed7cbf36
Merge pull request #5701 from hanno-arm/mpi_mul_hlp
...
Make size of output in mpi_mul_hlp() explicit
2022-04-15 10:09:06 +02:00
Glenn Strauss
8315811ea7
Remove restrictive proto ver negotiation checks
...
Overly restrictive protocol version negotiation checks might be
"version intolerant". TLS 1.3 and DTLS 1.3 move the version to
the "supported_versions" ClientHello extension.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
bbdc83b55b
Use mbedtls_ssl_protocol_version in public structs
...
Use mbedtls_ssl_protocol_version in public structs, even when doing
so results in a binary-incompatible change to the public structure
(PR feedback from @ronald-cron-arm)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
59b0d54ba0
Convert tests to use mbedtls_ssl_conf_(min|max)_tls_version()
...
Replace use of mbedtls_ssl_conf_(min/max)_version()
(PR feedback from @ronald-cron-arm)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
d09b343ffc
Deprecate mbedtls_ssl_conf_(min/max)_version()
...
Deprecate mbedtls_ssl_conf_max_version()
Replaced with mbedtls_ssl_conf_max_tls_version()
Deprecate mbedtls_ssl_conf_min_version()
Replaced with mbedtls_ssl_conf_min_tls_version()
(PR feedback from @ronald-cron-arm)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
39e624ca76
Convert tests to use MBEDTLS_SSL_VERSION_TLS1_*
...
(PR feedback from @ronald-cron-arm)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
cd78df6aa4
handshake->min_minor_ver to ->min_tls_version
...
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
041a37635b
Remove some tls_ver < MBEDTLS_SSL_VERSION_TLS1_2 checks
...
mbedtls no longer supports earlier TLS protocol versions
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
e3af4cb72a
mbedtls_ssl_(read|write)_version using tls_version
...
remove use of MBEDTLS_SSL_MINOR_VERSION_*
remove use of MBEDTLS_SSL_MAJOR_VERSION_*
(only remaining use is in tests/suites/test_suite_ssl.data)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
60bfe60d0f
mbedtls_ssl_ciphersuite_t min_tls_version,max_tls_version
...
Store the TLS version in tls_version instead of major, minor version num
Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible, as the struct is now smaller.
Reduce size of mbedtls_ssl_ciphersuite_t
members are defined using integral types instead of enums in
order to pack structure and reduce memory usage by internal
ciphersuite_definitions[]
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:12 -04:00
Glenn Strauss
2dfcea2b9d
mbedtls_ssl_config min_tls_version, max_tls_version
...
Store the TLS version in tls_version instead of major, minor version num
Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms. For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).
New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:39:43 -04:00
Glenn Strauss
da7851c825
Rename mbedtls_ssl_session minor_ver to tls_version
...
Store the TLS version instead of minor version number in tls_version.
Note: struct member size changed from unsigned char to uint16_t
Due to standard structure padding, the structure size does not change
unless alignment is 1-byte (instead of 2-byte or more)
Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is compatible on little-endian platforms,
but not compatible on big-endian platforms. The enum values for
the lower byte of MBEDTLS_SSL_VERSION_TLS1_2 and of
MBEDTLS_SSL_VERSION_TLS1_3 matches MBEDTLS_SSL_MINOR_VERSION_3 and
MBEDTLS_SSL_MINOR_VERSION_4, respectively.
Note: care has been taken to preserve serialized session format,
which uses only the lower byte of the TLS version.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:23:57 -04:00
Glenn Strauss
07c641605e
Rename mbedtls_ssl_transform minor_ver to tls_version
...
Store the TLS version in tls_version instead of minor version number.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:23:54 -04:00