Merge pull request #6194 from xkqian/tls13_add_psk_client_cases
TLS 1.3: Add PSK client cases
diff --git a/CMakeLists.txt b/CMakeLists.txt
index f2741d4..59a960a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -120,38 +120,33 @@
# Create a symbolic link from ${base_name} in the binary directory
# to the corresponding path in the source directory.
+# Note: Copies the file(s) on Windows.
function(link_to_source base_name)
- # Get OS dependent path to use in `execute_process`
- if (CMAKE_HOST_WIN32)
- #mklink is an internal command of cmd.exe it can only work with \
- string(REPLACE "/" "\\" link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
- string(REPLACE "/" "\\" target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
- else()
- set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
- set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
- endif()
+ set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
+ set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
# Linking to non-existent file is not desirable. At best you will have a
# dangling link, but when building in tree, this can create a symbolic link
# to itself.
if (EXISTS ${target} AND NOT EXISTS ${link})
if (CMAKE_HOST_UNIX)
- set(command ln -s ${target} ${link})
+ execute_process(COMMAND ln -s ${target} ${link}
+ RESULT_VARIABLE result
+ ERROR_VARIABLE output)
+
+ if (NOT ${result} EQUAL 0)
+ message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
+ endif()
else()
if (IS_DIRECTORY ${target})
- set(command cmd.exe /c mklink /j ${link} ${target})
+ file(GLOB_RECURSE files FOLLOW_SYMLINKS LIST_DIRECTORIES false RELATIVE ${target} "${target}/*")
+ foreach(file IN LISTS files)
+ configure_file("${target}/${file}" "${link}/${file}" COPYONLY)
+ endforeach(file)
else()
- set(command cmd.exe /c mklink /h ${link} ${target})
+ configure_file(${target} ${link} COPYONLY)
endif()
endif()
-
- execute_process(COMMAND ${command}
- RESULT_VARIABLE result
- ERROR_VARIABLE output)
-
- if (NOT ${result} EQUAL 0)
- message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
- endif()
endif()
endfunction(link_to_source)
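Review bot: On the Windows branch (lines 37-46) `configure_file(... COPYONLY)` only runs while `NOT EXISTS ${link}` holds (line 26), so the copy is made once and then never refreshed — later edits to, or new files under, the source directory are silently ignored until the build tree is wiped, whereas the Unix symlink stays live. Since `configure_file` only rewrites an output whose content differs, the existence guard can be restricted to the `ln -s` path and replaced by an in-tree check, letting the glob and the copies re-run on every configure (sketch below). `FOLLOW_SYMLINKS` on `file(GLOB_RECURSE)` will also recurse without end on a symlink cycle in the source tree; the junction-based code it replaces never walked the tree, so drop it unless a specific case needs it. The comment at line 10 would then read `# Note: On Windows the file(s) are copied at configure time instead of linked.` Separately, the changelog entry for this fix, `ChangeLog.d/fix_hard_link_across_drives`, lacks the `.txt` suffix the other two entries in this diff carry, which may keep it out of the assembled changelog.
```cmake
    # In-tree builds: target and link are the same path, nothing to link or copy.
    if (EXISTS ${target} AND NOT "${target}" STREQUAL "${link}")
        if (CMAKE_HOST_UNIX)
            if (NOT EXISTS ${link})
                # … unchanged: execute_process(ln -s …) and its FATAL_ERROR check …
            endif()
        else()
            # No existence guard here: configure_file only rewrites outputs whose
            # content changed, so re-running on every configure keeps copies fresh.
            # … unchanged: IS_DIRECTORY / GLOB_RECURSE / configure_file copy branch …
        endif()
    endif()
```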
diff --git a/ChangeLog.d/ecjpake_to_pms.txt b/ChangeLog.d/ecjpake_to_pms.txt
new file mode 100644
index 0000000..4dd2075
--- /dev/null
+++ b/ChangeLog.d/ecjpake_to_pms.txt
@@ -0,0 +1,5 @@
+API changes
+ * Add an ad-hoc key derivation function handling ECJPAKE to PMS
+ calculation that can be used to derive the session secret in TLS 1.2,
+ as described in draft-cragie-tls-ecjpake-01. This can be achieved by
+ using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.
diff --git a/ChangeLog.d/fix_hard_link_across_drives b/ChangeLog.d/fix_hard_link_across_drives
new file mode 100644
index 0000000..0c55c30
--- /dev/null
+++ b/ChangeLog.d/fix_hard_link_across_drives
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix a build issue on Windows where the source and build directory could not be on
+ different drives (#5751).
diff --git a/ChangeLog.d/tls13_sig_alg_selection.txt b/ChangeLog.d/tls13_sig_alg_selection.txt
new file mode 100644
index 0000000..8857750
--- /dev/null
+++ b/ChangeLog.d/tls13_sig_alg_selection.txt
@@ -0,0 +1,3 @@
+Features
+ * Add support for opaque keys as the private keys associated to certificates
+ for authentication in TLS 1.3.
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 2609787..5b27dda 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -237,6 +237,12 @@
#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */
#endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS */
+#endif /* PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
+
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR)
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1
@@ -721,6 +727,11 @@
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+#endif
+
#if defined(MBEDTLS_CHACHA20_C)
#define PSA_WANT_KEY_TYPE_CHACHA20 1
#define PSA_WANT_ALG_STREAM_CIPHER 1
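Review bot: The new block at lines 106-109 is conditioned on `MBEDTLS_PSA_BUILTIN_ALG_SHA_256`, a macro this same file derives, while the neighbouring entries of this legacy-config section key on the legacy module macros (`MBEDTLS_CHACHA20_C` at line 111). Whether that works depends on the SHA-256 entry having already been processed at this point of the file, which is not visible here; if it comes later, the ECJPAKE-to-PMS KDF is silently left undefined in legacy-config builds. Gating on `#if defined(MBEDTLS_SHA256_C)` follows the section's convention and removes the ordering dependency.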
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 8359a9f..9e8ae37 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1580,6 +1580,16 @@
#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
/**
+ * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
+ *
+ * Default number of NewSessionTicket messages to be sent by a TLS 1.3 server
+ * after handshake completion. This is not used in TLS 1.2 and relevant only if
+ * the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
+ *
+ */
+#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
+
+/**
* \def MBEDTLS_SSL_PROTO_DTLS
*
* Enable support for DTLS (all available versions).
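Review bot: The description at lines 123-125 names only `MBEDTLS_SSL_SESSION_TICKETS` as a prerequisite, but the field and setter this default presumably feeds (`new_session_tickets_count` / `mbedtls_ssl_conf_new_session_tickets()` in ssl.h, in this same diff) are additionally gated on `MBEDTLS_SSL_SRV_C` and `MBEDTLS_SSL_PROTO_TLS1_3`, and the text never says which API it is the default for. Suggest: `Default number of NewSessionTicket messages a TLS 1.3 server sends after handshake completion, i.e. the initial value of mbedtls_ssl_conf_new_session_tickets(). Not used in TLS 1.2; relevant only when MBEDTLS_SSL_SESSION_TICKETS, MBEDTLS_SSL_SRV_C and MBEDTLS_SSL_PROTO_TLS1_3 are enabled.` It would also help to state what 0 means — presumably that no tickets are sent, but the sending code is not in this diff.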
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b40b4f4..eda6bc2 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1323,9 +1323,17 @@
#if defined(MBEDTLS_SSL_RENEGOTIATION)
uint8_t MBEDTLS_PRIVATE(disable_renegotiation); /*!< disable renegotiation? */
#endif
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_CLI_C)
+ uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */
#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ uint16_t MBEDTLS_PRIVATE(new_session_tickets_count); /*!< number of NewSessionTicket */
+#endif
+
#if defined(MBEDTLS_SSL_SRV_C)
uint8_t MBEDTLS_PRIVATE(cert_req_ca_list); /*!< enable sending CA list in
Certificate Request messages? */
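Review bot: The trailing comment on the new field at line 152, `/*!< number of NewSessionTicket */`, is too terse for a public struct; suggest `/*!< number of NewSessionTicket messages a TLS 1.3 server sends after handshake completion */`. Narrowing `session_tickets` to `MBEDTLS_SSL_CLI_C` (lines 144-147) is also a compile-time change for any server-side code that still reads `conf->session_tickets` in a build without the client; none of the hunks here touch such a reader, so a build with `MBEDTLS_SSL_CLI_C` undefined is worth confirming. The `mbedtls_ssl_config` struct begins before this hunk.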
@@ -4103,7 +4111,8 @@
void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order );
#endif /* MBEDTLS_SSL_SRV_C */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_CLI_C)
/**
* \brief Enable / Disable session tickets (client only).
* (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
@@ -4115,7 +4124,34 @@
* MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
*/
void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/**
+ * \brief Number of NewSessionTicket messages for the server to send
+ * after handshake completion.
+ *
+ * \note The default value is
+ * \c MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS.
+ *
+ * \note In case of a session resumption, this setting only partially apply.
+ * At most one ticket is sent in that case to just renew the pool of
+ * tickets of the client. The rationale is to avoid the number of
+ * tickets on the server to become rapidly out of control when the
+ * server has the same configuration for all its connection instances.
+ *
+ * \param conf SSL configuration
+ * \param num_tickets Number of NewSessionTicket.
+ *
+ */
+void mbedtls_ssl_conf_new_session_tickets( mbedtls_ssl_config *conf,
+ uint16_t num_tickets );
+#endif /* MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_SRV_C &&
+ MBEDTLS_SSL_PROTO_TLS1_3*/
#if defined(MBEDTLS_SSL_RENEGOTIATION)
/**
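Review bot: The second \note at lines 185-189 has a grammar slip — `this setting only partially apply` should be `this setting only partially applies` — and the documentation says neither what `num_tickets == 0` does nor that each ticket is a separate resumption credential, both things an integrator sizing this value will ask. Suggest adding `\note Setting num_tickets to 0 means the server sends no NewSessionTicket message.` if that matches the implementation (not visible in this diff), and `\note Every ticket issued is an independent credential for resuming the session; issue only as many as clients are expected to use.` The `\param num_tickets` line could also read `Number of NewSessionTicket messages to send.`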
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index 9011a55..5ab4fde 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -89,6 +89,8 @@
#define PSA_WANT_ALG_STREAM_CIPHER 1
#define PSA_WANT_ALG_TLS12_PRF 1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+
/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
* Note: when adding support, also adjust include/mbedtls/config_psa.h */
//#define PSA_WANT_ALG_XTS 1
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 1024d6b..231ea62 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -239,6 +239,15 @@
*/
#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128
+/* The expected size of input passed to psa_tls12_ecjpake_to_pms_input,
+ * which is expected to work with P-256 curve only. */
+#define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65
+
+/* The size of a serialized K.X coordinate to be used in
+ * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256
+ * curve. */
+#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32
+
/** The maximum size of a block cipher. */
#define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16
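Review bot: Both new comments (lines 222-223 and 226-228) point users of this public header at `psa_tls12_ecjpake_to_pms_input`, which in this diff is a `static` helper inside psa_crypto.c (line 925), not an API; the public entry point is `psa_key_derivation_input_bytes()` with `PSA_KEY_DERIVATION_INPUT_SECRET` on a `PSA_ALG_TLS12_ECJPAKE_TO_PMS` operation. Suggest `/* Size of the PSA_KEY_DERIVATION_INPUT_SECRET input of a PSA_ALG_TLS12_ECJPAKE_TO_PMS derivation: an uncompressed P-256 point, 0x04 || X || Y. */` for the first and `/* Size of the K.X coordinate retained from that input (P-256 only). */` for the second. The bare `65` would be clearer as `(1 + 2 * PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE)` with the two definitions swapped so DATA_SIZE is defined first.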
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 957b4c6..afba325 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -202,6 +202,12 @@
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF ||
MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT ||
MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+typedef struct
+{
+ uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE];
+} psa_tls12_ecjpake_to_pms_t;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
@@ -267,6 +273,9 @@
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf);
#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms);
+#endif
} MBEDTLS_PRIVATE(ctx);
};
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 5e6e5e3..b465ddb 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -2021,6 +2021,20 @@
#define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \
(PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
+/* The TLS 1.2 ECJPAKE-to-PMS KDF. It takes the shared secret K (an EC point
+ * in case of EC J-PAKE) and calculates SHA256(K.X) that the rest of TLS 1.2
+ * will use to derive the session secret, as defined by step 2 of
+ * https://datatracker.ietf.org/doc/html/draft-cragie-tls-ecjpake-01#section-8.7.
+ * Uses PSA_ALG_SHA_256.
+ * This function takes a single input:
+ * #PSA_KEY_DERIVATION_INPUT_SECRET is the shared secret K from EC J-PAKE.
+ * The only supported curve is secp256r1 (the 256-bit curve in
+ * #PSA_ECC_FAMILY_SECP_R1), so the input must be exactly 65 bytes.
+ * The output has to be read as a single chunk of 32 bytes, defined as
+ * PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE.
+ */
+#define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t)0x08000609)
+
/* This flag indicates whether the key derivation algorithm is suitable for
* use on low-entropy secrets such as password - these algorithms are also
* known as key stretching or password hashing schemes. These are also the
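Review bot: The comment for `PSA_ALG_TLS12_ECJPAKE_TO_PMS` omits two constraints the implementation in this diff enforces: the input must be an uncompressed point (first byte 0x04, psa_crypto.c line 938) and the output must be requested in one call of exactly 32 bytes (line 824) — any other length is rejected with `PSA_ERROR_INVALID_ARGUMENT`, not truncated. `This function takes a single input:` should read `This algorithm takes a single input:`, since this is an algorithm identifier, and `Uses PSA_ALG_SHA_256.` could be `The hash algorithm is fixed to PSA_ALG_SHA_256.` It is written as a plain `/* */` block; if the neighbouring PSA_ALG_ macros are documented with `/** */` (not visible here), this one will be missing from the generated API reference.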
diff --git a/library/chachapoly.c b/library/chachapoly.c
index dc75b20..1f75528 100644
--- a/library/chachapoly.c
+++ b/library/chachapoly.c
@@ -39,12 +39,6 @@
#if !defined(MBEDTLS_CHACHAPOLY_ALT)
-/* Parameter validation macros */
-#define CHACHAPOLY_VALIDATE_RET( cond ) \
- MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
-#define CHACHAPOLY_VALIDATE( cond ) \
- MBEDTLS_INTERNAL_VALIDATE( cond )
-
#define CHACHAPOLY_STATE_INIT ( 0 )
#define CHACHAPOLY_STATE_AAD ( 1 )
#define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
@@ -91,8 +85,6 @@
void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
{
- CHACHAPOLY_VALIDATE( ctx != NULL );
-
mbedtls_chacha20_init( &ctx->chacha20_ctx );
mbedtls_poly1305_init( &ctx->poly1305_ctx );
ctx->aad_len = 0U;
@@ -118,8 +110,6 @@
const unsigned char key[32] )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- CHACHAPOLY_VALIDATE_RET( ctx != NULL );
- CHACHAPOLY_VALIDATE_RET( key != NULL );
ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
@@ -132,8 +122,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char poly1305_key[64];
- CHACHAPOLY_VALIDATE_RET( ctx != NULL );
- CHACHAPOLY_VALIDATE_RET( nonce != NULL );
/* Set counter = 0, will be update to 1 when generating Poly1305 key */
ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
@@ -170,9 +158,6 @@
const unsigned char *aad,
size_t aad_len )
{
- CHACHAPOLY_VALIDATE_RET( ctx != NULL );
- CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
-
if( ctx->state != CHACHAPOLY_STATE_AAD )
return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
@@ -187,9 +172,6 @@
unsigned char *output )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- CHACHAPOLY_VALIDATE_RET( ctx != NULL );
- CHACHAPOLY_VALIDATE_RET( len == 0 || input != NULL );
- CHACHAPOLY_VALIDATE_RET( len == 0 || output != NULL );
if( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) )
@@ -237,8 +219,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char len_block[16];
- CHACHAPOLY_VALIDATE_RET( ctx != NULL );
- CHACHAPOLY_VALIDATE_RET( mac != NULL );
if( ctx->state == CHACHAPOLY_STATE_INIT )
{
@@ -314,13 +294,6 @@
unsigned char *output,
unsigned char tag[16] )
{
- CHACHAPOLY_VALIDATE_RET( ctx != NULL );
- CHACHAPOLY_VALIDATE_RET( nonce != NULL );
- CHACHAPOLY_VALIDATE_RET( tag != NULL );
- CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
- CHACHAPOLY_VALIDATE_RET( length == 0 || input != NULL );
- CHACHAPOLY_VALIDATE_RET( length == 0 || output != NULL );
-
return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
length, nonce, aad, aad_len,
input, output, tag ) );
@@ -339,12 +312,6 @@
unsigned char check_tag[16];
size_t i;
int diff;
- CHACHAPOLY_VALIDATE_RET( ctx != NULL );
- CHACHAPOLY_VALIDATE_RET( nonce != NULL );
- CHACHAPOLY_VALIDATE_RET( tag != NULL );
- CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
- CHACHAPOLY_VALIDATE_RET( length == 0 || input != NULL );
- CHACHAPOLY_VALIDATE_RET( length == 0 || output != NULL );
if( ( ret = chachapoly_crypt_and_tag( ctx,
MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
diff --git a/library/check_crypto_config.h b/library/check_crypto_config.h
index c74437e..e60e666 100644
--- a/library/check_crypto_config.h
+++ b/library/check_crypto_config.h
@@ -93,4 +93,9 @@
#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
#endif
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) && \
+ !defined(PSA_WANT_ALG_SHA_256)
+#error "PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS defined, but not all prerequisites"
+#endif
+
#endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */
diff --git a/library/dhm.c b/library/dhm.c
index 1e95bda..1ba5339 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -55,11 +55,6 @@
#if !defined(MBEDTLS_DHM_ALT)
-#define DHM_VALIDATE_RET( cond ) \
- MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA )
-#define DHM_VALIDATE( cond ) \
- MBEDTLS_INTERNAL_VALIDATE( cond )
-
/*
* helper to validate the mbedtls_mpi size and import it
*/
@@ -120,7 +115,6 @@
void mbedtls_dhm_init( mbedtls_dhm_context *ctx )
{
- DHM_VALIDATE( ctx != NULL );
memset( ctx, 0, sizeof( mbedtls_dhm_context ) );
}
@@ -173,9 +167,6 @@
const unsigned char *end )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- DHM_VALIDATE_RET( ctx != NULL );
- DHM_VALIDATE_RET( p != NULL && *p != NULL );
- DHM_VALIDATE_RET( end != NULL );
if( ( ret = dhm_read_bignum( &ctx->P, p, end ) ) != 0 ||
( ret = dhm_read_bignum( &ctx->G, p, end ) ) != 0 ||
@@ -252,10 +243,6 @@
int ret;
size_t n1, n2, n3;
unsigned char *p;
- DHM_VALIDATE_RET( ctx != NULL );
- DHM_VALIDATE_RET( output != NULL );
- DHM_VALIDATE_RET( olen != NULL );
- DHM_VALIDATE_RET( f_rng != NULL );
ret = dhm_make_common( ctx, x_size, f_rng, p_rng );
if( ret != 0 )
@@ -300,9 +287,6 @@
const mbedtls_mpi *G )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- DHM_VALIDATE_RET( ctx != NULL );
- DHM_VALIDATE_RET( P != NULL );
- DHM_VALIDATE_RET( G != NULL );
if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ||
( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 )
@@ -320,8 +304,6 @@
const unsigned char *input, size_t ilen )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- DHM_VALIDATE_RET( ctx != NULL );
- DHM_VALIDATE_RET( input != NULL );
if( ilen < 1 || ilen > mbedtls_dhm_get_len( ctx ) )
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
@@ -341,9 +323,6 @@
void *p_rng )
{
int ret;
- DHM_VALIDATE_RET( ctx != NULL );
- DHM_VALIDATE_RET( output != NULL );
- DHM_VALIDATE_RET( f_rng != NULL );
if( olen < 1 || olen > mbedtls_dhm_get_len( ctx ) )
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
@@ -440,9 +419,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi GYb;
- DHM_VALIDATE_RET( ctx != NULL );
- DHM_VALIDATE_RET( output != NULL );
- DHM_VALIDATE_RET( olen != NULL );
if( f_rng == NULL )
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
@@ -518,9 +494,6 @@
mbedtls_pem_context pem;
#endif /* MBEDTLS_PEM_PARSE_C */
- DHM_VALIDATE_RET( dhm != NULL );
- DHM_VALIDATE_RET( dhmin != NULL );
-
#if defined(MBEDTLS_PEM_PARSE_C)
mbedtls_pem_init( &pem );
@@ -667,8 +640,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
unsigned char *buf;
- DHM_VALIDATE_RET( dhm != NULL );
- DHM_VALIDATE_RET( path != NULL );
if( ( ret = load_file( path, &buf, &n ) ) != 0 )
return( ret );
diff --git a/library/pk.c b/library/pk.c
index 5dd0fa8..8dc19ef 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -46,19 +46,11 @@
#include <limits.h>
#include <stdint.h>
-/* Parameter validation macros based on platform_util.h */
-#define PK_VALIDATE_RET( cond ) \
- MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
-#define PK_VALIDATE( cond ) \
- MBEDTLS_INTERNAL_VALIDATE( cond )
-
/*
* Initialise a mbedtls_pk_context
*/
void mbedtls_pk_init( mbedtls_pk_context *ctx )
{
- PK_VALIDATE( ctx != NULL );
-
ctx->pk_info = NULL;
ctx->pk_ctx = NULL;
}
@@ -83,7 +75,6 @@
*/
void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx )
{
- PK_VALIDATE( ctx != NULL );
ctx->pk_info = NULL;
ctx->rs_ctx = NULL;
}
@@ -137,7 +128,6 @@
*/
int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
{
- PK_VALIDATE_RET( ctx != NULL );
if( info == NULL || ctx->pk_info != NULL )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -200,7 +190,6 @@
mbedtls_rsa_alt_context *rsa_alt;
const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
- PK_VALIDATE_RET( ctx != NULL );
if( ctx->pk_info != NULL )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -404,10 +393,8 @@
const unsigned char *sig, size_t sig_len,
mbedtls_pk_restart_ctx *rs_ctx )
{
- PK_VALIDATE_RET( ctx != NULL );
- PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
- hash != NULL );
- PK_VALIDATE_RET( sig != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
if( ctx->pk_info == NULL ||
pk_hashlen_helper( md_alg, &hash_len ) != 0 )
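Review bot: The new guard at lines 527-528 returns with bare `return MBEDTLS_ERR_PK_BAD_INPUT_DATA;`, whereas this file parenthesises returns everywhere else in view (`return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );` at line 530); `return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );` keeps the style uniform. Note the semantics also shift: if `MBEDTLS_INTERNAL_VALIDATE_RET` was compiled out unless parameter validation was enabled, as in earlier releases, the hash check is now always active while the `sig != NULL` check that sat beside it is gone entirely, so `sig` now reaches the backends unchecked; that is presumably the intended project policy (NULL is undefined behaviour), but it should be a conscious choice. The same two points apply to the next two hunks, which follow the identical pattern; the function's body continues past this hunk.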
@@ -462,10 +449,8 @@
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len )
{
- PK_VALIDATE_RET( ctx != NULL );
- PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
- hash != NULL );
- PK_VALIDATE_RET( sig != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
if( ctx->pk_info == NULL )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -588,13 +573,10 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_pk_restart_ctx *rs_ctx )
{
- PK_VALIDATE_RET( ctx != NULL );
- PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
- hash != NULL );
- PK_VALIDATE_RET( sig != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- if( ctx->pk_info == NULL ||
- pk_hashlen_helper( md_alg, &hash_len ) != 0 )
+ if( ctx->pk_info == NULL || pk_hashlen_helper( md_alg, &hash_len ) != 0 )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@@ -707,11 +689,6 @@
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- PK_VALIDATE_RET( ctx != NULL );
- PK_VALIDATE_RET( input != NULL || ilen == 0 );
- PK_VALIDATE_RET( output != NULL || osize == 0 );
- PK_VALIDATE_RET( olen != NULL );
-
if( ctx->pk_info == NULL )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -730,11 +707,6 @@
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- PK_VALIDATE_RET( ctx != NULL );
- PK_VALIDATE_RET( input != NULL || ilen == 0 );
- PK_VALIDATE_RET( output != NULL || osize == 0 );
- PK_VALIDATE_RET( olen != NULL );
-
if( ctx->pk_info == NULL )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -753,9 +725,6 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
- PK_VALIDATE_RET( pub != NULL );
- PK_VALIDATE_RET( prv != NULL );
-
if( pub->pk_info == NULL ||
prv->pk_info == NULL )
{
@@ -800,7 +769,6 @@
*/
int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items )
{
- PK_VALIDATE_RET( ctx != NULL );
if( ctx->pk_info == NULL )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
diff --git a/library/pkparse.c b/library/pkparse.c
index 73d59a6..2a9a558 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -56,12 +56,6 @@
#define mbedtls_free free
#endif
-/* Parameter validation macros based on platform_util.h */
-#define PK_VALIDATE_RET( cond ) \
- MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
-#define PK_VALIDATE( cond ) \
- MBEDTLS_INTERNAL_VALIDATE( cond )
-
#if defined(MBEDTLS_FS_IO)
/*
* Load all data from a file into a given buffer.
@@ -75,10 +69,6 @@
FILE *f;
long size;
- PK_VALIDATE_RET( path != NULL );
- PK_VALIDATE_RET( buf != NULL );
- PK_VALIDATE_RET( n != NULL );
-
if( ( f = fopen( path, "rb" ) ) == NULL )
return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
@@ -133,9 +123,6 @@
size_t n;
unsigned char *buf;
- PK_VALIDATE_RET( ctx != NULL );
- PK_VALIDATE_RET( path != NULL );
-
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
@@ -160,9 +147,6 @@
size_t n;
unsigned char *buf;
- PK_VALIDATE_RET( ctx != NULL );
- PK_VALIDATE_RET( path != NULL );
-
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
@@ -620,11 +604,6 @@
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
const mbedtls_pk_info_t *pk_info;
- PK_VALIDATE_RET( p != NULL );
- PK_VALIDATE_RET( *p != NULL );
- PK_VALIDATE_RET( end != NULL );
- PK_VALIDATE_RET( pk != NULL );
-
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
@@ -1217,10 +1196,8 @@
mbedtls_pem_context pem;
#endif
- PK_VALIDATE_RET( pk != NULL );
if( keylen == 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
- PK_VALIDATE_RET( key != NULL );
#if defined(MBEDTLS_PEM_PARSE_C)
mbedtls_pem_init( &pem );
@@ -1436,10 +1413,8 @@
mbedtls_pem_context pem;
#endif
- PK_VALIDATE_RET( ctx != NULL );
if( keylen == 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
- PK_VALIDATE_RET( key != NULL || keylen == 0 );
#if defined(MBEDTLS_PEM_PARSE_C)
mbedtls_pem_init( &pem );
diff --git a/library/pkwrite.c b/library/pkwrite.c
index 8b99340..4d87b07 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -59,12 +59,6 @@
#define mbedtls_free free
#endif
-/* Parameter validation macros based on platform_util.h */
-#define PK_VALIDATE_RET( cond ) \
- MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
-#define PK_VALIDATE( cond ) \
- MBEDTLS_INTERNAL_VALIDATE( cond )
-
#if defined(MBEDTLS_RSA_C)
/*
* RSAPublicKey ::= SEQUENCE {
@@ -182,11 +176,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
- PK_VALIDATE_RET( p != NULL );
- PK_VALIDATE_RET( *p != NULL );
- PK_VALIDATE_RET( start != NULL );
- PK_VALIDATE_RET( key != NULL );
-
#if defined(MBEDTLS_RSA_C)
if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
MBEDTLS_ASN1_CHK_ADD( len, pk_write_rsa_pubkey( p, start, mbedtls_pk_rsa( *key ) ) );
@@ -233,10 +222,8 @@
mbedtls_pk_type_t pk_type;
const char *oid;
- PK_VALIDATE_RET( key != NULL );
if( size == 0 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
- PK_VALIDATE_RET( buf != NULL );
c = buf + size;
@@ -333,10 +320,8 @@
unsigned char *c;
size_t len = 0;
- PK_VALIDATE_RET( key != NULL );
if( size == 0 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
- PK_VALIDATE_RET( buf != NULL );
c = buf + size;
@@ -500,9 +485,6 @@
unsigned char output_buf[PUB_DER_MAX_BYTES];
size_t olen = 0;
- PK_VALIDATE_RET( key != NULL );
- PK_VALIDATE_RET( buf != NULL || size == 0 );
-
if( ( ret = mbedtls_pk_write_pubkey_der( key, output_buf,
sizeof(output_buf) ) ) < 0 )
{
@@ -526,9 +508,6 @@
const char *begin, *end;
size_t olen = 0;
- PK_VALIDATE_RET( key != NULL );
- PK_VALIDATE_RET( buf != NULL || size == 0 );
-
if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 )
return( ret );
diff --git a/library/poly1305.c b/library/poly1305.c
index 7375a0c..f0d4cb6 100644
--- a/library/poly1305.c
+++ b/library/poly1305.c
@@ -44,12 +44,6 @@
#define inline __inline
#endif
-/* Parameter validation macros */
-#define POLY1305_VALIDATE_RET( cond ) \
- MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
-#define POLY1305_VALIDATE( cond ) \
- MBEDTLS_INTERNAL_VALIDATE( cond )
-
#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
/*
@@ -258,8 +252,6 @@
void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
{
- POLY1305_VALIDATE( ctx != NULL );
-
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
}
@@ -274,9 +266,6 @@
int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
const unsigned char key[32] )
{
- POLY1305_VALIDATE_RET( ctx != NULL );
- POLY1305_VALIDATE_RET( key != NULL );
-
/* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
ctx->r[0] = MBEDTLS_GET_UINT32_LE( key, 0 ) & 0x0FFFFFFFU;
ctx->r[1] = MBEDTLS_GET_UINT32_LE( key, 4 ) & 0x0FFFFFFCU;
@@ -310,8 +299,6 @@
size_t remaining = ilen;
size_t queue_free_len;
size_t nblocks;
- POLY1305_VALIDATE_RET( ctx != NULL );
- POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
{
@@ -369,9 +356,6 @@
int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
unsigned char mac[16] )
{
- POLY1305_VALIDATE_RET( ctx != NULL );
- POLY1305_VALIDATE_RET( mac != NULL );
-
/* Process any leftover data */
if( ctx->queue_len > 0U )
{
@@ -400,9 +384,6 @@
{
mbedtls_poly1305_context ctx;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- POLY1305_VALIDATE_RET( key != NULL );
- POLY1305_VALIDATE_RET( mac != NULL );
- POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
mbedtls_poly1305_init( &ctx );
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 4a0bd83..38b49cb 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4245,7 +4245,8 @@
#if defined(BUILTIN_ALG_ANY_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
#define AT_LEAST_ONE_BUILTIN_KDF
#endif /* At least one builtin KDF */
@@ -4352,6 +4353,14 @@
else
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS )
+ {
+ mbedtls_platform_zeroize( operation->ctx.tls12_ecjpake_to_pms.data,
+ sizeof( operation->ctx.tls12_ecjpake_to_pms.data ) );
+ }
+ else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
{
status = PSA_ERROR_BAD_STATE;
}
@@ -4633,6 +4642,31 @@
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
+ psa_tls12_ecjpake_to_pms_t *ecjpake,
+ uint8_t *output,
+ size_t output_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_size = 0;
+
+ if( output_length != 32 )
+ return ( PSA_ERROR_INVALID_ARGUMENT );
+
+ status = psa_hash_compute( PSA_ALG_SHA_256, ecjpake->data,
+ PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length,
+ &output_size );
+ if( status != PSA_SUCCESS )
+ return ( status );
+
+ if( output_size != output_length )
+ return ( PSA_ERROR_GENERIC_ERROR );
+
+ return ( PSA_SUCCESS );
+}
+#endif
+
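Review bot: `if( output_length != 32 )` at line 824 hard-codes the size that the same function spells `PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE` four lines later; `if( output_length != PSA_HASH_LENGTH( PSA_ALG_SHA_256 ) )` ties it to the hash actually used. More importantly, `psa_tls12_ecjpake_to_pms_t` (crypto_struct.h, lines 242-245, in this diff) records nothing about whether the SECRET step was ever supplied, so unless the generic code in `psa_key_derivation_output_bytes` (outside this hunk) rejects it, reading from a freshly set-up operation hashes whatever the buffer holds (zeros after the abort path at line 804) and returns PSA_SUCCESS instead of `PSA_ERROR_BAD_STATE`; a one-byte `secret_set` flag in the struct, set by the input routine and checked here, closes that. The `return ( ... );` spacing also differs from the `return( ... );` form used elsewhere in this file (line 858).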
psa_status_t psa_key_derivation_output_bytes(
psa_key_derivation_operation_t *operation,
uint8_t *output,
@@ -4687,6 +4721,15 @@
else
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS )
+ {
+ status = psa_key_derivation_tls12_ecjpake_to_pms_read(
+ &operation->ctx.tls12_ecjpake_to_pms, output, output_length );
+ }
+ else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+
{
(void) kdf_alg;
return( PSA_ERROR_BAD_STATE );
@@ -5079,6 +5122,10 @@
if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
return( 1 );
#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS )
+ return( 1 );
+#endif
return( 0 );
}
@@ -5102,19 +5149,26 @@
if( ! is_kdf_alg_supported( kdf_alg ) )
return( PSA_ERROR_NOT_SUPPORTED );
- /* All currently supported key derivation algorithms are based on a
- * hash algorithm. */
+ /* All currently supported key derivation algorithms (apart from
+ * ecjpake to pms) are based on a hash algorithm. */
psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
size_t hash_size = PSA_HASH_LENGTH( hash_alg );
- if( hash_size == 0 )
- return( PSA_ERROR_NOT_SUPPORTED );
+ if( kdf_alg != PSA_ALG_TLS12_ECJPAKE_TO_PMS )
+ {
+ if( hash_size == 0 )
+ return( PSA_ERROR_NOT_SUPPORTED );
- /* Make sure that hash_alg is a supported hash algorithm. Otherwise
- * we might fail later, which is somewhat unfriendly and potentially
- * risk-prone. */
- psa_status_t status = psa_hash_try_support( hash_alg );
- if( status != PSA_SUCCESS )
- return( status );
+ /* Make sure that hash_alg is a supported hash algorithm. Otherwise
+ * we might fail later, which is somewhat unfriendly and potentially
+ * risk-prone. */
+ psa_status_t status = psa_hash_try_support( hash_alg );
+ if( status != PSA_SUCCESS )
+ return( status );
+ }
+ else
+ {
+ hash_size = PSA_HASH_LENGTH( PSA_ALG_SHA_256 );
+ }
if( ( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) &&
@@ -5122,11 +5176,14 @@
{
return( PSA_ERROR_NOT_SUPPORTED );
}
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
- if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) )
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) ||
+ ( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) )
operation->capacity = hash_size;
else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT ||
+ MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
operation->capacity = 255 * hash_size;
return( PSA_SUCCESS );
}
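Review bot: The new else branch at lines 897-900 fixes `hash_size` for SHA-256 but skips the `psa_hash_try_support()` check the other branch retains at lines 893-895 — for exactly the reason its comment gives, failing at output time instead of at setup. The compile-time guard added in `check_crypto_config.h` proves `PSA_WANT_ALG_SHA_256`, not that the hash is usable at runtime when it comes from a driver, so add `psa_status_t status = psa_hash_try_support( PSA_ALG_SHA_256 ); if( status != PSA_SUCCESS ) return( status );` before setting `hash_size`. Line 876 now also computes `hash_alg` for an algorithm it does not apply to, which is harmless but worth a word in the comment at 874-875. The enclosing function begins before this hunk.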
@@ -5515,6 +5572,29 @@
}
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+static psa_status_t psa_tls12_ecjpake_to_pms_input(
+ psa_tls12_ecjpake_to_pms_t *ecjpake,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length )
+{
+ if( data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE ||
+ step != PSA_KEY_DERIVATION_INPUT_SECRET )
+ {
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ /* Check if the passed point is in an uncompressed form */
+ if( data[0] != 0x04 )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
+ /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */
+ memcpy( ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE );
+
+ return( PSA_SUCCESS );
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
/** Check whether the given key type is acceptable for the given
* input step of a key derivation.
*
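Review bot: A repeated `PSA_KEY_DERIVATION_INPUT_SECRET` on the same operation silently overwrites `ecjpake->data` via the `memcpy` at line 942 instead of failing with `PSA_ERROR_BAD_STATE`, which is what the PSA key-derivation contract specifies for an input step given out of sequence. A flag in `psa_tls12_ecjpake_to_pms_t` makes this explicit: `if( ecjpake->secret_set ) return( PSA_ERROR_BAD_STATE );` before the copy and `ecjpake->secret_set = 1;` after it. The comment at line 937 could also state that the point is deliberately not checked for being on the curve because only K.X is hashed, if that is the intent. The check order (length and step before reading `data[0]`) is right.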
@@ -5593,6 +5673,14 @@
}
else
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS )
+ {
+ status = psa_tls12_ecjpake_to_pms_input(
+ &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length );
+ }
+ else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
{
/* This can't happen unless the operation object was not initialized */
(void) data;
diff --git a/library/rsa.c b/library/rsa.c
index e597555..4df240a 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -74,19 +74,12 @@
#if !defined(MBEDTLS_RSA_ALT)
-/* Parameter validation macros */
-#define RSA_VALIDATE_RET( cond ) \
- MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
-#define RSA_VALIDATE( cond ) \
- MBEDTLS_INTERNAL_VALIDATE( cond )
-
int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
const mbedtls_mpi *N,
const mbedtls_mpi *P, const mbedtls_mpi *Q,
const mbedtls_mpi *D, const mbedtls_mpi *E )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- RSA_VALIDATE_RET( ctx != NULL );
if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
@@ -111,7 +104,6 @@
unsigned char const *E, size_t E_len )
{
int ret = 0;
- RSA_VALIDATE_RET( ctx != NULL );
if( N != NULL )
{
@@ -241,8 +233,6 @@
#endif
int n_missing, pq_missing, d_missing, is_pub, is_priv;
- RSA_VALIDATE_RET( ctx != NULL );
-
have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
@@ -345,7 +335,6 @@
{
int ret = 0;
int is_priv;
- RSA_VALIDATE_RET( ctx != NULL );
/* Check if key is private or public */
is_priv =
@@ -390,7 +379,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int is_priv;
- RSA_VALIDATE_RET( ctx != NULL );
/* Check if key is private or public */
is_priv =
@@ -434,7 +422,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int is_priv;
- RSA_VALIDATE_RET( ctx != NULL );
/* Check if key is private or public */
is_priv =
@@ -471,8 +458,6 @@
*/
void mbedtls_rsa_init( mbedtls_rsa_context *ctx )
{
- RSA_VALIDATE( ctx != NULL );
-
memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
ctx->padding = MBEDTLS_RSA_PKCS_V15;
@@ -549,8 +534,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi H, G, L;
int prime_quality = 0;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( f_rng != NULL );
/*
* If the modulus is 1024 bit long or shorter, then the security strength of
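Review bot: Dropping `RSA_VALIDATE_RET( f_rng != NULL )` at L1035 leaves mbedtls_rsa_gen_key with no runtime guard on f_rng in this hunk, whereas the private-key paths in the later hunks keep an explicit `if( f_rng == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );` (L1081, L1091). Unless an equivalent check exists further down the function body, which is outside the hunk, a NULL f_rng would now reach prime generation instead of being rejected; adding the same two-line check here keeps the contract the macro used to enforce. The rest of mbedtls_rsa_gen_key lies outside the hunk.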
@@ -663,8 +646,6 @@
*/
int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
{
- RSA_VALIDATE_RET( ctx != NULL );
-
if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
@@ -688,8 +669,6 @@
*/
int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
{
- RSA_VALIDATE_RET( ctx != NULL );
-
if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
{
@@ -719,9 +698,6 @@
int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
const mbedtls_rsa_context *prv )
{
- RSA_VALIDATE_RET( pub != NULL );
- RSA_VALIDATE_RET( prv != NULL );
-
if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
mbedtls_rsa_check_privkey( prv ) != 0 )
{
@@ -747,9 +723,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen;
mbedtls_mpi T;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( input != NULL );
- RSA_VALIDATE_RET( output != NULL );
if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -917,10 +890,6 @@
* checked result; should be the same in the end. */
mbedtls_mpi I, C;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( input != NULL );
- RSA_VALIDATE_RET( output != NULL );
-
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -1308,11 +1277,6 @@
unsigned char *p = output;
unsigned int hlen;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( output != NULL );
- RSA_VALIDATE_RET( ilen == 0 || input != NULL );
- RSA_VALIDATE_RET( label_len == 0 || label != NULL );
-
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -1374,10 +1338,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = output;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( output != NULL );
- RSA_VALIDATE_RET( ilen == 0 || input != NULL );
-
olen = ctx->len;
/* first comparison checks for overflow */
@@ -1426,10 +1386,6 @@
const unsigned char *input,
unsigned char *output )
{
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( output != NULL );
- RSA_VALIDATE_RET( ilen == 0 || input != NULL );
-
switch( ctx->padding )
{
#if defined(MBEDTLS_PKCS1_V15)
@@ -1469,12 +1425,6 @@
unsigned char lhash[MBEDTLS_HASH_MAX_SIZE];
unsigned int hlen;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
- RSA_VALIDATE_RET( label_len == 0 || label != NULL );
- RSA_VALIDATE_RET( input != NULL );
- RSA_VALIDATE_RET( olen != NULL );
-
/*
* Parameters sanity checks
*/
@@ -1595,11 +1545,6 @@
size_t ilen;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
- RSA_VALIDATE_RET( input != NULL );
- RSA_VALIDATE_RET( olen != NULL );
-
ilen = ctx->len;
if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
@@ -1634,11 +1579,6 @@
unsigned char *output,
size_t output_max_len)
{
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
- RSA_VALIDATE_RET( input != NULL );
- RSA_VALIDATE_RET( olen != NULL );
-
switch( ctx->padding )
{
#if defined(MBEDTLS_PKCS1_V15)
@@ -1676,11 +1616,8 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t msb;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
- hashlen == 0 ) ||
- hash != NULL );
- RSA_VALIDATE_RET( sig != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
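Review bot: The new early return on L1156 is written as `return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;` while the line immediately below, and the rest of this file, use the parenthesised form `return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );`. The same inconsistency is repeated in the hunks at L1159, L1171, L1184, L1195, L1208, L1219 and L1232. Since the identical hash/hashlen check is now duplicated seven times, a small static helper returning the error code for an inconsistent (md_alg, hashlen, hash) triple would also keep the condition in one place.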
@@ -1952,11 +1889,8 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *sig_try = NULL, *verif = NULL;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
- hashlen == 0 ) ||
- hash != NULL );
- RSA_VALIDATE_RET( sig != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -2020,11 +1954,8 @@
const unsigned char *hash,
unsigned char *sig )
{
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
- hashlen == 0 ) ||
- hash != NULL );
- RSA_VALIDATE_RET( sig != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
switch( ctx->padding )
{
@@ -2066,11 +1997,8 @@
size_t observed_salt_len, msb;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = {0};
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( sig != NULL );
- RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
- hashlen == 0 ) ||
- hash != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
siglen = ctx->len;
@@ -2165,11 +2093,8 @@
const unsigned char *sig )
{
mbedtls_md_type_t mgf1_hash_id;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( sig != NULL );
- RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
- hashlen == 0 ) ||
- hash != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
? (mbedtls_md_type_t) ctx->hash_id
@@ -2198,11 +2123,8 @@
size_t sig_len;
unsigned char *encoded = NULL, *encoded_expected = NULL;
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( sig != NULL );
- RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
- hashlen == 0 ) ||
- hash != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
sig_len = ctx->len;
@@ -2267,11 +2189,8 @@
const unsigned char *hash,
const unsigned char *sig )
{
- RSA_VALIDATE_RET( ctx != NULL );
- RSA_VALIDATE_RET( sig != NULL );
- RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
- hashlen == 0 ) ||
- hash != NULL );
+ if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
switch( ctx->padding )
{
@@ -2298,8 +2217,6 @@
int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- RSA_VALIDATE_RET( dst != NULL );
- RSA_VALIDATE_RET( src != NULL );
dst->len = src->len;
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 2e35e6c..afacb76 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -624,6 +624,9 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
#endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ uint16_t new_session_tickets_count; /*!< number of session tickets */
+#endif
#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
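Review bot: The field comment `/*!< number of session tickets */` on L1248 does not say what the number counts; from the later hunks the field is seeded from the configured count and decremented as each NewSessionTicket is written, so it appears to be a remaining count rather than a total. A comment such as `/*!< Number of NewSessionTicket messages still to be sent in this handshake */` would match that use, if the intent is confirmed.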
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 12e1c1b..f0615ea 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -763,6 +763,13 @@
mbedtls_ssl_transform_init( ssl->transform_negotiate );
ssl_handshake_params_init( ssl->handshake );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS)
+ ssl->handshake->new_session_tickets_count =
+ ssl->conf->new_session_tickets_count ;
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
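Review bot: L1263 has a stray space before the semicolon, `ssl->conf->new_session_tickets_count ;`, which should be `ssl->conf->new_session_tickets_count;`. Since the value is copied into the handshake structure at handshake setup, a call to mbedtls_ssl_conf_new_session_tickets() made afterwards presumably affects only later handshakes; a one-line comment stating that above the copy would save a reader from assuming the configuration is consulted live.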
@@ -2611,6 +2618,15 @@
#endif
#if defined(MBEDTLS_SSL_SRV_C)
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+void mbedtls_ssl_conf_new_session_tickets( mbedtls_ssl_config *conf,
+ uint16_t num_tickets )
+{
+ conf->new_session_tickets_count = num_tickets;
+}
+#endif
+
void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
mbedtls_ssl_ticket_write_t *f_ticket_write,
mbedtls_ssl_ticket_parse_t *f_ticket_parse,
@@ -4644,6 +4660,10 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_conf_new_session_tickets(
+ conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS );
+#endif
/*
* Allow all TLS 1.3 key exchange modes by default.
*/
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index f74cb40..abb7a14 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -906,12 +906,8 @@
case MBEDTLS_SSL_SIG_RSA:
switch( sig_alg )
{
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
- return( key_size <= 3072 );
-
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
- return( key_size <= 7680 );
-
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
return( 1 );
@@ -928,42 +924,12 @@
}
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_select_sig_alg_for_certificate_verify(
- mbedtls_ssl_context *ssl,
- mbedtls_pk_context *own_key,
- uint16_t *algorithm )
-{
- uint16_t *sig_alg = ssl->handshake->received_sig_algs;
-
- *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
- for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
- {
- if( mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) &&
- mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) &&
- mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "select_sig_alg_for_certificate_verify:"
- "selected signature algorithm %s [%04x]",
- mbedtls_ssl_sig_alg_to_str( *sig_alg ),
- *sig_alg ) );
- *algorithm = *sig_alg;
- return( 0 );
- }
- }
- MBEDTLS_SSL_DEBUG_MSG( 2,
- ( "select_sig_alg_for_certificate_verify:"
- "no suitable signature algorithm found" ) );
- return( -1 );
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *out_len )
{
- int ret;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = buf;
mbedtls_pk_context *own_key;
@@ -971,14 +937,9 @@
size_t handshake_hash_len;
unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
size_t verify_buffer_len;
- mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
- mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
- psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
- uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
+
+ uint16_t *sig_alg = ssl->handshake->received_sig_algs;
size_t signature_len = 0;
- unsigned char verify_hash[PSA_HASH_MAX_SIZE];
- size_t verify_hash_len;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
*out_len = 0;
@@ -1011,64 +972,84 @@
* opaque signature<0..2^16-1>;
* } CertificateVerify;
*/
- ret = ssl_tls13_select_sig_alg_for_certificate_verify( ssl, own_key,
- &algorithm );
- if( ret != 0 )
+ /* Check there is space for the algorithm identifier (2 bytes) and the
+ * signature length (2 bytes).
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
{
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "signature algorithm not in received or offered list." ) );
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
+ mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+ psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
+ unsigned char verify_hash[PSA_HASH_MAX_SIZE];
+ size_t verify_hash_len;
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
- mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
+ if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
+ continue;
+ if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
+ continue;
+
+ if( !mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
+ continue;
+
+ if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
+ *sig_alg, &pk_type, &md_alg ) != 0 )
+ {
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ /* Hash verify buffer with indicated hash function */
+ psa_algorithm = mbedtls_hash_info_psa_from_md( md_alg );
+ status = psa_hash_compute( psa_algorithm,
+ verify_buffer,
+ verify_buffer_len,
+ verify_hash, sizeof( verify_hash ),
+ &verify_hash_len );
+ if( status != PSA_SUCCESS )
+ return( psa_ssl_status_to_mbedtls( status ) );
+
+ MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
+
+ if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
+ md_alg, verify_hash, verify_hash_len,
+ p + 4, (size_t)( end - ( p + 4 ) ), &signature_len,
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature failed with %s",
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
+ MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_pk_sign_ext", ret );
+
+ /* The signature failed. This is possible if the private key
+ * was not suitable for the signature operation as purposely we
+ * did not check its suitability completely. Let's try with
+ * another signature algorithm.
+ */
+ continue;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature with %s",
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
+
+ break;
+ }
+
+ if( *sig_alg == MBEDTLS_TLS1_3_SIG_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "no suitable signature algorithm" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s",
- mbedtls_ssl_sig_alg_to_str( algorithm )) );
+ MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
+ MBEDTLS_PUT_UINT16_BE( signature_len, p, 2 );
- if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
- algorithm, &pk_type, &md_alg ) != 0 )
- {
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
+ *out_len = 4 + signature_len;
- /* Check there is space for the algorithm identifier (2 bytes) and the
- * signature length (2 bytes).
- */
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
- MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
- p += 2;
-
- /* Hash verify buffer with indicated hash function */
- psa_algorithm = mbedtls_hash_info_psa_from_md( md_alg );
- status = psa_hash_compute( psa_algorithm,
- verify_buffer,
- verify_buffer_len,
- verify_hash,sizeof( verify_hash ),
- &verify_hash_len );
- if( status != PSA_SUCCESS )
- return( psa_ssl_status_to_mbedtls( status ) );
-
- MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
-
- if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
- md_alg, verify_hash, verify_hash_len,
- p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
- ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
- return( ret );
- }
-
- MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
- p += 2 + signature_len;
-
- *out_len = (size_t)( p - buf );
-
- return( ret );
+ return( 0 );
}
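Review bot: Any non-zero return from mbedtls_pk_sign_ext on L1419–L1434 now results in `continue`, so failures unrelated to key suitability — an RNG error or an output buffer that is too small — are treated the same as "wrong key for this scheme" and surface only as a generic HANDSHAKE_FAILURE alert, with the real cause logged at debug level 2. Consider narrowing the retry to the error codes that mean the key cannot perform this algorithm (which codes apply is not visible here), or at least keeping the last ret in a local and reporting it with `MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign_ext", ret );` next to the message on L1444 so the failure is diagnosable at the default level. The enclosing function ssl_tls13_write_certificate_verify_body starts in the previous hunk (L1345).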
int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 94a07c8..6591ecb 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1111,6 +1111,36 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg )
+{
+ switch( sig_alg )
+ {
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
+ return( PSA_ALG_ECDSA( PSA_ALG_SHA_256 ) );
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
+ return( PSA_ALG_ECDSA( PSA_ALG_SHA_384 ) );
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
+ return( PSA_ALG_ECDSA( PSA_ALG_SHA_512 ) );
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ) );
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 ) );
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 ) );
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+ return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 ) );
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+ return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_384 ) );
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+ return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_512 ) );
+ default:
+ return( PSA_ALG_NONE );
+ }
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
/*
* Pick best ( private key, certificate chain ) pair based on the signature
* algorithms supported by the client.
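Review bot: ssl_tls13_iana_sig_alg_to_psa_alg has no header comment, and its `default: return( PSA_ALG_NONE );` on L1527–L1528 is what makes the caller on L1566 skip a key for any scheme not listed in the switch. A comment such as `/* Map a TLS 1.3 SignatureScheme to the PSA signature algorithm used to query whether a key can sign with it; schemes not listed here yield PSA_ALG_NONE and the candidate key is then skipped. */` would document that contract and make the omission of other schemes visibly intentional. It may also be worth noting whether this mapping duplicates mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg plus mbedtls_hash_info_psa_from_md used in ssl_tls13_generic.c, so the two tables cannot drift apart.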
@@ -1136,9 +1166,19 @@
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
{
+ if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
+ continue;
+
+ if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
+ continue;
+
for( key_cert = key_cert_list; key_cert != NULL;
key_cert = key_cert->next )
{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm_t psa_alg = PSA_ALG_NONE;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
key_cert->cert );
@@ -1162,8 +1202,18 @@
"check signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg( *sig_alg );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
- *sig_alg, &key_cert->cert->pk ) )
+ *sig_alg, &key_cert->cert->pk )
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ && psa_alg != PSA_ALG_NONE &&
+ mbedtls_pk_can_do_ext( &key_cert->cert->pk, psa_alg,
+ PSA_KEY_USAGE_SIGN_HASH ) == 1
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ )
{
ssl->handshake->key_cert = key_cert;
MBEDTLS_SSL_DEBUG_MSG( 3,
@@ -2619,7 +2669,21 @@
/* Check whether the use of session tickets is enabled */
if( ssl->conf->f_ticket_write == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "new session ticket is not enabled" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled,"
+ " callback is not set" ) );
+ return( SSL_NEW_SESSION_TICKET_SKIP );
+ }
+ if( ssl->conf->new_session_tickets_count == 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled,"
+ " configured count is zero" ) );
+ return( SSL_NEW_SESSION_TICKET_SKIP );
+ }
+
+ if( ssl->handshake->new_session_tickets_count == 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: all tickets have "
+ "been sent." ) );
return( SSL_NEW_SESSION_TICKET_SKIP );
}
@@ -2852,6 +2916,15 @@
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len ) );
+ /* Limit session tickets count to one when resumption connection.
+ *
+ * See document of mbedtls_ssl_conf_new_session_tickets.
+ */
+ if( ssl->handshake->resume == 1 )
+ ssl->handshake->new_session_tickets_count = 0;
+ else
+ ssl->handshake->new_session_tickets_count--;
+
mbedtls_ssl_handshake_set_state( ssl,
MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
}
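Review bot: The comment on L1599–L1602 is hard to parse ("Limit session tickets count to one when resumption connection"), and it is the only explanation of why the count is zeroed rather than decremented. Something like `/* On a resumed session send at most one NewSessionTicket, so stop after this one; see mbedtls_ssl_conf_new_session_tickets(). */` states the rule the code implements. The decrement on L1606 is safe only because the zero check in the earlier hunk (L1590) returns before a ticket is written; a short note here pointing at that guard would keep the two in sync.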
@@ -3002,7 +3075,11 @@
* as part of ssl_prepare_handshake_step.
*/
ret = 0;
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+
+ if( ssl->handshake->new_session_tickets_count == 0 )
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+ else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
break;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 6beaa12..6377162 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -346,10 +346,11 @@
#define USAGE_KEY_OPAQUE_ALGS \
" key_opaque_algs=%%s Allowed opaque key algorithms.\n" \
- " comma-separated pair of values among the following:\n" \
- " rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \
- " ecdsa-sign, ecdh, none (only acceptable for\n" \
- " the second value).\n" \
+ " comma-separated pair of values among the following:\n" \
+ " rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
+ " rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
+ " ecdsa-sign, ecdh, none (only acceptable for\n" \
+ " the second value).\n" \
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#define USAGE_TLS1_3_KEY_EXCHANGE_MODES \
@@ -1139,7 +1140,7 @@
else if( strcmp( p, "tickets" ) == 0 )
{
opt.tickets = atoi( q );
- if( opt.tickets < 0 || opt.tickets > 2 )
+ if( opt.tickets < 0 )
goto usage;
}
else if( strcmp( p, "alpn" ) == 0 )
@@ -1821,7 +1822,8 @@
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_printf( " ok (key type: %s)\n",
- strlen( opt.key_file ) ? mbedtls_pk_get_name( &pkey ) : "none" );
+ strlen( opt.key_file ) || strlen( opt.key_opaque_alg1 ) ?
+ mbedtls_pk_get_name( &pkey ) : "none" );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
@@ -2668,6 +2670,9 @@
*/
if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM )
{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+ int ticket_id = 0;
+#endif
do
{
len = sizeof( buf ) - 1;
@@ -2715,7 +2720,8 @@
case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
/* We were waiting for application data but got
* a NewSessionTicket instead. */
- mbedtls_printf( " got new session ticket.\n" );
+ mbedtls_printf( " got new session ticket ( %d ).\n",
+ ticket_id++ );
if( opt.reconnect != 0 )
{
mbedtls_printf(" . Saving session for reuse..." );
@@ -2749,7 +2755,6 @@
(unsigned) session_data_len );
}
}
-
continue;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 3113d1b..7526bc6 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -458,15 +458,17 @@
#endif
#define USAGE_KEY_OPAQUE_ALGS \
- " key_opaque_algs=%%s Allowed opaque key 1 algorithms.\n" \
- " comma-separated pair of values among the following:\n" \
- " rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \
- " ecdsa-sign, ecdh, none (only acceptable for\n" \
- " the second value).\n" \
- " key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n" \
- " comma-separated pair of values among the following:\n" \
- " rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \
- " ecdsa-sign, ecdh, none (only acceptable for\n" \
+ " key_opaque_algs=%%s Allowed opaque key 1 algorithms.\n" \
+ " comma-separated pair of values among the following:\n" \
+ " rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
+ " rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
+ " ecdsa-sign, ecdh, none (only acceptable for\n" \
+ " the second value).\n" \
+ " key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n" \
+ " comma-separated pair of values among the following:\n" \
+ " rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
+ " rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
+ " ecdsa-sign, ecdh, none (only acceptable for\n" \
" the second value).\n"
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#define USAGE_TLS1_3_KEY_EXCHANGE_MODES \
@@ -1997,7 +1999,7 @@
else if( strcmp( p, "tickets" ) == 0 )
{
opt.tickets = atoi( q );
- if( opt.tickets < 0 || opt.tickets > 1 )
+ if( opt.tickets < 0 )
goto usage;
}
else if( strcmp( p, "ticket_rotate" ) == 0 )
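Review bot: Relaxing the check on L1720 to `if( opt.tickets < 0 )` removes the upper bound, but opt.tickets is later passed to mbedtls_ssl_conf_new_session_tickets() (L1738) whose parameter is uint16_t (L1275), so a value above 65535 wraps silently instead of being rejected. Bounding it to the parameter's range, `if( opt.tickets < 0 || opt.tickets > UINT16_MAX )`, keeps the usage error explicit.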
@@ -2915,7 +2917,7 @@
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if( opt.tickets == MBEDTLS_SSL_SESSION_TICKETS_ENABLED )
+ if( opt.tickets != MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
{
if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
rng_get, &rng,
@@ -2930,7 +2932,9 @@
mbedtls_ssl_ticket_write,
mbedtls_ssl_ticket_parse,
&ticket_ctx );
-
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_conf_new_session_tickets( &conf, opt.tickets );
+#endif
/* exercise manual ticket rotation (not required for typical use)
* (used for external synchronization of session ticket encryption keys)
*/
diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c
index a7f3d0e..cf810a3 100644
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -205,6 +205,9 @@
if( strcmp( *alg1, "rsa-sign-pkcs1" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss" ) != 0 &&
+ strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
+ strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
+ strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
strcmp( *alg1, "rsa-decrypt" ) != 0 &&
strcmp( *alg1, "ecdsa-sign" ) != 0 &&
strcmp( *alg1, "ecdh" ) != 0 )
@@ -212,6 +215,9 @@
if( strcmp( *alg2, "rsa-sign-pkcs1" ) != 0 &&
strcmp( *alg2, "rsa-sign-pss" ) != 0 &&
+ strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
+ strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
+ strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
strcmp( *alg2, "rsa-decrypt" ) != 0 &&
strcmp( *alg2, "ecdsa-sign" ) != 0 &&
strcmp( *alg2, "ecdh" ) != 0 &&
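Review bot: The three added comparisons on L1759–L1761 test `*alg1` inside the `*alg2` validation block, so a second algorithm of `rsa-sign-pss-sha256/384/512` is rejected unless the first one happens to be the same string, and conversely an invalid second algorithm is accepted whenever the first is one of those three. They should read `strcmp( *alg2, "rsa-sign-pss-sha256" ) != 0 &&`, `strcmp( *alg2, "rsa-sign-pss-sha384" ) != 0 &&` and `strcmp( *alg2, "rsa-sign-pss-sha512" ) != 0 &&`, matching the corresponding lines in the alg1 block (L1750–L1752).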
@@ -245,6 +251,21 @@
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH );
*usage |= PSA_KEY_USAGE_SIGN_HASH;
}
+ else if( strcmp( algs[i], "rsa-sign-pss-sha256" ) == 0 )
+ {
+ *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 );
+ *usage |= PSA_KEY_USAGE_SIGN_HASH;
+ }
+ else if( strcmp( algs[i], "rsa-sign-pss-sha384" ) == 0 )
+ {
+ *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 );
+ *usage |= PSA_KEY_USAGE_SIGN_HASH;
+ }
+ else if( strcmp( algs[i], "rsa-sign-pss-sha512" ) == 0 )
+ {
+ *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 );
+ *usage |= PSA_KEY_USAGE_SIGN_HASH;
+ }
else if( strcmp( algs[i], "rsa-decrypt" ) == 0 )
{
*psa_algs[i] = PSA_ALG_RSA_PKCS1V15_CRYPT;
diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py
index 592fc0a..f52ca9a 100644
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@@ -357,6 +357,7 @@
'HKDF': AlgorithmCategory.KEY_DERIVATION,
'TLS12_PRF': AlgorithmCategory.KEY_DERIVATION,
'TLS12_PSK_TO_MS': AlgorithmCategory.KEY_DERIVATION,
+ 'TLS12_ECJPAKE_TO_PMS': AlgorithmCategory.KEY_DERIVATION,
'PBKDF': AlgorithmCategory.KEY_DERIVATION,
'ECDH': AlgorithmCategory.KEY_AGREEMENT,
'FFDH': AlgorithmCategory.KEY_AGREEMENT,
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 961577c..a1b47f4 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -120,6 +120,9 @@
# Treat uninitialised variables as errors.
set -e -o pipefail -u
+# Enable ksh/bash extended file matching patterns
+shopt -s extglob
+
pre_check_environment () {
if [ -d library -a -d include -a -d tests ]; then :; else
echo "Must be run from mbed TLS root" >&2
@@ -295,7 +298,7 @@
-iname CMakeCache.txt -o \
-path './cmake/*.cmake' \) -exec rm -f {} \+
# Recover files overwritten by in-tree CMake builds
- rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile
+ rm -f include/Makefile include/mbedtls/Makefile programs/!(fuzz)/Makefile
# Remove any artifacts from the component_test_cmake_as_subdirectory test.
rm -rf programs/test/cmake_subproject/build
@@ -314,7 +317,9 @@
# Restore files that may have been clobbered by the job
for x in $files_to_back_up; do
- cp -p "$x$backup_suffix" "$x"
+ if [[ -e "$x$backup_suffix" ]]; then
+ cp -p "$x$backup_suffix" "$x"
+ fi
done
}
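Review bot: The new `[[ -e "$x$backup_suffix" ]]` guard on L1824 changes a missing backup from a hard failure under `set -e` into a silent skip, and nothing in the hunk says why that is acceptable. If the intent is that some entries of $files_to_back_up do not exist in every checkout, a comment such as `# Not every file in $files_to_back_up exists in all checkouts; only restore those that were backed up.` would record it; otherwise emitting a warning on the else branch would preserve the old failure's visibility.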
@@ -2077,6 +2082,7 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2096,6 +2102,7 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2115,6 +2122,7 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2133,6 +2141,7 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2170,6 +2179,7 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
@@ -2189,6 +2199,7 @@
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f4fe100..67e9cfb 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2042,6 +2042,59 @@
-S "error" \
-C "error"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_RSA_C
+run_test "TLS 1.3 opaque key: no suitable algorithm found" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required key_opaque=1 key_opaque_algs=rsa-decrypt,none" \
+ "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
+ 1 \
+ -s "The SSL configuration is tls13 only" \
+ -c "key type: Opaque" \
+ -s "key types: Opaque, Opaque" \
+ -c "error" \
+ -s "no suitable signature algorithm"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_RSA_C
+run_test "TLS 1.3 opaque key: suitable algorithm found" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
+ "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
+ 0 \
+ -s "The SSL configuration is tls13 only" \
+ -c "key type: Opaque" \
+ -s "key types: Opaque, Opaque" \
+ -C "error" \
+ -S "error" \
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_RSA_C
+run_test "TLS 1.3 opaque key: first client sig alg not suitable" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pss-sha512,none" \
+ "$P_CLI debug_level=4 sig_algs=rsa_pss_rsae_sha256,rsa_pss_rsae_sha512" \
+ 0 \
+ -s "The SSL configuration is tls13 only" \
+ -s "key types: Opaque, Opaque" \
+ -s "CertificateVerify signature failed with rsa_pss_rsae_sha256" \
+ -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
+ -C "error" \
+ -S "error" \
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_RSA_C
+run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required key_opaque=1 key_opaque_algs2=ecdsa-sign,none key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
+ "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
+ 0 \
+ -s "The SSL configuration is tls13 only" \
+ -c "key type: Opaque" \
+ -s "key types: Opaque, Opaque" \
+ -C "error" \
+ -S "error" \
+
# Test using a RSA opaque private key for server authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
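Review bot: The last assertion of three of the new tests ends with a continuation backslash before a blank line (`-S "error" \` in the "suitable algorithm found", "first client sig alg not suitable" and "2 keys on server" cases), so the blank line is part of the run_test command; it is harmless today, but a line inserted there later would silently become an extra argument. Drop the trailing `\` on the final `-S "error"` of each. These tests also match debug output at `debug_level=4` without a `requires_config_enabled MBEDTLS_DEBUG_C` line, which the NewSessionTicket tests further down in this file carry; if the adjacent TLS 1.2 opaque-key tests omit it too, follow the local convention, otherwise add it.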
@@ -11520,7 +11573,7 @@
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "signature algorithm not in received or offered list." \
+ -c "no suitable signature algorithm" \
-C "unknown pk type"
requires_gnutls_tls1_3
@@ -11538,7 +11591,7 @@
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "signature algorithm not in received or offered list." \
+ -c "no suitable signature algorithm" \
-C "unknown pk type"
# Test using an opaque private key for client authentication
@@ -11792,7 +11845,7 @@
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "signature algorithm not in received or offered list." \
+ -c "no suitable signature algorithm" \
-C "unkown pk type"
requires_gnutls_tls1_3
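Review bot: The context line `-C "unkown pk type"` directly under the changed assertion (and again in the next hunk) carries a typo, so this negative check can never match and passes vacuously; the two hunks above in this file section use the spelling `"unknown pk type"`. It is pre-existing, but since the commit rewrites the line above it, fixing it here is cheap: `-C "unknown pk type"`. If the log string itself is spelled differently, match the actual message rather than the typo.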
@@ -11811,7 +11864,7 @@
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "signature algorithm not in received or offered list." \
+ -c "no suitable signature algorithm" \
-C "unkown pk type"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -12494,7 +12547,7 @@
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
- -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -c "CertificateVerify signature with rsa_pss_rsae_sha512" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls_tls1_3
@@ -12510,7 +12563,7 @@
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
- -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -c "CertificateVerify signature with rsa_pss_rsae_sha512" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -12527,8 +12580,8 @@
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
- -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
- -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -c "CertificateVerify signature with rsa_pss_rsae_sha512" \
+ -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
-s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
-c "HTTP/1.0 200 [Oo][Kk]"
@@ -12547,7 +12600,7 @@
-sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
0 \
-c "TLSv1.3" \
- -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
-s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
requires_gnutls_tls1_3
@@ -12566,7 +12619,7 @@
0 \
-c "Negotiated version: 3.4" \
-c "HTTP/1.0 200 [Oo][Kk]" \
- -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
-s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
requires_gnutls_tls1_3
@@ -12583,8 +12636,7 @@
--x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \
--priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \
1 \
- -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
- -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+ -S "ssl_tls13_pick_key_cert:check signature algorithm"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
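Review bot: Replacing the two positive `-s` checks with the single negative `-S "ssl_tls13_pick_key_cert:check signature algorithm"` leaves this failing-handshake test asserting only that a string is absent; an unrelated failure (a renamed log message, a configuration mismatch, the server dying before it reaches that point) now passes it too. Keep one positive assertion on the expected failure cause next to the `-S`, as the later hunks do with `-c "no suitable signature algorithm"`, on whichever side actually emits the message here. The same `-S`-only pattern is in the next two hunks that expect exit code 1.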
@@ -12600,8 +12652,7 @@
-cert data_files/server2-sha256.crt -key data_files/server2.key \
-sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \
1 \
- -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
- -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+ -S "ssl_tls13_pick_key_cert:check signature algorithm"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
@@ -12616,8 +12667,7 @@
"$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512" \
1 \
- -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
- -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+ -S "ssl_tls13_pick_key_cert:check signature algorithm"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -12673,7 +12723,7 @@
"$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
- -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+ -c "no suitable signature algorithm"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -12687,7 +12737,7 @@
"$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
- -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+ -c "no suitable signature algorithm"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
@@ -12702,7 +12752,7 @@
"$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
- -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+ -c "no suitable signature algorithm"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -12735,14 +12785,32 @@
-c "HTTP/1.0 200 OK" \
-s "This is a resumed session"
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+# https://github.com/openssl/openssl/issues/10714
+# Until now, OpenSSL client does not support reconnect.
+skip_next_test
+run_test "TLS 1.3: NewSessionTicket: Basic check, O->m" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
+ "$O_NEXT_CLI -msg -debug -tls1_3 -reconnect" \
+ 0 \
+ -s "=> write NewSessionTicket msg" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
- "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%DISABLE_TLS13_COMPAT_MODE -V -r" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
0 \
-c "Connecting again- trying to resume previous session" \
-c "NEW SESSION TICKET (4) was received" \
@@ -12759,11 +12827,11 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=1" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
"$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
0 \
-c "Protocol is TLSv1.3" \
- -c "got new session ticket." \
+ -c "got new session ticket ( 3 )" \
-c "Saving session for reuse... ok" \
-c "Reconnecting with saved session" \
-c "HTTP/1.0 200 OK" \
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index e8cc076..3dc2b8b 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -1,3 +1,6 @@
+PK invalid parameters
+pk_invalid_param:
+
PK valid parameters
valid_parameters:
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 91fe869..beb3e7c 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -300,6 +300,53 @@
/* END_CASE */
/* BEGIN_CASE */
+void pk_invalid_param()
+{
+ mbedtls_pk_context ctx;
+ mbedtls_pk_type_t pk_type = 0;
+ unsigned char buf[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
+ size_t buf_size = sizeof( buf );
+
+ mbedtls_pk_init( &ctx );
+
+ TEST_EQUAL( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_verify_restartable( &ctx, MBEDTLS_MD_NONE,
+ NULL, buf_size,
+ buf, buf_size,
+ NULL ) );
+ TEST_EQUAL( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_verify_restartable( &ctx, MBEDTLS_MD_SHA256,
+ NULL, 0,
+ buf, buf_size,
+ NULL ) );
+ TEST_EQUAL( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_verify_ext( pk_type, NULL,
+ &ctx, MBEDTLS_MD_NONE,
+ NULL, buf_size,
+ buf, buf_size ) );
+ TEST_EQUAL( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_verify_ext( pk_type, NULL,
+ &ctx, MBEDTLS_MD_SHA256,
+ NULL, 0,
+ buf, buf_size ) );
+ TEST_EQUAL( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_sign_restartable( &ctx, MBEDTLS_MD_NONE,
+ NULL, buf_size,
+ buf, buf_size, &buf_size,
+ NULL, NULL,
+ NULL ) );
+ TEST_EQUAL( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_sign_restartable( &ctx, MBEDTLS_MD_SHA256,
+ NULL, 0,
+ buf, buf_size, &buf_size,
+ NULL, NULL,
+ NULL ) );
+exit:
+ mbedtls_pk_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void valid_parameters( )
{
mbedtls_pk_context pk;
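Review bot: In pk_invalid_param the context is only mbedtls_pk_init'ed and never loaded with a key, so if the pk layer already returns MBEDTLS_ERR_PK_BAD_INPUT_DATA for a keyless context, these six cases cannot tell whether the hash/hash_len check or the missing-key check fired; either load a key before the calls or add a case with a valid key that shows the argument check in isolation. `&buf_size` is also passed as the sig_len out-parameter of mbedtls_pk_sign_restartable while buf_size is reused as hash_len in the following case, which couples the cases on the function not writing that output on failure — use a separate `size_t sig_len;`. `mbedtls_pk_type_t pk_type = 0;` should spell the enumerator (`MBEDTLS_PK_NONE`) rather than 0. A one-line comment above the case, e.g. `/* NULL hash with non-zero length, or a real md with zero length, must be rejected */`, would document the intent.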
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c8b229c..f2478be 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4824,6 +4824,10 @@
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
derive_setup:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_SUCCESS
+PSA key derivation setup: TLS 1.2 ECJPAKE to PMS
+depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+derive_setup:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_SUCCESS
+
PSA key derivation setup: not a key derivation algorithm (HMAC)
depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256
derive_setup:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_INVALID_ARGUMENT
@@ -5793,6 +5797,47 @@
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865ff":"ff":0:1:0
+PSA key derivation: ECJPAKE to PMS, no input
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: ECJPAKE to PMS, input too short
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"deadbeef":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: ECJPAKE to PMS, input too long
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000de":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: ECJPAKE to PMS, bad input format
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT
+
+#NIST CAVS 11.0 SHA-256 ShortMSG vector for L=256
+PSA key derivation: ECJPAKE to PMS, good case
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_SUCCESS
+
+PSA key derivation: ECJPAKE to PMS, bad derivation step
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SEED:32:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_SUCCESS
+
+PSA key derivation: ECJPAKE to PMS, capacity 1 byte too big
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:33:PSA_ERROR_INVALID_ARGUMENT:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_SUCCESS
+
+PSA key derivation: ECJPAKE to PMS, capacity 1 byte too small
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:31:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_ERROR_INSUFFICIENT_DATA
+
+PSA key derivation: ECJPAKE to PMS, output too short
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"4f":PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: ECJPAKE to PMS, output too long
+depends_on:PSA_WANT_ALG_SHA_256
+derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a400":PSA_ERROR_INSUFFICIENT_DATA
+
PSA key derivation: HKDF SHA-256, read maximum capacity minus 1
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1
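Review bot: Every new derive_ecjpake_to_pms case depends only on `PSA_WANT_ALG_SHA_256`, while the setup case added above (`PSA key derivation setup: TLS 1.2 ECJPAKE to PMS`) also lists `PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS`. In a build where that algorithm is unset — as the earlier hunks in this commit now do in crypto_config.h for the driver-only configurations — the function's `PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) )` would fail instead of the cases being skipped, unless the function-level depends_on already guards it. Suggest `depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS` on each case.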
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index c74acf6..fa237d3 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7797,6 +7797,51 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS:MBEDTLS_SHA256_C */
+void derive_ecjpake_to_pms( data_t *input, int expected_input_status_arg,
+ int derivation_step,
+ int capacity, int expected_capacity_status_arg,
+ data_t *expected_output,
+ int expected_output_status_arg )
+{
+ psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step;
+ uint8_t *output_buffer = NULL;
+ psa_status_t status;
+ psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg;
+ psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg;
+ psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg;
+
+ ASSERT_ALLOC( output_buffer, expected_output->len );
+ PSA_ASSERT( psa_crypto_init() );
+
+ PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
+ TEST_EQUAL( psa_key_derivation_set_capacity( &operation, capacity ),
+ expected_capacity_status);
+
+ TEST_EQUAL( psa_key_derivation_input_bytes( &operation,
+ step, input->x, input->len ),
+ expected_input_status );
+
+ if( ( (psa_status_t) expected_input_status ) != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_key_derivation_output_bytes( &operation, output_buffer,
+ expected_output->len );
+
+ TEST_EQUAL( status, expected_output_status );
+ if( expected_output->len != 0 && expected_output_status == PSA_SUCCESS )
+ ASSERT_COMPARE( output_buffer, expected_output->len, expected_output->x,
+ expected_output->len );
+
+exit:
+ mbedtls_free( output_buffer );
+ psa_key_derivation_abort( &operation );
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void derive_key_exercise( int alg_arg,
data_t *key_data,
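Review bot: The BEGIN_CASE guard on derive_ecjpake_to_pms is `depends_on:MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS:MBEDTLS_SHA256_C`, which names the PSK-to-MS algorithm although the function only exercises PSA_ALG_TLS12_ECJPAKE_TO_PMS; this looks copied from a neighbouring case and would compile the test in or out on the wrong option. Guard it on the ECJPAKE-to-PMS builtin symbol instead (presumably `MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS` in this tree — confirm the name). The cast in `if( ( (psa_status_t) expected_input_status ) != PSA_SUCCESS )` is redundant since expected_input_status is already a psa_status_t; `if( expected_input_status != PSA_SUCCESS )`. A short comment above the function describing the sequence it checks (setup, capacity, input, then output compare) would help readers map the data file's expected-status columns.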
diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index a866d43..65731ed 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -16,6 +16,8 @@
mbedtls_rsa_context ctx;
const int invalid_padding = 42;
const int invalid_hash_id = 0xff;
+ unsigned char buf[] = {0x00,0x01,0x02,0x03,0x04,0x05};
+ size_t buf_len = sizeof( buf );
mbedtls_rsa_init( &ctx );
@@ -29,6 +31,28 @@
invalid_hash_id ),
MBEDTLS_ERR_RSA_INVALID_PADDING );
+ TEST_EQUAL( mbedtls_rsa_pkcs1_sign(&ctx, NULL,
+ NULL, MBEDTLS_MD_NONE,
+ buf_len,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_pkcs1_sign(&ctx, NULL,
+ NULL, MBEDTLS_MD_SHA256,
+ 0,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_pkcs1_verify(&ctx, MBEDTLS_MD_NONE,
+ buf_len,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_pkcs1_verify(&ctx, MBEDTLS_MD_SHA256,
+ 0,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
#if !defined(MBEDTLS_PKCS1_V15)
TEST_EQUAL( mbedtls_rsa_set_padding( &ctx,
MBEDTLS_RSA_PKCS_V15,
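Review bot: The new sign/verify calls run on a context that has no key and whose padding is whatever mbedtls_rsa_init left, so MBEDTLS_ERR_RSA_BAD_INPUT_DATA may come from the missing key or, in the PSS hunk below, from the padding mode not being V21, rather than from the NULL-hash / zero-length checks the cases are written for; if those paths return the same code, the cases do not prove the argument check fires. Either set the padding each block needs and load a key, or confirm that the hash check is reached before the key and padding checks (I cannot tell the ordering from the hunk). The PSS hunk also reuses `buf_len` as the expected salt length, which is unrelated to the buffer size, and leaves two consecutive blank lines before its `#endif`. The same observation applies to the PKCS#1 v1.5 hunk in between.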
@@ -36,6 +60,32 @@
MBEDTLS_ERR_RSA_INVALID_PADDING );
#endif
+#if defined(MBEDTLS_PKCS1_V15)
+ TEST_EQUAL( mbedtls_rsa_rsassa_pkcs1_v15_sign(&ctx, NULL,
+ NULL, MBEDTLS_MD_NONE,
+ buf_len,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pkcs1_v15_sign(&ctx, NULL,
+ NULL, MBEDTLS_MD_SHA256,
+ 0,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pkcs1_v15_verify(&ctx, MBEDTLS_MD_NONE,
+ buf_len,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pkcs1_v15_verify(&ctx, MBEDTLS_MD_SHA256,
+ 0,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+
+#endif
+
#if !defined(MBEDTLS_PKCS1_V21)
TEST_EQUAL( mbedtls_rsa_set_padding( &ctx,
MBEDTLS_RSA_PKCS_V21,
@@ -43,6 +93,42 @@
MBEDTLS_ERR_RSA_INVALID_PADDING );
#endif
+#if defined(MBEDTLS_PKCS1_V21)
+ TEST_EQUAL( mbedtls_rsa_rsassa_pss_sign_ext(&ctx, NULL, NULL,
+ MBEDTLS_MD_NONE, buf_len,
+ NULL, buf_len,
+ buf ),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pss_sign_ext(&ctx, NULL, NULL,
+ MBEDTLS_MD_SHA256, 0,
+ NULL, buf_len,
+ buf ),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pss_verify_ext(&ctx, MBEDTLS_MD_NONE,
+ buf_len, NULL,
+ MBEDTLS_MD_NONE,
+ buf_len, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pss_verify_ext(&ctx, MBEDTLS_MD_SHA256,
+ 0, NULL,
+ MBEDTLS_MD_NONE,
+ buf_len, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pss_verify(&ctx, MBEDTLS_MD_NONE,
+ buf_len,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+ TEST_EQUAL( mbedtls_rsa_rsassa_pss_verify(&ctx, MBEDTLS_MD_SHA256,
+ 0,
+ NULL, buf),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+#endif
+
exit:
mbedtls_rsa_free( &ctx );
}