XiaokangQian
eaf3651e31
Rebase and solve conflicts
...
Change handshake_msg related functions
Share the ssl_write_sig_alg_ext
Change-Id: I3d342baac302aa1d87c6f3ef75d85c7dc030070c
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-07 01:37:04 +00:00
Neil Armstrong
8ecd66884f
Keep raw PSK when set via mbedtls_ssl_conf_psk() and feed as input_bytes
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-05 14:01:49 +02:00
Neil Armstrong
80f6f32495
Make mbedtls_ssl_psk_derive_premaster() only for when MBEDTLS_USE_PSA_CRYPTO is not selected
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Neil Armstrong
044a32c4c6
Remove mbedtls_ssl_get_psk() and it's usage when MBEDTLS_USE_PSA_CRYPTO is selected
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Neil Armstrong
e952a30d47
Remove RAW PSK when MBEDTLS_USE_PSA_CRYPTO is selected
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Neil Armstrong
501c93220d
Import PSK as opaque PSA key for mbedtls_ssl_conf_psk() & mbedtls_ssl_set_hs_psk()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Manuel Pégourié-Gonnard
67397fa4fd
Merge pull request #5704 from mprse/mixed_psk_2cx
...
Mixed PSK 2a, 2b, 2c: enable client/server support opaque RSA-PSK, ECDHE-PSK, DHE-PSK
2022-04-29 10:47:16 +02:00
Przemek Stekiel
169bf0b8b0
Fix comments (#endif flags)
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-29 07:53:29 +02:00
Gilles Peskine
8855e36030
Merge pull request #5674 from superna9999/5668-abstract-tls-mode-cleanup
...
Cipher cleanup: abstract TLS mode
2022-04-28 12:33:38 +02:00
Przemek Stekiel
8a4b7fd7c3
Optimize code
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-28 10:21:03 +02:00
Przemek Stekiel
8abcee9290
Fix typos
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-28 09:16:28 +02:00
Neil Armstrong
2230e6c06d
Simplify PSA transform->ivlen set in ssl_tls12_populate_transform()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-27 10:36:14 +02:00
Gilles Peskine
301711e96e
Simplify mbedtls_ssl_get_base_mode
...
Reduce the amount of ifdef's by making the USE_PSA_CRYPTO and
non-USE_PSA_CRYPTO definitions independent.
No behavior change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-27 10:28:55 +02:00
Gilles Peskine
e108d987ea
Simplify mbedtls_ssl_get_mode
...
Reduce the imbrications between preprocessor directives and C instructions.
Handle encrypt-then-mac separately.
No behavior change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-27 10:28:55 +02:00
Przemek Stekiel
99114f3084
Fix build flags for opaque/raw psk checks
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:54:34 +02:00
Przemek Stekiel
b293aaa61b
Enable support for psa opaque DHE-PSK key exchange on the client side
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:54:33 +02:00
Przemek Stekiel
19b80f8151
Enable support for psa opaque ECDHE-PSK key exchange on the client side
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:52:28 +02:00
Przemek Stekiel
51a1f36be0
setup_psa_key_derivation(): change salt parameter to other_secret
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:52:28 +02:00
Przemek Stekiel
c2033409e3
Add support for psa rsa-psk key exchange
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:52:27 +02:00
Przemek Stekiel
ae4ed30435
Fix naming: random bytes are the seed (not salt) in derivation process
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:52:27 +02:00
Przemek Stekiel
1f02703e53
setup_psa_key_derivation(): add optional salt parameter
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:52:27 +02:00
Manuel Pégourié-Gonnard
55132c6a9a
Merge pull request #5703 from superna9999/5322-ecdh-remove-legacy-context
...
TLS ECDH 4: remove legacy context
2022-04-22 14:27:06 +02:00
Neil Armstrong
f2c82f0a3b
Introduce MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM macro to determine if Encrypt-then-MAC with CBC is used in a ciphersuite
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
ccc074e44d
Use correct condition to use encrypt_then_mac in ssl_tls.c
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
d1be7674a4
Use PSA_BLOCK_CIPHER_BLOCK_LENGTH instead of PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE in ssl_tls12_populate_transform()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
6b27c97a91
Rename mbedtls_get_mode() to mbedtls_ssl_get_mode()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
ab555e0a6c
Rename mbedtls_get_mode_from_XXX to mbedtls_ssl_get_mode_from_XXX
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
a0eeb7f470
Remove cipher_info in ssl_tls12_populate_transform() when USE_PSA_CRYPTO is defined
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
7fea33ea4d
Use mbedtls_get_mode_from_ciphersuite() in ssl_tls12_populate_transform()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
4bf4c8675f
Introduce mbedtls_get_mode_from_ciphersuite() by reusing mbedtls_get_mode_from_transform() logic
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
8a0f3e8cf0
Introduce mbedtls_ssl_mode_t & mbedtls_get_mode_from_transform()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:26 +02:00
XiaokangQian
4d3a60475c
Change default config version to development style
...
Change-Id: I9c1088f235524211e727d03b96de8d82e60bd426
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-04-21 13:46:17 +00:00
XiaokangQian
060d867598
Update parse_key_share in server side and version config
...
Change-Id: Ic91c061027d0ee4dca2055df21809cbb4388f3ef
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-04-21 09:24:56 +00:00
XiaokangQian
75d40ef8cb
Refine code base on review
...
Remove useless hrr code
Share validate_cipher_suit between client and server
Fix test failure when tls13 only in server side
Change-Id: I5d6a7932bd8448ebf542bc86cdcab8862bc28e9b
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-04-20 11:05:24 +00:00
XiaokangQian
8f9dfe41c0
Fix comments about coding styles and test cases
...
Change-Id: I70ebc05e9dd9fa084d7b0ce724a25464c3425e22
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-04-20 07:45:50 +00:00
XiaokangQian
ed582dd023
Update based on comments
...
Remove cookie support from server side
Change code to align with coding styles
Re-order functions of client_hello
Change-Id: If31509ece402f8276e6cac37f261e0b166d05e18
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-04-20 07:43:48 +00:00
XiaokangQian
c4b8c99a38
Rebase and solve conflicts and issues
...
Change-Id: I17246c5b2f8a8ec4989c8b0b83b55cad0491b78a
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-04-20 07:43:48 +00:00
Paul Elliott
a2da9c7e45
Merge pull request #5631 from gstrauss/enum-tls-vers
...
Unify internal/external TLS protocol version enums
2022-04-19 17:05:26 +01:00
Glenn Strauss
041a37635b
Remove some tls_ver < MBEDTLS_SSL_VERSION_TLS1_2 checks
...
mbedtls no longer supports earlier TLS protocol versions
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
60bfe60d0f
mbedtls_ssl_ciphersuite_t min_tls_version,max_tls_version
...
Store the TLS version in tls_version instead of major, minor version num
Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible, as the struct is now smaller.
Reduce size of mbedtls_ssl_ciphersuite_t
members are defined using integral types instead of enums in
order to pack structure and reduce memory usage by internal
ciphersuite_definitions[]
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:12 -04:00
Glenn Strauss
2dfcea2b9d
mbedtls_ssl_config min_tls_version, max_tls_version
...
Store the TLS version in tls_version instead of major, minor version num
Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms. For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).
New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:39:43 -04:00
Glenn Strauss
da7851c825
Rename mbedtls_ssl_session minor_ver to tls_version
...
Store the TLS version instead of minor version number in tls_version.
Note: struct member size changed from unsigned char to uint16_t
Due to standard structure padding, the structure size does not change
unless alignment is 1-byte (instead of 2-byte or more)
Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is compatible on little-endian platforms,
but not compatible on big-endian platforms. The enum values for
the lower byte of MBEDTLS_SSL_VERSION_TLS1_2 and of
MBEDTLS_SSL_VERSION_TLS1_3 matches MBEDTLS_SSL_MINOR_VERSION_3 and
MBEDTLS_SSL_MINOR_VERSION_4, respectively.
Note: care has been taken to preserve serialized session format,
which uses only the lower byte of the TLS version.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:23:57 -04:00
Glenn Strauss
07c641605e
Rename mbedtls_ssl_transform minor_ver to tls_version
...
Store the TLS version in tls_version instead of minor version number.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:23:54 -04:00
Glenn Strauss
dff84620a0
Unify internal/external TLS protocol version enums
...
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 13:45:20 -04:00
Neil Armstrong
f3f46416e3
Remove ecdh_ctx variable, init & free when USE_PSA_CRYPTO isn't selected
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-12 14:43:39 +02:00
Neil Armstrong
a33a255dcf
Disable non-PSA ECDHE code in mbedtls_ssl_psk_derive_premaster() when USE_PSA_CRYPTO is selected
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-12 14:40:47 +02:00
Glenn Strauss
236e17ec26
Introduce mbedtls_ssl_hs_cb_t typedef
...
Inline func for mbedtls_ssl_conf_cert_cb()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-07 14:18:30 -04:00
Manuel Pégourié-Gonnard
1b05aff3ad
Merge pull request #5624 from superna9999/5312-tls-server-ecdh
...
TLS ECDH 3b: server-side static ECDH (1.2)
2022-04-07 11:46:25 +02:00
Neil Armstrong
f716a700a1
Rename mbedtls_ssl_handshake_params variable ecdh_psa_shared_key to ecdh_psa_privkey_is_external
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-04 11:23:46 +02:00
Ronald Cron
0e980e8e84
Merge pull request #5640 from ronald-cron-arm/version-negotiation-2
...
TLS 1.2/1.3 version negotiation - 2
2022-04-01 12:29:06 +02:00
Manuel Pégourié-Gonnard
33a9d61885
Merge pull request #5638 from paul-elliott-arm/ssl_cid_accessors
...
Accessors to own CID within mbedtls_ssl_context
2022-04-01 11:36:00 +02:00
Manuel Pégourié-Gonnard
451114fe42
Merge pull request #5647 from superna9999/5179-follow-up-tls-record-hmac-no-mdinfo
...
Remove md_info in ssl_tls12_populate_transform() when USE_PSA_CRYPTO is defined
2022-04-01 10:04:56 +02:00
Paul Elliott
0113cf1022
Add accessor for own cid to ssl context
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-31 19:21:41 +01:00
Neil Armstrong
8113d25d1e
Add ecdh_psa_shared_key flag to protect PSA privkey if imported
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-31 15:24:17 +02:00
Ronald Cron
a980adf4ce
Merge pull request #5637 from ronald-cron-arm/version-negotiation-1
...
TLS 1.2/1.3 version negotiation - 1
2022-03-31 11:47:16 +02:00
Ronald Cron
1fa4f6863b
ssl_tls.c: Return in error if default config fails
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-31 09:27:35 +02:00
Ronald Cron
37bdaab64f
tls: Simplify the logic of the config version check and test it
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-31 09:26:58 +02:00
Neil Armstrong
e451295179
Remove md_info in ssl_tls12_populate_transform() when USE_PSA_CRYPTO is defined
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-30 16:41:12 +02:00
Manuel Pégourié-Gonnard
3304f253d7
Merge pull request #5653 from paul-elliott-arm/handshake_over
...
Add mbedtls_ssl_is_handshake_over()
2022-03-30 12:16:40 +02:00
Ronald Cron
f660655b84
TLS: Allow hybrid TLS 1.2/1.3 in default configurations
...
This implies that when both TLS 1.2 and TLS 1.3
are included in the build all the TLS 1.2 tests
using the default configuration now go through
a version negotiation on the client side.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Ronald Cron
e71639d39b
Simplify TLS major version default value setting
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Ronald Cron
9f0fba374c
Add logic to switch to TLS 1.2
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Ronald Cron
e1d3f06399
Allow hybrid TLS 1.3 + TLS 1.2 configuration
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Ronald Cron
fbd9f99f10
ssl_tls.c: Move some client specific functions to ssl_client.c
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Ronald Cron
27c85e743f
ssl_tls.c: Unify TLS 1.2 and TLS 1.3 SSL state logs
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Ronald Cron
8f6d39a81d
Make some handshake TLS 1.3 utility routines available for TLS 1.2
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Ronald Cron
086ee0be0e
ssl_tls.c: Reject TLS 1.3 version configuration for server
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Ronald Cron
a25cf58681
ssl_tls.c: Remove one unnecessary minor version check
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Ronald Cron
c2f13a0568
ssl_tls.c: Modify mbedtls_ssl_set_calc_verify_md()
...
Modify mbedtls_ssl_set_calc_verify_md() taking into
account that it is an TLS 1.2 only function.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Ronald Cron
4dcbca952e
ssl_tls.c: Move mbedtls_ssl_set_calc_verify_md() to TLS 1.2 section
...
In ssl_tls.c, move mbedtls_ssl_set_calc_verify_md() under the
"if defined(MBEDTLS_SSL_PROTO_TLS1_2)" pre-processor directive
as it is specific to TLS 1.2.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Ronald Cron
81591aa0f3
ssl_tls.c: Remove ssl_set_handshake_prfs unnecessary minor_ver param
...
ssl_set_handshake_prfs() is TLS 1.2 specific and only called
from TLS 1.2 only code thus no need to pass the TLS minor
version of the currebt session.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Ronald Cron
f12b81d387
ssl_tls.c: Fix PSA ECDH private key destruction
...
In TLS 1.3, a PSA ECDH private key may be created
even if MBEDTLS_SSL_USA_PSA_CRYPTO is disabled. We
must destroy this key if still referenced by an
handshake context when we free such context.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Ronald Cron
8540cf66ac
ssl_tls.c: Propose PKCS1 v1.5 signatures with SHA_384/512
...
In case of TLS 1.3 and hybrid TLS 1.2/1.3, propose
PKCS1 v1.5 signatures with SHA_384/512 not only
SHA_256. There is no point in not proposing them
if they are available.
In TLS 1.3 those could be useful for certificate
signature verification.
In hybrid TLS 1.2/1.3 this allows to propose for
TLS 1.2 the same set of signature algorithms.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Manuel Pégourié-Gonnard
39f2f73e69
Merge pull request #5630 from ronald-cron-arm/restore-full-compat-testing
...
Restore full TLS compatibility testing
2022-03-28 18:31:17 +02:00
Ronald Cron
fb39f15fa1
ssl_tls.c: Use ETM status only in CBC mode case
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-25 16:50:18 +01:00
XiaokangQian
9b93c0dd8d
Change cookie parameters for dtls and tls 1.3
...
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
Paul Elliott
27b0d94e25
Use mbedtls_ssl_is_handshake_over()
...
Switch over to using the new function both internally and in tests.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-24 14:43:52 +00:00
Manuel Pégourié-Gonnard
f4042f076b
Merge pull request #5573 from superna9999/5176-5177-5178-5179-tsl-record-hmac
...
TLS record HMAC
2022-03-21 11:36:44 +01:00
Ronald Cron
8d7afc642c
Merge pull request #5523 from ronald-cron-arm/one-flush-output-development
...
TLS 1.3: One flush output
2022-03-21 08:44:04 +01:00
Neil Armstrong
29c0c040fc
Only make PSA HMAC key exportable when NULL or CBC & not EtM in ssl_tls12_populate_transform()
...
This requires moving the HMAC init after CIPHER init.
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 11:10:09 +01:00
Ronald Cron
3f20b77517
Improve comment
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Ronald Cron
66dbf9118e
TLS 1.3: Do not send handshake data in handshake step handlers
...
Send data (call to mbedtls_ssl_flush_output()) only from
the loop over the handshake steps. That way, we do not
have to take care of the partial writings (MBEDTLS_ERR_SSL_WANT_WRITE
error code) on the network in handshake step handlers.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Neil Armstrong
6828d8fdc4
Return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if MAC algorithm isn't supported in ssl_tls.c
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-02 15:37:11 +01:00
Neil Armstrong
321116c755
Remove spurious debug in ssl_tls12_populate_transform()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-02 15:06:15 +01:00
Glenn Strauss
6989407261
Add accessor to retrieve SNI during handshake
...
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 19:55:53 -05:00
Glenn Strauss
36872dbd0b
Provide means to reset handshake cert list
...
Extend mbedtls_ssl_set_hs_own_cert() to reset handshake cert list
if cert provided is null. Previously, mbedtls_ssl_set_hs_own_cert()
only provided a way to append to the handshake certificate list,
without providing a way to replace the handshake certificate list.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 19:55:48 -05:00
Glenn Strauss
2ed95279c0
Add server certificate selection callback
...
https://github.com/ARMmbed/mbedtls/issues/5430
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 17:31:49 -05:00
Neil Armstrong
e858996413
Use PSA version of mbedtls_ct_hmac() in mbedtls_ssl_decrypt_buf()
...
Due to mbedtls_ct_hmac() implementation the decryption MAC key
must be exportable.
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:17:50 +01:00
Neil Armstrong
cf8841a076
Remove non-PSA MAC keys in mbedtls_ssl_transform when MBEDTLS_USE_PSA_CRYPTO is defined
...
Also remove last usage of non-PSA MAC keys in ssl_decrypt_non_etm_cbc() SSL test.
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:16:49 +01:00
Neil Armstrong
0760ade761
Setup & Import HMAC keys in ssl_tls12_populate_transform()
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:16:49 +01:00
Neil Armstrong
39b8e7dde4
Add, Initialize & Free HMAC keys in mbedtls_ssl_transform
...
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-23 09:24:57 +01:00
Gilles Peskine
c63a1e0e15
Fix mbedtls_ssl_get_version() for TLSv1.3
...
Test it in ssl-opt.sh.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Gilles Peskine
e1a0c25f71
New function to access the TLS version from a context as an enum
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Jerry Yu
f1b23caa4e
move wrong comments
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
18621dfd23
remove extra empty line
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
50f2f703a7
remove extra guards
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
840fbb2817
guards populate_transform reference
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
4f9e3efbeb
move session_save/load_tls12
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
d9d91da7c7
move sig_hash_*
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
ee40f9d4b3
move get_key_exchange_md_tls12
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
9bccc4c63f
move populate_transform
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
e93ffcd2c7
move tls_prf_get_type
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
392112c058
move tls12prf_from_cs
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
0b3d7c1ea1
move parse_finished
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
3c8e47bbbf
move write_finished
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
2a9fff571d
move wrapup
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
aef0015ba0
move wrapup_free_hs_transform
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
b7ba49ef74
move calc_finished_tls_sha384
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
615bd6f5b9
move calc_finished_tls_sha256
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
d952669ad8
move write_certificate
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
c2c673da59
move resend_hello_request
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
ce3dca4175
move psk_derive_premaster
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
c1cb384708
move calc_verify_tls_sha384
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
8392e0dae4
move calc_verify_tls_sha256
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
d62f87e151
move derive_keys
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
2a7b5ac791
move compute_master
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
d6ab235972
move use_opaque_psk
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
f009d86186
move set_handshake_prfs
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
dc7bd17d11
move tls_prf_sha256/384
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
ed14c93008
add static prototypes
...
prepare for moving functions
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:01 +08:00
Jerry Yu
53d23e2c95
Guards tls_prf functions with TLS1_2
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
c73c618094
Wrap function not used by test_tls13_only
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
# Conflicts:
# library/ssl_tls13_generic.c
2022-02-21 09:06:00 +08:00
Jerry Yu
bef175db96
Wrap derive_keys with TLS1_2 option
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
db8c48aaff
tls13_only:Remove unnecessary functions
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
7d2396332d
fix wrong setting of max_minor version
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
c5aef88be6
tls13_only: guard ssl_{cli,srv}.c with TLS1_2
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
c10f6b4735
tls13_only: simple test pass
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
c3091b1c8c
tls13_only: compile pass
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Manuel Pégourié-Gonnard
3d1f8b9c00
Merge pull request #5532 from ronald-cron-arm/tls13_and_use_psa_crypto
...
Make TLS 1.3 compatible with MBEDTLS_USE_PSA_CRYPTO
2022-02-16 17:33:47 +01:00
Ronald Cron
b788c044b7
Use PSA status to Mbed TLS error code conversion function
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-02-15 09:14:15 +01:00
Manuel Pégourié-Gonnard
e14b644f4d
Merge pull request #5456 from mpg/cleanup-ecdh-psa
...
Cleanup PSA-based ECDHE in TLS 1.2
2022-02-15 09:09:07 +01:00
Ronald Cron
f6893e11c7
Finalize PSA hash operations in TLS 1.3
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-02-11 16:10:34 +01:00
Manuel Pégourié-Gonnard
62b49cd06a
Merge pull request #5472 from yuhaoth/pr/move-client-auth
...
Move client_auth to handshake
2022-02-09 10:57:00 +01:00
Ronald Cron
6ca6faa67e
Merge pull request #5080 from xffbai/add-tls13-read-certificate-request
...
add tls1_3 read certificate request
2022-02-09 09:51:55 +01:00
Xiaofei Bai
c234ecf695
Update mbedtls_ssl_handshake_free() and address review comments.
...
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2022-02-08 10:26:42 +00:00
Xiaofei Bai
51f515a503
update based on comments
...
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2022-02-08 07:28:04 +00:00
Manuel Pégourié-Gonnard
422370d633
Improve a comment and fix some whitespace
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-07 11:55:21 +01:00
Przemyslaw Stekiel
6928a5164d
Compile mbedtls_ssl_cipher_to_psa() conditionally under MBEDTLS_USE_PSA_CRYPTO only
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-03 14:55:24 +01:00
Manuel Pégourié-Gonnard
0d63b84fa4
Add mbedtls_ssl_check_curve_tls_id() (internal)
...
This can be used to validate the server's choice of group in the PSA
case (this will be done in the next commit).
Note that new function doesn't depend on ECP_C, as it only requires
mbedtls_ssl_get_groups(), which is always available. As a general rule,
functions for defining and enforcing policy in the TLS module should not
depend on low-level modules but work with TLS-level identifiers are much
as possible, and this new function follows that principle.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:15 +01:00
Przemyslaw Stekiel
d66387f8fa
Init psa status to PSA_ERROR_CORRUPTION_DETECTED
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-03 09:16:41 +01:00
Przemyslaw Stekiel
f9cd60853f
ssl_tls1X_populate_transform(): import psa keys only if alg is not MBEDTLS_SSL_NULL_CIPHER
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-01 11:25:55 +01:00
Przemyslaw Stekiel
77aec8d181
Rename ssl_psa_status_to_mbedtls->psa_ssl_status_to_mbedtls
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 20:22:53 +01:00
Przemyslaw Stekiel
89dad93a78
Rename psa_status_to_mbedtls->ssl_psa_status_to_mbedtls and add conversion for PSA_ERROR_INVALID_SIGNATURE
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:39:24 +01:00
Przemyslaw Stekiel
f57b45660d
Rename tls_mbedtls_cipher_to_psa() to be consistent with function naming convention.
...
New function name: mbedtls_ssl_cipher_to_psa().
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
9b22c2b1e6
Rename: mbedtls_cipher_to_psa -> tls_mbedtls_cipher_to_psa
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
6be9cf542f
Cleanup the code
...
Use conditional compilation for psa and mbedtls code (MBEDTLS_USE_PSA_CRYPTO).
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
ce09e7d868
Use psa_status_to_mbedtls() for psa error case
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
fe7397d8a7
Fix key attributes encrypt or decrypt only (not both)
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
e87475d834
Move psa_status_to_mbedtls to ssl_misc.h
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
1fe065b235
Fix conditional compilation (MBEDTLS_USE_PSA_CRYPTO)
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-01-31 15:38:29 +01:00