Merge pull request #8198 from silabs-Kusumit/kdf_incorrect_initial_capacity
KDF incorrect initial capacity
diff --git a/BRANCHES.md b/BRANCHES.md
index c085b16..b71247f 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -106,6 +106,6 @@
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see
- <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6>.
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7>.
Users are urged to always use the latest version of a maintained branch.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ad05646..78599d9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -381,7 +381,7 @@
write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion
- VERSION 3.5.1)
+ VERSION 3.5.2)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
diff --git a/ChangeLog b/ChangeLog
index 28c45f7..28f2654 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,20 @@
Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS 3.5.2 branch released 2024-01-26
+
+Security
+ * Fix a timing side channel in private key RSA operations. This side channel
+ could be sufficient for an attacker to recover the plaintext. A local
+ attacker or a remote attacker who is close to the victim on the network
+ might have precise enough timing measurements to exploit this. It requires
+ the attacker to send a large number of messages for decryption. For
+ details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
+ by Hubert Kario, Red Hat.
+ * Fix a failure to validate input when writing x509 extensions lengths which
+ could result in an integer overflow, causing a zero-length buffer to be
+ allocated to hold the extension. The extension would then be copied into
+ the buffer, causing a heap buffer overflow.
+
= Mbed TLS 3.5.1 branch released 2023-11-06
Changes
diff --git a/ChangeLog.d/7764.txt b/ChangeLog.d/7764.txt
new file mode 100644
index 0000000..4cd2079
--- /dev/null
+++ b/ChangeLog.d/7764.txt
@@ -0,0 +1,3 @@
+Features
+ * Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
+ to convert between Mbed TLS and PSA curve identifiers.
diff --git a/ChangeLog.d/8060.txt b/ChangeLog.d/8060.txt
deleted file mode 100644
index a5fd93c..0000000
--- a/ChangeLog.d/8060.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * The CCM and GCM modules no longer depend on MBEDTLS_CIPHER_C. People who
- use CCM and GCM but don't need the Cipher API can now disable
- MBEDTLS_CIPHER_C in order to save code size.
diff --git a/ChangeLog.d/8340.txt b/ChangeLog.d/8340.txt
new file mode 100644
index 0000000..5664bf1
--- /dev/null
+++ b/ChangeLog.d/8340.txt
@@ -0,0 +1,4 @@
+Features
+ * Add functions mbedtls_md_psa_alg_from_type() and
+ mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
+ psa_algorithm_t.
diff --git a/ChangeLog.d/8357.txt b/ChangeLog.d/8357.txt
deleted file mode 100644
index 9cae396..0000000
--- a/ChangeLog.d/8357.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Features
- * It is now possible to have AEADs support (CCM, GCM and ChaChaPoly) without
- MBEDTLS_CIPHER_C. This holds both for the builtin suport (MBEDTLS_CCM_C,
- MBEDTLS_GCM_C and MBEDTLS_CHACHAPOLY_C) as well as the PSA one
- (PSA_WANT_ALG_CCM, PSA_WANT_ALG_GCM, PSA_WANT_ALG_CHACHA20_POLY1305).
- On the PSA side this means that it is possible to enable
- MBEDTLS_PSA_CRYPTO_C without MBEDTLS_CIPHER_C if none of the
- non-authenticated ciphers is enabled.
diff --git a/ChangeLog.d/8358.txt b/ChangeLog.d/8358.txt
deleted file mode 100644
index 70b795a..0000000
--- a/ChangeLog.d/8358.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Features
- * If a cipher or AEAD mechanism has a PSA driver, you can now build the
- library without the corresponding built-in implementation. See
- docs/driver-only-builds.md for full details and current limitations.
- * It is possible to disable MBEDTLS_CIPHER_C in some circumstances, please
- see docs/driver-only-builds.md for full details and current limitations.
- * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
- disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
- MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
diff --git a/ChangeLog.d/8461.txt b/ChangeLog.d/8461.txt
new file mode 100644
index 0000000..d6a65f0
--- /dev/null
+++ b/ChangeLog.d/8461.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix unsupported PSA asymmetric encryption and decryption
+ (psa_asymmetric_[en|de]crypt) with opaque keys.
+ Resolves #8461.
diff --git a/ChangeLog.d/8726.txt b/ChangeLog.d/8726.txt
new file mode 100644
index 0000000..c1e5a40
--- /dev/null
+++ b/ChangeLog.d/8726.txt
@@ -0,0 +1,2 @@
+Features
+ * Add partial platform support for z/OS.
diff --git a/ChangeLog.d/add-record-size-limit-extension-support.txt b/ChangeLog.d/add-record-size-limit-extension-support.txt
new file mode 100644
index 0000000..3562b85
--- /dev/null
+++ b/ChangeLog.d/add-record-size-limit-extension-support.txt
@@ -0,0 +1,5 @@
+Features
+ * Add support for record size limit extension as defined by RFC 8449
+ and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
+ Application data sent and received will be fragmented according to
+ Record size limits negotiated during handshake.
diff --git a/ChangeLog.d/ctr-perf.txt b/ChangeLog.d/ctr-perf.txt
new file mode 100644
index 0000000..bc04080
--- /dev/null
+++ b/ChangeLog.d/ctr-perf.txt
@@ -0,0 +1,3 @@
+Features
+ * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
+ hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
diff --git a/ChangeLog.d/driver-only-cipher.txt b/ChangeLog.d/driver-only-cipher.txt
new file mode 100644
index 0000000..331b2f9
--- /dev/null
+++ b/ChangeLog.d/driver-only-cipher.txt
@@ -0,0 +1,11 @@
+Features
+ * If a cipher or AEAD mechanism has a PSA driver, you can now build the
+ library without the corresponding built-in implementation. Generally
+ speaking that requires both the key type and algorithm to be accelerated
+ or they'll both be built in. However, for CCM and GCM the built-in
+ implementation is able to take advantage of a driver that only
+ accelerates the key type (that is, the block cipher primitive). See
+ docs/driver-only-builds.md for full details and current limitations.
+ * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
+ disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
+ MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
diff --git a/ChangeLog.d/ecp-keypair-utilities.txt b/ChangeLog.d/ecp-keypair-utilities.txt
new file mode 100644
index 0000000..6f9714a
--- /dev/null
+++ b/ChangeLog.d/ecp-keypair-utilities.txt
@@ -0,0 +1,5 @@
+Features
+ * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
+ gaps made by making its fields private: mbedtls_ecp_set_public_key(),
+ mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
+ mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
diff --git a/ChangeLog.d/fix-tls-SuiteB.txt b/ChangeLog.d/fix-tls-SuiteB.txt
new file mode 100644
index 0000000..0be753a
--- /dev/null
+++ b/ChangeLog.d/fix-tls-SuiteB.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Remove accidental introduction of RSA signature algorithms
+ in TLS Suite B Profile. Fixes #8221.
diff --git a/ChangeLog.d/fix-tls13-server-min-version-check.txt b/ChangeLog.d/fix-tls13-server-min-version-check.txt
new file mode 100644
index 0000000..258ec6d
--- /dev/null
+++ b/ChangeLog.d/fix-tls13-server-min-version-check.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
+ is disabled at runtime. Fixes #8593.
diff --git a/ChangeLog.d/iar-gcc-perf.txt b/ChangeLog.d/iar-gcc-perf.txt
new file mode 100644
index 0000000..fb0fbb1
--- /dev/null
+++ b/ChangeLog.d/iar-gcc-perf.txt
@@ -0,0 +1,2 @@
+Features
+ * Improve performance for gcc (versions older than 9.3.0) and IAR.
diff --git a/ChangeLog.d/linux-aarch64-hwcap.txt b/ChangeLog.d/linux-aarch64-hwcap.txt
new file mode 100644
index 0000000..23af878
--- /dev/null
+++ b/ChangeLog.d/linux-aarch64-hwcap.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
+ acceleration detection when the libc headers do not define the
+ corresponding constant. Reported by valord577.
diff --git a/ChangeLog.d/no-cipher.txt b/ChangeLog.d/no-cipher.txt
new file mode 100644
index 0000000..87f2f6d
--- /dev/null
+++ b/ChangeLog.d/no-cipher.txt
@@ -0,0 +1,9 @@
+Features
+ * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
+ size by disabling it in more circumstances. In particular, the CCM and
+ GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
+ MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
+ unauthenticated (non-AEAD) ciphers are disabled, or if they're all
+ fully provided by drivers. See docs/driver-only-builds.md for full
+ details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
+ decryption still unconditionally depend on MBEDTLS_CIPHER_C.
diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 430b0ca..eda65a3 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -494,7 +494,7 @@
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
-As a starting point, return 1 if PSA crypto has been initialized. This will be refined later (to return 1 if the [accelerator subsystem](https://github.com/Mbed-TLS/mbedtls/issues/6007) has been initialized).
+As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
@@ -514,7 +514,7 @@
#### Error code conversion
-After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code.
+After calling a PSA function, MD light calls `mbedtls_md_error_from_psa` to convert its status code.
### Support all legacy algorithms in PSA
@@ -566,14 +566,15 @@
* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
-### Internal "block cipher" abstraction (Cipher light)
+### Internal "block cipher" abstraction (previously known as "Cipher light")
#### Definition
-The new module is automatically enabled in `build_info.h` by modules that need
-it, namely: CCM, GCM, only when `CIPHER_C` is not available. Note: CCM and GCM
-currently depend on the full `CIPHER_C` (enforced by `check_config.h`); this
-hard dependency would be replaced by the above auto-enablement.
+The new module is automatically enabled in `config_adjust_legacy_crypto.h` by modules that need
+it (namely: CCM, GCM) only when `CIPHER_C` is not available, or the new module
+is needed for PSA dispatch (see next section). Note: CCM and GCM currently
+depend on the full `CIPHER_C` (enforced by `check_config.h`); this hard
+dependency would be replaced by the above auto-enablement.
The following API functions are offered:
```
@@ -593,6 +594,23 @@
an `mbedtls_cipher_id_t` in the `setup()` function, because that's how they're
identifed by callers (GCM/CCM).
-#### Cipher light dual dispatch
+#### Block cipher dual dispatch
-This is likely to come in the future, but has not been defined yet.
+Support for dual dispatch in the new internal module `block_cipher` is extremely similar to that in MD light.
+
+A block cipher context contains either a legacy module's context (AES, ARIA, Camellia) or a PSA key identifier; it has a field indicating which one is in use. All fields are private.
+
+The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
+
+Support is determined at runtime using the new internal function
+```
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);
+```
+
+The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA. As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
+
+Each function in the module needs to know whether to dispatch via PSA or legacy. All functions consult the context's `engine` field, except `setup()` which will set it according to the key type and the return value of `psa_can_do_cipher()` as discussed above.
+
+Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress.
+
+After calling a PSA function, `block_cipher` functions call `mbedtls_cipher_error_from_psa` to convert its status code.
diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md
new file mode 100644
index 0000000..e09d23c
--- /dev/null
+++ b/docs/architecture/psa-migration/psa-legacy-bridges.md
@@ -0,0 +1,344 @@
+Bridges between legacy and PSA crypto APIs
+==========================================
+
+## Introduction
+
+### Goal of this document
+
+This document explores the needs of applications that use both Mbed TLS legacy crypto interfaces and PSA crypto interfaces. Based on [requirements](#requirements), we [analyze gaps](#gap-analysis) and [API design](#api-design).
+
+This is a design document. The target audience is library maintainers. See the companion document [“Transitioning to the PSA API”](../../psa-transition.md) for a user focus on the same topic.
+
+### Keywords
+
+* [TODO] A part of the analysis that isn't finished.
+* [OPEN] Open question: a specific aspect of the design where there are several plausible decisions.
+* [ACTION] A finalized part of the design that will need to be carried out.
+
+### Context
+
+Mbed TLS 3.x supports two cryptographic APIs:
+
+* The legacy API `mbedtls_xxx` is inherited from PolarSSL.
+* The PSA API `psa_xxx` was introduced in Mbed TLS 2.17.
+
+Mbed TLS is gradually shifting from the legacy API to the PSA API. Mbed TLS 4.0 will be the first version where the PSA API is considered the main API, and large parts of the legacy API will be removed.
+
+In Mbed TLS 4.0, the cryptography will be provided by a separate project [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). For simplicity, in this document, we just refer to the whole as “Mbed TLS”.
+
+### Document history
+
+This document was originally written when preparing Mbed TLS 3.6. Mbed TLS 3.6 includes both PSA and legacy APIs covering largely overlapping ground. Many legacy APIs will be removed in Mbed TLS 4.0.
+
+## Requirements
+
+### Why mix APIs?
+
+There is functionality that is tied to one API and is not directly available in the other API:
+
+* Only PSA fully supports PSA accelerators and secure element integration.
+* Only PSA supports isolating cryptographic material in a secure service.
+* The legacy API has features that are not present (yet) in PSA, notably parsing and formatting asymmetric keys.
+
+The legacy API can partially leverage PSA features via `MBEDTLS_USE_PSA_CRYPTO`, but this has limited scope.
+
+In addition, many applications cannot be migrated in a single go. For large projects, it is impractical to rewrite a significant part of the code all at once. (For example, Mbed TLS itself will have taken more than 6 years to transition.) Projects that use one or more library in addition to Mbed TLS must follow the evolution of these libraries, each of which might have its own pace.
+
+### Where mixing happens
+
+Mbed TLS can be, and normally is, built with support for both APIs. Therefore no special effort is necessary to allow an application to use both APIs.
+
+Special effort is necessary to use both APIs as part of the implementation of the same feature. From an informal analysis of typical application requirements, we identify four parts of the use of cryptography which can be provided by different APIs:
+
+* Metadata manipulation: parsing and producing encrypted or signed files, finding mutually supported algorithms in a network protocol negotiation, etc.
+* Key management: parsing, generating, deriving and formatting cryptographic keys.
+* Data manipulation other than keys. In practice, most data formats within the scope of the legacy crypto APIs are trivial (ciphertexts, hashes, MACs, shared secrets). The one exception is ECDSA signatures.
+* Cryptographic operations: hash, sign, encrypt, etc.
+
+From this, we deduce the following requirements:
+
+* Convert between PSA and legacy metadata.
+* Creating a key with the legacy API and consuming it in the PSA API.
+* Creating a key with the PSA API and consuming it in the legacy API.
+* Manipulating data formats, other than keys, where the PSA API is lacking.
+
+### Scope limitations
+
+The goal of this document is to bridge the legacy API and the PSA API. The goal is not to provide a PSA way to do everything that is currently possible with the legacy API. The PSA API is less flexible in some regards, and extending it is out of scope in the present study.
+
+With respect to the legacy API, we do not consider functionality of low-level modules for individual algorithms. Our focus is on applications that use high-level legacy crypto modules (md, cipher, pk) and need to combine that with uses of the PSA APIs.
+
+## Gap analysis
+
+The document [“Transitioning to the PSA API”](../../psa-transition.md) enumerates the public header files in Mbed TLS 3.4 and the API elements (especially enums and functions) that they provide, listing PSA equivalents where they exist. There are gaps in two cases:
+
+* Where the PSA equivalents do not provide the same functionality. A typical example is parsing and formatting asymmetric keys.
+* To convert between data representations used by legacy APIs and data representations used by PSA APIs.
+
+Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap analysis on two topics: metadata and keys. This chapter explores the gaps in each family of cryptographic mechanisms.
+
+### Generic metadata gaps
+
+#### Need for error code conversion
+
+Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use.
+
+Mbed TLS needs these conversions because it has many functions that expose one API (legacy/API) but are implemented on top of the other API. Most applications would convert legacy and PSA error code to their own error codes, and converting between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` is not particularly helpful for that. Application code might need such conversion functions when implementing an X.509 or TLS callback (returning `MBEDTLS_ERR_xxx`) on top of PSA functions, but this is a very limited use case.
+
+Conclusion: no need for public error code conversion functions.
+
+### Hash gap analysis
+
+Hashes do not involve keys, and involves no nontrivial data format. Therefore the only gap is with metadata, namely specifying a hash algorithm.
+
+Hashes are often used as building blocks for other mechanisms (HMAC, signatures, key derivation, etc.). Therefore metadata about hashes is relevant not only when calculating hashes, but also when performing many other cryptographic operations.
+
+Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls_md_type_t`. Such functions exist in Mbed TLS 3.5 (`mbedtls_md_psa_alg_from_type`, `mbedtls_md_type_from_psa_alg`) but they are declared only in private headers.
+
+### MAC gap analysis
+
+[TODO]
+
+### Cipher and AEAD gap analysis
+
+[TODO]
+
+### Key derivation gap analysis
+
+[TODO]
+
+### Random generation gap analysis
+
+[TODO]
+
+### Asymmetric cryptography gap analysis
+
+#### Asymmetric cryptography metadata
+
+The legacy API only has generic support for two key types: RSA and ECC, via the pk module. ECC keys can also be further classified according to their curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module.
+
+An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module:
+
+* RSA: PKCS#1v1.5 signature, PSS signature, PKCS#1v1.5 encryption, OAEP encryption.
+* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement (via `mbedtls_pk_ec`).
+
+ECC keys are also involved in EC-JPAKE, but this happens internally: the EC-JPAKE interface only needs one piece of metadata, namely, to identify a curve.
+
+Since there is no algorithm that can be used with multiple types, and PSA keys have a policy that (for the most part) limits them to one algorithm, there does not seem to be a need to convert between legacy and PSA asymmetric key types on their own. The useful metadata conversions are:
+
+* Selecting an **elliptic curve**.
+
+ This means converting between an `mbedtls_ecp_group_id` and a pair of `{psa_ecc_family_t; size_t}`.
+
+ This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_from_psa`, which were introduced into the public API between Mbed TLS 3.5 and 3.6 ([#8664](https://github.com/Mbed-TLS/mbedtls/pull/8664)).
+
+* Selecting A **DHM group**.
+
+ PSA only supports predefined groups, whereas legacy only supports ad hoc groups. An existing application referring to `MBEDTLS_DHM_RFC7919_FFDHExxx` values would need to refer to `PSA_DH_FAMILY_RFC7919`; an existing application using arbitrary groups cannot migrate to PSA.
+
+* Simultaneously supporting **a key type and an algorithm**.
+
+ On the legacy side, this is an `mbedtls_pk_type_t` value and more. For ECDSA, the choice between randomized and deterministic is made at compile time. For RSA, the choice of encryption or signature algorithm is made either by configuring the underlying `mbedtls_rsa_context` or when calling the operation function.
+
+ On the PSA side, this is a `psa_key_type_t` value and an algorithm which is normally encoded as policy information in a `psa_key_attributes_t`. The algorithm is also needed in its own right when calling operation functions.
+
+#### Using a legacy key pair or public key with PSA
+
+There are several scenarios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to create a PSA key object (`psa_key_id_t`).
+
+Reasons for first creating a legacy key object, where it's impossible or impractical to directly create a PSA key:
+
+* A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an equivalent of the `mbedtls_pk_parse_xxx` functions.
+* The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generation does not (yet) allow choosing the public exponent.
+* The pk object may be created by a part of the application (or a third-party library) that hasn't been migrated to the PSA API yet.
+
+Reasons for needing a PSA key object:
+
+* Using the key with third-party interface that takes a PSA key identifier as input. (Mbed TLS itself has a few TLS functions that take PSA key identifiers, but as of Mbed TLS 3.5, it is always possible to use a legacy key instead.)
+* Benefiting from a PSA accelerator, or from PSA's world separation, even without `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority scenario: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.)
+
+Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_opaque`, but it is not fully satisfactory, for reasons that are detailed in “[API to create a PSA key from a PK context](#api-to-create-a-psa-key-from-a-pk-context)” below.
+
+#### Using a PSA key as a PK context
+
+There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 and TLS APIs or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents.
+
+There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it has several limitations:
+
+* It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in some scenarios, but not others. For example, it's ok for pkwrite, because we've upgraded the pkwrite code to handle `MBEDTLS_PK_OPAQUE`. That doesn't help users of third-party libraries that haven't yet been upgraded.
+* It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object.
+* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. This is not a priority concern, since we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA. However, this function is useful to use specific PSA keys in X.509/TLS regardless of whether X.509/TLS use the PSA API for all cryptographic operations, so this is a wart in the current API.
+
+It therefore appears that we need two ways to “convert” a PSA key to PK:
+
+* Wrapping, which is what `mbedtls_pk_setup_opaque` does. This works for any PSA key but is limited by the key's lifetime and creates a PK object with limited functionality.
+* Copying, which requires a new function. This requires an exportable key but creates a fully independent, fully functional PK object.
+
+Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable.
+
+After some discussion, have not identified anything we want to change in the behavior of `mbedtls_pk_setup_opaque`. We only want to generalize it to non-`MBEDTLS_USE_PSA_CRYPTO` and to document it better.
+
+#### Signature formats
+
+The pk module uses signature formats intended for X.509. The PSA module uses the simplest sensible signature format.
+
+* For RSA, the formats are the same.
+* For ECDSA, PSA uses a fixed-size concatenation of (r,s), whereas X.509 and pk use an ASN.1 DER encoding of the sequence (r,s).
+
+Gap: We need APIs to convert between these two formats. The conversion code already exists under the hood, but it's in pieces that can't be called directly.
+
+There is a design choice here: do we provide conversions functions for ECDSA specifically, or do we provide conversion functions that take an algorithm as argument and just happen to be a no-op with RSA? One factor is plausible extensions. These conversions functions will remain useful in Mbed TLS 4.x and perhaps beyond. We will at least add EdDSA support, and its signature encoding is the fixed-size concatenation (r,s) even in X.509. We may well also add support for some post-quantum signatures, and their concrete format is still uncertain.
+
+Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. Therefore we are not going to add a generic function at this stage.
+
+For ECDSA, there are two plausible APIs: follow the ASN.1/X.509 write/parse APIs, or present an ordinary input/output API. The ASN.1 APIs are the way they are to accommodate nested TLV structures. But ECDSA signatures do not appear nested in TLV structures in either TLS (there's just a signature field) or X.509 (the signature is inside a BITSTRING, not directly in a SEQUENCE). So there does not seem to be a need for an ASN.1-like API for the ASN.1 format, just the format conversion itself in a buffer that just contains the signature.
+
+#### Asymmetric cryptography TODO
+
+[TODO] Other gaps?
+
+## New APIs
+
+This section presents new APIs to implement based on the [gap analysis](#gap-analysis).
+
+### General notes
+
+Each action to implement a function entails:
+
+* Implement the library function.
+* Document it precisely, including error conditions.
+* Unit-test it.
+* Mention it where relevant in the PSA transition guide.
+
+### Hash APIs
+
+Based on the [gap analysis](#hash-gap-analysis):
+
+[ACTION] [#8340](https://github.com/Mbed-TLS/mbedtls/issues/8340) Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`.
+
+### MAC APIs
+
+[TODO]
+
+### Cipher and AEAD APIs
+
+[TODO]
+
+### Key derivation APIs
+
+[TODO]
+
+### Random generation APIs
+
+[TODO]
+
+### Asymmetric cryptography APIs
+
+#### Asymmetric cryptography metadata APIs
+
+Based on the [gap analysis](#asymmetric-cryptography-metadata):
+
+* No further work is needed about RSA specifically. The amount of metadata other than hashes is sufficiently small to be handled in ad hoc ways in applications, and hashes have [their own conversions](#hash-apis).
+* No further work is needed about ECC specifically. We have just added adequate functions.
+* No further work is needed about DHM specifically. There is no good way to translate the relevant information.
+* [OPEN] Is there a decent way to convert between `mbedtls_pk_type_t` plus extra information, and `psa_key_type_t` plus policy information? The two APIs are different in crucial ways, with different splits between key type, policy information and operation algorithm.
+ Thinking so far: there isn't really a nice way to present this conversion. For a specific key, `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_copy_from_psa` do the job.
+
+#### API to create a PSA key from a PK context
+
+Based on the [gap analysis](#using-a-legacy-key-pair-or-public-key-with-psa):
+
+Given an `mbedtls_pk_context`, we want a function that creates a PSA key with the same key material and algorithm. “Same key material” is straightforward, but “same algorithm” is not, because a PK context has incomplete algorithm information. For example, there is no way to distinguish between an RSA key that is intended for signature or for encryption. Between algorithms of the same nature, there is no way to distinguish a key intended for PKCS#1v1.5 and one intended for PKCS#1v2.1 (OAEP/PSS): this is indicated in the underlying RSA context, but the indication there is only a default that can be overridden by calling `mbedtls_pk_{sign,verify}_ext`. Also there is no way to distinguish between `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)` and `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`: in the legacy interface, this is only determined when actually doing a signature/verification operation. Therefore the function that creates the PSA key needs extra information to indicate which algorithm to put in the key's policy.
+
+When creating a PSA key, apart from the key material, the key is determined by attributes, which fall under three categories:
+
+* Type and size. These are directly related to the key material and can be deduced from it if the key material is in a structured format, which is the case with an `mbedtls_pk_context` input.
+* Policy. This includes the chosen algorithm, which as discussed above cannot be fully deduced from the `mbedtls_pk_context` object. Just choosing one algorithm is problematic because it doesn't allow implementation-specific extensions, such as Mbed TLS's enrollment algorithm. The intended usage flags cannot be deduced from the PK context either, but the conversion function could sensibly just enable all the relevant usage flags. Users who want a more restrictive usage can call `psa_copy_key` and `psa_destroy_key` to obtain a PSA key object with a more restrictive usage.
+* Persistence and location. This is completely orthogonal to the information from the `mbedtls_pk_context` object. It is convenient, but not necessary, for the conversion function to allow customizing these aspects. If it doesn't, users can call the conversion function and then call `psa_copy_key` and `psa_destroy_key` to move the key to its desired location.
+
+To allow the full flexibility around policies, and make the creation of a persistent key more convenient, the conversion function shall take a `const psa_key_attributes_t *` input, like all other functions that create a PSA key. In addition, there shall be a helper function to populate a `psa_key_attributes_t` with a sensible default. This lets the caller choose a more flexible, or just different usage policy, unlike the default-then-copy approach which only allows restricting the policy.
+
+This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not bake in the implementation-specific consideration that a PSA key has exactly two algorithms, and also allows the caller to benefit from default for the policy in more cases.
+
+[ACTION] [#8708](https://github.com/Mbed-TLS/mbedtls/issues/8708) Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`.
+
+```
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_flags_t usage,
+ psa_key_attributes_t *attributes);
+int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id);
+```
+
+* `mbedtls_pk_get_psa_attributes` does not change the id/lifetime fields of the attributes (which indicate a volatile key by default).
+ * [OPEN] Or should it reset them to 0? Resetting is more convenient for the case where the pk key is a `MBEDTLS_PK_OPAQUE`. But that's an uncommon use case. It's probably less surprising if this function leaves the lifetime-related alone, since its job is to set the type-related and policy-related attributes.
+* `mbedtls_pk_get_psa_attributes` sets the type and size based on what's in the pk context.
+ * The key type is a key pair if the context contains a private key and the indicated usage is a private-key usage. The key type is a public key if the context only contains a public key, in which case a private-key usage is an error.
+* `mbedtls_pk_get_psa_attributes` sets the usage flags based on the `usage` parameter. It extends the usage to other usage that is possible:
+ * `EXPORT` and `COPY` are always set.
+ * If `SIGN_{HASH,MESSAGE}` is set then so is `VERIFY_{HASH,MESSAGE}`.
+ * If `DECRYPT` is set then so is `ENCRYPT`.
+ * It is an error if `usage` has more than one flag set, or has a usage that is incompatible with the key type.
+* `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key object and on `usage`.
+ * For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_PKCS1V15_CRYPT` for an encrypt/decrypt usage.
+ * For an RSA key with the `MBEDTLS_RSA_PKCS_V21` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.)
+ * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDSA` with a sign/verify usage, the algorithm policy is `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. In either case, the hash policy is `PSA_ALG_ANY_HASH`.
+ * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDKEY_DH` with the usage `PSA_KEY_USAGE_DERIVE`, the algorithm is `PSA_ALG_ECDH`.
+ * For a `MBEDTLS_PK_OPAQUE`, this function reads the attributes of the existing PK key and copies them (without overriding the lifetime and key identifier in `attributes`), then applies a public-key restriction if needed.
+ * Public-key restriction: if `usage` is a public-key usage, change the type to the corresponding public-key type, and remove private-key usage flags from the usage flags read from the existing key.
+* `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key).
+ * The key type can be a public key even if the private key is available.
+* `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks.
+* `mbedtls_pk_import_into_psa` does not check that the policy in the attributes is sensible. That's on the user.
+
+#### API to copy a PSA key to a PK context
+
+Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
+
+[ACTION] [#8709](https://github.com/Mbed-TLS/mbedtls/issues/8709) Implement `mbedtls_pk_copy_from_psa` as described below.
+
+```
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk);
+```
+
+* `pk` must be initialized, but not set up.
+* It is an error if the key is neither a key pair nor a public key.
+* It is an error if the key is not exportable.
+* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse).
+* Once this function returns, the pk object is completely independent of the PSA key.
+* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`) if that is a matching operation type (sign/verify, encrypt/decrypt), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`).
+ * For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today.
+ * For an RSA key, the output key will allow both encrypt/decrypt and sign/verify regardless of the original key's policy. The original key's policy determines the output key's padding mode.
+ * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. Convey this in the documentation.
+
+#### API to create a PK object that wraps a PSA key
+
+Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
+
+[ACTION] [#8712](https://github.com/Mbed-TLS/mbedtls/issues/8712) Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`.
+
+[ACTION] [#8710](https://github.com/Mbed-TLS/mbedtls/issues/8710) Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly.
+
+[OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`?
+
+#### API to convert between signature formats
+
+Based on the [gap analysis](#signature-formats):
+
+[ACTION] [#7765](https://github.com/Mbed-TLS/mbedtls/issues/7765) Implement `mbedtls_ecdsa_raw_to_der` and `mbedtls_ecdsa_der_to_raw` as described below.
+
+```
+int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len,
+ unsigned char *der, size_t der_size, size_t *der_len,
+ size_t bits);
+int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t raw_size, size_t *raw_len,
+ size_t bits);
+```
+
+* These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`.
+* The input and output buffers can overlap.
+* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is not needed in the raw-to-DER direction, but [it can help catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971) and the information is readily available in practice.
+* Should these functions rely on the ASN.1 module? We experimented [calling ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8681), [reimplementing simpler ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8696), and [providing the functions from the ASN.1 module](https://github.com/Mbed-TLS/mbedtls/pull/8703). Providing the functions from the ASN.1 module [won on a compromise of code size and simplicity](https://github.com/Mbed-TLS/mbedtls/issues/7765#issuecomment-1893670015).
diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md
index f085471..f59420e 100644
--- a/docs/driver-only-builds.md
+++ b/docs/driver-only-builds.md
@@ -16,6 +16,7 @@
In order to have some mechanism provided only by a driver, you'll want
the following compile-time configuration options enabled:
+
- `MBEDTLS_PSA_CRYPTO_C` (enabled by default) - this enables PSA Crypto.
- `MBEDTLS_USE_PSA_CRYPTO` (disabled by default) - this makes PK, X.509 and
TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS
@@ -28,6 +29,7 @@
TLS](proposed/psa-conditional-inclusion-c.md) for details.
In addition, for each mechanism you want provided only by your driver:
+
- Define the corresponding `PSA_WANT` macro in `psa/crypto_config.h` - this
means the algorithm will be available in the PSA Crypto API.
- Define the corresponding `MBEDTLS_PSA_ACCEL` in your build. This could be
@@ -52,9 +54,12 @@
------------------
For now, only the following (families of) mechanisms are supported:
+
- hashes: SHA-3, SHA-2, SHA-1, MD5, etc.
- elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types.
- finite-field Diffie-Hellman: FFDH algorithm, DH key types.
+- RSA: PKCS#1 v1.5 and v2.1 signature and encryption algorithms, RSA key types
+ (for now, only crypto, no X.509 or TLS support).
- AEADs:
- GCM and CCM with AES, ARIA and Camellia key types
- ChachaPoly with ChaCha20 Key type
@@ -71,15 +76,13 @@
in the "Limitations" sub-sections of the sections dedicated to each family
below.
-Currently (mid-2023) we don't have plans to extend this to RSA. If
-you're interested in driver-only support for RSA, please let us know.
-
Hashes
------
It is possible to have all hash operations provided only by a driver.
More precisely:
+
- you can enable `PSA_WANT_ALG_SHA_256` without `MBEDTLS_SHA256_C`, provided
you have `MBEDTLS_PSA_ACCEL_ALG_SHA_256` enabled;
- and similarly for all supported hash algorithms: `MD5`, `RIPEMD160`,
@@ -98,6 +101,7 @@
If you want to check at compile-time whether a certain hash algorithm is
available in the present build of Mbed TLS, regardless of whether it's
provided by a driver or built-in, you should use the following macros:
+
- for code that uses only the PSA Crypto API: `PSA_WANT_ALG_xxx` from
`psa/crypto.h`;
- for code that uses non-PSA crypto APIs: `MBEDTLS_MD_CAN_xxx` from
@@ -107,10 +111,12 @@
---------------------------------
It is possible to have most ECC operations provided only by a driver:
+
- the ECDH, ECDSA and EC J-PAKE algorithms;
- key import, export, and random generation.
More precisely, if:
+
- you have driver support for ECC public and using private keys (that is,
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY` and
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC` are enabled), and
@@ -119,6 +125,7 @@
`MBEDTLS_PSA_ACCEL_ECC_xxx` macros is enabled as well);
then you can:
+
- enable `PSA_WANT_ALG_ECDH` without `MBEDTLS_ECDH_C`, provided
`MBEDTLS_PSA_ACCEL_ALG_ECDH` is enabled
- enable `PSA_WANT_ALG_ECDSA` without `MBEDTLS_ECDSA_C`, provided
@@ -127,6 +134,7 @@
`MBEDTLS_PSA_ACCEL_ALG_JPAKE` is enabled.
In addition, if:
+
- none of `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C`, `MBEDTLS_ECJPAKE_C` are enabled
(see conditions above), and
- you have driver support for all enabled ECC key pair operations - that is,
@@ -138,9 +146,11 @@
still be included in the build, see limitations sub-section below.
In addition, if:
-- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below), and
-- support for RSA key types and algorithms is fully disabled, and
-- support for DH key types and the FFDH algorithm is either disabled, or
+
+- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below),
+- and support for RSA key types and algorithms is either fully disabled or
+ fully provided by a driver,
+- and support for DH key types and the FFDH algorithm is either disabled or
fully provided by a driver,
then you can also disable `MBEDTLS_BIGNUM_C`.
@@ -148,6 +158,7 @@
In such builds, all crypto operations via the PSA Crypto API will work as
usual, as well as the PK, X.509 and TLS modules if `MBEDTLS_USE_PSA_CRYPTO` is
enabled, with the following exceptions:
+
- direct calls to APIs from the disabled modules are not possible;
- PK, X.509 and TLS will not support restartable ECC operations (see
limitation sub-section below).
@@ -155,6 +166,7 @@
If you want to check at compile-time whether a certain curve is available in
the present build of Mbed TLS, regardless of whether ECC is provided by a
driver or built-in, you should use the following macros:
+
- for code that uses only the PSA Crypto API: `PSA_WANT_ECC_xxx` from
`psa/crypto.h`;
- for code that may also use non-PSA crypto APIs: `MBEDTLS_ECP_HAVE_xxx` from
@@ -170,6 +182,7 @@
A limited subset of `ecp.c` will still be automatically re-enabled if any of
the following is enabled:
+
- `MBEDTLS_PK_PARSE_EC_COMPRESSED` - support for parsing ECC keys where the
public part is in compressed format;
- `MBEDTLS_PK_PARSE_EC_EXTENDED` - support for parsing ECC keys where the
@@ -243,12 +256,37 @@
`[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and
removing builtin support (i.e. `MBEDTLS_DHM_C`).
+RSA
+---
+
+It is possible for all RSA operations to be provided only by a driver.
+
+More precisely, if:
+
+- all the RSA algorithms that are enabled (`PSA_WANT_ALG_RSA_*`) are also
+ accelerated (`MBEDTLS_PSA_ACCEL_ALG_RSA_*`),
+- and all the RSA key types that are enabled (`PSA_WANT_KEY_TYPE_RSA_*`) are
+ also accelerated (`MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_*`),
+
+then you can disable `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15` and
+`MBEDTLS_PKCS1_V21`, and RSA will still work in PSA Crypto.
+
+### Limitations on RSA acceleration
+
+Unlike other mechanisms, for now in configurations with driver-only RSA, only
+PSA Crypto works. In particular, PK, X.509 and TLS will _not_ work with
+driver-only RSA even if `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+
+Currently (early 2024) we don't have plans to extend this support. If you're
+interested in wider driver-only support for RSA, please let us know.
+
Ciphers (unauthenticated and AEAD)
----------------------------------
It is possible to have all ciphers and AEAD operations provided only by a
driver. More precisely, for each desired combination of key type and
algorithm/mode you can:
+
- Enable desired PSA key type(s):
- `PSA_WANT_KEY_TYPE_AES`,
- `PSA_WANT_KEY_TYPE_ARIA`,
@@ -305,6 +343,7 @@
Some legacy modules can't take advantage of PSA drivers yet, and will either
need to be disabled, or have reduced features when the built-in implementations
of some ciphers are removed:
+
- `MBEDTLS_NIST_KW_C` needs built-in AES: it must be disabled when
`MBEDTLS_AES_C` is disabled.
- `MBEDTLS_CMAC_C` needs built-in AES/DES: it must be disabled when
@@ -329,6 +368,7 @@
Note that the relationship between legacy (i.e. `MBEDTLS_xxx_C`) and PSA
(i.e. `PSA_WANT_xxx`) symbols is not always 1:1. For example:
+
- ECB mode is always enabled in the legacy configuration for each key type that
allows it (AES, ARIA, Camellia, DES), whereas it must be explicitly enabled
in PSA with `PSA_WANT_ALG_ECB_NO_PADDING`.
@@ -349,9 +389,12 @@
ECB mode (`PSA_WANT_ALG_ECB_NO_PADDING` + `MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING`)
together with desired key type(s) (`PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` +
`MBEDTLS_PSA_ACCEL_KEY_TYPE_[AES|ARIA|CAMELLIA]`).
+
In such configurations it is possible to:
+
- Use CCM and GCM via the PSA Crypto APIs.
-- Use CCM and GCM via legacy functions (`mbedtls_[ccm|gcm]_xxx()`).
+- Use CCM and GCM via legacy functions `mbedtls_[ccm|gcm]_xxx()` (but not the
+ legacy functions `mbedtls_cipher_xxx()`).
- Disable legacy key types (`MBEDTLS_[AES|ARIA|CAMELLIA]_C`) if there is no
other dependency requiring them.
@@ -362,6 +405,7 @@
The legacy CTR-DRBG module (enabled by `MBEDTLS_CTR_DRBG_C`) can also benefit
from PSA acceleration if both of the following conditions are met:
+
- The legacy AES module (`MBEDTLS_AES_C`) is not enabled and
- AES is supported on the PSA side together with ECB mode, i.e.
`PSA_WANT_KEY_TYPE_AES` + `PSA_WANT_ALG_ECB_NO_PADDING`.
@@ -370,6 +414,7 @@
It is possible to save code size by disabling MBEDTLS_CIPHER_C when all of the
following conditions are met:
+
- The application is not using the `mbedtls_cipher_` API.
- In PSA, all unauthenticated (that is, non-AEAD) ciphers are either disabled or
fully accelerated (that is, all compatible key types are accelerated too).
@@ -379,6 +424,7 @@
a driver.)
In such a build, everything will work as usual except for the following:
+
- Encryption/decryption functions from the PKCS5 and PKCS12 module will not be
available (only key derivation functions).
- Parsing of PKCS5- or PKCS12-encrypted keys in PK parse will fail.
diff --git a/docs/psa-transition.md b/docs/psa-transition.md
index 067ffaf..e89128c 100644
--- a/docs/psa-transition.md
+++ b/docs/psa-transition.md
@@ -443,6 +443,10 @@
| `MBEDTLS_MD_SHA3_384` | `PSA_ALG_SHA3_384` |
| `MBEDTLS_MD_SHA3_512` | `PSA_ALG_SHA3_512` |
+The following helper functions can be used to convert between the 2 types:
+- `mbedtls_md_psa_alg_from_type()` converts from legacy `mbedtls_md_type_t` to PSA's `psa_algorithm_t`.
+- `mbedtls_md_type_from_psa_alg()` converts from PSA's `psa_algorithm_t` to legacy `mbedtls_md_type_t`.
+
### MAC mechanism selection
PSA Crypto has a generic API with the same functions for all MAC mechanisms. The mechanism is determined by a combination of an algorithm value of type [`psa_algorithm_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac2e4d47f1300d73c2f829a6d99252d69) and a key type value of type [`psa_key_type_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga63fce6880ca5933b5d6baa257febf1f6).
@@ -725,7 +729,11 @@
An ECC key pair has the type [`PSA_KEY_TYPE_ECC_KEY_PAIR(curve)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga0b6f5d4d5037c54ffa850d8059c32df0) where `curve` is a curve family identifier. A key with this type can be used both for private-key and public-key operations (there is no separate key type for a private key without the corresponding public key).
You can always use a private key for operations on the corresponding public key (as long as the policy permits it).
-A curve is fully determined by a curve family identifier and the private key size in bits. The following table gives the correspondence between legacy and PSA elliptic curve designations.
+A curve is fully determined by a curve family identifier and the private key size in bits. You can use the following functions to convert between the PSA and legacy elliptic curve designations:
+- [`mbedtls_ecc_group_to_psa()`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__psa__tls__helpers/#group__psa__tls__helpers_1ga9c83c095adfec7da99401cf81e164f99) converts from the legacy curve type identifier to PSA curve family and bit-size.
+- [`mbedtls_ecc_group_from_psa()`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__psa__tls__helpers/#group__psa__tls__helpers_1ga6243eb619d5b2f5fe4667811adeb8a12) converts from PSA curve family and bit-size to the legacy identifier.
+
+The following table gives the correspondence between legacy and PSA elliptic curve designations.
| Mbed TLS legacy curve identifier | PSA curve family | Curve bit-size |
| -------------------------------- | ---------------- | -------------- |
diff --git a/docs/redirects.yaml b/docs/redirects.yaml
index 7ea1d95..969ffe4 100644
--- a/docs/redirects.yaml
+++ b/docs/redirects.yaml
@@ -7,5 +7,5 @@
# expose it.
- type: exact
- from_url: /projects/api/en/latest/$rest
- to_url: /projects/api/en/development/
+ from_url: /projects/api/en/latest/*
+ to_url: /projects/api/en/development/:splat
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index c391c59..17762d7 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -10,7 +10,7 @@
*/
/**
- * @mainpage Mbed TLS v3.5.1 API Documentation
+ * @mainpage Mbed TLS v3.5.2 API Documentation
*
* This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 89048f2..f2695a1 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
-PROJECT_NAME = "Mbed TLS v3.5.1"
+PROJECT_NAME = "Mbed TLS v3.5.2"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
@@ -6,7 +6,7 @@
EXTRACT_PRIVATE = YES
EXTRACT_STATIC = YES
CASE_SENSE_NAMES = NO
-INPUT = ../include input
+INPUT = ../include input ../tests/include/alt-dummy
FILE_PATTERNS = *.h
RECURSIVE = YES
EXCLUDE_SYMLINKS = YES
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 7a70e25..2f336ba 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -26,16 +26,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 3
#define MBEDTLS_VERSION_MINOR 5
-#define MBEDTLS_VERSION_PATCH 1
+#define MBEDTLS_VERSION_PATCH 2
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x03050100
-#define MBEDTLS_VERSION_STRING "3.5.1"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.1"
+#define MBEDTLS_VERSION_NUMBER 0x03050200
+#define MBEDTLS_VERSION_STRING "3.5.2"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.2"
/* Macros for build-time platform detection */
@@ -83,6 +83,14 @@
#endif
#endif
+#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
+ && !defined(__llvm__) && !defined(__INTEL_COMPILER)
+/* Defined if the compiler really is gcc and not clang, etc */
+#define MBEDTLS_COMPILER_IS_GCC
+#define MBEDTLS_GCC_VERSION \
+ (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
+#endif
+
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1
#endif
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 815b5bb..1dc31c9 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -678,7 +678,6 @@
static inline unsigned int mbedtls_cipher_get_block_size(
const mbedtls_cipher_context_t *ctx)
{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
return 0;
}
@@ -698,7 +697,6 @@
static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
const mbedtls_cipher_context_t *ctx)
{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, MBEDTLS_MODE_NONE);
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
return MBEDTLS_MODE_NONE;
}
@@ -719,7 +717,6 @@
static inline int mbedtls_cipher_get_iv_size(
const mbedtls_cipher_context_t *ctx)
{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
return 0;
}
@@ -743,8 +740,6 @@
static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
const mbedtls_cipher_context_t *ctx)
{
- MBEDTLS_INTERNAL_VALIDATE_RET(
- ctx != NULL, MBEDTLS_CIPHER_NONE);
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
return MBEDTLS_CIPHER_NONE;
}
@@ -764,7 +759,6 @@
static inline const char *mbedtls_cipher_get_name(
const mbedtls_cipher_context_t *ctx)
{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
return 0;
}
@@ -784,8 +778,6 @@
static inline int mbedtls_cipher_get_key_bitlen(
const mbedtls_cipher_context_t *ctx)
{
- MBEDTLS_INTERNAL_VALIDATE_RET(
- ctx != NULL, MBEDTLS_KEY_LENGTH_NONE);
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
return MBEDTLS_KEY_LENGTH_NONE;
}
@@ -805,8 +797,6 @@
static inline mbedtls_operation_t mbedtls_cipher_get_operation(
const mbedtls_cipher_context_t *ctx)
{
- MBEDTLS_INTERNAL_VALIDATE_RET(
- ctx != NULL, MBEDTLS_OPERATION_NONE);
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
return MBEDTLS_OPERATION_NONE;
}
diff --git a/include/mbedtls/config_adjust_ssl.h b/include/mbedtls/config_adjust_ssl.h
index 8415f3e..5dd331c 100644
--- a/include/mbedtls/config_adjust_ssl.h
+++ b/include/mbedtls/config_adjust_ssl.h
@@ -65,6 +65,7 @@
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
#undef MBEDTLS_SSL_EARLY_DATA
+#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h
index 922e5be..424ed4b 100644
--- a/include/mbedtls/debug.h
+++ b/include/mbedtls/debug.h
@@ -149,165 +149,8 @@
*/
void mbedtls_debug_set_threshold(int threshold);
-/**
- * \brief Print a message to the debug output. This function is always used
- * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
- * context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the message has occurred in
- * \param line line number the message has occurred at
- * \param format format specifier, in printf format
- * \param ... variables used by the format specifier
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
-
-/**
- * \brief Print the return value of a function to the debug output. This
- * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text the name of the function that returned the error
- * \param ret the return code value
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, int ret);
-
-/**
- * \brief Output a buffer of size len bytes to the debug output. This function
- * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the buffer being dumped. Normally the
- * variable or buffer name
- * \param buf the buffer to be outputted
- * \param len length of the buffer
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line, const char *text,
- const unsigned char *buf, size_t len);
-
-#if defined(MBEDTLS_BIGNUM_C)
-/**
- * \brief Print a MPI variable to the debug output. This function is always
- * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
- * ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the MPI being output. Normally the
- * variable name
- * \param X the MPI variable
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_mpi *X);
-#endif
-
-#if defined(MBEDTLS_ECP_LIGHT)
-/**
- * \brief Print an ECP point to the debug output. This function is always
- * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
- * ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the ECP point being output. Normally the
- * variable name
- * \param X the ECP point
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_ecp_point *X);
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
-/**
- * \brief Print a X.509 certificate structure to the debug output. This
- * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the certificate being output
- * \param crt X.509 certificate structure
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_x509_crt *crt);
-#endif
-
-/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function
- only works for the built-in implementation. */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \
- defined(MBEDTLS_ECDH_C)
-typedef enum {
- MBEDTLS_DEBUG_ECDH_Q,
- MBEDTLS_DEBUG_ECDH_QP,
- MBEDTLS_DEBUG_ECDH_Z,
-} mbedtls_debug_ecdh_attr;
-
-/**
- * \brief Print a field of the ECDH structure in the SSL context to the debug
- * output. This function is always used through the
- * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
- * and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param ecdh the ECDH context
- * \param attr the identifier of the attribute being output
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const mbedtls_ecdh_context *ecdh,
- mbedtls_debug_ecdh_attr attr);
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED &&
- MBEDTLS_ECDH_C */
-
#ifdef __cplusplus
}
#endif
-#endif /* debug.h */
+#endif /* MBEDTLS_DEBUG_H */
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 7f5e880..76aef32 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -1259,9 +1259,56 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
+/** \brief Set the public key in a key pair object.
+ *
+ * \note This function does not check that the point actually
+ * belongs to the given group. Call mbedtls_ecp_check_pubkey()
+ * on \p Q before calling this function to check that.
+ *
+ * \note This function does not check that the public key matches
+ * the private key that is already in \p key, if any.
+ * To check the consistency of the resulting key pair object,
+ * call mbedtls_ecp_check_pub_priv() after setting both
+ * the public key and the private key.
+ *
+ * \param grp_id The ECP group identifier.
+ * \param key The key pair object. It must be initialized.
+ * If its group has already been set, it must match \p grp_id.
+ * If its group has not been set, it will be set to \p grp_id.
+ * If the public key has already been set, it is overwritten.
+ * \param Q The public key to copy. This must be a point on the
+ * curve indicated by \p grp_id.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not
+ * match \p grp_id.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
+ * the group is not implemented.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
+ mbedtls_ecp_keypair *key,
+ const mbedtls_ecp_point *Q);
+
/**
* \brief This function reads an elliptic curve private key.
*
+ * \note This function does not set the public key in the
+ * key pair object. Without a public key, the key pair object
+ * cannot be used with operations that require the public key.
+ * Call mbedtls_ecp_keypair_calc_public() to set the public
+ * key from the private key. Alternatively, you can call
+ * mbedtls_ecp_set_public_key() to set the public key part,
+ * and then optionally mbedtls_ecp_check_pub_priv() to check
+ * that the private and public parts are consistent.
+ *
+ * \note If a public key has already been set in the key pair
+ * object, this function does not check that it is consistent
+ * with the private key. Call mbedtls_ecp_check_pub_priv()
+ * after setting both the public key and the private key
+ * to make that check.
+ *
* \param grp_id The ECP group identifier.
* \param key The destination key.
* \param buf The buffer containing the binary representation of the
@@ -1300,6 +1347,32 @@
unsigned char *buf, size_t buflen);
/**
+ * \brief This function exports an elliptic curve public key.
+ *
+ * \param key The public key.
+ * \param format The point format. This must be either
+ * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * (For groups without these formats, this parameter is
+ * ignored. But it still has to be either of the above
+ * values.)
+ * \param olen The address at which to store the length of
+ * the output in Bytes. This must not be \c NULL.
+ * \param buf The output buffer. This must be a writable buffer
+ * of length \p buflen Bytes.
+ * \param buflen The length of the output buffer \p buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ * is too small to hold the point.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ * or the export for the given group is not implemented.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen);
+
+/**
* \brief This function checks that the keypair objects
* \p pub and \p prv have the same group and the
* same public point, and that the private key in
@@ -1323,16 +1396,48 @@
const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+/** \brief Calculate the public key from a private key in a key pair.
+ *
+ * \param key A keypair structure. It must have a private key set.
+ * If the public key is set, it will be overwritten.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
+ * NULL if \p f_rng doesn't need a context.
+ *
+ * \return \c 0 on success. The key pair object can be used for
+ * operations that require the public key.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
+ * error code on calculation failure.
+ */
+int mbedtls_ecp_keypair_calc_public(
+ mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/** \brief Query the group that a key pair belongs to.
+ *
+ * \param key The key pair to query.
+ *
+ * \return The group ID for the group registered in the key pair
+ * object.
+ * This is \c MBEDTLS_ECP_DP_NONE if no group has been set
+ * in the key pair object.
+ */
+mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
+ const mbedtls_ecp_keypair *key);
+
/**
* \brief This function exports generic key-pair parameters.
*
+ * Each of the output parameters can be a null pointer
+ * if you do not need that parameter.
+ *
* \param key The key pair to export from.
* \param grp Slot for exported ECP group.
- * It must point to an initialized ECP group.
+ * It must either be null or point to an initialized ECP group.
* \param d Slot for the exported secret value.
- * It must point to an initialized mpi.
+ * It must either be null or point to an initialized mpi.
* \param Q Slot for the exported public value.
- * It must point to an initialized ECP point.
+ * It must either be null or point to an initialized ECP point.
*
* \return \c 0 on success,
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 27768bd..66f3901 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -28,7 +28,7 @@
#include "mbedtls/ecdsa.h"
#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include "psa/crypto.h"
#endif
@@ -253,6 +253,8 @@
* inside the ecp_keypair structure
* - the following fields are used for all public key operations: signature
* verify, key pair check and key write.
+ * - For a key pair, priv_id contains the private key. For a public key,
+ * priv_id is null.
* Of course, when MBEDTLS_PK_USE_PSA_EC_DATA is not enabled, the legacy
* ecp_keypair structure is used for storing the public key and performing
* all the operations.
@@ -484,6 +486,121 @@
psa_key_usage_t usage);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+/**
+ * \brief Determine valid PSA attributes that can be used to
+ * import a key into PSA.
+ *
+ * The attributes determined by this function are suitable
+ * for calling mbedtls_pk_import_into_psa() to create
+ * a PSA key with the same key material.
+ *
+ * The typical flow of operations involving this function is
+ * ```
+ * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ * int ret = mbedtls_pk_get_psa_attributes(pk, &attributes);
+ * if (ret != 0) ...; // error handling omitted
+ * // Tweak attributes if desired
+ * psa_key_id_t key_id = 0;
+ * ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id);
+ * if (ret != 0) ...; // error handling omitted
+ * ```
+ *
+ * \note This function does not support RSA-alt contexts
+ * (set up with mbedtls_pk_setup_rsa_alt()).
+ *
+ * \param[in] pk The PK context to use. It must have been set up.
+ * It can either contain a key pair or just a public key.
+ * \param usage A single `PSA_KEY_USAGE_xxx` flag among the following:
+ * - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type, and the usage policy will allow
+ * #PSA_KEY_USAGE_ENCRYPT as well as
+ * #PSA_KEY_USAGE_DECRYPT.
+ * - #PSA_KEY_USAGE_DERIVE: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type.
+ * - #PSA_KEY_USAGE_ENCRYPT: The output
+ * \p attributes will contain a public key type.
+ * - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type, and the usage policy will allow
+ * #PSA_KEY_USAGE_VERIFY_HASH as well as
+ * #PSA_KEY_USAGE_SIGN_HASH.
+ * - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type, and the usage policy will allow
+ * #PSA_KEY_USAGE_VERIFY_MESSAGE as well as
+ * #PSA_KEY_USAGE_SIGN_MESSAGE.
+ * - #PSA_KEY_USAGE_VERIFY_HASH: The output
+ * \p attributes will contain a public key type.
+ * - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output
+ * \p attributes will contain a public key type.
+ * \param[out] attributes
+ * On success, valid attributes to import the key into PSA.
+ * - The lifetime and key identifier are unchanged. If the
+ * attribute structure was initialized or reset before
+ * calling this function, this will result in a volatile
+ * key. Call psa_set_key_identifier() before or after this
+ * function if you wish to create a persistent key. Call
+ * psa_set_key_lifetime() before or after this function if
+ * you wish to import the key in a secure element.
+ * - The key type and bit-size are determined by the contents
+ * of the PK context. If the PK context contains a key
+ * pair, the key type can be either a key pair type or
+ * the corresponding public key type, depending on
+ * \p usage. If the PK context contains a public key,
+ * the key type is a public key type.
+ * - The key's policy is determined by the key type and
+ * the \p usage parameter. The usage always allows
+ * \p usage, exporting and copying the key, and
+ * possibly other permissions as documented for the
+ * \p usage parameter.
+ * The permitted algorithm policy is determined as follows
+ * based on the #mbedtls_pk_type_t type of \p pk,
+ * the chosen \p usage and other factors:
+ * - #MBEDTLS_PK_RSA whose underlying
+ * #mbedtls_rsa_context has the padding mode
+ * #MBEDTLS_RSA_PKCS_V15:
+ * #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH)
+ * if \p usage is SIGN/VERIFY, and
+ * #PSA_ALG_RSA_PKCS1V15_CRYPT
+ * if \p usage is ENCRYPT/DECRYPT.
+ * - #MBEDTLS_PK_RSA whose underlying
+ * #mbedtls_rsa_context has the padding mode
+ * #MBEDTLS_RSA_PKCS_V21 and the digest type
+ * corresponding to the PSA algorithm \c hash:
+ * #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH)
+ * if \p usage is SIGN/VERIFY, and
+ * #PSA_ALG_RSA_OAEP(\c hash)
+ * if \p usage is ENCRYPT/DECRYPT.
+ * - #MBEDTLS_PK_RSA_ALT: not supported.
+ * - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY
+ * if \p usage is SIGN/VERIFY:
+ * #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH)
+ * if #MBEDTLS_ECDSA_DETERMINISTIC is enabled,
+ * otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH).
+ * - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY
+ * if \p usage is DERIVE:
+ * #PSA_ALG_ECDH.
+ * - #MBEDTLS_PK_OPAQUE: same as the primary algorithm
+ * set for the underlying PSA key, except that
+ * sign/decrypt flags are removed if the type is
+ * set to a public key type.
+ * The underlying key must allow \p usage.
+ * Note that the enrollment algorithm set with
+ * psa_set_key_enrollment_algorithm() is not copied.
+ *
+ * \return 0 on success.
+ * #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain
+ * a key of the type identified in \p attributes.
+ * Another error code on other failures.
+ */
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_t usage,
+ psa_key_attributes_t *attributes);
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
/**
* \brief Verify signature (including padding if relevant).
*
@@ -1042,14 +1159,6 @@
const mbedtls_pk_context *key);
#endif /* MBEDTLS_PK_WRITE_C */
-/*
- * Internal module functions. You probably do not want to use these unless you
- * know you do.
- */
-#if defined(MBEDTLS_FS_IO)
-int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
-#endif
-
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/**
* \brief Turn an EC or RSA key into an opaque one.
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 70b25a9..e9b4822 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -41,7 +41,6 @@
#include "mbedtls/build_info.h"
#include "mbedtls/asn1.h"
-#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
/**
diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h
index cba02ab..1b371ef 100644
--- a/include/mbedtls/platform_util.h
+++ b/include/mbedtls/platform_util.h
@@ -23,10 +23,6 @@
extern "C" {
#endif
-/* Internal macros meant to be called only from within the library. */
-#define MBEDTLS_INTERNAL_VALIDATE_RET(cond, ret) do { } while (0)
-#define MBEDTLS_INTERNAL_VALIDATE(cond) do { } while (0)
-
/* Internal helper macros for deprecating API constants. */
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
index 5f6a053..47724c6 100644
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@@ -110,44 +110,72 @@
/** Convert an ECC curve identifier from the Mbed TLS encoding to PSA.
*
- * \note This function is provided solely for the convenience of
- * Mbed TLS and may be removed at any time without notice.
- *
* \param grpid An Mbed TLS elliptic curve identifier
* (`MBEDTLS_ECP_DP_xxx`).
- * \param[out] bits On success, the bit size of the curve.
+ * \param[out] bits On success the bit size of the curve; 0 on failure.
*
- * \return The corresponding PSA elliptic curve identifier
- * (`PSA_ECC_FAMILY_xxx`).
- * \return \c 0 on failure (\p grpid is not recognized).
+ * \return If the curve is supported in the PSA API, this function
+ * returns the proper PSA curve identifier
+ * (`PSA_ECC_FAMILY_xxx`). This holds even if the curve is
+ * not supported by the ECP module.
+ * \return \c 0 if the curve is not supported in the PSA API.
*/
psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
size_t *bits);
/** Convert an ECC curve identifier from the PSA encoding to Mbed TLS.
*
- * \note This function is provided solely for the convenience of
- * Mbed TLS and may be removed at any time without notice.
- *
- * \param curve A PSA elliptic curve identifier
+ * \param family A PSA elliptic curve family identifier
* (`PSA_ECC_FAMILY_xxx`).
* \param bits The bit-length of a private key on \p curve.
- * \param bits_is_sloppy If true, \p bits may be the bit-length rounded up
- * to the nearest multiple of 8. This allows the caller
- * to infer the exact curve from the length of a key
- * which is supplied as a byte string.
*
- * \return The corresponding Mbed TLS elliptic curve identifier
- * (`MBEDTLS_ECP_DP_xxx`).
- * \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized.
- * \return #MBEDTLS_ECP_DP_NONE if \p bits is not
- * correct for \p curve.
+ * \return If the curve is supported in the PSA API, this function
+ * returns the corresponding Mbed TLS elliptic curve
+ * identifier (`MBEDTLS_ECP_DP_xxx`).
+ * \return #MBEDTLS_ECP_DP_NONE if the combination of \c curve
+ * and \p bits is not supported.
*/
-mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
- size_t bits,
- int bits_is_sloppy);
+mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
+ size_t bits);
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+/**
+ * \brief This function returns the PSA algorithm identifier
+ * associated with the given digest type.
+ *
+ * \param md_type The type of digest to search for. Must not be NONE.
+ *
+ * \warning If \p md_type is \c MBEDTLS_MD_NONE, this function will
+ * not return \c PSA_ALG_NONE, but an invalid algorithm.
+ *
+ * \warning This function does not check if the algorithm is
+ * supported, it always returns the corresponding identifier.
+ *
+ * \return The PSA algorithm identifier associated with \p md_type,
+ * regardless of whether it is supported or not.
+ */
+static inline psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type)
+{
+ return PSA_ALG_CATEGORY_HASH | (psa_algorithm_t) md_type;
+}
+
+/**
+ * \brief This function returns the given digest type
+ * associated with the PSA algorithm identifier.
+ *
+ * \param psa_alg The PSA algorithm identifier to search for.
+ *
+ * \warning This function does not check if the algorithm is
+ * supported, it always returns the corresponding identifier.
+ *
+ * \return The MD type associated with \p psa_alg,
+ * regardless of whether it is supported or not.
+ */
+static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg)
+{
+ return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK);
+}
+
/**@}*/
#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index e5e172f..9136375 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -684,6 +684,10 @@
* It is the generic wrapper for performing a PKCS#1 decryption
* operation.
*
+ * \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15,
+ * mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an
+ * inherently dangerous function (CWE-242).
+ *
* \note The output buffer length \c output_max_len should be
* as large as the size \p ctx->len of \p ctx->N (for example,
* 128 Bytes if RSA-1024 is used) to be able to hold an
@@ -720,6 +724,11 @@
* \brief This function performs a PKCS#1 v1.5 decryption
* operation (RSAES-PKCS1-v1_5-DECRYPT).
*
+ * \warning This is an inherently dangerous function (CWE-242). Unless
+ * it is used in a side channel free and safe way (eg.
+ * implementing the TLS protocol as per 7.4.7.1 of RFC 5246),
+ * the calling code is vulnerable.
+ *
* \note The output buffer length \c output_max_len should be
* as large as the size \p ctx->len of \p ctx->N, for example,
* 128 Bytes if RSA-1024 is used, to be able to hold an
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 3192e2a..e0cd79d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -90,8 +90,18 @@
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00
/** Not possible to read early data */
#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80
+/**
+ * Early data has been received as part of an on-going handshake.
+ * This error code can be returned only on server side if and only if early
+ * data has been enabled by means of the mbedtls_ssl_conf_early_data() API.
+ * This error code can then be returned by mbedtls_ssl_handshake(),
+ * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write() if
+ * early data has been received as part of the handshake sequence they
+ * triggered. To read the early data, call mbedtls_ssl_read_early_data().
+ */
+#define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C00
/** Not possible to write early data */
-#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C00
+#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C80
/* Error space gap */
/* Error space gap */
/* Error space gap */
@@ -343,6 +353,26 @@
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN 1000
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX 60000
+/*
+ * Whether early data record should be discarded or not and how.
+ *
+ * The client has indicated early data and the server has rejected them.
+ * The server has then to skip past early data by either:
+ * - attempting to deprotect received records using the handshake traffic
+ * key, discarding records which fail deprotection (up to the configured
+ * max_early_data_size). Once a record is deprotected successfully,
+ * it is treated as the start of the client's second flight and the
+ * server proceeds as with an ordinary 1-RTT handshake.
+ * - skipping all records with an external content type of
+ * "application_data" (indicating that they are encrypted), up to the
+ * configured max_early_data_size. This is the expected behavior if the
+ * server has sent an HelloRetryRequest message. The server ignores
+ * application data message before 2nd ClientHello.
+ */
+#define MBEDTLS_SSL_EARLY_DATA_NO_DISCARD 0
+#define MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1
+#define MBEDTLS_SSL_EARLY_DATA_DISCARD 2
+
/**
* \name SECTION: Module settings
*
@@ -447,7 +477,7 @@
/*
* TLS 1.3 signature algorithms
- * RFC 8446, Section 4.2.2
+ * RFC 8446, Section 4.2.3
*/
/* RSASSA-PKCS1-v1_5 algorithms */
@@ -1644,6 +1674,18 @@
*/
mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version);
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+ /**
+ * Status of the negotiation of the use of early data.
+ * See the documentation of mbedtls_ssl_get_early_data_status() for more
+ * information.
+ *
+ * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT when the context is
+ * reset.
+ */
+ int MBEDTLS_PRIVATE(early_data_status);
+#endif
+
unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -1760,6 +1802,16 @@
* within a single datagram. */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * One of:
+ * MBEDTLS_SSL_EARLY_DATA_NO_DISCARD
+ * MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD
+ * MBEDTLS_SSL_EARLY_DATA_DISCARD
+ */
+ uint8_t MBEDTLS_PRIVATE(discard_early_data_record);
+#endif
+
/*
* Record layer (outgoing data)
*/
@@ -1841,10 +1893,6 @@
* and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- int MBEDTLS_PRIVATE(early_data_status);
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
-
/** Callback to export key block and master secret */
mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
@@ -1993,7 +2041,7 @@
*/
void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode);
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
/**
* \brief Set the early data mode
* Default: disabled on server and client
@@ -2001,14 +2049,24 @@
* \param conf The SSL configuration to use.
* \param early_data_enabled can be:
*
- * MBEDTLS_SSL_EARLY_DATA_DISABLED: early data functionality is disabled
- * This is the default on client and server.
+ * MBEDTLS_SSL_EARLY_DATA_DISABLED:
+ * Early data functionality is disabled. This is the default on client and
+ * server.
*
- * MBEDTLS_SSL_EARLY_DATA_ENABLED: early data functionality is enabled and
- * may be negotiated in the handshake. Application using
- * early data functionality needs to be aware of the
- * lack of replay protection of the early data application
- * payloads.
+ * MBEDTLS_SSL_EARLY_DATA_ENABLED:
+ * Early data functionality is enabled and may be negotiated in the handshake.
+ * Application using early data functionality needs to be aware that the
+ * security properties for early data (also refered to as 0-RTT data) are
+ * weaker than those for other kinds of TLS data. See the documentation of
+ * mbedtls_ssl_write_early_data() and mbedtls_ssl_read_early_data() for more
+ * information.
+ * When early data functionality is enabled on server and only in that case,
+ * the call to one of the APIs that trigger or resume an handshake sequence,
+ * namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
+ * mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code
+ * MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have
+ * been received. To read the early data, call mbedtls_ssl_read_early_data()
+ * before calling the original function again.
*
* \warning This interface is experimental and may change without notice.
*
@@ -2048,7 +2106,7 @@
mbedtls_ssl_config *conf, uint32_t max_early_data_size);
#endif /* MBEDTLS_SSL_SRV_C */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */
+#endif /* MBEDTLS_SSL_EARLY_DATA */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
@@ -3756,6 +3814,8 @@
* used for certificate signature are controlled by the
* verification profile, see \c mbedtls_ssl_conf_cert_profile().
*
+ * \deprecated Superseded by mbedtls_ssl_conf_sig_algs().
+ *
* \note This list should be ordered by decreasing preference
* (preferred hash first).
*
@@ -3780,13 +3840,16 @@
#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
/**
- * \brief Configure allowed signature algorithms for use in TLS 1.3
+ * \brief Configure allowed signature algorithms for use in TLS
*
* \param conf The SSL configuration to use.
* \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms,
- * terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain
- * available throughout the lifetime of the conf object. Supported
- * values are available as \c MBEDTLS_TLS1_3_SIG_XXXX
+ * terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain
+ * available throughout the lifetime of the conf object.
+ * - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be
+ * used.
+ * - For TLS 1.2, values should be given as
+ * "(HashAlgorithm << 8) | SignatureAlgorithm".
*/
void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
const uint16_t *sig_algs);
@@ -4728,6 +4791,13 @@
* \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
* and the client did not demonstrate reachability yet - in
* this case you must stop using the context (see below).
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4736,7 +4806,8 @@
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -4805,8 +4876,9 @@
*
* \warning If this function returns something other than \c 0,
* #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
- * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using
* the SSL context for reading or writing, and either free it
* or call \c mbedtls_ssl_session_reset() on it before
* re-using it for a new connection; the current connection
@@ -4874,6 +4946,13 @@
* \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
* side of a DTLS connection and the client is initiating a
* new connection using the same source port. See below.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4882,8 +4961,9 @@
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -4948,6 +5028,13 @@
* operation is in progress (see mbedtls_ecp_set_max_ops()) -
* in this case you must call this function again to complete
* the handshake when you're done attending other tasks.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4955,8 +5042,9 @@
* a non-negative value,
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
- * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -5024,48 +5112,46 @@
#if defined(MBEDTLS_SSL_SRV_C)
/**
- * \brief Read at most 'len' application data bytes while performing
- * the handshake (early data).
+ * \brief Read at most 'len' bytes of early data
*
- * \note This function behaves mainly as mbedtls_ssl_read(). The
- * specification of mbedtls_ssl_read() relevant to TLS 1.3
- * (thus not the parts specific to (D)TLS 1.2) applies to this
- * function and the present documentation is restricted to the
- * differences with mbedtls_ssl_read().
+ * \note This API is server specific.
*
- * \param ssl SSL context
+ * \warning Early data is defined in the TLS 1.3 specification, RFC 8446.
+ * IMPORTANT NOTE from section 2.3 of the specification:
+ *
+ * The security properties for 0-RTT data are weaker than
+ * those for other kinds of TLS data. Specifically:
+ * - This data is not forward secret, as it is encrypted
+ * solely under keys derived using the offered PSK.
+ * - There are no guarantees of non-replay between connections.
+ * Protection against replay for ordinary TLS 1.3 1-RTT data
+ * is provided via the server's Random value, but 0-RTT data
+ * does not depend on the ServerHello and therefore has
+ * weaker guarantees. This is especially relevant if the
+ * data is authenticated either with TLS client
+ * authentication or inside the application protocol. The
+ * same warnings apply to any use of the
+ * early_exporter_master_secret.
+ *
+ * \note This function is used in conjunction with
+ * mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
+ * mbedtls_ssl_read() and mbedtls_ssl_write() to read early
+ * data when these functions return
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA.
+ *
+ * \param ssl SSL context, it must have been initialized and set up.
* \param buf buffer that will hold the data
* \param len maximum number of bytes to read
*
- * \return One additional specific return value:
- * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA.
- *
- * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA is returned when it
- * is not possible to read early data for the SSL context
- * \p ssl.
- *
- * It may have been possible and it is not possible
- * anymore because the server received the End of Early Data
- * message or the maximum number of allowed early data for the
- * PSK in use has been reached.
- *
- * It may never have been possible and will never be possible
- * for the SSL context \p ssl because the use of early data
- * is disabled for that context or more generally the context
- * is not suitably configured to enable early data or the
- * client does not use early data or the first call to the
- * function was done while the handshake was already too
- * advanced to gather and accept early data.
- *
- * It is not possible to read early data for the SSL context
- * \p ssl but this does not preclude for using it with
- * mbedtls_ssl_write(), mbedtls_ssl_read() or
- * mbedtls_ssl_handshake().
- *
- * \note When a server wants to retrieve early data, it is expected
- * that this function starts the handshake for the SSL context
- * \p ssl. But this is not mandatory.
- *
+ * \return The (positive) number of bytes read if successful.
+ * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ * \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not
+ * possible to read early data for the SSL context \p ssl. Note
+ * that this function is intended to be called for an SSL
+ * context \p ssl only after a call to mbedtls_ssl_handshake(),
+ * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or
+ * mbedtls_ssl_write() for \p ssl that has returned
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA.
*/
int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
unsigned char *buf, size_t len);
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index 8cecbb6..f755ef3 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -463,18 +463,6 @@
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(const char *ciphersuite_name);
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite_id);
-#if defined(MBEDTLS_PK_C)
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
-psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
-#endif
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
-#endif
-
-int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);
-int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
-
static inline const char *mbedtls_ssl_ciphersuite_get_name(const mbedtls_ssl_ciphersuite_t *info)
{
return info->MBEDTLS_PRIVATE(name);
@@ -482,133 +470,6 @@
size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info);
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_PSK:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
-
-static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return 1;
-
- default:
- return 0;
- }
-}
-
-static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return 1;
-
- default:
- return 0;
- }
-}
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
- const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
-
#ifdef __cplusplus
}
#endif
diff --git a/include/mbedtls/threading.h b/include/mbedtls/threading.h
index b504233..b4e0502 100644
--- a/include/mbedtls/threading.h
+++ b/include/mbedtls/threading.h
@@ -100,6 +100,20 @@
extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+/*
+ * A mutex used to make the PSA subsystem thread safe.
+ *
+ * key_slot_mutex protects the registered_readers and
+ * state variable for all key slots in &global_data.key_slots.
+ *
+ * This mutex must be held when any read from or write to a state or
+ * registered_readers field is performed, i.e. when calling functions:
+ * psa_key_slot_state_transition(), psa_register_read(), psa_unregister_read(),
+ * psa_key_slot_has_readers() and psa_wipe_key_slot(). */
+extern mbedtls_threading_mutex_t mbedtls_threading_key_slot_mutex;
+#endif
+
#endif /* MBEDTLS_THREADING_C */
#ifdef __cplusplus
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index e2e0667..be63612 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -307,6 +307,7 @@
mbedtls_x509_san_list;
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
+/** \} addtogroup x509_module */
/**
* \brief Store the certificate DN in printable form into buf;
@@ -321,201 +322,7 @@
*/
int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn);
-/**
- * \brief Return the next relative DN in an X509 name.
- *
- * \note Intended use is to compare function result to dn->next
- * in order to detect boundaries of multi-valued RDNs.
- *
- * \param dn Current node in the X509 name
- *
- * \return Pointer to the first attribute-value pair of the
- * next RDN in sequence, or NULL if end is reached.
- */
-static inline mbedtls_x509_name *mbedtls_x509_dn_get_next(
- mbedtls_x509_name *dn)
-{
- while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) {
- dn = dn->next;
- }
- return dn->next;
-}
-
-/**
- * \brief Store the certificate serial in printable form into buf;
- * no more than size characters will be written.
- *
- * \param buf Buffer to write to
- * \param size Maximum size of buffer
- * \param serial The X509 serial to represent
- *
- * \return The length of the string written (not including the
- * terminated nul byte), or a negative error code.
- */
-int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial);
-
-/**
- * \brief Compare pair of mbedtls_x509_time.
- *
- * \param t1 mbedtls_x509_time to compare
- * \param t2 mbedtls_x509_time to compare
- *
- * \return < 0 if t1 is before t2
- * 0 if t1 equals t2
- * > 0 if t1 is after t2
- */
-int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2);
-
-#if defined(MBEDTLS_HAVE_TIME_DATE)
-/**
- * \brief Fill mbedtls_x509_time with provided mbedtls_time_t.
- *
- * \param tt mbedtls_time_t to convert
- * \param now mbedtls_x509_time to fill with converted mbedtls_time_t
- *
- * \return \c 0 on success
- * \return A non-zero return value on failure.
- */
-int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now);
-#endif /* MBEDTLS_HAVE_TIME_DATE */
-
-/**
- * \brief Check a given mbedtls_x509_time against the system time
- * and tell if it's in the past.
- *
- * \note Intended usage is "if( is_past( valid_to ) ) ERROR".
- * Hence the return value of 1 if on internal errors.
- *
- * \param to mbedtls_x509_time to check
- *
- * \return 1 if the given time is in the past or an error occurred,
- * 0 otherwise.
- */
-int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
-
-/**
- * \brief Check a given mbedtls_x509_time against the system time
- * and tell if it's in the future.
- *
- * \note Intended usage is "if( is_future( valid_from ) ) ERROR".
- * Hence the return value of 1 if on internal errors.
- *
- * \param from mbedtls_x509_time to check
- *
- * \return 1 if the given time is in the future or an error occurred,
- * 0 otherwise.
- */
-int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
-
-/**
- * \brief This function parses an item in the SubjectAlternativeNames
- * extension. Please note that this function might allocate
- * additional memory for a subject alternative name, thus
- * mbedtls_x509_free_subject_alt_name has to be called
- * to dispose of this additional memory afterwards.
- *
- * \param san_buf The buffer holding the raw data item of the subject
- * alternative name.
- * \param san The target structure to populate with the parsed presentation
- * of the subject alternative name encoded in \p san_buf.
- *
- * \note Supported GeneralName types, as defined in RFC 5280:
- * "rfc822Name", "dnsName", "directoryName",
- * "uniformResourceIdentifier" and "hardware_module_name"
- * of type "otherName", as defined in RFC 4108.
- *
- * \note This function should be called on a single raw data of
- * subject alternative name. For example, after successful
- * certificate parsing, one must iterate on every item in the
- * \c crt->subject_alt_names sequence, and pass it to
- * this function.
- *
- * \warning The target structure contains pointers to the raw data of the
- * parsed certificate, and its lifetime is restricted by the
- * lifetime of the certificate.
- *
- * \return \c 0 on success
- * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
- * SAN type.
- * \return Another negative value for any other failure.
- */
-int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
- mbedtls_x509_subject_alternative_name *san);
-/**
- * \brief Unallocate all data related to subject alternative name
- *
- * \param san SAN structure - extra memory owned by this structure will be freed
- */
-void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san);
-
-/** \} addtogroup x509_module */
-
-/*
- * Internal module functions. You probably do not want to use these unless you
- * know you do.
- */
-int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
- mbedtls_x509_name *cur);
-int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *alg);
-int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *alg, mbedtls_x509_buf *params);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
- mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
- int *salt_len);
-#endif
-int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
-int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
- void **sig_opts);
-int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
- mbedtls_x509_time *t);
-int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *serial);
-int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *ext, int tag);
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
- mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
- const void *sig_opts);
-#endif
-int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name);
-int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
- int critical, const unsigned char *val,
- size_t val_len);
-int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
- mbedtls_asn1_named_data *first);
-int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
- mbedtls_asn1_named_data *first);
-int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
- const char *oid, size_t oid_len,
- unsigned char *sig, size_t size,
- mbedtls_pk_type_t pk_alg);
-int mbedtls_x509_get_ns_cert_type(unsigned char **p,
- const unsigned char *end,
- unsigned char *ns_cert_type);
-int mbedtls_x509_get_key_usage(unsigned char **p,
- const unsigned char *end,
- unsigned int *key_usage);
-int mbedtls_x509_get_subject_alt_name(unsigned char **p,
- const unsigned char *end,
- mbedtls_x509_sequence *subject_alt_name);
-int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
- const unsigned char *end,
- mbedtls_x509_sequence *subject_alt_name);
-int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
- const mbedtls_x509_sequence
- *subject_alt_name,
- const char *prefix);
-int mbedtls_x509_info_cert_type(char **buf, size_t *size,
- unsigned char ns_cert_type);
-int mbedtls_x509_info_key_usage(char **buf, size_t *size,
- unsigned int key_usage);
-
-int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
- const mbedtls_x509_san_list *san_list);
/**
* \brief This function parses a CN string as an IP address.
@@ -547,4 +354,4 @@
}
#endif
-#endif /* x509.h */
+#endif /* MBEDTLS_X509_H */
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 3a19618..ca264e3 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -239,18 +239,28 @@
psa_key_type_t MBEDTLS_PRIVATE(type);
psa_key_bits_t MBEDTLS_PRIVATE(bits);
psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime);
- mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id);
psa_key_policy_t MBEDTLS_PRIVATE(policy);
psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags);
+ /* This type has a different layout in the client view wrt the
+ * service view of the key id, i.e. in service view usually is
+ * expected to have MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined
+ * thus adding an owner field to the standard psa_key_id_t. For
+ * implementations with client/service separation, this means the
+ * object will be marshalled through a transport channel and
+ * interpreted differently at each side of the transport. Placing
+ * it at the end of structures allows to interpret the structure
+ * at the client without reorganizing the memory layout of the
+ * struct
+ */
+ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id);
} psa_core_key_attributes_t;
#define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0, \
PSA_KEY_LIFETIME_VOLATILE, \
- MBEDTLS_SVC_KEY_ID_INIT, \
- PSA_KEY_POLICY_INIT, 0 }
+ PSA_KEY_POLICY_INIT, 0, \
+ MBEDTLS_SVC_KEY_ID_INIT }
struct psa_key_attributes_s {
- psa_core_key_attributes_t MBEDTLS_PRIVATE(core);
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number);
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
@@ -268,12 +278,19 @@
*/
void *MBEDTLS_PRIVATE(domain_parameters);
size_t MBEDTLS_PRIVATE(domain_parameters_size);
+ /* With client/service separation, struct psa_key_attributes_s is
+ * marshalled through a transport channel between the client and
+ * service side implementation of the PSA Crypto APIs, thus having
+ * the mbedtls_svc_key_id_t id as the last field of this structure
+ * allows for a more efficient marshalling/unmarshalling of parameters
+ */
+ psa_core_key_attributes_t MBEDTLS_PRIVATE(core);
};
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0 }
+#define PSA_KEY_ATTRIBUTES_INIT { 0, NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT }
#else
-#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0 }
+#define PSA_KEY_ATTRIBUTES_INIT { NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT }
#endif
static inline struct psa_key_attributes_s psa_key_attributes_init(void)
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 8d30bf0..f311acb 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -279,6 +279,11 @@
* to read from a resource. */
#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
+/** This can be returned if a function can no longer operate correctly.
+ * For example, if an essential initialization operation failed or
+ * a mutex operation failed. */
+#define PSA_ERROR_SERVICE_FAILURE ((psa_status_t)-144)
+
/** The key identifier is not valid. See also :ref:\`key-handles\`.
*/
#define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
@@ -1751,6 +1756,13 @@
0)
/** RSA PKCS#1 v1.5 encryption.
+ *
+ * \warning Calling psa_asymmetric_decrypt() with this algorithm as a
+ * parameter is considered an inherently dangerous function
+ * (CWE-242). Unless it is used in a side channel free and safe
+ * way (eg. implementing the TLS protocol as per 7.4.7.1 of
+ * RFC 5246), the calling code is vulnerable.
+ *
*/
#define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t) 0x07000200)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 5c297e0..b6ea73e 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -297,7 +297,7 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.1 SOVERSION 15)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.2 SOVERSION 15)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET ${everest_target})
@@ -309,11 +309,11 @@
endif()
add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.1 SOVERSION 6)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.2 SOVERSION 6)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.1 SOVERSION 20)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.2 SOVERSION 20)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/library/aes.c b/library/aes.c
index f4b9739..b1a5c3e 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -53,6 +53,7 @@
#endif
#include "mbedtls/platform.h"
+#include "ctr.h"
/*
* This is a convenience shorthand macro to check if we need reverse S-box and
@@ -1441,36 +1442,38 @@
const unsigned char *input,
unsigned char *output)
{
- int c, i;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
- n = *nc_off;
+ size_t offset = *nc_off;
- if (n > 0x0F) {
+ if (offset > 0x0F) {
return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
}
- while (length--) {
- if (n == 0) {
+ for (size_t i = 0; i < length;) {
+ size_t n = 16;
+ if (offset == 0) {
ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
if (ret != 0) {
goto exit;
}
-
- for (i = 16; i > 0; i--) {
- if (++nonce_counter[i - 1] != 0) {
- break;
- }
- }
+ mbedtls_ctr_increment_counter(nonce_counter);
+ } else {
+ n -= offset;
}
- c = *input++;
- *output++ = (unsigned char) (c ^ stream_block[n]);
- n = (n + 1) & 0x0F;
+ if (n > (length - i)) {
+ n = (length - i);
+ }
+ mbedtls_xor(&output[i], &input[i], &stream_block[offset], n);
+ // offset might be non-zero for the last block, but in that case, we don't use it again
+ offset = 0;
+ i += n;
}
- *nc_off = n;
+ // capture offset for future resumption
+ *nc_off = (*nc_off + length) % 16;
+
ret = 0;
exit:
diff --git a/library/alignment.h b/library/alignment.h
index 9e1e044..248f29b 100644
--- a/library/alignment.h
+++ b/library/alignment.h
@@ -37,6 +37,52 @@
#define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS
#endif
+#if defined(__IAR_SYSTEMS_ICC__) && \
+ (defined(MBEDTLS_ARCH_IS_ARM64) || defined(MBEDTLS_ARCH_IS_ARM32) \
+ || defined(__ICCRX__) || defined(__ICCRL78__) || defined(__ICCRISCV__))
+#pragma language=save
+#pragma language=extended
+#define MBEDTLS_POP_IAR_LANGUAGE_PRAGMA
+/* IAR recommend this technique for accessing unaligned data in
+ * https://www.iar.com/knowledge/support/technical-notes/compiler/accessing-unaligned-data
+ * This results in a single load / store instruction (if unaligned access is supported).
+ * According to that document, this is only supported on certain architectures.
+ */
+ #define UINT_UNALIGNED
+typedef uint16_t __packed mbedtls_uint16_unaligned_t;
+typedef uint32_t __packed mbedtls_uint32_unaligned_t;
+typedef uint64_t __packed mbedtls_uint64_unaligned_t;
+#elif defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 40504) && \
+ ((MBEDTLS_GCC_VERSION < 90300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)))
+/*
+ * Old versions of gcc, depending on how the target is specified, may generate a branch to memcpy
+ * for calls like `memcpy(dest, src, 4)` rather than generating some LDR or LDRB instructions
+ * (similar for stores).
+ * Recent versions where unaligned access is not enabled also do this.
+ *
+ * For performance (and code size, in some cases), we want to avoid the branch and just generate
+ * some inline load/store instructions since the access is small and constant-size.
+ *
+ * The manual states:
+ * "The aligned attribute specifies a minimum alignment for the variable or structure field,
+ * measured in bytes."
+ * https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html
+ *
+ * Tested with several versions of GCC from 4.5.0 up to 9.3.0
+ * We don't enable for older than 4.5.0 as this has not been tested.
+ */
+ #define UINT_UNALIGNED
+typedef uint16_t __attribute__((__aligned__(1))) mbedtls_uint16_unaligned_t;
+typedef uint32_t __attribute__((__aligned__(1))) mbedtls_uint32_unaligned_t;
+typedef uint64_t __attribute__((__aligned__(1))) mbedtls_uint64_unaligned_t;
+ #endif
+
+/*
+ * We try to force mbedtls_(get|put)_unaligned_uintXX to be always inline, because this results
+ * in code that is both smaller and faster. IAR and gcc both benefit from this when optimising
+ * for size.
+ */
+
/**
* Read the unsigned 16 bits integer from the given address, which need not
* be aligned.
@@ -44,10 +90,20 @@
* \param p pointer to 2 bytes of data
* \return Data at the given address
*/
-inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
{
uint16_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ r = *p16;
+#else
memcpy(&r, p, sizeof(r));
+#endif
return r;
}
@@ -58,9 +114,19 @@
* \param p pointer to 2 bytes of data
* \param x data to write
*/
-inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ *p16 = x;
+#else
memcpy(p, &x, sizeof(x));
+#endif
}
/**
@@ -70,10 +136,20 @@
* \param p pointer to 4 bytes of data
* \return Data at the given address
*/
-inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
{
uint32_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ r = *p32;
+#else
memcpy(&r, p, sizeof(r));
+#endif
return r;
}
@@ -84,9 +160,19 @@
* \param p pointer to 4 bytes of data
* \param x data to write
*/
-inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ *p32 = x;
+#else
memcpy(p, &x, sizeof(x));
+#endif
}
/**
@@ -96,10 +182,20 @@
* \param p pointer to 8 bytes of data
* \return Data at the given address
*/
-inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
{
uint64_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ r = *p64;
+#else
memcpy(&r, p, sizeof(r));
+#endif
return r;
}
@@ -110,11 +206,25 @@
* \param p pointer to 8 bytes of data
* \param x data to write
*/
-inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ *p64 = x;
+#else
memcpy(p, &x, sizeof(x));
+#endif
}
+#if defined(MBEDTLS_POP_IAR_LANGUAGE_PRAGMA)
+#pragma language=restore
+#endif
+
/** Byte Reading Macros
*
* Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
diff --git a/library/aria.c b/library/aria.c
index ba12578..d9f84cc 100644
--- a/library/aria.c
+++ b/library/aria.c
@@ -25,12 +25,6 @@
#include "mbedtls/platform_util.h"
-/* Parameter validation macros */
-#define ARIA_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
-#define ARIA_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
/*
* modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
*
@@ -363,8 +357,6 @@
int i;
uint32_t w[4][4], *w2;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(key != NULL);
if (keybits != 128 && keybits != 192 && keybits != 256) {
return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
@@ -418,8 +410,6 @@
const unsigned char *key, unsigned int keybits)
{
int i, j, k, ret;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(key != NULL);
ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
if (ret != 0) {
@@ -455,9 +445,6 @@
int i;
uint32_t a, b, c, d;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(input != NULL);
- ARIA_VALIDATE_RET(output != NULL);
a = MBEDTLS_GET_UINT32_LE(input, 0);
b = MBEDTLS_GET_UINT32_LE(input, 4);
@@ -505,7 +492,6 @@
/* Initialize context */
void mbedtls_aria_init(mbedtls_aria_context *ctx)
{
- ARIA_VALIDATE(ctx != NULL);
memset(ctx, 0, sizeof(mbedtls_aria_context));
}
@@ -532,12 +518,9 @@
{
unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
- mode == MBEDTLS_ARIA_DECRYPT);
- ARIA_VALIDATE_RET(length == 0 || input != NULL);
- ARIA_VALIDATE_RET(length == 0 || output != NULL);
- ARIA_VALIDATE_RET(iv != NULL);
+ if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
if (length % MBEDTLS_ARIA_BLOCKSIZE) {
return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
@@ -588,19 +571,14 @@
unsigned char c;
size_t n;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
- mode == MBEDTLS_ARIA_DECRYPT);
- ARIA_VALIDATE_RET(length == 0 || input != NULL);
- ARIA_VALIDATE_RET(length == 0 || output != NULL);
- ARIA_VALIDATE_RET(iv != NULL);
- ARIA_VALIDATE_RET(iv_off != NULL);
+ if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
n = *iv_off;
/* An overly large value of n can lead to an unlimited
- * buffer overflow. Therefore, guard against this
- * outside of parameter validation. */
+ * buffer overflow. */
if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
}
@@ -650,17 +628,9 @@
int c, i;
size_t n;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(length == 0 || input != NULL);
- ARIA_VALIDATE_RET(length == 0 || output != NULL);
- ARIA_VALIDATE_RET(nonce_counter != NULL);
- ARIA_VALIDATE_RET(stream_block != NULL);
- ARIA_VALIDATE_RET(nc_off != NULL);
-
n = *nc_off;
/* An overly large value of n can lead to an unlimited
- * buffer overflow. Therefore, guard against this
- * outside of parameter validation. */
+ * buffer overflow. */
if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
}
diff --git a/library/bignum.c b/library/bignum.c
index 1869137..d3d72ab 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -37,11 +37,6 @@
#include "mbedtls/platform.h"
-#define MPI_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA)
-#define MPI_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
/*
* Compare signed values in constant time
*/
@@ -51,10 +46,6 @@
{
mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
- MPI_VALIDATE_RET(ret != NULL);
-
if (X->n != Y->n) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
@@ -115,8 +106,6 @@
unsigned char assign)
{
int ret = 0;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
@@ -149,8 +138,6 @@
{
int ret = 0;
int s;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
if (X == Y) {
return 0;
@@ -179,8 +166,6 @@
*/
void mbedtls_mpi_init(mbedtls_mpi *X)
{
- MPI_VALIDATE(X != NULL);
-
X->s = 1;
X->n = 0;
X->p = NULL;
@@ -210,7 +195,6 @@
int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
{
mbedtls_mpi_uint *p;
- MPI_VALIDATE_RET(X != NULL);
if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
return MBEDTLS_ERR_MPI_ALLOC_FAILED;
@@ -243,7 +227,6 @@
{
mbedtls_mpi_uint *p;
size_t i;
- MPI_VALIDATE_RET(X != NULL);
if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
return MBEDTLS_ERR_MPI_ALLOC_FAILED;
@@ -312,8 +295,6 @@
{
int ret = 0;
size_t i;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
if (X == Y) {
return 0;
@@ -355,8 +336,6 @@
void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)
{
mbedtls_mpi T;
- MPI_VALIDATE(X != NULL);
- MPI_VALIDATE(Y != NULL);
memcpy(&T, X, sizeof(mbedtls_mpi));
memcpy(X, Y, sizeof(mbedtls_mpi));
@@ -385,7 +364,6 @@
int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MPI_VALIDATE_RET(X != NULL);
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
memset(X->p, 0, X->n * ciL);
@@ -403,8 +381,6 @@
*/
int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
{
- MPI_VALIDATE_RET(X != NULL);
-
if (X->n * biL <= pos) {
return 0;
}
@@ -420,7 +396,6 @@
int ret = 0;
size_t off = pos / biL;
size_t idx = pos % biL;
- MPI_VALIDATE_RET(X != NULL);
if (val != 0 && val != 1) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
@@ -448,7 +423,6 @@
size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
{
size_t i;
- MBEDTLS_INTERNAL_VALIDATE_RET(X != NULL, 0);
#if defined(__has_builtin)
#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
@@ -530,8 +504,6 @@
int sign = 1;
mbedtls_mpi_uint d;
mbedtls_mpi T;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(s != NULL);
if (radix < 2 || radix > 16) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
@@ -634,9 +606,6 @@
size_t n;
char *p;
mbedtls_mpi T;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(olen != NULL);
- MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
if (radix < 2 || radix > 16) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
@@ -726,9 +695,6 @@
*/
char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(fin != NULL);
-
if (radix < 2 || radix > 16) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
@@ -772,7 +738,6 @@
* newline characters and '\0'
*/
char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
- MPI_VALIDATE_RET(X != NULL);
if (radix < 2 || radix > 16) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
@@ -844,9 +809,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const size_t limbs = CHARS_TO_LIMBS(buflen);
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
-
/* Ensure that target MPI has exactly the necessary number of limbs */
MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
@@ -887,7 +849,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i;
- MPI_VALIDATE_RET(X != NULL);
i = mbedtls_mpi_bitlen(X) + count;
@@ -908,7 +869,6 @@
*/
int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
{
- MPI_VALIDATE_RET(X != NULL);
if (X->n != 0) {
mbedtls_mpi_core_shift_r(X->p, X->n, count);
}
@@ -921,8 +881,6 @@
int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y)
{
size_t i, j;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
for (i = X->n; i > 0; i--) {
if (X->p[i - 1] != 0) {
@@ -964,8 +922,6 @@
int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)
{
size_t i, j;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
for (i = X->n; i > 0; i--) {
if (X->p[i - 1] != 0) {
@@ -1016,7 +972,6 @@
{
mbedtls_mpi Y;
mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(X != NULL);
*p = mpi_sint_abs(z);
Y.s = TO_SIGN(z);
@@ -1035,9 +990,6 @@
size_t j;
mbedtls_mpi_uint *p;
mbedtls_mpi_uint c;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
if (X == B) {
const mbedtls_mpi *T = A; A = X; B = T;
@@ -1098,9 +1050,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
mbedtls_mpi_uint carry;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
for (n = B->n; n > 0; n--) {
if (B->p[n - 1] != 0) {
@@ -1152,9 +1101,6 @@
int flip_B)
{
int ret, s;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
s = A->s;
if (A->s * B->s * flip_B < 0) {
@@ -1203,8 +1149,6 @@
{
mbedtls_mpi B;
mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
p[0] = mpi_sint_abs(b);
B.s = TO_SIGN(b);
@@ -1221,8 +1165,6 @@
{
mbedtls_mpi B;
mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
p[0] = mpi_sint_abs(b);
B.s = TO_SIGN(b);
@@ -1241,9 +1183,6 @@
size_t i, j;
mbedtls_mpi TA, TB;
int result_is_zero = 0;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
mbedtls_mpi_init(&TA);
mbedtls_mpi_init(&TB);
@@ -1300,9 +1239,6 @@
*/
int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b)
{
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
-
size_t n = A->n;
while (n > 0 && A->p[n - 1] == 0) {
--n;
@@ -1448,8 +1384,6 @@
size_t i, n, t, k;
mbedtls_mpi X, Y, Z, T1, T2;
mbedtls_mpi_uint TP2[3];
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
if (mbedtls_mpi_cmp_int(B, 0) == 0) {
return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
@@ -1572,7 +1506,6 @@
{
mbedtls_mpi B;
mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(A != NULL);
p[0] = mpi_sint_abs(b);
B.s = TO_SIGN(b);
@@ -1588,9 +1521,6 @@
int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MPI_VALIDATE_RET(R != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
if (mbedtls_mpi_cmp_int(B, 0) < 0) {
return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
@@ -1618,8 +1548,6 @@
{
size_t i;
mbedtls_mpi_uint x, y, z;
- MPI_VALIDATE_RET(r != NULL);
- MPI_VALIDATE_RET(A != NULL);
if (b == 0) {
return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
@@ -1763,11 +1691,6 @@
mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos;
int neg;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(E != NULL);
- MPI_VALIDATE_RET(N != NULL);
-
if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
@@ -2054,10 +1977,6 @@
size_t lz, lzt;
mbedtls_mpi TA, TB;
- MPI_VALIDATE_RET(G != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
@@ -2168,9 +2087,6 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const size_t limbs = CHARS_TO_LIMBS(size);
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
-
/* Ensure that target MPI has exactly the necessary number of limbs */
MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
if (size == 0) {
@@ -2214,9 +2130,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(N != NULL);
if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
@@ -2372,9 +2285,6 @@
size_t i, j, k, s;
mbedtls_mpi W, R, T, A, RR;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
-
mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
mbedtls_mpi_init(&RR);
@@ -2462,8 +2372,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi XX;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
XX.s = 1;
XX.n = X->n;
@@ -2513,9 +2421,6 @@
mbedtls_mpi_uint r;
mbedtls_mpi Y;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
-
if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
diff --git a/library/common.h b/library/common.h
index e532777..3936ffd 100644
--- a/library/common.h
+++ b/library/common.h
@@ -27,15 +27,6 @@
#define MBEDTLS_HAVE_NEON_INTRINSICS
#endif
-
-#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
- && !defined(__llvm__) && !defined(__INTEL_COMPILER)
-/* Defined if the compiler really is gcc and not clang, etc */
-#define MBEDTLS_COMPILER_IS_GCC
-#define MBEDTLS_GCC_VERSION \
- (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
-#endif
-
/** Helper to define a function as static except when building invasive tests.
*
* If a function is only used inside its own source file and should be
@@ -167,6 +158,12 @@
return p == NULL ? NULL : p + n;
}
+/* Always inline mbedtls_xor() for similar reasons as mbedtls_xor_no_simd(). */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
/**
* Perform a fast block XOR operation, such that
* r[i] = a[i] ^ b[i] where 0 <= i < n
@@ -177,8 +174,19 @@
* \param a Pointer to input (buffer of at least \p n bytes)
* \param b Pointer to input (buffer of at least \p n bytes)
* \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
*/
-inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n)
+static inline void mbedtls_xor(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
{
size_t i = 0;
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
@@ -191,17 +199,36 @@
uint8x16_t x = veorq_u8(v1, v2);
vst1q_u8(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 16.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 16 == 0) {
+ return;
+ }
+#endif
#elif defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
/* This codepath probably only makes sense on architectures with 64-bit registers */
for (; (i + 8) <= n; i += 8) {
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
#endif
#endif
for (; i < n; i++) {
@@ -209,11 +236,18 @@
}
}
+/* Always inline mbedtls_xor_no_simd() as we see significant perf regressions when it does not get
+ * inlined (e.g., observed about 3x perf difference in gcm_mult_largetable with gcc 7 - 12) */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
/**
* Perform a fast block XOR operation, such that
* r[i] = a[i] ^ b[i] where 0 <= i < n
*
- * In some situations, this can perform better than mbedtls_xor (e.g., it's about 5%
+ * In some situations, this can perform better than mbedtls_xor() (e.g., it's about 5%
* better in AES-CBC).
*
* \param r Pointer to result (buffer of at least \p n bytes). \p r
@@ -222,6 +256,14 @@
* \param a Pointer to input (buffer of at least \p n bytes)
* \param b Pointer to input (buffer of at least \p n bytes)
* \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
*/
static inline void mbedtls_xor_no_simd(unsigned char *r,
const unsigned char *a,
@@ -236,11 +278,25 @@
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 8.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
#endif
#endif
for (; i < n; i++) {
diff --git a/library/ctr.h b/library/ctr.h
new file mode 100644
index 0000000..aa48fb9
--- /dev/null
+++ b/library/ctr.h
@@ -0,0 +1,35 @@
+/**
+ * \file ctr.h
+ *
+ * \brief This file contains common functionality for counter algorithms.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CTR_H
+#define MBEDTLS_CTR_H
+
+#include "common.h"
+
+/**
+ * \brief Increment a big-endian 16-byte value.
+ * This is quite performance-sensitive for AES-CTR and CTR-DRBG.
+ *
+ * \param n A 16-byte value to be incremented.
+ */
+static inline void mbedtls_ctr_increment_counter(uint8_t n[16])
+{
+ // The 32-bit version seems to perform about the same as a 64-bit version
+ // on 64-bit architectures, so no need to define a 64-bit version.
+ for (int i = 3;; i--) {
+ uint32_t x = MBEDTLS_GET_UINT32_BE(n, i << 2);
+ x += 1;
+ MBEDTLS_PUT_UINT32_BE(x, n, i << 2);
+ if (x != 0 || i == 0) {
+ break;
+ }
+ }
+}
+
+#endif /* MBEDTLS_CTR_H */
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index da34f95..66d9d28 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -14,6 +14,7 @@
#if defined(MBEDTLS_CTR_DRBG_C)
+#include "ctr.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@@ -333,7 +334,7 @@
{
unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
unsigned char *p = tmp;
- int i, j;
+ int j;
int ret = 0;
#if !defined(MBEDTLS_AES_C)
psa_status_t status;
@@ -346,11 +347,7 @@
/*
* Increase counter
*/
- for (i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i--) {
- if (++ctx->counter[i - 1] != 0) {
- break;
- }
- }
+ mbedtls_ctr_increment_counter(ctx->counter);
/*
* Crypt counter block
@@ -372,9 +369,7 @@
p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
}
- for (i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++) {
- tmp[i] ^= data[i];
- }
+ mbedtls_xor(tmp, tmp, data, MBEDTLS_CTR_DRBG_SEEDLEN);
/*
* Update key and counter
@@ -617,10 +612,11 @@
{
int ret = 0;
mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
- unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
unsigned char *p = output;
- unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
- int i;
+ struct {
+ unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+ unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+ } locals;
size_t use_len;
if (output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST) {
@@ -631,7 +627,7 @@
return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
}
- memset(add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
+ memset(locals.add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
if (ctx->reseed_counter > ctx->reseed_interval ||
ctx->prediction_resistance) {
@@ -642,30 +638,26 @@
}
if (add_len > 0) {
- if ((ret = block_cipher_df(add_input, additional, add_len)) != 0) {
+ if ((ret = block_cipher_df(locals.add_input, additional, add_len)) != 0) {
goto exit;
}
- if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
+ if ((ret = ctr_drbg_update_internal(ctx, locals.add_input)) != 0) {
goto exit;
}
}
while (output_len > 0) {
/*
- * Increase counter
+ * Increase counter (treat it as a 128-bit big-endian integer).
*/
- for (i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i--) {
- if (++ctx->counter[i - 1] != 0) {
- break;
- }
- }
+ mbedtls_ctr_increment_counter(ctx->counter);
/*
* Crypt counter block
*/
#if defined(MBEDTLS_AES_C)
if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
- ctx->counter, tmp)) != 0) {
+ ctx->counter, locals.tmp)) != 0) {
goto exit;
}
#else
@@ -673,7 +665,7 @@
size_t tmp_len;
status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter),
- tmp, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ locals.tmp, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
if (status != PSA_SUCCESS) {
ret = psa_generic_status_to_mbedtls(status);
goto exit;
@@ -685,20 +677,19 @@
/*
* Copy random block to destination
*/
- memcpy(p, tmp, use_len);
+ memcpy(p, locals.tmp, use_len);
p += use_len;
output_len -= use_len;
}
- if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
+ if ((ret = ctr_drbg_update_internal(ctx, locals.add_input)) != 0) {
goto exit;
}
ctx->reseed_counter++;
exit:
- mbedtls_platform_zeroize(add_input, sizeof(add_input));
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ mbedtls_platform_zeroize(&locals, sizeof(locals));
return ret;
}
diff --git a/library/debug.c b/library/debug.c
index a9d58e5..c36ed3c 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -11,7 +11,7 @@
#include "mbedtls/platform.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include <stdarg.h>
diff --git a/library/debug_internal.h b/library/debug_internal.h
new file mode 100644
index 0000000..4523b46
--- /dev/null
+++ b/library/debug_internal.h
@@ -0,0 +1,172 @@
+/**
+ * \file debug_internal.h
+ *
+ * \brief Internal part of the public "debug.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_DEBUG_INTERNAL_H
+#define MBEDTLS_DEBUG_INTERNAL_H
+
+#include "mbedtls/debug.h"
+
+/**
+ * \brief Print a message to the debug output. This function is always used
+ * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ * context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the message has occurred in
+ * \param line line number the message has occurred at
+ * \param format format specifier, in printf format
+ * \param ... variables used by the format specifier
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
+
+/**
+ * \brief Print the return value of a function to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text the name of the function that returned the error
+ * \param ret the return code value
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, int ret);
+
+/**
+ * \brief Output a buffer of size len bytes to the debug output. This function
+ * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the buffer being dumped. Normally the
+ * variable or buffer name
+ * \param buf the buffer to be outputted
+ * \param len length of the buffer
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line, const char *text,
+ const unsigned char *buf, size_t len);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief Print a MPI variable to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the MPI being output. Normally the
+ * variable name
+ * \param X the MPI variable
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_mpi *X);
+#endif
+
+#if defined(MBEDTLS_ECP_LIGHT)
+/**
+ * \brief Print an ECP point to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the ECP point being output. Normally the
+ * variable name
+ * \param X the ECP point
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_ecp_point *X);
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
+/**
+ * \brief Print a X.509 certificate structure to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the certificate being output
+ * \param crt X.509 certificate structure
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_x509_crt *crt);
+#endif
+
+/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function
+ only works for the built-in implementation. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \
+ defined(MBEDTLS_ECDH_C)
+typedef enum {
+ MBEDTLS_DEBUG_ECDH_Q,
+ MBEDTLS_DEBUG_ECDH_QP,
+ MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief Print a field of the ECDH structure in the SSL context to the debug
+ * output. This function is always used through the
+ * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ * and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param ecdh the ECDH context
+ * \param attr the identifier of the attribute being output
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const mbedtls_ecdh_context *ecdh,
+ mbedtls_debug_ecdh_attr attr);
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED &&
+ MBEDTLS_ECDH_C */
+
+#endif /* MBEDTLS_DEBUG_INTERNAL_H */
diff --git a/library/ecp.c b/library/ecp.c
index ee86cbc..758d54b 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -3198,6 +3198,25 @@
}
#endif /* MBEDTLS_ECP_C */
+int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
+ mbedtls_ecp_keypair *key,
+ const mbedtls_ecp_point *Q)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (key->grp.id == MBEDTLS_ECP_DP_NONE) {
+ /* Group not set yet */
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
+ return ret;
+ }
+ } else if (key->grp.id != grp_id) {
+ /* Group mismatch */
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ return mbedtls_ecp_copy(&key->Q, Q);
+}
+
+
#define ECP_CURVE25519_KEY_SIZE 32
#define ECP_CURVE448_KEY_SIZE 56
/*
@@ -3314,6 +3333,18 @@
return ret;
}
+/*
+ * Write a public key.
+ */
+int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen)
+{
+ return mbedtls_ecp_point_write_binary(&key->grp, &key->Q,
+ format, olen, buf, buflen);
+}
+
+
#if defined(MBEDTLS_ECP_C)
/*
* Check a public-private key pair
@@ -3355,8 +3386,22 @@
return ret;
}
+
+int mbedtls_ecp_keypair_calc_public(mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecp_mul(&key->grp, &key->Q, &key->d, &key->grp.G,
+ f_rng, p_rng);
+}
#endif /* MBEDTLS_ECP_C */
+mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
+ const mbedtls_ecp_keypair *key)
+{
+ return key->grp.id;
+}
+
/*
* Export generic key-pair parameters.
*/
@@ -3365,15 +3410,15 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if ((ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
+ if (grp != NULL && (ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
return ret;
}
- if ((ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
+ if (d != NULL && (ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
return ret;
}
- if ((ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
+ if (Q != NULL && (ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
return ret;
}
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 577e23b..d295709 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -23,12 +23,6 @@
#if !defined(MBEDTLS_ECP_ALT)
-/* Parameter validation macros based on platform_util.h */
-#define ECP_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA)
-#define ECP_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
#define ECP_MPI_INIT_ARRAY(x) \
@@ -4722,7 +4716,6 @@
*/
int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
{
- ECP_VALIDATE_RET(grp != NULL);
mbedtls_ecp_group_free(grp);
mbedtls_ecp_group_init(grp);
diff --git a/library/ecp_curves_new.c b/library/ecp_curves_new.c
index 4ee0f58..035b23a 100644
--- a/library/ecp_curves_new.c
+++ b/library/ecp_curves_new.c
@@ -28,12 +28,6 @@
#if !defined(MBEDTLS_ECP_ALT)
-/* Parameter validation macros based on platform_util.h */
-#define ECP_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA)
-#define ECP_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
#define ECP_MPI_INIT_ARRAY(x) \
@@ -4764,7 +4758,6 @@
*/
int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
{
- ECP_VALIDATE_RET(grp != NULL);
mbedtls_ecp_group_free(grp);
mbedtls_ecp_group_init(grp);
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index de2e038..794ee03 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -5,7 +5,7 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#if defined(__linux__) && !defined(_GNU_SOURCE)
+#if defined(__linux__) || defined(__midipix__) && !defined(_GNU_SOURCE)
/* Ensure that syscall() is available even when compiling with -std=c99 */
#define _GNU_SOURCE
#endif
@@ -29,7 +29,7 @@
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__) && !defined(__midipix__)
+ !defined(__HAIKU__) && !defined(__midipix__) && !defined(__MVS__)
#error \
"Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in mbedtls_config.h"
#endif
diff --git a/library/gcm.c b/library/gcm.c
index 20d55c0..033cb59 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -354,9 +354,17 @@
{
const unsigned char *p;
size_t use_len, offset;
+ uint64_t new_add_len;
- /* IV is limited to 2^64 bits, so 2^61 bytes */
- if ((uint64_t) add_len >> 61 != 0) {
+ /* AD is limited to 2^64 bits, ie 2^61 bytes
+ * Also check for possible overflow */
+#if SIZE_MAX > 0xFFFFFFFFFFFFFFFFULL
+ if (add_len > 0xFFFFFFFFFFFFFFFFULL) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+#endif
+ new_add_len = ctx->add_len + (uint64_t) add_len;
+ if (new_add_len < ctx->add_len || new_add_len >> 61 != 0) {
return MBEDTLS_ERR_GCM_BAD_INPUT;
}
@@ -401,12 +409,9 @@
/* Increment the counter. */
static void gcm_incr(unsigned char y[16])
{
- size_t i;
- for (i = 16; i > 12; i--) {
- if (++y[i - 1] != 0) {
- break;
- }
- }
+ uint32_t x = MBEDTLS_GET_UINT32_BE(y, 12);
+ x++;
+ MBEDTLS_PUT_UINT32_BE(x, y, 12);
}
/* Calculate and apply the encryption mask. Process use_len bytes of data,
@@ -542,6 +547,9 @@
(void) output_size;
*output_length = 0;
+ /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+ * and AD length is restricted to 2^64 bits, ie 2^61 bytes so neither of
+ * the two multiplications would overflow. */
orig_len = ctx->len * 8;
orig_add_len = ctx->add_len * 8;
diff --git a/library/md_psa.h b/library/md_psa.h
index b201263..028ba24 100644
--- a/library/md_psa.h
+++ b/library/md_psa.h
@@ -15,43 +15,6 @@
#include "mbedtls/md.h"
#include "psa/crypto.h"
-/**
- * \brief This function returns the PSA algorithm identifier
- * associated with the given digest type.
- *
- * \param md_type The type of digest to search for. Must not be NONE.
- *
- * \warning If \p md_type is \c MBEDTLS_MD_NONE, this function will
- * not return \c PSA_ALG_NONE, but an invalid algorithm.
- *
- * \warning This function does not check if the algorithm is
- * supported, it always returns the corresponding identifier.
- *
- * \return The PSA algorithm identifier associated with \p md_type,
- * regardless of whether it is supported or not.
- */
-static inline psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type)
-{
- return PSA_ALG_CATEGORY_HASH | (psa_algorithm_t) md_type;
-}
-
-/**
- * \brief This function returns the given digest type
- * associated with the PSA algorithm identifier.
- *
- * \param psa_alg The PSA algorithm identifier to search for.
- *
- * \warning This function does not check if the algorithm is
- * supported, it always returns the corresponding identifier.
- *
- * \return The MD type associated with \p psa_alg,
- * regardless of whether it is supported or not.
- */
-static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg)
-{
- return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK);
-}
-
/** Convert PSA status to MD error code.
*
* \param status PSA status.
diff --git a/library/pk.c b/library/pk.c
index 61ac0df..1b481e1 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -29,9 +29,9 @@
#include "mbedtls/ecdsa.h"
#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include "psa_util_internal.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif
#include <limits.h>
@@ -378,6 +378,209 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_RSA_C)
+static psa_algorithm_t psa_algorithm_for_rsa(const mbedtls_rsa_context *rsa,
+ int want_crypt)
+{
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ if (want_crypt) {
+ mbedtls_md_type_t md_type = mbedtls_rsa_get_md_alg(rsa);
+ return PSA_ALG_RSA_OAEP(mbedtls_md_psa_alg_from_type(md_type));
+ } else {
+ return PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH);
+ }
+ } else {
+ if (want_crypt) {
+ return PSA_ALG_RSA_PKCS1V15_CRYPT;
+ } else {
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH);
+ }
+ }
+}
+#endif /* MBEDTLS_RSA_C */
+
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_t usage,
+ psa_key_attributes_t *attributes)
+{
+ mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk);
+
+ psa_key_usage_t more_usage = usage;
+ if (usage == PSA_KEY_USAGE_SIGN_MESSAGE) {
+ more_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ } else if (usage == PSA_KEY_USAGE_SIGN_HASH) {
+ more_usage |= PSA_KEY_USAGE_VERIFY_HASH;
+ } else if (usage == PSA_KEY_USAGE_DECRYPT) {
+ more_usage |= PSA_KEY_USAGE_ENCRYPT;
+ }
+ more_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
+
+ int want_private = !(usage == PSA_KEY_USAGE_VERIFY_MESSAGE ||
+ usage == PSA_KEY_USAGE_VERIFY_HASH ||
+ usage == PSA_KEY_USAGE_ENCRYPT);
+
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ int want_crypt = 0; /* 0: sign/verify; 1: encrypt/decrypt */
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ /* Nothing to do. */
+ break;
+ case PSA_KEY_USAGE_DECRYPT:
+ case PSA_KEY_USAGE_ENCRYPT:
+ want_crypt = 1;
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ /* Detect the presence of a private key in a way that works both
+ * in CRT and non-CRT configurations. */
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
+ int has_private = (mbedtls_rsa_check_privkey(rsa) == 0);
+ if (want_private && !has_private) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, (want_private ?
+ PSA_KEY_TYPE_RSA_KEY_PAIR :
+ PSA_KEY_TYPE_RSA_PUBLIC_KEY));
+ psa_set_key_bits(attributes, mbedtls_pk_get_bitlen(pk));
+ psa_set_key_algorithm(attributes,
+ psa_algorithm_for_rsa(rsa, want_crypt));
+ break;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ int sign_ok = (pk_type != MBEDTLS_PK_ECKEY_DH);
+ int derive_ok = (pk_type != MBEDTLS_PK_ECDSA);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_ecc_family_t family = pk->ec_family;
+ size_t bits = pk->ec_bits;
+ int has_private = 0;
+ if (pk->priv_id != MBEDTLS_SVC_KEY_ID_INIT) {
+ has_private = 1;
+ }
+#else
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ int has_private = (ec->d.n != 0);
+ size_t bits = 0;
+ psa_ecc_family_t family =
+ mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
+#endif
+ psa_algorithm_t alg = 0;
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ if (!sign_ok) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH);
+#else
+ alg = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
+#endif
+ break;
+ case PSA_KEY_USAGE_DERIVE:
+ alg = PSA_ALG_ECDH;
+ if (!derive_ok) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ if (want_private && !has_private) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, (want_private ?
+ PSA_KEY_TYPE_ECC_KEY_PAIR(family) :
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY(family)));
+ psa_set_key_bits(attributes, bits);
+ psa_set_key_algorithm(attributes, alg);
+ break;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+ case MBEDTLS_PK_RSA_ALT:
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ {
+ psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ status = psa_get_key_attributes(pk->priv_id, &old_attributes);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_key_type_t old_type = psa_get_key_type(&old_attributes);
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type) ||
+ old_type == PSA_KEY_TYPE_RSA_KEY_PAIR)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ case PSA_KEY_USAGE_DECRYPT:
+ case PSA_KEY_USAGE_ENCRYPT:
+ if (old_type != PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ case PSA_KEY_USAGE_DERIVE:
+ if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type))) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_key_type_t new_type = old_type;
+ /* Opaque keys are always key pairs, so we don't need a check
+ * on the input if the required usage is private. We just need
+ * to adjust the type correctly if the required usage is public. */
+ if (!want_private) {
+ new_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(new_type);
+ }
+ more_usage = psa_get_key_usage_flags(&old_attributes);
+ if ((usage & more_usage) == 0) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, new_type);
+ psa_set_key_bits(attributes, psa_get_key_bits(&old_attributes));
+ psa_set_key_algorithm(attributes, psa_get_key_algorithm(&old_attributes));
+ break;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(attributes, more_usage);
+ psa_set_key_enrollment_algorithm(attributes, PSA_ALG_NONE);
+
+ return 0;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
/*
* Helper for mbedtls_pk_sign and mbedtls_pk_verify
*/
diff --git a/library/pk_internal.h b/library/pk_internal.h
index 025ee8b..da6c7f1 100644
--- a/library/pk_internal.h
+++ b/library/pk_internal.h
@@ -98,13 +98,13 @@
}
opaque_key_type = psa_get_key_type(&opaque_attrs);
curve = PSA_KEY_TYPE_ECC_GET_FAMILY(opaque_key_type);
- id = mbedtls_ecc_group_of_psa(curve, psa_get_key_bits(&opaque_attrs), 0);
+ id = mbedtls_ecc_group_from_psa(curve, psa_get_key_bits(&opaque_attrs));
psa_reset_key_attributes(&opaque_attrs);
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
+ id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
id = mbedtls_pk_ec_ro(*pk)->grp.id;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
@@ -144,4 +144,8 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
#endif
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
+#endif
+
#endif /* MBEDTLS_PK_INTERNAL_H */
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 9247945..c232650 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -13,7 +13,7 @@
#include "pk_wrap.h"
#include "pk_internal.h"
#include "mbedtls/error.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
/* Even if RSA not activated, for the sake of RSA-alt */
#include "mbedtls/rsa.h"
diff --git a/library/pkcs7.c b/library/pkcs7.c
index 0869c2e..3aac662 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -7,7 +7,7 @@
#include "mbedtls/build_info.h"
#if defined(MBEDTLS_PKCS7_C)
#include "mbedtls/pkcs7.h"
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/asn1.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
diff --git a/library/pkparse.c b/library/pkparse.c
index d36fa3f..5f95545 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -250,7 +250,7 @@
mbedtls_ecp_group_id ecp_group_id;
int ret;
- ecp_group_id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
+ ecp_group_id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);
mbedtls_ecp_keypair_init(&ecp_key);
ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
diff --git a/library/platform_util.c b/library/platform_util.c
index 63643d2..0741bf5 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -93,8 +93,6 @@
void mbedtls_platform_zeroize(void *buf, size_t len)
{
- MBEDTLS_INTERNAL_VALIDATE(len == 0 || buf != NULL);
-
if (len > 0) {
#if defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO)
explicit_bzero(buf, len);
@@ -151,10 +149,10 @@
#include <time.h>
#if !defined(_WIN32) && (defined(unix) || \
defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
- defined(__MACH__)))
+ defined(__MACH__)) || defined__midipix__)
#include <unistd.h>
#endif /* !_WIN32 && (unix || __unix || __unix__ ||
- * (__APPLE__ && __MACH__)) */
+ * (__APPLE__ && __MACH__) || __midipix__) */
#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
(defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
@@ -217,35 +215,15 @@
void (*mbedtls_test_hook_test_fail)(const char *, int, const char *);
#endif /* MBEDTLS_TEST_HOOKS */
-/*
- * Provide external definitions of some inline functions so that the compiler
- * has the option to not inline them
- */
-extern inline void mbedtls_xor(unsigned char *r,
- const unsigned char *a,
- const unsigned char *b,
- size_t n);
-
-extern inline uint16_t mbedtls_get_unaligned_uint16(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x);
-
-extern inline uint32_t mbedtls_get_unaligned_uint32(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x);
-
-extern inline uint64_t mbedtls_get_unaligned_uint64(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x);
-
#if defined(MBEDTLS_HAVE_TIME) && !defined(MBEDTLS_PLATFORM_MS_TIME_ALT)
#include <time.h>
#if !defined(_WIN32) && \
(defined(unix) || defined(__unix) || defined(__unix__) || \
- (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__))
+ (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__) || defined(__midipix__))
#include <unistd.h>
-#endif /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__) */
+#endif \
+ /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__ || __midipix__) */
#if (defined(_POSIX_VERSION) && _POSIX_VERSION >= 199309L) || defined(__HAIKU__)
mbedtls_ms_time_t mbedtls_ms_time(void)
{
@@ -253,7 +231,7 @@
struct timespec tv;
mbedtls_ms_time_t current_ms;
-#if defined(__linux__) && defined(CLOCK_BOOTTIME)
+#if defined(__linux__) && defined(CLOCK_BOOTTIME) || defined(__midipix__)
ret = clock_gettime(CLOCK_BOOTTIME, &tv);
#else
ret = clock_gettime(CLOCK_MONOTONIC, &tv);
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 8e6a758..e203e16 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -70,7 +70,7 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
@@ -890,8 +890,9 @@
* In case of a persistent key, the function loads the description of the key
* into a key slot if not already done.
*
- * On success, the returned key slot is locked. It is the responsibility of
- * the caller to unlock the key slot when it does not access it anymore.
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to call psa_unregister_read(slot)
+ * when they have finished reading the contents of the slot.
*/
static psa_status_t psa_get_and_lock_key_slot_with_policy(
mbedtls_svc_key_id_t key,
@@ -935,7 +936,7 @@
error:
*p_slot = NULL;
- psa_unlock_key_slot(slot);
+ psa_unregister_read(slot);
return status;
}
@@ -950,8 +951,9 @@
* psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
* for a cryptographic operation.
*
- * On success, the returned key slot is locked. It is the responsibility of the
- * caller to unlock the key slot when it does not access it anymore.
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to call psa_unregister_read(slot)
+ * when they have finished reading the contents of the slot.
*/
static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
mbedtls_svc_key_id_t key,
@@ -966,7 +968,7 @@
}
if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) {
- psa_unlock_key_slot(*p_slot);
+ psa_unregister_read(*p_slot);
*p_slot = NULL;
return PSA_ERROR_NOT_SUPPORTED;
}
@@ -994,15 +996,41 @@
/*
* As the return error code may not be handled in case of multiple errors,
- * do our best to report an unexpected lock counter. Assert with
- * MBEDTLS_TEST_HOOK_TEST_ASSERT that the lock counter is equal to one:
+ * do our best to report an unexpected amount of registered readers or
+ * an unexpected state.
+ * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for
+ * wiping.
* if the MBEDTLS_TEST_HOOKS configuration option is enabled and the
* function is called as part of the execution of a test suite, the
* execution of the test suite is stopped in error if the assertion fails.
*/
- if (slot->lock_count != 1) {
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->lock_count == 1);
- status = PSA_ERROR_CORRUPTION_DETECTED;
+ switch (slot->state) {
+ case PSA_SLOT_FULL:
+ /* In this state psa_wipe_key_slot() must only be called if the
+ * caller is the last reader. */
+ case PSA_SLOT_PENDING_DELETION:
+ /* In this state psa_wipe_key_slot() must only be called if the
+ * caller is the last reader. */
+ if (slot->registered_readers != 1) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 1);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ break;
+ case PSA_SLOT_FILLING:
+ /* In this state registered_readers must be 0. */
+ if (slot->registered_readers != 0) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 0);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ break;
+ case PSA_SLOT_EMPTY:
+ /* The slot is already empty, it cannot be wiped. */
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ break;
+ default:
+ /* The slot's state is invalid. */
+ status = PSA_ERROR_CORRUPTION_DETECTED;
}
/* Multipart operations may still be using the key. This is safe
@@ -1012,7 +1040,8 @@
* key material can linger until all operations are completed. */
/* At this point, key material and other type-specific content has
* been wiped. Clear remaining metadata. We can call memset and not
- * zeroize because the metadata is not particularly sensitive. */
+ * zeroize because the metadata is not particularly sensitive.
+ * This memset also sets the slot's state to PSA_SLOT_EMPTY. */
memset(slot, 0, sizeof(*slot));
return status;
}
@@ -1031,28 +1060,26 @@
}
/*
- * Get the description of the key in a key slot. In case of a persistent
- * key, this will load the key description from persistent memory if not
- * done yet. We cannot avoid this loading as without it we don't know if
+ * Get the description of the key in a key slot, and register to read it.
+ * In the case of a persistent key, this will load the key description
+ * from persistent memory if not done yet.
+ * We cannot avoid this loading as without it we don't know if
* the key is operated by an SE or not and this information is needed by
- * the current implementation.
- */
+ * the current implementation. */
status = psa_get_and_lock_key_slot(key, &slot);
if (status != PSA_SUCCESS) {
return status;
}
- /*
- * If the key slot containing the key description is under access by the
- * library (apart from the present access), the key cannot be destroyed
- * yet. For the time being, just return in error. Eventually (to be
- * implemented), the key should be destroyed when all accesses have
- * stopped.
- */
- if (slot->lock_count > 1) {
- psa_unlock_key_slot(slot);
- return PSA_ERROR_GENERIC_ERROR;
- }
+ /* Set the key slot containing the key description's state to
+ * PENDING_DELETION. This stops new operations from registering
+ * to read the slot. Current readers can safely continue to access
+ * the key within the slot; the last registered reader will
+ * automatically wipe the slot when they call psa_unregister_read().
+ * If the key is persistent, we can now delete the copy of the key
+ * from memory. If the key is opaque, we require the driver to
+ * deal with the deletion. */
+ slot->state = PSA_SLOT_PENDING_DELETION;
if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) {
/* Refuse the destruction of a read-only key (which may or may not work
@@ -1100,6 +1127,9 @@
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ /* Destroy the copy of the persistent key from storage.
+ * The slot will still hold a copy of the key until the last reader
+ * unregisters. */
status = psa_destroy_persistent_key(slot->attr.id);
if (overall_status == PSA_SUCCESS) {
overall_status = status;
@@ -1126,8 +1156,11 @@
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
exit:
- status = psa_wipe_key_slot(slot);
- /* Prioritize CORRUPTION_DETECTED from wiping over a storage error */
+ /* Unregister from reading the slot. If we are the last active reader
+ * then this will wipe the slot. */
+ status = psa_unregister_read(slot);
+ /* Prioritize CORRUPTION_DETECTED from unregistering over
+ * a storage error. */
if (status != PSA_SUCCESS) {
overall_status = status;
}
@@ -1252,7 +1285,7 @@
psa_reset_key_attributes(attributes);
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -1348,7 +1381,7 @@
slot->key.data, slot->key.bytes,
data, data_size, data_length);
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -1462,7 +1495,7 @@
data, data_size, data_length);
exit:
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -1579,8 +1612,9 @@
* In case of failure at any step, stop the sequence and call
* psa_fail_key_creation().
*
- * On success, the key slot is locked. It is the responsibility of the caller
- * to unlock the key slot when it does not access it anymore.
+ * On success, the key slot's state is PSA_SLOT_FILLING.
+ * It is the responsibility of the caller to change the slot's state to
+ * PSA_SLOT_EMPTY/FULL once key creation has finished.
*
* \param method An identification of the calling function.
* \param[in] attributes Key attributes for the new key.
@@ -1611,7 +1645,7 @@
return status;
}
- status = psa_get_empty_key_slot(&volatile_key_id, p_slot);
+ status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
if (status != PSA_SUCCESS) {
return status;
}
@@ -1637,7 +1671,7 @@
/* Erase external-only flags from the internal copy. To access
* external-only flags, query `attributes`. Thanks to the check
* in psa_validate_key_attributes(), this leaves the dual-use
- * flags and any internal flag that psa_get_empty_key_slot()
+ * flags and any internal flag that psa_reserve_free_key_slot()
* may have set. */
slot->attr.flags &= ~MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY;
@@ -1689,8 +1723,6 @@
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- slot->status = PSA_SLOT_OCCUPIED;
-
return PSA_SUCCESS;
}
@@ -1702,9 +1734,9 @@
* See the documentation of psa_start_key_creation() for the intended use
* of this function.
*
- * If the finalization succeeds, the function unlocks the key slot (it was
- * locked by psa_start_key_creation()) and the key slot cannot be accessed
- * anymore as part of the key creation process.
+ * If the finalization succeeds, the function sets the key slot's state to
+ * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the
+ * key creation process.
*
* \param[in,out] slot Pointer to the slot with key material.
* \param[in] driver The secure element driver for the key,
@@ -1780,7 +1812,8 @@
if (status == PSA_SUCCESS) {
*key = slot->attr.id;
- status = psa_unlock_key_slot(slot);
+ status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
if (status != PSA_SUCCESS) {
*key = MBEDTLS_SVC_KEY_ID_INIT;
}
@@ -1795,7 +1828,7 @@
* or after psa_finish_key_creation() fails. In other circumstances, this
* function may not clean up persistent storage.
* See the documentation of psa_start_key_creation() for the intended use
- * of this function.
+ * of this function. Sets the slot's state to PSA_SLOT_EMPTY.
*
* \param[in,out] slot Pointer to the slot with key material.
* \param[in] driver The secure element driver for the key,
@@ -2134,7 +2167,7 @@
psa_fail_key_creation(target_slot, driver);
}
- unlock_status = psa_unlock_key_slot(source_slot);
+ unlock_status = psa_unregister_read(source_slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -2455,7 +2488,7 @@
psa_mac_abort(operation);
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -2641,7 +2674,7 @@
psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -2785,7 +2818,7 @@
psa_wipe_tag_output_buffer(signature, status, signature_size,
*signature_length);
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -2833,7 +2866,7 @@
signature, signature_length);
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
@@ -3080,7 +3113,7 @@
return PSA_ERROR_INVALID_ARGUMENT;
}
- status = psa_get_and_lock_transparent_key_slot_with_policy(
+ status = psa_get_and_lock_key_slot_with_policy(
key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
if (status != PSA_SUCCESS) {
return status;
@@ -3100,7 +3133,7 @@
alg, input, input_length, salt, salt_length,
output, output_size, output_length);
exit:
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -3132,7 +3165,7 @@
return PSA_ERROR_INVALID_ARGUMENT;
}
- status = psa_get_and_lock_transparent_key_slot_with_policy(
+ status = psa_get_and_lock_key_slot_with_policy(
key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
if (status != PSA_SUCCESS) {
return status;
@@ -3152,7 +3185,7 @@
output, output_size, output_length);
exit:
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -3261,7 +3294,7 @@
psa_sign_hash_abort_internal(operation);
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
if (unlock_status != PSA_SUCCESS) {
operation->error_occurred = 1;
@@ -3406,7 +3439,7 @@
psa_verify_hash_abort_internal(operation);
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
if (unlock_status != PSA_SUCCESS) {
operation->error_occurred = 1;
@@ -3978,7 +4011,7 @@
psa_cipher_abort(operation);
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -4223,7 +4256,7 @@
output_size - default_iv_length, output_length);
exit:
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
if (status == PSA_SUCCESS) {
status = unlock_status;
}
@@ -4284,7 +4317,7 @@
output, output_size, output_length);
exit:
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
if (status == PSA_SUCCESS) {
status = unlock_status;
}
@@ -4410,7 +4443,7 @@
}
exit:
- psa_unlock_key_slot(slot);
+ psa_unregister_read(slot);
return status;
}
@@ -4465,7 +4498,7 @@
}
exit:
- psa_unlock_key_slot(slot);
+ psa_unregister_read(slot);
return status;
}
@@ -4577,7 +4610,7 @@
operation->key_type = psa_get_key_type(&attributes);
exit:
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
if (status == PSA_SUCCESS) {
status = unlock_status;
@@ -5708,7 +5741,7 @@
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
slot->attr.type);
mbedtls_ecp_group_id grp_id =
- mbedtls_ecc_group_of_psa(curve, bits, 0);
+ mbedtls_ecc_group_from_psa(curve, bits);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
@@ -6951,7 +6984,7 @@
slot->key.data,
slot->key.bytes);
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -7108,7 +7141,7 @@
}
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -7169,7 +7202,7 @@
*output_length = output_size;
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
@@ -7843,7 +7876,7 @@
if (status != PSA_SUCCESS) {
psa_pake_abort(operation);
}
- unlock_status = psa_unlock_key_slot(slot);
+ unlock_status = psa_unregister_read(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
}
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index ff01add..dc376d7 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -20,6 +20,9 @@
#include "psa/crypto.h"
#include "psa/crypto_se_driver.h"
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
/**
* Tell if PSA is ready for this hash.
@@ -47,8 +50,10 @@
typedef enum {
PSA_SLOT_EMPTY = 0,
- PSA_SLOT_OCCUPIED,
-} psa_key_slot_status_t;
+ PSA_SLOT_FILLING,
+ PSA_SLOT_FULL,
+ PSA_SLOT_PENDING_DELETION,
+} psa_key_slot_state_t;
/** The data structure representing a key slot, containing key material
* and metadata for one key.
@@ -56,18 +61,37 @@
typedef struct {
psa_core_key_attributes_t attr;
- psa_key_slot_status_t status;
+ /*
+ * The current state of the key slot, as described in
+ * docs/architecture/psa-thread-safety/psa-thread-safety.md.
+ *
+ * Library functions can modify the state of a key slot by calling
+ * psa_key_slot_state_transition.
+ *
+ * The state variable is used to help determine whether library functions
+ * which operate on the slot succeed. For example, psa_finish_key_creation,
+ * which transfers the state of a slot from PSA_SLOT_FILLING to
+ * PSA_SLOT_FULL, must fail with error code PSA_ERROR_CORRUPTION_DETECTED
+ * if the state of the slot is not PSA_SLOT_FILLING.
+ *
+ * Library functions which traverse the array of key slots only consider
+ * slots that are in a suitable state for the function.
+ * For example, psa_get_and_lock_key_slot_in_memory, which finds a slot
+ * containing a given key ID, will only check slots whose state variable is
+ * PSA_SLOT_FULL. */
+ psa_key_slot_state_t state;
/*
- * Number of locks on the key slot held by the library.
+ * Number of functions registered as reading the material in the key slot.
*
- * This counter is incremented by one each time a library function
- * retrieves through one of the dedicated internal API a pointer to the
- * key slot.
+ * Library functions must not write directly to registered_readers
*
- * This counter is decremented by one each time a library function stops
- * accessing the key slot and states it by calling the
- * psa_unlock_key_slot() API.
+ * A function must call psa_register_read(slot) before reading the current
+ * contents of the slot for an operation.
+ * They then must call psa_unregister_read(slot) once they have finished
+ * reading the current contents of the slot.
+ * A function must call psa_key_slot_has_readers(slot) to check if
+ * the slot is in use for reading.
*
* This counter is used to prevent resetting the key slot while the library
* may access it. For example, such control is needed in the following
@@ -78,10 +102,9 @@
* the library cannot be reclaimed to free a key slot to load the
* persistent key.
* . In case of a multi-threaded application where one thread asks to close
- * or purge or destroy a key while it is in used by the library through
- * another thread.
- */
- size_t lock_count;
+ * or purge or destroy a key while it is in use by the library through
+ * another thread. */
+ size_t registered_readers;
/* Dynamically allocated key data buffer.
* Format as specified in psa_export_key(). */
@@ -91,36 +114,65 @@
} key;
} psa_key_slot_t;
+#if defined(MBEDTLS_THREADING_C)
+
+/** Perform a mutex operation and return immediately upon failure.
+ *
+ * Returns PSA_ERROR_SERVICE_FAILURE if the operation fails
+ * and status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_RET(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ return PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ return status; \
+ } \
+ } while (0);
+
+/** Perform a mutex operation and goto exit on failure.
+ *
+ * Sets status to PSA_ERROR_SERVICE_FAILURE if status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * Label exit: exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_GOTO_EXIT(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ status = PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ goto exit; \
+ } \
+ } while (0);
+#endif
+
/* A mask of key attribute flags used only internally.
* Currently there aren't any. */
#define PSA_KA_MASK_INTERNAL_ONLY ( \
0)
-/** Test whether a key slot is occupied.
- *
- * A key slot is occupied iff the key type is nonzero. This works because
- * no valid key can have 0 as its key type.
+/** Test whether a key slot has any registered readers.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
*
* \param[in] slot The key slot to test.
*
- * \return 1 if the slot is occupied, 0 otherwise.
+ * \return 1 if the slot has any registered readers, 0 otherwise.
*/
-static inline int psa_is_key_slot_occupied(const psa_key_slot_t *slot)
+static inline int psa_key_slot_has_readers(const psa_key_slot_t *slot)
{
- return slot->status == PSA_SLOT_OCCUPIED;
-}
-
-/** Test whether a key slot is locked.
- *
- * A key slot is locked iff its lock counter is strictly greater than 0.
- *
- * \param[in] slot The key slot to test.
- *
- * \return 1 if the slot is locked, 0 otherwise.
- */
-static inline int psa_is_key_slot_locked(const psa_key_slot_t *slot)
-{
- return slot->lock_count > 0;
+ return slot->registered_readers > 0;
}
/** Retrieve flags from psa_key_slot_t::attr::core::flags.
@@ -190,13 +242,20 @@
/** Completely wipe a slot in memory, including its policy.
*
* Persistent storage is not affected.
+ * Sets the slot's state to PSA_SLOT_EMPTY.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
*
* \param[in,out] slot The key slot to wipe.
*
* \retval #PSA_SUCCESS
- * Success. This includes the case of a key slot that was
- * already fully wiped.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * The slot has been successfully wiped.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was PSA_SLOT_FULL or PSA_SLOT_PENDING_DELETION, and
+ * the amount of registered readers was not equal to 1. Or,
+ * the slot's state was PSA_SLOT_EMPTY. Or,
+ * the slot's state was PSA_SLOT_FILLING, and the amount
+ * of registered readers was not equal to 0.
*/
psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot);
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
index e4a372d..db08541 100644
--- a/library/psa_crypto_ecp.c
+++ b/library/psa_crypto_ecp.c
@@ -14,7 +14,7 @@
#include "psa_crypto_core.h"
#include "psa_crypto_ecp.h"
#include "psa_crypto_random_impl.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include <stdlib.h>
#include <string.h>
@@ -32,6 +32,61 @@
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+/* Helper function to verify if the provided EC's family and key bit size are valid.
+ *
+ * Note: "bits" parameter is used both as input and output and it might be updated
+ * in case provided input value is not multiple of 8 ("sloppy" bits).
+ */
+static int check_ecc_parameters(psa_ecc_family_t family, size_t *bits)
+{
+ switch (family) {
+ case PSA_ECC_FAMILY_SECP_R1:
+ switch (*bits) {
+ case 192:
+ case 224:
+ case 256:
+ case 384:
+ case 521:
+ return PSA_SUCCESS;
+ case 528:
+ *bits = 521;
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
+ switch (*bits) {
+ case 256:
+ case 384:
+ case 512:
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_MONTGOMERY:
+ switch (*bits) {
+ case 448:
+ case 255:
+ return PSA_SUCCESS;
+ case 256:
+ *bits = 255;
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_SECP_K1:
+ switch (*bits) {
+ case 192:
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
+ case 256:
+ return PSA_SUCCESS;
+ }
+ break;
+ }
+
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
psa_status_t mbedtls_psa_ecp_load_representation(
psa_key_type_t type, size_t curve_bits,
const uint8_t *data, size_t data_length,
@@ -82,16 +137,15 @@
}
mbedtls_ecp_keypair_init(ecp);
+ status = check_ecc_parameters(PSA_KEY_TYPE_ECC_GET_FAMILY(type), &curve_bits);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
/* Load the group. */
- grp_id = mbedtls_ecc_group_of_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
- curve_bits, !explicit_bits);
+ grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
+ curve_bits);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
- /* We can't distinguish between a nonsensical family/size combination
- * (which would warrant PSA_ERROR_INVALID_ARGUMENT) and a
- * well-regarded curve that Mbed TLS just doesn't know about (which
- * would warrant PSA_ERROR_NOT_SUPPORTED). For uniformity with how
- * curves that Mbed TLS knows about but for which support is disabled
- * at build time, return NOT_SUPPORTED. */
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
@@ -285,7 +339,7 @@
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
attributes->core.type);
mbedtls_ecp_group_id grp_id =
- mbedtls_ecc_group_of_psa(curve, attributes->core.bits, 0);
+ mbedtls_ecc_group_from_psa(curve, attributes->core.bits);
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(grp_id);
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
index 0679f41..7b58ea2 100644
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@@ -16,7 +16,7 @@
#include "psa_crypto_random_impl.h"
#include "psa_crypto_rsa.h"
#include "psa_crypto_hash.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include <stdlib.h>
#include <string.h>
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 5ecc3a7..47ace35 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -23,6 +23,9 @@
#include <stdlib.h>
#include <string.h>
#include "mbedtls/platform.h"
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
typedef struct {
psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
@@ -108,7 +111,9 @@
for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
slot = &global_data.key_slots[slot_idx];
- if (mbedtls_svc_key_id_equal(key, slot->attr.id)) {
+ /* Only consider slots which are in a full state. */
+ if ((slot->state == PSA_SLOT_FULL) &&
+ (mbedtls_svc_key_id_equal(key, slot->attr.id))) {
break;
}
}
@@ -117,7 +122,7 @@
}
if (status == PSA_SUCCESS) {
- status = psa_lock_key_slot(slot);
+ status = psa_register_read(slot);
if (status == PSA_SUCCESS) {
*p_slot = slot;
}
@@ -141,36 +146,38 @@
for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- slot->lock_count = 1;
+ slot->registered_readers = 1;
+ slot->state = PSA_SLOT_PENDING_DELETION;
(void) psa_wipe_key_slot(slot);
}
global_data.key_slots_initialized = 0;
}
-psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
- psa_key_slot_t **p_slot)
+psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
+ psa_key_slot_t **p_slot)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t slot_idx;
- psa_key_slot_t *selected_slot, *unlocked_persistent_key_slot;
+ psa_key_slot_t *selected_slot, *unused_persistent_key_slot;
if (!global_data.key_slots_initialized) {
status = PSA_ERROR_BAD_STATE;
goto error;
}
- selected_slot = unlocked_persistent_key_slot = NULL;
+ selected_slot = unused_persistent_key_slot = NULL;
for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- if (!psa_is_key_slot_occupied(slot)) {
+ if (slot->state == PSA_SLOT_EMPTY) {
selected_slot = slot;
break;
}
- if ((unlocked_persistent_key_slot == NULL) &&
- (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
- (!psa_is_key_slot_locked(slot))) {
- unlocked_persistent_key_slot = slot;
+ if ((unused_persistent_key_slot == NULL) &&
+ (slot->state == PSA_SLOT_FULL) &&
+ (!psa_key_slot_has_readers(slot)) &&
+ (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime))) {
+ unused_persistent_key_slot = slot;
}
}
@@ -182,14 +189,18 @@
* storage.
*/
if ((selected_slot == NULL) &&
- (unlocked_persistent_key_slot != NULL)) {
- selected_slot = unlocked_persistent_key_slot;
- selected_slot->lock_count = 1;
- psa_wipe_key_slot(selected_slot);
+ (unused_persistent_key_slot != NULL)) {
+ selected_slot = unused_persistent_key_slot;
+ psa_register_read(selected_slot);
+ status = psa_wipe_key_slot(selected_slot);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
}
if (selected_slot != NULL) {
- status = psa_lock_key_slot(selected_slot);
+ status = psa_key_slot_state_transition(selected_slot, PSA_SLOT_EMPTY,
+ PSA_SLOT_FILLING);
if (status != PSA_SUCCESS) {
goto error;
}
@@ -239,7 +250,8 @@
slot, data->slot_number, sizeof(data->slot_number));
if (status == PSA_SUCCESS) {
- slot->status = PSA_SLOT_OCCUPIED;
+ status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
}
goto exit;
}
@@ -250,7 +262,8 @@
goto exit;
}
- slot->status = PSA_SLOT_OCCUPIED;
+ status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
exit:
psa_free_persistent_key_data(key_data, key_data_length);
@@ -324,8 +337,9 @@
/* Copy actual key length and core attributes into the slot on success */
slot->key.bytes = key_buffer_length;
slot->attr = attributes.core;
- slot->status = PSA_SLOT_OCCUPIED;
+ status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
exit:
if (status != PSA_SUCCESS) {
psa_remove_key_data_from_memory(slot);
@@ -358,7 +372,7 @@
defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
psa_key_id_t volatile_key_id;
- status = psa_get_empty_key_slot(&volatile_key_id, p_slot);
+ status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
if (status != PSA_SUCCESS) {
return status;
}
@@ -380,12 +394,17 @@
if (status != PSA_SUCCESS) {
psa_wipe_key_slot(*p_slot);
+
if (status == PSA_ERROR_DOES_NOT_EXIST) {
status = PSA_ERROR_INVALID_HANDLE;
}
} else {
/* Add implicit usage flags. */
psa_extend_key_usage_flags(&(*p_slot)->attr.policy.usage);
+
+ psa_key_slot_state_transition((*p_slot), PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
+ status = psa_register_read(*p_slot);
}
return status;
@@ -394,26 +413,37 @@
#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
}
-psa_status_t psa_unlock_key_slot(psa_key_slot_t *slot)
+psa_status_t psa_unregister_read(psa_key_slot_t *slot)
{
if (slot == NULL) {
return PSA_SUCCESS;
}
+ if ((slot->state != PSA_SLOT_FULL) &&
+ (slot->state != PSA_SLOT_PENDING_DELETION)) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
- if (slot->lock_count > 0) {
- slot->lock_count--;
+ /* If we are the last reader and the slot is marked for deletion,
+ * we must wipe the slot here. */
+ if ((slot->state == PSA_SLOT_PENDING_DELETION) &&
+ (slot->registered_readers == 1)) {
+ return psa_wipe_key_slot(slot);
+ }
+
+ if (psa_key_slot_has_readers(slot)) {
+ slot->registered_readers--;
return PSA_SUCCESS;
}
/*
* As the return error code may not be handled in case of multiple errors,
- * do our best to report if the lock counter is equal to zero. Assert with
- * MBEDTLS_TEST_HOOK_TEST_ASSERT that the lock counter is strictly greater
- * than zero: if the MBEDTLS_TEST_HOOKS configuration option is enabled and
+ * do our best to report if there are no registered readers. Assert with
+ * MBEDTLS_TEST_HOOK_TEST_ASSERT that there are registered readers:
+ * if the MBEDTLS_TEST_HOOKS configuration option is enabled and
* the function is called as part of the execution of a test suite, the
* execution of the test suite is stopped in error if the assertion fails.
*/
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->lock_count > 0);
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(psa_key_slot_has_readers(slot));
return PSA_ERROR_CORRUPTION_DETECTED;
}
@@ -480,7 +510,7 @@
*handle = key;
- return psa_unlock_key_slot(slot);
+ return psa_unregister_read(slot);
#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
(void) key;
@@ -506,10 +536,10 @@
return status;
}
- if (slot->lock_count <= 1) {
+ if (slot->registered_readers == 1) {
return psa_wipe_key_slot(slot);
} else {
- return psa_unlock_key_slot(slot);
+ return psa_unregister_read(slot);
}
}
@@ -524,10 +554,10 @@
}
if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
- (slot->lock_count <= 1)) {
+ (slot->registered_readers == 1)) {
return psa_wipe_key_slot(slot);
} else {
- return psa_unlock_key_slot(slot);
+ return psa_unregister_read(slot);
}
}
@@ -539,10 +569,10 @@
for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
const psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- if (psa_is_key_slot_locked(slot)) {
+ if (psa_key_slot_has_readers(slot)) {
++stats->locked_slots;
}
- if (!psa_is_key_slot_occupied(slot)) {
+ if (slot->state == PSA_SLOT_EMPTY) {
++stats->empty_slots;
continue;
}
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index 6041a35..002429b 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -54,8 +54,9 @@
* In case of a persistent key, the function loads the description of the key
* into a key slot if not already done.
*
- * On success, the returned key slot is locked. It is the responsibility of
- * the caller to unlock the key slot when it does not access it anymore.
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to call psa_unregister_read(slot)
+ * when they have finished reading the contents of the slot.
*
* \param key Key identifier to query.
* \param[out] p_slot On success, `*p_slot` contains a pointer to the
@@ -95,50 +96,92 @@
* This does not affect persistent storage. */
void psa_wipe_all_key_slots(void);
-/** Find a free key slot.
+/** Find a free key slot and reserve it to be filled with a key.
*
- * This function returns a key slot that is available for use and is in its
- * ground state (all-bits-zero). On success, the key slot is locked. It is
- * the responsibility of the caller to unlock the key slot when it does not
- * access it anymore.
+ * This function finds a key slot that is free,
+ * sets its state to PSA_SLOT_FILLING and then returns the slot.
+ *
+ * On success, the key slot's state is PSA_SLOT_FILLING.
+ * It is the responsibility of the caller to change the slot's state to
+ * PSA_SLOT_EMPTY/FULL once key creation has finished.
*
* \param[out] volatile_key_id On success, volatile key identifier
* associated to the returned slot.
* \param[out] p_slot On success, a pointer to the slot.
*
* \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There were no free key slots.
* \retval #PSA_ERROR_BAD_STATE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * This function attempted to operate on a key slot which was in an
+ * unexpected state.
*/
-psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
- psa_key_slot_t **p_slot);
+psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
+ psa_key_slot_t **p_slot);
-/** Lock a key slot.
+/** Change the state of a key slot.
*
- * This function increments the key slot lock counter by one.
+ * This function changes the state of the key slot from expected_state to
+ * new state. If the state of the slot was not expected_state, the state is
+ * unchanged.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in] slot The key slot.
+ * \param[in] expected_state The current state of the slot.
+ * \param[in] new_state The new state of the slot.
+ *
+ * \retval #PSA_SUCCESS
+ The key slot's state variable is new_state.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was not expected_state.
+ */
+static inline psa_status_t psa_key_slot_state_transition(
+ psa_key_slot_t *slot, psa_key_slot_state_t expected_state,
+ psa_key_slot_state_t new_state)
+{
+ if (slot->state != expected_state) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ slot->state = new_state;
+ return PSA_SUCCESS;
+}
+
+/** Register as a reader of a key slot.
+ *
+ * This function increments the key slot registered reader counter by one.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
*
* \param[in] slot The key slot.
*
* \retval #PSA_SUCCESS
- The key slot lock counter was incremented.
+ The key slot registered reader counter was incremented.
* \retval #PSA_ERROR_CORRUPTION_DETECTED
- * The lock counter already reached its maximum value and was not
- * increased.
+ * The reader counter already reached its maximum value and was not
+ * increased, or the slot's state was not PSA_SLOT_FULL.
*/
-static inline psa_status_t psa_lock_key_slot(psa_key_slot_t *slot)
+static inline psa_status_t psa_register_read(psa_key_slot_t *slot)
{
- if (slot->lock_count >= SIZE_MAX) {
+ if ((slot->state != PSA_SLOT_FULL) ||
+ (slot->registered_readers >= SIZE_MAX)) {
return PSA_ERROR_CORRUPTION_DETECTED;
}
-
- slot->lock_count++;
+ slot->registered_readers++;
return PSA_SUCCESS;
}
-/** Unlock a key slot.
+/** Unregister from reading a key slot.
*
- * This function decrements the key slot lock counter by one.
+ * This function decrements the key slot registered reader counter by one.
+ * If the state of the slot is PSA_SLOT_PENDING_DELETION,
+ * and there is only one registered reader (the caller),
+ * this function will call psa_wipe_key_slot().
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
*
* \note To ease the handling of errors in retrieving a key slot
* a NULL input pointer is valid, and the function returns
@@ -146,13 +189,16 @@
*
* \param[in] slot The key slot.
* \retval #PSA_SUCCESS
- * \p slot is NULL or the key slot lock counter has been
- * decremented successfully.
+ * \p slot is NULL or the key slot reader counter has been
+ * decremented (and potentially wiped) successfully.
* \retval #PSA_ERROR_CORRUPTION_DETECTED
- * The lock counter was equal to 0.
- *
+ * The slot's state was neither PSA_SLOT_FULL nor
+ * PSA_SLOT_PENDING_DELETION.
+ * Or a wipe was attempted and the slot's state was not
+ * PSA_SLOT_PENDING_DELETION.
+ * Or registered_readers was equal to 0.
*/
-psa_status_t psa_unlock_key_slot(psa_key_slot_t *slot);
+psa_status_t psa_unregister_read(psa_key_slot_t *slot);
/** Test whether a lifetime designates a key in an external cryptoprocessor.
*
diff --git a/library/psa_util.c b/library/psa_util.c
index 36b7175..41586e2 100644
--- a/library/psa_util.c
+++ b/library/psa_util.c
@@ -232,9 +232,7 @@
return PSA_ECC_FAMILY_SECP_K1;
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
- case MBEDTLS_ECP_DP_SECP224K1:
- *bits = 224;
- return PSA_ECC_FAMILY_SECP_K1;
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
case MBEDTLS_ECP_DP_SECP256K1:
@@ -252,11 +250,10 @@
}
}
-mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
- size_t bits,
- int bits_is_sloppy)
+mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
+ size_t bits)
{
- switch (curve) {
+ switch (family) {
case PSA_ECC_FAMILY_SECP_R1:
switch (bits) {
#if defined(PSA_WANT_ECC_SECP_R1_192)
@@ -278,11 +275,6 @@
#if defined(PSA_WANT_ECC_SECP_R1_521)
case 521:
return MBEDTLS_ECP_DP_SECP521R1;
- case 528:
- if (bits_is_sloppy) {
- return MBEDTLS_ECP_DP_SECP521R1;
- }
- break;
#endif
}
break;
@@ -309,11 +301,6 @@
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
case 255:
return MBEDTLS_ECP_DP_CURVE25519;
- case 256:
- if (bits_is_sloppy) {
- return MBEDTLS_ECP_DP_CURVE25519;
- }
- break;
#endif
#if defined(PSA_WANT_ECC_MONTGOMERY_448)
case 448:
@@ -329,8 +316,7 @@
return MBEDTLS_ECP_DP_SECP192K1;
#endif
#if defined(PSA_WANT_ECC_SECP_K1_224)
- case 224:
- return MBEDTLS_ECP_DP_SECP224K1;
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
#endif
#if defined(PSA_WANT_ECC_SECP_K1_256)
case 256:
@@ -340,7 +326,6 @@
break;
}
- (void) bits_is_sloppy;
return MBEDTLS_ECP_DP_NONE;
}
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
diff --git a/library/rsa.c b/library/rsa.c
index 2b9f85b..a90b83a 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -28,6 +28,7 @@
#if defined(MBEDTLS_RSA_C)
#include "mbedtls/rsa.h"
+#include "bignum_core.h"
#include "rsa_alt_helpers.h"
#include "rsa_internal.h"
#include "mbedtls/oid.h"
@@ -971,6 +972,45 @@
}
/*
+ * Unblind
+ * T = T * Vf mod N
+ */
+static int rsa_unblind(mbedtls_mpi *T, mbedtls_mpi *Vf, const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
+ const size_t nlimbs = N->n;
+ const size_t tlimbs = mbedtls_mpi_core_montmul_working_limbs(nlimbs);
+ mbedtls_mpi RR, M_T;
+
+ mbedtls_mpi_init(&RR);
+ mbedtls_mpi_init(&M_T);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&M_T, tlimbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs));
+
+ /* T = T * Vf mod N
+ * Reminder: montmul(A, B, N) = A * B * R^-1 mod N
+ * Usually both operands are multiplied by R mod N beforehand (by calling
+ * `to_mont_rep()` on them), yielding a result that's also * R mod N (aka
+ * "in the Montgomery domain"). Here we only multiply one operand by R mod
+ * N, so the result is directly what we want - no need to call
+ * `from_mont_rep()` on it. */
+ mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p);
+ mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p);
+
+cleanup:
+
+ mbedtls_mpi_free(&RR);
+ mbedtls_mpi_free(&M_T);
+
+ return ret;
+}
+
+/*
* Exponent blinding supposed to prevent side-channel attacks using multiple
* traces of measurements to recover the RSA key. The more collisions are there,
* the more bits of the key can be recovered. See [3].
@@ -1017,23 +1057,14 @@
/* Temporaries holding the blinded exponents for
* the mod p resp. mod q computation (if used). */
mbedtls_mpi DP_blind, DQ_blind;
-
- /* Pointers to actual exponents to be used - either the unblinded
- * or the blinded ones, depending on the presence of a PRNG. */
- mbedtls_mpi *DP = &ctx->DP;
- mbedtls_mpi *DQ = &ctx->DQ;
#else
/* Temporary holding the blinded exponent (if used). */
mbedtls_mpi D_blind;
-
- /* Pointer to actual exponent to be used - either the unblinded
- * or the blinded one, depending on the presence of a PRNG. */
- mbedtls_mpi *D = &ctx->D;
#endif /* MBEDTLS_RSA_NO_CRT */
/* Temporaries holding the initial input and the double
* checked result; should be the same in the end. */
- mbedtls_mpi I, C;
+ mbedtls_mpi input_blinded, check_result_blinded;
if (f_rng == NULL) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
@@ -1068,8 +1099,8 @@
mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
#endif
- mbedtls_mpi_init(&I);
- mbedtls_mpi_init(&C);
+ mbedtls_mpi_init(&input_blinded);
+ mbedtls_mpi_init(&check_result_blinded);
/* End of MPI initialization */
@@ -1079,8 +1110,6 @@
goto cleanup;
}
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
-
/*
* Blinding
* T = T * Vi mod N
@@ -1089,6 +1118,8 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&input_blinded, &T));
+
/*
* Exponent blinding
*/
@@ -1104,8 +1135,6 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
-
- D = &D_blind;
#else
/*
* DP_blind = ( P - 1 ) * R + DP
@@ -1116,8 +1145,6 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
&ctx->DP));
- DP = &DP_blind;
-
/*
* DQ_blind = ( Q - 1 ) * R + DQ
*/
@@ -1126,12 +1153,10 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
&ctx->DQ));
-
- DQ = &DQ_blind;
#endif /* MBEDTLS_RSA_NO_CRT */
#if defined(MBEDTLS_RSA_NO_CRT)
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &D_blind, &ctx->N, &ctx->RN));
#else
/*
* Faster decryption using the CRT
@@ -1140,8 +1165,8 @@
* TQ = input ^ dQ mod Q
*/
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, &DP_blind, &ctx->P, &ctx->RP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, &DQ_blind, &ctx->Q, &ctx->RQ));
/*
* T = (TP - TQ) * (Q^-1 mod P) mod P
@@ -1157,20 +1182,19 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
#endif /* MBEDTLS_RSA_NO_CRT */
+ /* Verify the result to prevent glitching attacks. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E,
+ &ctx->N, &ctx->RN));
+ if (mbedtls_mpi_cmp_mpi(&check_result_blinded, &input_blinded) != 0) {
+ ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ goto cleanup;
+ }
+
/*
* Unblind
* T = T * Vf mod N
*/
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
-
- /* Verify the result to prevent glitching attacks. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
- &ctx->N, &ctx->RN));
- if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {
- ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
- goto cleanup;
- }
+ MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
olen = ctx->len;
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
@@ -1199,8 +1223,8 @@
mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
#endif
- mbedtls_mpi_free(&C);
- mbedtls_mpi_free(&I);
+ mbedtls_mpi_free(&check_result_blinded);
+ mbedtls_mpi_free(&input_blinded);
if (ret != 0 && ret >= -0x007f) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
diff --git a/library/sha512.c b/library/sha512.c
index 6011254..6dcea8d 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -102,6 +102,14 @@
# if defined(__linux__)
/* Our preferred method of detection is getauxval() */
# include <sys/auxv.h>
+# if !defined(HWCAP_SHA512)
+/* The same header that declares getauxval() should provide the HWCAP_xxx
+ * constants to analyze its return value. However, the libc may be too
+ * old to have the constant that we need. So if it's missing, assume that
+ * the value is the same one used by the Linux kernel ABI.
+ */
+# define HWCAP_SHA512 (1 << 21)
+# endif
# endif
/* Use SIGILL on Unix, and fall back to it on Linux */
# include <signal.h>
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 6224ef2..23619a2 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -17,7 +17,7 @@
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif
#include <string.h>
diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h
new file mode 100644
index 0000000..27ff721
--- /dev/null
+++ b/library/ssl_ciphersuites_internal.h
@@ -0,0 +1,154 @@
+/**
+ * \file ssl_ciphersuites_internal.h
+ *
+ * \brief Internal part of the public "ssl_ciphersuites.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H
+#define MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
+psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
+#endif /* MBEDTLS_PK_C */
+
+int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
+ const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H */
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 270db41..6d988a8 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -12,7 +12,7 @@
#include <string.h>
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
@@ -609,7 +609,7 @@
int ssl_write_supported_groups_ext_flags = 0;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
- if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ssl_write_supported_groups_ext_flags |=
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
}
@@ -637,7 +637,7 @@
int write_sig_alg_ext = 0;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
write_sig_alg_ext = write_sig_alg_ext ||
- (propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl));
+ (propose_tls13 && mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl));
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
@@ -668,7 +668,7 @@
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
* MUST be the last extension in the ClientHello.
*/
- if (propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
+ if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
ssl, p, end, &output_len, binders_len);
if (ret != 0) {
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index ee81eb4..2772cac 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -24,7 +24,7 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a8afd42..16cd62e 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -44,6 +44,8 @@
#endif
#include "mbedtls/pk.h"
+#include "ssl_ciphersuites_internal.h"
+#include "x509_internal.h"
#include "pk_internal.h"
#include "common.h"
@@ -650,6 +652,10 @@
/* Flag indicating if a CertificateRequest message has been sent
* to the client or not. */
uint8_t certificate_request_sent;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ /* Flag indicating if the server has accepted early data or not. */
+ uint8_t early_data_accepted;
+#endif
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
@@ -1914,89 +1920,89 @@
/*
* Helper functions around key exchange modes.
*/
-static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
- int kex_mode_mask)
+static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
+ int kex_mode_mask)
{
return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
}
-static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
}
-static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
}
-static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
}
-static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
}
-static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
}
#if defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
/**
* Given a list of key exchange modes, check if at least one of them is
- * supported.
+ * supported by peer.
*
* \param[in] ssl SSL context
* \param kex_modes_mask Mask of the key exchange modes to check
*
- * \return 0 if at least one of the key exchange modes is supported,
- * !=0 otherwise.
+ * \return Non-zero if at least one of the key exchange modes is supported by
+ * the peer, otherwise \c 0.
*/
-static inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
- int kex_modes_mask)
+static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
+ int kex_modes_mask)
{
- return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0;
+ return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
}
-static inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
}
-static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
+static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
}
-static inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
}
-static inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
}
-static inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
}
#endif /* MBEDTLS_SSL_SRV_C &&
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
@@ -2130,12 +2136,6 @@
unsigned char *buf,
const unsigned char *end,
size_t *out_len);
-
-#if defined(MBEDTLS_SSL_SRV_C)
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED \
- MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT
-#endif /* MBEDTLS_SSL_SRV_C */
-
#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@@ -2704,12 +2704,18 @@
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
-#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len);
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#if defined(MBEDTLS_SSL_ALPN)
@@ -2782,47 +2788,53 @@
#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
-static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
+static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
return session->ticket_flags &
(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
-static inline unsigned int mbedtls_ssl_session_check_ticket_flags(
+/**
+ * Check if at least one of the given flags is set in
+ * the session ticket. See the definition of
+ * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
+ * permitted flags.
+ */
+static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
- return mbedtls_ssl_session_get_ticket_flags(session, flags) == 0;
+ return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
}
-static inline unsigned int mbedtls_ssl_session_ticket_allow_psk(
+static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
mbedtls_ssl_session *session)
{
- return !mbedtls_ssl_session_check_ticket_flags(session,
- MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
}
-static inline unsigned int mbedtls_ssl_session_ticket_allow_psk_ephemeral(
+static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
mbedtls_ssl_session *session)
{
- return !mbedtls_ssl_session_check_ticket_flags(session,
- MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
}
-static inline unsigned int mbedtls_ssl_session_ticket_allow_early_data(
+static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
mbedtls_ssl_session *session)
{
- return !mbedtls_ssl_session_check_ticket_flags(session,
- MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
}
-static inline void mbedtls_ssl_session_set_ticket_flags(
+static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
-static inline void mbedtls_ssl_session_clear_ticket_flags(
+static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 6579c96..c2e64c6 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -18,7 +18,7 @@
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
@@ -3985,6 +3985,31 @@
rec)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * Although the server rejected early data, it might receive early
+ * data as long as it has not received the client Finished message.
+ * It is encrypted with early keys and should be ignored as stated
+ * in section 4.2.10 of RFC 8446:
+ *
+ * "Ignore the extension and return a regular 1-RTT response. The
+ * server then skips past early data by attempting to deprotect
+ * received records using the handshake traffic key, discarding
+ * records which fail deprotection (up to the configured
+ * max_early_data_size). Once a record is deprotected successfully,
+ * it is treated as the start of the client's second flight and the
+ * server proceeds as with an ordinary 1-RTT handshake."
+ */
+ if ((old_msg_type == MBEDTLS_SSL_MSG_APPLICATION_DATA) &&
+ (ssl->discard_early_data_record ==
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("EarlyData: deprotect and discard app data records."));
+ /* TODO: Add max_early_data_size check here, see issue 6347 */
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
ssl->conf->ignore_unexpected_cid
@@ -3994,9 +4019,27 @@
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ /*
+ * The decryption of the record failed, no reason to ignore it,
+ * return in error with the decryption error code.
+ */
return ret;
}
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * If the server were discarding protected records that it fails to
+ * deprotect because it has rejected early data, as we have just
+ * deprotected successfully a record, the server has to resume normal
+ * operation and fail the connection if the deprotection of a record
+ * fails.
+ */
+ if (ssl->discard_early_data_record ==
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD) {
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
if (old_msg_type != rec->type) {
MBEDTLS_SSL_DEBUG_MSG(4, ("record type after decrypt (before %d): %d",
old_msg_type, rec->type));
@@ -4070,6 +4113,32 @@
}
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * Although the server rejected early data because it needed to send an
+ * HelloRetryRequest message, it might receive early data as long as it has
+ * not received the client Finished message.
+ * The early data is encrypted with early keys and should be ignored as
+ * stated in section 4.2.10 of RFC 8446 (second case):
+ *
+ * "The server then ignores early data by skipping all records with an
+ * external content type of "application_data" (indicating that they are
+ * encrypted), up to the configured max_early_data_size. Ignore application
+ * data message before 2nd ClientHello when early_data was received in 1st
+ * ClientHello."
+ */
+ if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) {
+ if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("EarlyData: Ignore application message before 2nd ClientHello"));
+ /* TODO: Add max_early_data_size check here, see issue 6347 */
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+ }
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
mbedtls_ssl_dtls_replay_update(ssl);
@@ -5648,12 +5717,53 @@
}
/*
+ * brief Read at most 'len' application data bytes from the input
+ * buffer.
+ *
+ * param ssl SSL context:
+ * - First byte of application data not read yet in the input
+ * buffer located at address `in_offt`.
+ * - The number of bytes of data not read yet is `in_msglen`.
+ * param buf buffer that will hold the data
+ * param len maximum number of bytes to read
+ *
+ * note The function updates the fields `in_offt` and `in_msglen`
+ * according to the number of bytes read.
+ *
+ * return The number of bytes read.
+ */
+static int ssl_read_application_data(
+ mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
+{
+ size_t n = (len < ssl->in_msglen) ? len : ssl->in_msglen;
+
+ if (len != 0) {
+ memcpy(buf, ssl->in_offt, n);
+ ssl->in_msglen -= n;
+ }
+
+ /* Zeroising the plaintext buffer to erase unused application data
+ from the memory. */
+ mbedtls_platform_zeroize(ssl->in_offt, n);
+
+ if (ssl->in_msglen == 0) {
+ /* all bytes consumed */
+ ssl->in_offt = NULL;
+ ssl->keep_current_message = 0;
+ } else {
+ /* more data available */
+ ssl->in_offt += n;
+ }
+
+ return (int) n;
+}
+
+/*
* Receive application data decrypted from the SSL layer
*/
int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
if (ssl == NULL || ssl->conf == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -5817,32 +5927,34 @@
#endif /* MBEDTLS_SSL_PROTO_DTLS */
}
- n = (len < ssl->in_msglen)
- ? len : ssl->in_msglen;
-
- if (len != 0) {
- memcpy(buf, ssl->in_offt, n);
- ssl->in_msglen -= n;
- }
-
- /* Zeroising the plaintext buffer to erase unused application data
- from the memory. */
- mbedtls_platform_zeroize(ssl->in_offt, n);
-
- if (ssl->in_msglen == 0) {
- /* all bytes consumed */
- ssl->in_offt = NULL;
- ssl->keep_current_message = 0;
- } else {
- /* more data available */
- ssl->in_offt += n;
- }
+ ret = ssl_read_application_data(ssl, buf, len);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= read"));
- return (int) n;
+ return ret;
}
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ if (ssl == NULL || (ssl->conf == NULL)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /*
+ * The server may receive early data only while waiting for the End of
+ * Early Data handshake message.
+ */
+ if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) ||
+ (ssl->in_offt == NULL)) {
+ return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA;
+ }
+
+ return ssl_read_application_data(ssl, buf, len);
+}
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA */
+
/*
* Send application data to be encrypted by the SSL layer, taking care of max
* fragment length and buffer size.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f92e40a..8afedde 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -20,7 +20,7 @@
#include "ssl_debug_helpers.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
@@ -29,6 +29,7 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
#include "md_psa.h"
#include "psa_util_internal.h"
#include "psa/crypto.h"
@@ -1097,6 +1098,15 @@
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_CLI_C)
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+#endif
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
/* Initialize structures */
mbedtls_ssl_session_init(ssl->session_negotiate);
ssl_handshake_params_init(ssl->handshake);
@@ -1342,7 +1352,7 @@
* bad config.
*
*/
- if (mbedtls_ssl_conf_tls13_ephemeral_enabled(
+ if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
(mbedtls_ssl_context *) ssl) &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
@@ -3521,15 +3531,15 @@
if (ssl->transform_out != NULL &&
ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- /* RFC 8449, section 4:
- *
- * This value [record_size_limit] is the length of the plaintext
- * of a protected record.
- * The value includes the content type and padding added in TLS 1.3
- * (that is, the complete length of TLSInnerPlaintext).
- *
- * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
- * and subtract 1 (for the content type that will be added later)
+ /*
+ * In TLS 1.3 case, when records are protected, `max_len` as computed
+ * above is the maximum length of the TLSInnerPlaintext structure that
+ * along the plaintext payload contains the inner content type (one byte)
+ * and some zero padding. Given the algorithm used for padding
+ * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
+ * the plaintext payload. Round down to a multiple of
+ * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
+ * subtract 1.
*/
max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
@@ -5118,23 +5128,17 @@
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA512)
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
+#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
+#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256 */
+#endif
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
@@ -5154,42 +5158,47 @@
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
+
#if defined(MBEDTLS_MD_CAN_SHA512)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
#endif
-#endif /* MBEDTLS_MD_CAN_SHA512*/
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+
#if defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
#endif
-#endif /* MBEDTLS_MD_CAN_SHA384*/
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
#endif
-#endif /* MBEDTLS_MD_CAN_SHA256*/
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
/* NOTICE: see above */
static uint16_t ssl_preset_suiteb_sig_algs[] = {
@@ -5207,38 +5216,25 @@
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA256)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256*/
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256*/
-
MBEDTLS_TLS_SIG_NONE
};
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
+
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif
-#if defined(MBEDTLS_RSA_C)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA256*/
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
#if defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
#endif
-#if defined(MBEDTLS_RSA_C)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA256*/
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 0c5af87..c1ca60c 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -14,7 +14,7 @@
#include "mbedtls/ssl.h"
#include "ssl_client.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
@@ -2005,9 +2005,9 @@
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
-#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
-#endif /* MBEDTLS_ECP_C */
+#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
uint16_t tls_id = 0;
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 5a9f6ca..f242faa 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -13,7 +13,7 @@
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "constant_time_internal.h"
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 342ec52..f4987b3 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -11,7 +11,7 @@
#include <string.h>
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
@@ -19,7 +19,7 @@
#include "ssl_client.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
/* Define a local translating function to save code size by not using too many
@@ -621,7 +621,7 @@
/* Skip writing extension if no PSK key exchange mode
* is enabled in the config.
*/
- if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
+ if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
return 0;
}
@@ -640,14 +640,14 @@
*/
p += 5;
- if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
ke_modes_len++;
MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
}
- if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
ke_modes_len++;
@@ -684,8 +684,8 @@
mbedtls_ssl_session *session = ssl->session_negotiate;
return ssl->handshake->resume &&
session != NULL && session->ticket != NULL &&
- mbedtls_ssl_conf_tls13_check_kex_modes(
- ssl, mbedtls_ssl_session_get_ticket_flags(
+ mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
+ ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
}
@@ -695,7 +695,7 @@
mbedtls_ssl_session *session = ssl->session_negotiate;
return ssl->handshake->resume &&
session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- mbedtls_ssl_session_ticket_allow_early_data(session) &&
+ mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
}
#endif
@@ -1160,8 +1160,17 @@
}
p += ext_len;
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
+ ssl, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+#endif
+
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
- if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
if (ret != 0) {
return ret;
@@ -1171,9 +1180,10 @@
#endif
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
+ if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
ssl_tls13_early_data_has_valid_ticket(ssl) &&
- ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
+ ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
+ ssl->handshake->hello_retry_request_count == 0) {
ret = mbedtls_ssl_tls13_write_early_data_ext(
ssl, 0, p, end, &ext_len);
@@ -1227,10 +1237,6 @@
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
-#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
- mbedtls_ssl_handshake_set_state(
- ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
-#endif
MBEDTLS_SSL_DEBUG_MSG(
1, ("Set hs psk for early data when writing the first psk"));
@@ -1285,6 +1291,15 @@
return ret;
}
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
+#else
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early data keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+#endif
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
return 0;
@@ -1457,7 +1472,7 @@
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
buf, (size_t) (end - buf)));
- if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_reset_key_share(ssl);
if (ret != 0) {
return ret;
@@ -1499,7 +1514,7 @@
* in the ClientHello.
* In a PSK only key exchange that what we expect.
*/
- if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Unexpected HRR in pure PSK key exchange."));
MBEDTLS_SSL_PEND_FATAL_ALERT(
@@ -1776,7 +1791,7 @@
case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
- if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
goto cleanup;
}
@@ -1879,7 +1894,7 @@
goto cleanup;
}
- if (!mbedtls_ssl_conf_tls13_check_kex_modes(
+ if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
ssl, handshake->key_exchange_mode)) {
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
MBEDTLS_SSL_DEBUG_MSG(
@@ -2695,7 +2710,7 @@
MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
- mbedtls_ssl_session_set_ticket_flags(
+ mbedtls_ssl_tls13_session_set_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
MBEDTLS_SSL_DEBUG_MSG(
3, ("received max_early_data_size: %u",
@@ -2846,7 +2861,7 @@
session->ticket_len = ticket_len;
/* Clear all flags in ticket_flags */
- mbedtls_ssl_session_clear_ticket_flags(
+ mbedtls_ssl_tls13_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
@@ -2933,7 +2948,7 @@
session->resumption_key_len);
/* Set ticket_flags depends on the selected key exchange modes */
- mbedtls_ssl_session_set_ticket_flags(
+ mbedtls_ssl_tls13_session_set_ticket_flags(
session, ssl->conf->tls13_kex_modes);
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
@@ -3058,19 +3073,19 @@
}
break;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
if (ret == 0) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
-#if defined(MBEDTLS_SSL_EARLY_DATA)
MBEDTLS_SSL_DEBUG_MSG(
1, ("Switch to early data keys for outbound traffic"));
mbedtls_ssl_set_outbound_transform(
ssl, ssl->handshake->transform_earlydata);
-#endif
}
break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index ecfaf8a..2666067 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -12,12 +12,12 @@
#include <string.h>
#include "mbedtls/error.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
#include "psa/crypto.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include "ssl_misc.h"
#include "ssl_tls13_invasive.h"
@@ -1698,6 +1698,7 @@
}
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
/* RFC 8449, section 4:
*
* The ExtensionData of the "record_size_limit" extension is
@@ -1738,6 +1739,8 @@
* as a fatal error and generate an "illegal_parameter" alert.
*/
if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid record size limit : %u Bytes",
+ record_size_limit));
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
@@ -1749,6 +1752,36 @@
return 0;
}
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ *out_len = 0;
+
+ MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN,
+ "MBEDTLS_SSL_IN_CONTENT_LEN is less than the "
+ "minimum record size limit");
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT, p, 0);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH,
+ p, 2);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_IN_CONTENT_LEN, p, 4);
+
+ *out_len = 6;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Sent RecordSizeLimit: %d Bytes",
+ MBEDTLS_SSL_IN_CONTENT_LEN));
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT);
+
+ return 0;
+}
+
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 9b775ec..739414e 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -13,7 +13,7 @@
#include <string.h>
#include "mbedtls/hkdf.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
@@ -22,7 +22,7 @@
#include "ssl_tls13_invasive.h"
#include "psa/crypto.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index a7c266b..62b117c 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -9,12 +9,12 @@
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
#include "mbedtls/oid.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include "ssl_misc.h"
#include "ssl_tls13_keys.h"
@@ -95,9 +95,9 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl);
+static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl);
+static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_offered_psks_check_identity_match_ticket(
@@ -175,12 +175,12 @@
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
key_exchanges = 0;
- if (mbedtls_ssl_session_ticket_allow_psk_ephemeral(session) &&
- ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
+ if (mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(session) &&
+ ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
}
- if (mbedtls_ssl_session_ticket_allow_psk(session) &&
- ssl_tls13_check_psk_key_exchange(ssl)) {
+ if (mbedtls_ssl_tls13_session_ticket_allow_psk(session) &&
+ ssl_tls13_key_exchange_is_psk_available(ssl)) {
key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
}
@@ -1003,12 +1003,12 @@
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_ticket_permission_check(mbedtls_ssl_context *ssl,
- unsigned int kex_mode)
+static int ssl_tls13_ticket_is_kex_mode_permitted(mbedtls_ssl_context *ssl,
+ unsigned int kex_mode)
{
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl->handshake->resume) {
- if (mbedtls_ssl_session_check_ticket_flags(
+ if (!mbedtls_ssl_tls13_session_ticket_has_flags(
ssl->session_negotiate, kex_mode)) {
return 0;
}
@@ -1022,10 +1022,10 @@
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
+static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
- return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
+ return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) &&
ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
#else
((void) ssl);
@@ -1034,13 +1034,13 @@
}
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
+static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
- return ssl_tls13_ticket_permission_check(
+ return ssl_tls13_ticket_is_kex_mode_permitted(
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
- mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
- mbedtls_ssl_tls13_psk_enabled(ssl) &&
+ mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) &&
+ mbedtls_ssl_tls13_is_psk_supported(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
#else
((void) ssl);
@@ -1049,13 +1049,13 @@
}
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
+static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
- return ssl_tls13_ticket_permission_check(
+ return ssl_tls13_ticket_is_kex_mode_permitted(
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
- mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
- mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
+ mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) &&
+ mbedtls_ssl_tls13_is_psk_ephemeral_supported(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
#else
((void) ssl);
@@ -1083,17 +1083,17 @@
ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
- if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
+ if (ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
} else
- if (ssl_tls13_check_ephemeral_key_exchange(ssl)) {
+ if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) {
ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
} else
- if (ssl_tls13_check_psk_key_exchange(ssl)) {
+ if (ssl_tls13_key_exchange_is_psk_available(ssl)) {
ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
@@ -1533,6 +1533,12 @@
unsigned int extension_type;
size_t extension_data_len;
const unsigned char *extension_data_end;
+ uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH;
+
+ if (ssl->handshake->hello_retry_request_count > 0) {
+ /* Do not accept early data extension in 2nd ClientHello */
+ allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA);
+ }
/* RFC 8446, section 4.2.11
*
@@ -1560,7 +1566,7 @@
ret = mbedtls_ssl_tls13_check_received_extension(
ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
- MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);
+ allowed_exts);
if (ret != 0) {
return ret;
}
@@ -1734,8 +1740,8 @@
* - The content up to but excluding the PSK extension, if present.
*/
/* If we've settled on a PSK-based exchange, parse PSK identity ext */
- if (ssl_tls13_check_psk_key_exchange(ssl) ||
- ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
+ if (ssl_tls13_key_exchange_is_psk_available(ssl) ||
+ ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
ret = handshake->update_checksum(ssl, buf,
pre_shared_key_ext - buf);
if (0 != ret) {
@@ -1780,25 +1786,15 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
-static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl)
+static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
- if ((handshake->received_extensions &
- MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) {
- MBEDTLS_SSL_DEBUG_MSG(
- 1, ("EarlyData: no early data extension received."));
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED;
- return;
- }
-
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
-
if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) {
MBEDTLS_SSL_DEBUG_MSG(
1,
("EarlyData: rejected, feature disabled in server configuration."));
- return;
+ return -1;
}
if (!handshake->resume) {
@@ -1807,7 +1803,7 @@
resumption. */
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, not a session resumption."));
- return;
+ return -1;
}
/* RFC 8446 4.2.10
@@ -1830,7 +1826,7 @@
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected key in "
"`pre_shared_key` is not the first one."));
- return;
+ return -1;
}
if (handshake->ciphersuite_info->id !=
@@ -1838,27 +1834,27 @@
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected ciphersuite is not the one "
"of the selected pre-shared key."));
- return;
+ return -1;
}
- if (!mbedtls_ssl_session_ticket_allow_early_data(ssl->session_negotiate)) {
+ if (!mbedtls_ssl_tls13_session_ticket_allow_early_data(ssl->session_negotiate)) {
MBEDTLS_SSL_DEBUG_MSG(
1,
("EarlyData: rejected, early_data not allowed in ticket "
"permission bits."));
- return;
+ return -1;
}
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
-
+ return 0;
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
/* Update the handshake state machine */
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
+static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl,
+ int hrr_required)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1882,17 +1878,26 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- /* There is enough information, update early data state. */
- ssl_tls13_update_early_data_status(ssl);
+ if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
+ ssl->handshake->early_data_accepted =
+ (!hrr_required) && (ssl_tls13_check_early_data_requirements(ssl) == 0);
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
- ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(
- 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
- return ret;
+ if (ssl->handshake->early_data_accepted) {
+ ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
+ return ret;
+ }
+ } else {
+ ssl->discard_early_data_record =
+ hrr_required ?
+ MBEDTLS_SSL_EARLY_DATA_DISCARD :
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD;
}
}
+#else
+ ((void) hrr_required);
#endif /* MBEDTLS_SSL_EARLY_DATA */
return 0;
@@ -1925,19 +1930,31 @@
* by MBEDTLS_SSL_PROC_CHK_NEG. */
/*
- * Version 1.2 of the protocol has been chosen, set the
+ * Version 1.2 of the protocol has to be used for the handshake.
+ * If TLS 1.2 is not supported, abort the handshake. Otherwise, set the
* ssl->keep_current_message flag for the ClientHello to be kept and parsed
* as a TLS 1.2 ClientHello. We also change ssl->tls_version to
* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
* will dispatch to the TLS 1.2 state machine.
*/
if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
+ /* Check if server supports TLS 1.2 */
+ if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("TLS 1.2 not supported."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
return 0;
}
- MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));
+ MBEDTLS_SSL_PROC_CHK(
+ ssl_tls13_postprocess_client_hello(ssl, parse_client_hello_ret ==
+ SSL_CLIENT_HELLO_HRR_REQUIRED));
if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
@@ -2520,7 +2537,7 @@
#endif /* MBEDTLS_SSL_ALPN */
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
+ if (ssl->handshake->early_data_accepted) {
ret = mbedtls_ssl_tls13_write_early_data_ext(
ssl, 0, p, end, &output_len);
if (ret != 0) {
@@ -2530,6 +2547,17 @@
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) {
+ ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
+ ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif
+
extensions_len = (p - p_extensions_len) - 2;
MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
@@ -2836,7 +2864,7 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
+ if (ssl->handshake->early_data_accepted) {
/* See RFC 8446 section A.2 for more information */
MBEDTLS_SSL_DEBUG_MSG(
1, ("Switch to early keys for inbound traffic. "
@@ -2890,6 +2918,17 @@
if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data"));
+ /* RFC 8446 section 4.6.1
+ *
+ * A server receiving more than max_early_data_size bytes of 0-RTT data
+ * SHOULD terminate the connection with an "unexpected_message" alert.
+ *
+ * TODO: Add received data size check here.
+ */
+ if (ssl->in_offt == NULL) {
+ /* Set the reading pointer */
+ ssl->in_offt = ssl->in_msg;
+ }
return SSL_GOT_EARLY_DATA;
}
@@ -2915,37 +2954,6 @@
return 0;
}
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_process_early_application_data(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- /*
- * Output early data
- *
- * For the time being, we print received data via debug message.
- *
- * TODO: Remove it when `mbedtls_ssl_read_early_data` is ready.
- */
- ssl->in_msg[ssl->in_msglen] = 0;
- MBEDTLS_SSL_DEBUG_MSG(3, ("\n%s", ssl->in_msg));
-
- /* RFC 8446 section 4.6.1
- *
- * A server receiving more than max_early_data_size bytes of 0-RTT data
- * SHOULD terminate the connection with an "unexpected_message" alert.
- *
- * TODO: Add received data size check here.
- */
-
- return 0;
-}
-
/*
* RFC 8446 section A.2
*
@@ -3016,7 +3024,8 @@
ssl_tls13_prepare_for_handshake_second_flight(ssl);
} else if (ret == SSL_GOT_EARLY_DATA) {
- MBEDTLS_SSL_PROC_CHK(ssl_tls13_process_early_application_data(ssl));
+ ret = MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA;
+ goto cleanup;
} else {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@@ -3069,7 +3078,7 @@
* expected to be resolved with issue#6395.
*/
/* Sent NewSessionTicket message only when client supports PSK */
- if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
+ if (mbedtls_ssl_tls13_is_some_psk_supported(ssl)) {
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
} else
@@ -3128,17 +3137,17 @@
#endif
/* Set ticket_flags depends on the advertised psk key exchange mode */
- mbedtls_ssl_session_clear_ticket_flags(
+ mbedtls_ssl_tls13_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
- mbedtls_ssl_session_set_ticket_flags(
+ mbedtls_ssl_tls13_session_set_ticket_flags(
session, ssl->handshake->tls13_kex_modes);
#endif
#if defined(MBEDTLS_SSL_EARLY_DATA)
if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
ssl->conf->max_early_data_size > 0) {
- mbedtls_ssl_session_set_ticket_flags(
+ mbedtls_ssl_tls13_session_set_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -3318,7 +3327,7 @@
p += 2;
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (mbedtls_ssl_session_ticket_allow_early_data(session)) {
+ if (mbedtls_ssl_tls13_session_ticket_allow_early_data(session)) {
size_t output_len;
if ((ret = mbedtls_ssl_tls13_write_early_data_ext(
diff --git a/library/threading.c b/library/threading.c
index 873b507..c28290f 100644
--- a/library/threading.c
+++ b/library/threading.c
@@ -148,6 +148,9 @@
#if defined(THREADING_USE_GMTIME)
mbedtls_mutex_init(&mbedtls_threading_gmtime_mutex);
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_mutex_init(&mbedtls_threading_key_slot_mutex);
+#endif
}
/*
@@ -161,6 +164,9 @@
#if defined(THREADING_USE_GMTIME)
mbedtls_mutex_free(&mbedtls_threading_gmtime_mutex);
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_mutex_free(&mbedtls_threading_key_slot_mutex);
+#endif
}
#endif /* MBEDTLS_THREADING_ALT */
@@ -176,5 +182,8 @@
#if defined(THREADING_USE_GMTIME)
mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+mbedtls_threading_mutex_t mbedtls_threading_key_slot_mutex MUTEX_INIT;
+#endif
#endif /* MBEDTLS_THREADING_C */
diff --git a/library/x509.c b/library/x509.c
index b7b71f3..f97fb44 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -19,7 +19,7 @@
#if defined(MBEDTLS_X509_USE_C)
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/asn1.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
diff --git a/library/x509_create.c b/library/x509_create.c
index 8f31c3b..839b5df 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -9,7 +9,7 @@
#if defined(MBEDTLS_X509_CREATE_C)
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
@@ -382,6 +382,10 @@
{
mbedtls_asn1_named_data *cur;
+ if (val_len > (SIZE_MAX - 1)) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
if ((cur = mbedtls_asn1_store_named_data(head, oid, oid_len,
NULL, val_len + 1)) == NULL) {
return MBEDTLS_ERR_X509_ALLOC_FAILED;
diff --git a/library/x509_crl.c b/library/x509_crl.c
index fdbad23..7901992 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -20,6 +20,7 @@
#if defined(MBEDTLS_X509_CRL_PARSE_C)
#include "mbedtls/x509_crl.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 4e7672e..7f0160a 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -22,6 +22,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
@@ -35,7 +36,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "pk_internal.h"
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 79b1589..813d644 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -20,6 +20,7 @@
#if defined(MBEDTLS_X509_CSR_PARSE_C)
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
diff --git a/library/x509_internal.h b/library/x509_internal.h
new file mode 100644
index 0000000..15e097a
--- /dev/null
+++ b/library/x509_internal.h
@@ -0,0 +1,213 @@
+/**
+ * \file x509.h
+ *
+ * \brief Internal part of the public "x509.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_X509_INTERNAL_H
+#define MBEDTLS_X509_INTERNAL_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1.h"
+#include "pk_internal.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+/**
+ * \brief Return the next relative DN in an X509 name.
+ *
+ * \note Intended use is to compare function result to dn->next
+ * in order to detect boundaries of multi-valued RDNs.
+ *
+ * \param dn Current node in the X509 name
+ *
+ * \return Pointer to the first attribute-value pair of the
+ * next RDN in sequence, or NULL if end is reached.
+ */
+static inline mbedtls_x509_name *mbedtls_x509_dn_get_next(
+ mbedtls_x509_name *dn)
+{
+ while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) {
+ dn = dn->next;
+ }
+ return dn->next;
+}
+
+/**
+ * \brief Store the certificate serial in printable form into buf;
+ * no more than size characters will be written.
+ *
+ * \param buf Buffer to write to
+ * \param size Maximum size of buffer
+ * \param serial The X509 serial to represent
+ *
+ * \return The length of the string written (not including the
+ * terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial);
+
+/**
+ * \brief Compare pair of mbedtls_x509_time.
+ *
+ * \param t1 mbedtls_x509_time to compare
+ * \param t2 mbedtls_x509_time to compare
+ *
+ * \return < 0 if t1 is before t2
+ * 0 if t1 equals t2
+ * > 0 if t1 is after t2
+ */
+int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2);
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief Fill mbedtls_x509_time with provided mbedtls_time_t.
+ *
+ * \param tt mbedtls_time_t to convert
+ * \param now mbedtls_x509_time to fill with converted mbedtls_time_t
+ *
+ * \return \c 0 on success
+ * \return A non-zero return value on failure.
+ */
+int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now);
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+/**
+ * \brief Check a given mbedtls_x509_time against the system time
+ * and tell if it's in the past.
+ *
+ * \note Intended usage is "if( is_past( valid_to ) ) ERROR".
+ * Hence the return value of 1 if on internal errors.
+ *
+ * \param to mbedtls_x509_time to check
+ *
+ * \return 1 if the given time is in the past or an error occurred,
+ * 0 otherwise.
+ */
+int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
+
+/**
+ * \brief Check a given mbedtls_x509_time against the system time
+ * and tell if it's in the future.
+ *
+ * \note Intended usage is "if( is_future( valid_from ) ) ERROR".
+ * Hence the return value of 1 if on internal errors.
+ *
+ * \param from mbedtls_x509_time to check
+ *
+ * \return 1 if the given time is in the future or an error occurred,
+ * 0 otherwise.
+ */
+int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
+
+/**
+ * \brief This function parses an item in the SubjectAlternativeNames
+ * extension. Please note that this function might allocate
+ * additional memory for a subject alternative name, thus
+ * mbedtls_x509_free_subject_alt_name has to be called
+ * to dispose of this additional memory afterwards.
+ *
+ * \param san_buf The buffer holding the raw data item of the subject
+ * alternative name.
+ * \param san The target structure to populate with the parsed presentation
+ * of the subject alternative name encoded in \p san_buf.
+ *
+ * \note Supported GeneralName types, as defined in RFC 5280:
+ * "rfc822Name", "dnsName", "directoryName",
+ * "uniformResourceIdentifier" and "hardware_module_name"
+ * of type "otherName", as defined in RFC 4108.
+ *
+ * \note This function should be called on a single raw data of
+ * subject alternative name. For example, after successful
+ * certificate parsing, one must iterate on every item in the
+ * \c crt->subject_alt_names sequence, and pass it to
+ * this function.
+ *
+ * \warning The target structure contains pointers to the raw data of the
+ * parsed certificate, and its lifetime is restricted by the
+ * lifetime of the certificate.
+ *
+ * \return \c 0 on success
+ * \return #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
+ * SAN type.
+ * \return Another negative value for any other failure.
+ */
+int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
+ mbedtls_x509_subject_alternative_name *san);
+/**
+ * \brief Unallocate all data related to subject alternative name
+ *
+ * \param san SAN structure - extra memory owned by this structure will be freed
+ */
+void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san);
+
+int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_name *cur);
+int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg);
+int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg, mbedtls_x509_buf *params);
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
+ mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+ int *salt_len);
+#endif
+int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
+int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+ void **sig_opts);
+int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_time *t);
+int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *serial);
+int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *ext, int tag);
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+ mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+ const void *sig_opts);
+#endif
+int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
+int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+ int critical, const unsigned char *val,
+ size_t val_len);
+int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first);
+int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first);
+int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
+ const char *oid, size_t oid_len,
+ unsigned char *sig, size_t size,
+ mbedtls_pk_type_t pk_alg);
+int mbedtls_x509_get_ns_cert_type(unsigned char **p,
+ const unsigned char *end,
+ unsigned char *ns_cert_type);
+int mbedtls_x509_get_key_usage(unsigned char **p,
+ const unsigned char *end,
+ unsigned int *key_usage);
+int mbedtls_x509_get_subject_alt_name(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
+ const mbedtls_x509_sequence
+ *subject_alt_name,
+ const char *prefix);
+int mbedtls_x509_info_cert_type(char **buf, size_t *size,
+ unsigned char ns_cert_type);
+int mbedtls_x509_info_key_usage(char **buf, size_t *size,
+ unsigned int key_usage);
+
+int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
+ const mbedtls_x509_san_list *san_list);
+
+#endif /* MBEDTLS_X509_INTERNAL_H */
diff --git a/library/x509write.c b/library/x509write.c
index d434df5..4704900 100644
--- a/library/x509write.c
+++ b/library/x509write.c
@@ -8,6 +8,7 @@
#if defined(MBEDTLS_X509_CSR_WRITE_C) || defined(MBEDTLS_X509_CRT_WRITE_C)
#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 44b6b17..72f5a10 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -16,6 +16,7 @@
#if defined(MBEDTLS_X509_CRT_WRITE_C)
#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
@@ -33,7 +34,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index 254da69..d3ddbcc 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -14,7 +14,7 @@
#if defined(MBEDTLS_X509_CSR_WRITE_C)
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/x509_csr.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
@@ -24,7 +24,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 0cb1562..165cee2 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -13,14 +13,13 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
- defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
- defined(MBEDTLS_MD_CAN_SHA1)
+ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@@ -33,9 +32,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
- !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_SHA1_C)
+ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
@@ -60,12 +58,14 @@
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
+ unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context server_fd;
unsigned char *p, *end;
unsigned char buf[2048];
- unsigned char hash[32];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ mbedtls_mpi N, E;
const char *pers = "dh_client";
mbedtls_entropy_context entropy;
@@ -78,6 +78,8 @@
mbedtls_dhm_init(&dhm);
mbedtls_aes_init(&aes);
mbedtls_ctr_drbg_init(&ctr_drbg);
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&E);
/*
* 1. Setup the RNG
@@ -106,16 +108,13 @@
}
mbedtls_rsa_init(&rsa);
-
- if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 ||
- (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) {
+ if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
+ (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
+ (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
-
- rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3;
-
fclose(f);
/*
@@ -182,18 +181,24 @@
p += 2;
- if ((n = (size_t) (end - p)) != rsa.MBEDTLS_PRIVATE(len)) {
+ if ((n = (size_t) (end - p)) != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n");
goto exit;
}
- if ((ret = mbedtls_sha1(buf, (int) (p - 2 - buf), hash)) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret);
+ mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
+ if (mdlen == 0) {
+ mbedtls_printf(" failed\n ! Invalid digest type\n\n");
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256,
- 32, hash, p)) != 0) {
+ mdlen, hash, p)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret);
goto exit;
}
@@ -273,6 +278,8 @@
mbedtls_dhm_free(&dhm);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index adddbf2..91bac0e 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -13,14 +13,13 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
- defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
- defined(MBEDTLS_MD_CAN_SHA1)
+ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@@ -33,9 +32,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
- !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_SHA1_C)
+ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
@@ -53,11 +51,12 @@
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
+ unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[2048];
- unsigned char hash[32];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
unsigned char buf2[2];
const char *pers = "dh_server";
@@ -186,21 +185,30 @@
/*
* 5. Sign the parameters and send them
*/
- if ((ret = mbedtls_sha1(buf, n, hash)) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret);
+
+ mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
+ if (mdlen == 0) {
+ mbedtls_printf(" failed\n ! Invalid digest type\n\n");
goto exit;
}
- buf[n] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len) >> 8);
- buf[n + 1] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len));
+ if ((ret = mbedtls_sha256(buf, n, hash, 0)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
+ goto exit;
+ }
- if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, NULL, NULL, MBEDTLS_MD_SHA256,
- 32, hash, buf + n + 2)) != 0) {
+ const size_t rsa_key_len = mbedtls_rsa_get_len(&rsa);
+ buf[n] = (unsigned char) (rsa_key_len >> 8);
+ buf[n + 1] = (unsigned char) (rsa_key_len);
+
+ if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg,
+ MBEDTLS_MD_SHA256, mdlen,
+ hash, buf + n + 2)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret);
goto exit;
}
- buflen = n + 2 + rsa.MBEDTLS_PRIVATE(len);
+ buflen = n + 2 + rsa_key_len;
buf2[0] = (unsigned char) (buflen >> 8);
buf2[1] = (unsigned char) (buflen);
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index afd6fb3..5664b8c 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -60,8 +60,8 @@
unsigned char buf[300];
size_t len;
- if (mbedtls_ecp_point_write_binary(&key->MBEDTLS_PRIVATE(grp), &key->MBEDTLS_PRIVATE(Q),
- MBEDTLS_ECP_PF_UNCOMPRESSED, &len, buf, sizeof(buf)) != 0) {
+ if (mbedtls_ecp_write_public_key(key, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, buf, sizeof(buf)) != 0) {
mbedtls_printf("internal error\n");
return;
}
@@ -79,6 +79,8 @@
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ecdsa_context ctx_sign, ctx_verify;
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char message[100];
@@ -128,7 +130,10 @@
goto exit;
}
- mbedtls_printf(" ok (key size: %d bits)\n", (int) ctx_sign.MBEDTLS_PRIVATE(grp).pbits);
+ mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(&ctx_sign);
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(grp_id);
+ mbedtls_printf(" ok (key size: %d bits)\n", (int) curve_info->bit_size);
dump_pubkey(" + Public key: ", &ctx_sign);
@@ -174,16 +179,13 @@
mbedtls_printf(" . Preparing verification context...");
fflush(stdout);
- if ((ret =
- mbedtls_ecp_group_copy(&ctx_verify.MBEDTLS_PRIVATE(grp),
- &ctx_sign.MBEDTLS_PRIVATE(grp))) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_ecp_group_copy returned %d\n", ret);
+ if ((ret = mbedtls_ecp_export(&ctx_sign, NULL, NULL, &Q)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_ecp_export returned %d\n", ret);
goto exit;
}
- if ((ret =
- mbedtls_ecp_copy(&ctx_verify.MBEDTLS_PRIVATE(Q), &ctx_sign.MBEDTLS_PRIVATE(Q))) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_ecp_copy returned %d\n", ret);
+ if ((ret = mbedtls_ecp_set_public_key(grp_id, &ctx_verify, &Q)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_ecp_set_public_key returned %d\n", ret);
goto exit;
}
@@ -208,6 +210,7 @@
mbedtls_ecdsa_free(&ctx_verify);
mbedtls_ecdsa_free(&ctx_sign);
+ mbedtls_ecp_point_free(&Q);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index f6bb237..6914c93 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -9,8 +9,19 @@
#include "mbedtls/platform.h"
-#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_FS_IO) && \
- defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
+#if !defined(MBEDTLS_PK_WRITE_C) || !defined(MBEDTLS_PEM_WRITE_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \
+ !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_BIGNUM_C)
+int main(void)
+{
+ mbedtls_printf("MBEDTLS_PK_WRITE_C and/or MBEDTLS_FS_IO and/or "
+ "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
+ "MBEDTLS_PEM_WRITE_C and/or MBEDTLS_BIGNUM_C "
+ "not defined.\n");
+ mbedtls_exit(0);
+}
+#else
+
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/ecdsa.h"
@@ -61,7 +72,6 @@
return 0;
}
#endif /* !_WIN32 */
-#endif
#if defined(MBEDTLS_ECP_C)
#define DFL_EC_CURVE mbedtls_ecp_curve_list()->grp_id
@@ -96,19 +106,6 @@
USAGE_DEV_RANDOM \
"\n"
-#if !defined(MBEDTLS_PK_WRITE_C) || !defined(MBEDTLS_PEM_WRITE_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \
- !defined(MBEDTLS_CTR_DRBG_C)
-int main(void)
-{
- mbedtls_printf("MBEDTLS_PK_WRITE_C and/or MBEDTLS_FS_IO and/or "
- "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
- "MBEDTLS_PEM_WRITE_C"
- "not defined.\n");
- mbedtls_exit(0);
-}
-#else
-
/*
* global options
@@ -160,6 +157,71 @@
return 0;
}
+#if defined(MBEDTLS_ECP_C)
+static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
+{
+ int ret = 0;
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(
+ mbedtls_ecp_keypair_get_group_id(ecp));
+ mbedtls_printf("curve: %s\n", curve_info->name);
+
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_mpi D;
+ mbedtls_mpi_init(&D);
+ mbedtls_ecp_point pt;
+ mbedtls_ecp_point_init(&pt);
+ mbedtls_mpi X, Y;
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
+ (has_private ? &D : NULL),
+ &pt));
+
+ unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t len = 0;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
+ &grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, point_bin, sizeof(point_bin)));
+ switch (mbedtls_ecp_get_type(&grp)) {
+ case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
+ if ((len & 1) == 0 || point_bin[0] != 0x04) {
+ /* Point in an unxepected format. This shouldn't happen. */
+ ret = -1;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
+ break;
+ case MBEDTLS_ECP_TYPE_MONTGOMERY:
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ break;
+ default:
+ mbedtls_printf(
+ "This program does not yet support listing coordinates for this curve type.\n");
+ break;
+ }
+
+ if (has_private) {
+ mbedtls_mpi_write_file("D: ", &D, 16, NULL);
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_mpi_free(&D);
+ mbedtls_ecp_point_free(&pt);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
+ return ret;
+}
+#endif
+
int main(int argc, char *argv[])
{
int ret = 1;
@@ -365,12 +427,10 @@
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(key);
- mbedtls_printf("curve: %s\n",
- mbedtls_ecp_curve_info_from_grp_id(ecp->MBEDTLS_PRIVATE(grp).id)->name);
- mbedtls_mpi_write_file("X_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL);
- mbedtls_mpi_write_file("Y_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL);
- mbedtls_mpi_write_file("D: ", &ecp->MBEDTLS_PRIVATE(d), 16, NULL);
+ if (show_ecp_key(mbedtls_pk_ec(key), 1) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto exit;
+ }
} else
#endif
mbedtls_printf(" ! key type not supported\n");
@@ -415,5 +475,4 @@
mbedtls_exit(exit_code);
}
-#endif /* MBEDTLS_PK_WRITE_C && MBEDTLS_PEM_WRITE_C && MBEDTLS_FS_IO &&
- * MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
+#endif /* program viability conditions */
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index 194c410..e3a6966 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -53,6 +53,71 @@
#else
+#if defined(MBEDTLS_ECP_C)
+static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
+{
+ int ret = 0;
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(
+ mbedtls_ecp_keypair_get_group_id(ecp));
+ mbedtls_printf("curve: %s\n", curve_info->name);
+
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_mpi D;
+ mbedtls_mpi_init(&D);
+ mbedtls_ecp_point pt;
+ mbedtls_ecp_point_init(&pt);
+ mbedtls_mpi X, Y;
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
+ (has_private ? &D : NULL),
+ &pt));
+
+ unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t len = 0;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
+ &grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, point_bin, sizeof(point_bin)));
+ switch (mbedtls_ecp_get_type(&grp)) {
+ case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
+ if ((len & 1) == 0 || point_bin[0] != 0x04) {
+ /* Point in an unxepected format. This shouldn't happen. */
+ ret = -1;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
+ break;
+ case MBEDTLS_ECP_TYPE_MONTGOMERY:
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ break;
+ default:
+ mbedtls_printf(
+ "This program does not yet support listing coordinates for this curve type.\n");
+ break;
+ }
+
+ if (has_private) {
+ mbedtls_mpi_write_file("D: ", &D, 16, NULL);
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_mpi_free(&D);
+ mbedtls_ecp_point_free(&pt);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
+ return ret;
+}
+#endif
+
/*
* global options
*/
@@ -219,17 +284,10 @@
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(X): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Y): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Z): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("D : ", &ecp->MBEDTLS_PRIVATE(d), 16, NULL));
+ if (show_ecp_key(mbedtls_pk_ec(pk), 1) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto cleanup;
+ }
} else
#endif
{
@@ -269,16 +327,10 @@
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(X): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Y): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Z): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16,
- NULL));
+ if (show_ecp_key(mbedtls_pk_ec(pk), 0) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto cleanup;
+ }
} else
#endif
{
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index c07c564..60f992e 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -9,9 +9,21 @@
#include "mbedtls/platform.h"
-#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) && \
- defined(MBEDTLS_FS_IO) && \
- defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
+#if !defined(MBEDTLS_PK_PARSE_C) || \
+ !defined(MBEDTLS_PK_WRITE_C) || \
+ !defined(MBEDTLS_FS_IO) || \
+ !defined(MBEDTLS_ENTROPY_C) || \
+ !defined(MBEDTLS_CTR_DRBG_C) || \
+ !defined(MBEDTLS_BIGNUM_C)
+int main(void)
+{
+ mbedtls_printf("MBEDTLS_PK_PARSE_C and/or MBEDTLS_PK_WRITE_C and/or "
+ "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
+ "MBEDTLS_FS_IO and/or MBEDTLS_BIGNUM_C not defined.\n");
+ mbedtls_exit(0);
+}
+#else
+
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/error.h"
@@ -21,7 +33,6 @@
#include <stdio.h>
#include <string.h>
-#endif
#if defined(MBEDTLS_PEM_WRITE_C)
#define USAGE_OUT \
@@ -66,20 +77,6 @@
USAGE_OUT \
"\n"
-#if !defined(MBEDTLS_PK_PARSE_C) || \
- !defined(MBEDTLS_PK_WRITE_C) || \
- !defined(MBEDTLS_FS_IO) || \
- !defined(MBEDTLS_ENTROPY_C) || \
- !defined(MBEDTLS_CTR_DRBG_C)
-int main(void)
-{
- mbedtls_printf("MBEDTLS_PK_PARSE_C and/or MBEDTLS_PK_WRITE_C and/or "
- "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
- "MBEDTLS_FS_IO not defined.\n");
- mbedtls_exit(0);
-}
-#else
-
/*
* global options
@@ -176,6 +173,71 @@
return 0;
}
+#if defined(MBEDTLS_ECP_C)
+static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
+{
+ int ret = 0;
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(
+ mbedtls_ecp_keypair_get_group_id(ecp));
+ mbedtls_printf("curve: %s\n", curve_info->name);
+
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_mpi D;
+ mbedtls_mpi_init(&D);
+ mbedtls_ecp_point pt;
+ mbedtls_ecp_point_init(&pt);
+ mbedtls_mpi X, Y;
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
+ (has_private ? &D : NULL),
+ &pt));
+
+ unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t len = 0;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
+ &grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, point_bin, sizeof(point_bin)));
+ switch (mbedtls_ecp_get_type(&grp)) {
+ case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
+ if ((len & 1) == 0 || point_bin[0] != 0x04) {
+ /* Point in an unxepected format. This shouldn't happen. */
+ ret = -1;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
+ break;
+ case MBEDTLS_ECP_TYPE_MONTGOMERY:
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ break;
+ default:
+ mbedtls_printf(
+ "This program does not yet support listing coordinates for this curve type.\n");
+ break;
+ }
+
+ if (has_private) {
+ mbedtls_mpi_write_file("D: ", &D, 16, NULL);
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_mpi_free(&D);
+ mbedtls_ecp_point_free(&pt);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
+ return ret;
+}
+#endif
+
int main(int argc, char *argv[])
{
int ret = 1;
@@ -338,11 +400,10 @@
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(key);
- mbedtls_mpi_write_file("Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL);
- mbedtls_mpi_write_file("Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL);
- mbedtls_mpi_write_file("Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL);
- mbedtls_mpi_write_file("D : ", &ecp->MBEDTLS_PRIVATE(d), 16, NULL);
+ if (show_ecp_key(mbedtls_pk_ec(key), 1) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto exit;
+ }
} else
#endif
mbedtls_printf("key type not supported yet\n");
@@ -384,10 +445,10 @@
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(key);
- mbedtls_mpi_write_file("Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL);
- mbedtls_mpi_write_file("Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL);
- mbedtls_mpi_write_file("Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL);
+ if (show_ecp_key(mbedtls_pk_ec(key), 0) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto exit;
+ }
} else
#endif
mbedtls_printf("key type not supported yet\n");
@@ -431,5 +492,4 @@
mbedtls_exit(exit_code);
}
-#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C && MBEDTLS_FS_IO &&
- MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
+#endif /* program viability conditions */
diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c
index 76bfddf..a84af50 100644
--- a/programs/pkey/rsa_decrypt.c
+++ b/programs/pkey/rsa_decrypt.c
@@ -133,7 +133,7 @@
fclose(f);
- if (i != rsa.MBEDTLS_PRIVATE(len)) {
+ if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c
index 4bbb54e..6538f8a 100644
--- a/programs/pkey/rsa_encrypt.c
+++ b/programs/pkey/rsa_encrypt.c
@@ -126,7 +126,7 @@
goto exit;
}
- for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) {
+ for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index 9d8ebe3..e14953b 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -131,7 +131,7 @@
goto exit;
}
- for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) {
+ for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index e7d72fd..4a9af77 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -37,11 +37,14 @@
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
+ mbedtls_mpi N, E;
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
mbedtls_rsa_init(&rsa);
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&E);
if (argc != 2) {
mbedtls_printf("usage: rsa_verify <filename>\n");
@@ -62,15 +65,13 @@
goto exit;
}
- if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 ||
- (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) {
+ if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
+ (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
+ (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
-
- rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3;
-
fclose(f);
/*
@@ -91,7 +92,7 @@
fclose(f);
- if (i != rsa.MBEDTLS_PRIVATE(len)) {
+ if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
@@ -124,6 +125,8 @@
exit:
mbedtls_rsa_free(&rsa);
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 598d38c..48b2282 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1612,6 +1612,7 @@
#if defined(MBEDTLS_SSL_EARLY_DATA)
int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED;
#endif
+
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf));
#if defined(MBEDTLS_MEMORY_DEBUG)
@@ -3450,6 +3451,19 @@
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) {
+ memset(buf, 0, opt.buffer_size);
+ ret = mbedtls_ssl_read_early_data(&ssl, buf, opt.buffer_size);
+ if (ret > 0) {
+ buf[ret] = '\0';
+ mbedtls_printf(" %d early data bytes read\n\n%s\n",
+ ret, (char *) buf);
+ }
+ continue;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL) {
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index 755a731..6f7f69b 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -507,7 +507,7 @@
char md5, ripemd160, sha1, sha256, sha512,
sha3_224, sha3_256, sha3_384, sha3_512,
des3, des,
- aes_cbc, aes_cfb128, aes_cfb8, aes_gcm, aes_ccm, aes_xts, chachapoly,
+ aes_cbc, aes_cfb128, aes_cfb8, aes_ctr, aes_gcm, aes_ccm, aes_xts, chachapoly,
aes_cmac, des3_cmac,
aria, camellia, chacha20,
poly1305,
@@ -571,6 +571,8 @@
todo.aes_cfb128 = 1;
} else if (strcmp(argv[i], "aes_cfb8") == 0) {
todo.aes_cfb8 = 1;
+ } else if (strcmp(argv[i], "aes_ctr") == 0) {
+ todo.aes_ctr = 1;
} else if (strcmp(argv[i], "aes_xts") == 0) {
todo.aes_xts = 1;
} else if (strcmp(argv[i], "aes_gcm") == 0) {
@@ -774,6 +776,31 @@
mbedtls_aes_free(&aes);
}
#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ if (todo.aes_ctr) {
+ int keysize;
+ mbedtls_aes_context aes;
+
+ uint8_t stream_block[16];
+ size_t nc_off;
+
+ mbedtls_aes_init(&aes);
+ for (keysize = 128; keysize <= 256; keysize += 64) {
+ mbedtls_snprintf(title, sizeof(title), "AES-CTR-%d", keysize);
+
+ memset(buf, 0, sizeof(buf));
+ memset(tmp, 0, sizeof(tmp));
+ memset(stream_block, 0, sizeof(stream_block));
+ nc_off = 0;
+
+ CHECK_AND_CONTINUE(mbedtls_aes_setkey_enc(&aes, tmp, keysize));
+
+ TIME_AND_TSC(title, mbedtls_aes_crypt_ctr(&aes, BUFSIZE, &nc_off, tmp, stream_block,
+ buf, buf));
+ }
+ mbedtls_aes_free(&aes);
+ }
+#endif
#if defined(MBEDTLS_CIPHER_MODE_XTS)
if (todo.aes_xts) {
int keysize;
diff --git a/scripts/config.py b/scripts/config.py
index d5fb85e..ab0e5ea 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -207,7 +207,6 @@
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_A_CRYPTO_IF_PRESENT
'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT
'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # setting *_USE_ARMV8_A_CRYPTO is sufficient
- 'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests
'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_X509_REMOVE_INFO', # removes a feature
diff --git a/tests/data_files/tls13_early_data.txt b/tests/data_files/tls13_early_data.txt
index 0c84b07..95811fd 100644
--- a/tests/data_files/tls13_early_data.txt
+++ b/tests/data_files/tls13_early_data.txt
@@ -1,3 +1,4 @@
EarlyData context: line 0 lf
EarlyData context: line 1 lf
+EarlyData context: line 2 lf
EarlyData context: If it appears, that means early_data received.
diff --git a/tests/include/test/drivers/key_management.h b/tests/include/test/drivers/key_management.h
index 526adbb..7b5c4c7 100644
--- a/tests/include/test/drivers/key_management.h
+++ b/tests/include/test/drivers/key_management.h
@@ -67,6 +67,10 @@
psa_status_t mbedtls_test_opaque_init(void);
void mbedtls_test_opaque_free(void);
+psa_status_t mbedtls_test_opaque_unwrap_key(
+ const uint8_t *wrapped_key, size_t wrapped_key_length, uint8_t *key_buffer,
+ size_t key_buffer_size, size_t *key_buffer_length);
+
psa_status_t mbedtls_test_transparent_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key, size_t key_size, size_t *key_length);
diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
index 8de9c4d..a73e06f 100644
--- a/tests/include/test/macros.h
+++ b/tests/include/test/macros.h
@@ -125,8 +125,8 @@
do { \
TEST_ASSERT((pointer) == NULL); \
if ((item_count) != 0) { \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
TEST_ASSERT((pointer) != NULL); \
} \
} while (0)
@@ -155,8 +155,8 @@
#define TEST_CALLOC_NONNULL(pointer, item_count) \
do { \
TEST_ASSERT((pointer) == NULL); \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
if (((pointer) == NULL) && ((item_count) == 0)) { \
(pointer) = mbedtls_calloc(1, 1); \
} \
@@ -175,8 +175,8 @@
do { \
TEST_ASSERT((pointer) == NULL); \
if ((item_count) != 0) { \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
TEST_ASSUME((pointer) != NULL); \
} \
} while (0)
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index d03c624..1f41966 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -589,6 +589,16 @@
int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args);
#endif /* MBEDTLS_TEST_HOOKS */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+int mbedtls_test_ticket_write(
+ void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *ticket_lifetime);
+
+int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len);
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
#define ECJPAKE_TEST_PWD "bla"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index c1682e3..4e6bf87 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -502,8 +502,11 @@
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL:+KX-ALL \
-d 10 -r --earlydata $EARLY_DATA_INPUT " \
0 \
- -s "NewSessionTicket: early_data(42) extension exists." \
-s "Sent max_early_data_size=$EARLY_DATA_INPUT_LEN" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
-s "ClientHello: early_data(42) extension exists." \
-s "EncryptedExtensions: early_data(42) extension exists." \
- -s "$( tail -1 $EARLY_DATA_INPUT )"
+ -s "$( head -1 $EARLY_DATA_INPUT )" \
+ -s "$( tail -1 $EARLY_DATA_INPUT )" \
+ -s "200 early data bytes read" \
+ -s "106 early data bytes read"
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 2e1258d..8d3b46e 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -74,6 +74,7 @@
# * component_check_XXX: quick tests that aren't worth parallelizing.
# * component_build_XXX: build things but don't run them.
# * component_test_XXX: build and test.
+# * component_release_XXX: tests that the CI should skip during PR testing.
# * support_XXX: if support_XXX exists and returns false then
# component_XXX is not run by default.
# * post_XXX: things to do after running the tests.
@@ -750,7 +751,7 @@
# Require OpenSSL and GnuTLS if running any tests (as opposed to
# only doing builds). Not all tests run OpenSSL and GnuTLS, but this
# is a good enough approximation in practice.
- *" test_"*)
+ *" test_"* | *" release_test_"*)
# To avoid setting OpenSSL and GnuTLS for each call to compat.sh
# and ssl-opt.sh, we just export the variables they require.
export OPENSSL="$OPENSSL"
@@ -820,6 +821,14 @@
fi
}
+clang_version() {
+ if command -v clang > /dev/null ; then
+ clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#'
+ else
+ echo 0 # report version 0 for "no clang"
+ fi
+}
+
################################################################
#### Helpers for components using libtestdriver1
################################################################
@@ -1540,7 +1549,7 @@
make test
}
-component_test_full_no_cipher () {
+component_test_full_no_cipher_no_psa_crypto () {
msg "build: full no CIPHER no PSA_CRYPTO_C"
scripts/config.py full
scripts/config.py unset MBEDTLS_CIPHER_C
@@ -1551,6 +1560,7 @@
scripts/config.py unset MBEDTLS_CMAC_C
scripts/config.py unset MBEDTLS_NIST_KW_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT
scripts/config.py unset MBEDTLS_SSL_TLS_C
scripts/config.py unset MBEDTLS_SSL_TICKET_C
# Disable features that depend on PSA_CRYPTO_C
@@ -1565,8 +1575,8 @@
}
# This is a common configurator and test function that is used in:
-# - component_test_full_no_cipher_with_crypto
-# - component_test_full_no_cipher_with_crypto_config
+# - component_test_full_no_cipher_with_psa_crypto
+# - component_test_full_no_cipher_with_psa_crypto_config
# It accepts 2 input parameters:
# - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG
# - $2: a text string which describes the test component
@@ -1614,11 +1624,11 @@
make test
}
-component_test_full_no_cipher_with_crypto() {
+component_test_full_no_cipher_with_psa_crypto() {
common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG"
}
-component_test_full_no_cipher_with_crypto_config() {
+component_test_full_no_cipher_with_psa_crypto_config() {
common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER"
}
@@ -2429,11 +2439,12 @@
make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
}
-component_test_no_use_psa_crypto_full_cmake_asan() {
- # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
- msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan"
+component_test_no_psa_crypto_full_cmake_asan() {
+ # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh
+ msg "build: cmake, full config minus PSA crypto, ASan"
scripts/config.py full
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
@@ -2444,22 +2455,22 @@
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: main suites (full minus PSA crypto)"
make test
# Note: ssl-opt.sh has some test cases that depend on
# MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO
# This is the only component where those tests are not skipped.
- msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: ssl-opt.sh (full minus PSA crypto)"
tests/ssl-opt.sh
- msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh default (full minus PSA crypto)"
tests/compat.sh
- msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh NULL (full minus PSA crypto)"
tests/compat.sh -f 'NULL'
- msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh ARIA + ChachaPoly (full minus PSA crypto)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
@@ -3741,9 +3752,9 @@
}
# This is a common configuration function used in:
-# - component_test_psa_crypto_config_accel_cipher_aead
-# - component_test_psa_crypto_config_reference_cipher_aead
-common_psa_crypto_config_accel_cipher_aead() {
+# - component_test_psa_crypto_config_accel_cipher_aead_cmac
+# - component_test_psa_crypto_config_reference_cipher_aead_cmac
+common_psa_crypto_config_accel_cipher_aead_cmac() {
# Start from the full config
helper_libtestdriver1_adjust_config "full"
@@ -3751,12 +3762,12 @@
}
# The 2 following test components, i.e.
-# - component_test_psa_crypto_config_accel_cipher_aead
-# - component_test_psa_crypto_config_reference_cipher_aead
+# - component_test_psa_crypto_config_accel_cipher_aead_cmac
+# - component_test_psa_crypto_config_reference_cipher_aead_cmac
# are meant to be used together in analyze_outcomes.py script in order to test
# driver's coverage for ciphers and AEADs.
-component_test_psa_crypto_config_accel_cipher_aead () {
- msg "build: full config with accelerated cipher and AEAD"
+component_test_psa_crypto_config_accel_cipher_aead_cmac () {
+ msg "build: full config with accelerated cipher inc. AEAD and CMAC"
loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
@@ -3766,7 +3777,7 @@
# Configure
# ---------
- common_psa_crypto_config_accel_cipher_aead
+ common_psa_crypto_config_accel_cipher_aead_cmac
# Disable the things that are being accelerated
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
@@ -3810,29 +3821,29 @@
# Run the tests
# -------------
- msg "test: full config with accelerated cipher and AEAD"
+ msg "test: full config with accelerated cipher inc. AEAD and CMAC"
make test
- msg "ssl-opt: full config with accelerated cipher and AEAD"
+ msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC"
tests/ssl-opt.sh
- msg "compat.sh: full config with accelerated cipher and AEAD"
+ msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC"
tests/compat.sh -V NO -p mbedTLS
}
-component_test_psa_crypto_config_reference_cipher_aead () {
- msg "build: full config with non-accelerated cipher and AEAD"
- common_psa_crypto_config_accel_cipher_aead
+component_test_psa_crypto_config_reference_cipher_aead_cmac () {
+ msg "build: full config with non-accelerated cipher inc. AEAD and CMAC"
+ common_psa_crypto_config_accel_cipher_aead_cmac
make
- msg "test: full config with non-accelerated cipher and AEAD"
+ msg "test: full config with non-accelerated cipher inc. AEAD and CMAC"
make test
- msg "ssl-opt: full config with non-accelerated cipher and AEAD"
+ msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC"
tests/ssl-opt.sh
- msg "compat.sh: full config with non-accelerated cipher and AEAD"
+ msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC"
tests/compat.sh -V NO -p mbedTLS
}
@@ -4691,14 +4702,8 @@
}
support_test_aesni_m32_clang() {
- support_test_aesni_m32 && if command -v clang > /dev/null ; then
- # clang >= 4 is required to build with target attributes
- clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')"
- [[ "${clang_ver}" -ge 4 ]]
- else
- # clang not available
- false
- fi
+ # clang >= 4 is required to build with target attributes
+ support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]]
}
component_test_aesni_m32_clang() {
@@ -4749,9 +4754,8 @@
}
support_build_aes_armce() {
- # clang >= 4 is required to build with AES extensions
- ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')"
- [ "${ver}" -ge 11 ]
+ # clang >= 11 is required to build with AES extensions
+ [[ $(clang_version) -ge 11 ]]
}
component_build_aes_armce () {
@@ -4806,15 +4810,8 @@
}
support_build_sha_armce() {
- if command -v clang > /dev/null ; then
- # clang >= 4 is required to build with SHA extensions
- clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')"
-
- [[ "${clang_ver}" -ge 4 ]]
- else
- # clang not available
- false
- fi
+ # clang >= 4 is required to build with SHA extensions
+ [[ $(clang_version) -ge 4 ]]
}
component_build_sha_armce () {
@@ -5645,6 +5642,7 @@
component_test_tls13_only () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
+ scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test: TLS 1.3 only, all key exchange modes enabled"
@@ -5807,18 +5805,6 @@
tests/ssl-opt.sh
}
-component_test_tls13_only_record_size_limit () {
- msg "build: TLS 1.3 only from default, record size limit extension enabled"
- scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
- make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
-
- msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
- cd tests; ./test_suite_ssl; cd ..
-
- msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension enabled)"
- tests/ssl-opt.sh
-}
-
component_build_mingw () {
msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 3b11ca2..6503f9a 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -240,16 +240,16 @@
}
}
},
- 'analyze_driver_vs_reference_cipher_aead': {
+ 'analyze_driver_vs_reference_cipher_aead_cmac': {
'test_function': do_analyze_driver_vs_reference,
'args': {
- 'component_ref': 'test_psa_crypto_config_reference_cipher_aead',
- 'component_driver': 'test_psa_crypto_config_accel_cipher_aead',
+ 'component_ref': 'test_psa_crypto_config_reference_cipher_aead_cmac',
+ 'component_driver': 'test_psa_crypto_config_accel_cipher_aead_cmac',
# Modules replaced by drivers.
'ignored_suites': [
# low-level (block/stream) cipher modules
'aes', 'aria', 'camellia', 'des', 'chacha20',
- # AEAD modes
+ # AEAD modes and CMAC
'ccm', 'chachapoly', 'cmac', 'gcm',
# The Cipher abstraction layer
'cipher',
@@ -325,6 +325,7 @@
# is required.
'test_suite_ecp': [
re.compile(r'ECP check public-private .*'),
+ re.compile(r'ECP calculate public: .*'),
re.compile(r'ECP gen keypair .*'),
re.compile(r'ECP point muladd .*'),
re.compile(r'ECP point multiplication .*'),
diff --git a/tests/src/drivers/test_driver_asymmetric_encryption.c b/tests/src/drivers/test_driver_asymmetric_encryption.c
index ff46387..4fc8c9d 100644
--- a/tests/src/drivers/test_driver_asymmetric_encryption.c
+++ b/tests/src/drivers/test_driver_asymmetric_encryption.c
@@ -13,11 +13,15 @@
#include "psa_crypto_rsa.h"
#include "string.h"
#include "test/drivers/asymmetric_encryption.h"
+#include "test/drivers/key_management.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
#include "libtestdriver1/library/psa_crypto_rsa.h"
#endif
+#define PSA_RSA_KEY_PAIR_MAX_SIZE \
+ PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
+
mbedtls_test_driver_asymmetric_encryption_hooks_t mbedtls_test_driver_asymmetric_encryption_hooks =
MBEDTLS_TEST_DRIVER_ASYMMETRIC_ENCRYPTION_INIT;
@@ -104,7 +108,7 @@
}
/*
- * opaque versions - TODO
+ * opaque versions
*/
psa_status_t mbedtls_test_opaque_asymmetric_encrypt(
const psa_key_attributes_t *attributes, const uint8_t *key,
@@ -112,17 +116,31 @@
size_t input_length, const uint8_t *salt, size_t salt_length,
uint8_t *output, size_t output_size, size_t *output_length)
{
- (void) attributes;
- (void) key;
- (void) key_length;
- (void) alg;
- (void) input;
- (void) input_length;
- (void) salt;
- (void) salt_length;
- (void) output;
- (void) output_size;
- (void) output_length;
+ unsigned char unwrapped_key[PSA_RSA_KEY_PAIR_MAX_SIZE];
+ size_t unwrapped_key_length;
+ psa_status_t status;
+
+ status = mbedtls_test_opaque_unwrap_key(key, key_length,
+ unwrapped_key, sizeof(unwrapped_key),
+ &unwrapped_key_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ (defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT))
+ return libtestdriver1_mbedtls_psa_asymmetric_encrypt(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#else
+ return mbedtls_psa_asymmetric_encrypt(
+ attributes, unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#endif
+
return PSA_ERROR_NOT_SUPPORTED;
}
@@ -132,17 +150,31 @@
size_t input_length, const uint8_t *salt, size_t salt_length,
uint8_t *output, size_t output_size, size_t *output_length)
{
- (void) attributes;
- (void) key;
- (void) key_length;
- (void) alg;
- (void) input;
- (void) input_length;
- (void) salt;
- (void) salt_length;
- (void) output;
- (void) output_size;
- (void) output_length;
+ unsigned char unwrapped_key[PSA_RSA_KEY_PAIR_MAX_SIZE];
+ size_t unwrapped_key_length;
+ psa_status_t status;
+
+ status = mbedtls_test_opaque_unwrap_key(key, key_length,
+ unwrapped_key, sizeof(unwrapped_key),
+ &unwrapped_key_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ (defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT))
+ return libtestdriver1_mbedtls_psa_asymmetric_decrypt(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#else
+ return mbedtls_psa_asymmetric_decrypt(
+ attributes, unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#endif
+
return PSA_ERROR_NOT_SUPPORTED;
}
diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c
index d522ebf..a3d532d 100644
--- a/tests/src/drivers/test_driver_key_management.c
+++ b/tests/src/drivers/test_driver_key_management.c
@@ -159,7 +159,7 @@
* The argument key_buffer_length is filled with the unwrapped(clear)
* key_size on success.
* */
-static psa_status_t mbedtls_test_opaque_unwrap_key(
+psa_status_t mbedtls_test_opaque_unwrap_key(
const uint8_t *wrapped_key,
size_t wrapped_key_length,
uint8_t *key_buffer,
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 3d8937d..980c192 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -9,7 +9,7 @@
*/
#include <test/ssl_helpers.h>
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_SSL_TLS_C)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
@@ -841,6 +841,23 @@
}
#endif
+#if defined(MBEDTLS_DEBUG_C)
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_SERVER &&
+ options->srv_log_fun != NULL) {
+ mbedtls_ssl_conf_dbg(&(ep->conf), options->srv_log_fun,
+ options->srv_log_obj);
+ }
+#endif
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_CLIENT &&
+ options->cli_log_fun != NULL) {
+ mbedtls_ssl_conf_dbg(&(ep->conf), options->cli_log_fun,
+ options->cli_log_obj);
+ }
+#endif
+#endif /* MBEDTLS_DEBUG_C */
+
ret = mbedtls_test_ssl_endpoint_certificate_init(ep, options->pk_alg,
options->opaque_alg,
options->opaque_alg2,
@@ -1977,6 +1994,12 @@
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+#if defined(MBEDTLS_DEBUG_C)
+ if (options->cli_log_fun || options->srv_log_fun) {
+ mbedtls_debug_set_threshold(4);
+ }
+#endif
+
/* Client side */
if (options->dtls != 0) {
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client,
@@ -2000,14 +2023,6 @@
set_ciphersuite(&client.conf, options->cipher, forced_ciphersuite);
}
-#if defined(MBEDTLS_DEBUG_C)
- if (options->cli_log_fun) {
- mbedtls_debug_set_threshold(4);
- mbedtls_ssl_conf_dbg(&client.conf, options->cli_log_fun,
- options->cli_log_obj);
- }
-#endif
-
/* Server side */
if (options->dtls != 0) {
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server,
@@ -2072,14 +2087,6 @@
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
-#if defined(MBEDTLS_DEBUG_C)
- if (options->srv_log_fun) {
- mbedtls_debug_set_threshold(4);
- mbedtls_ssl_conf_dbg(&server.conf, options->srv_log_fun,
- options->srv_log_obj);
- }
-#endif
-
TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket),
&(server.socket),
BUFFSIZE) == 0);
@@ -2419,4 +2426,40 @@
return 0;
}
#endif /* MBEDTLS_TEST_HOOKS */
+
+/*
+ * Functions for tests based on tickets. Implementations of the
+ * write/parse ticket interfaces as defined by mbedtls_ssl_ticket_write/parse_t.
+ * Basically same implementations as in ticket.c without the encryption. That
+ * way we can tweak easily tickets characteristics to simulate misbehaving
+ * peers.
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+int mbedtls_test_ticket_write(
+ void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *lifetime)
+{
+ int ret;
+ ((void) p_ticket);
+
+ if ((ret = mbedtls_ssl_session_save(session, start, end - start,
+ tlen)) != 0) {
+ return ret;
+ }
+
+ /* Maximum ticket lifetime as defined in RFC 8446 */
+ *lifetime = 7 * 24 * 3600;
+
+ return 0;
+}
+
+int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len)
+{
+ ((void) p_ticket);
+
+ return mbedtls_ssl_session_load(session, buf, len);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 92b3e17..26c5a79 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4836,8 +4836,9 @@
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
"$P_SRV debug_level=3 force_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
@@ -4849,28 +4850,30 @@
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
-requires_gnutls_next_disable_tls13_compat
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
- "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL --disable-client-cert -d 4" \
"$P_CLI debug_level=4 force_version=tls13" \
0 \
- -s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'"
-# The P_CLI can not yet send the Record Size Limit extension. Thus, the G_NEXT_SRV does not send
-# a response in its EncryptedExtensions record.
-# -c "RecordSizeLimit: 16385 Bytes"
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "EncryptedExtensions: record_size_limit(28) extension received." \
+ -c "RecordSizeLimit: 16385 Bytes" \
-# In the following (9) tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
-# maximum record size using "https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-size".
-# There is currently a lower limit of 512, caused by this function not respecting the
-# "%ALLOW_SMALL_RECORDS" priority string and not using the more recent function
-# https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-recv-size.
+# In the following tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
+# maximum record size using gnutls_record_set_max_size()
+# (https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-size).
+# There is currently a lower limit of 512, caused by gnutls_record_set_max_size()
+# not respecting the "%ALLOW_SMALL_RECORDS" priority string and not using the
+# more recent function gnutls_record_set_max_recv_size()
+# (https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-recv-size).
# There is currently an upper limit of 4096, caused by the cli arg parser:
# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/src/cli-args.def#L395.
-# Thus, these tests are currently limit to that value range.
-# Moreover, the value sent in the extension is expected to be larger by one compared
-# to the value passed on the cli:
+# Thus, these tests are currently limited to the value range 512-4096.
+# Also, the value sent in the extension will be one larger than the value
+# set at the command line:
# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
# Currently test certificates being used do not fit in 513 record size limit
@@ -4886,10 +4889,13 @@
"$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
response_size=256" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
- --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
0 \
-s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 511" \
-s "256 bytes written in 1 fragments"
@@ -4906,6 +4912,9 @@
--pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
0 \
-s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 511" \
-s "768 bytes written in 2 fragments"
@@ -4922,6 +4931,9 @@
--pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
0 \
-s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 511" \
-s "1280 bytes written in 3 fragments"
@@ -4936,6 +4948,8 @@
0 \
-s "RecordSizeLimit: 1024 Bytes" \
-s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 1023" \
-s "512 bytes written in 1 fragments"
@@ -4950,6 +4964,8 @@
0 \
-s "RecordSizeLimit: 1024 Bytes" \
-s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 1023" \
-s "1536 bytes written in 2 fragments"
@@ -4964,6 +4980,8 @@
0 \
-s "RecordSizeLimit: 1024 Bytes" \
-s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 1023" \
-s "2560 bytes written in 3 fragments"
@@ -4978,6 +4996,8 @@
0 \
-s "RecordSizeLimit: 4096 Bytes" \
-s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 4095" \
-s "2048 bytes written in 1 fragments"
@@ -4992,6 +5012,8 @@
0 \
-s "RecordSizeLimit: 4096 Bytes" \
-s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 4095" \
-s "6144 bytes written in 2 fragments"
@@ -5006,11 +5028,181 @@
0 \
-s "RecordSizeLimit: 4096 Bytes" \
-s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
-s "Maximum outgoing record payload length is 4095" \
-s "10240 bytes written in 3 fragments"
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 1 fragment" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=256" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 513 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 511" \
+ -c "256 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 2 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=768" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 513 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 511" \
+ -c "768 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 3 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=1280" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 513 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 511" \
+ -c "1280 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 1 fragment" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=512" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 1024 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 1023" \
+ -c "512 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 2 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=1536" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 1024 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 1023" \
+ -c "1536 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 3 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=2560" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 1024 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 1023" \
+ -c "2560 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 1 fragment" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=2048" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 4096 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 4095" \
+ -c "2048 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 2 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=6144" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 4096 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 4095" \
+ -c "6144 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 3 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=10240" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 4096 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 4095" \
+ -c "10240 bytes written in 3 fragments"
+
+# TODO: For time being, we send fixed value of RecordSizeLimit defined by
+# MBEDTLS_SSL_IN_CONTENT_LEN. Once we support variable buffer length of
+# RecordSizeLimit, we need to modify value of RecordSizeLimit in below test.
+requires_config_value_equals "MBEDTLS_SSL_IN_CONTENT_LEN" 16384
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3 m->m: both peer comply with record size limit (default)" \
+ "$P_SRV debug_level=4 force_version=tls13" \
+ "$P_CLI debug_level=4" \
+ 0 \
+ -c "Sent RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -c "RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -s "RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -s "Sent RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -s "Maximum outgoing record payload length is 16383" \
+ -s "Maximum incoming record payload length is 16384"
+
+# End of Record size limit tests
+
# Tests for renegotiation
+# G_NEXT_SRV is used in renegotiation tests becuase of the increased
+# extensions limit since we exceed the limit in G_SRV when we send
+# TLS 1.3 extensions in the initial handshake.
+
# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
run_test "Renegotiation: none, for reference" \
"$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
@@ -5341,7 +5533,7 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server strict, client-initiated" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
0 \
-c "client hello, adding renegotiation extension" \
@@ -5355,7 +5547,7 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1 \
-c "client hello, adding renegotiation extension" \
@@ -5369,7 +5561,7 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
allow_legacy=0" \
1 \
@@ -5384,7 +5576,7 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
allow_legacy=1" \
0 \
@@ -5445,7 +5637,7 @@
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
- "$G_SRV -u --mtu 4096" \
+ "$G_NEXT_SRV -u --mtu 4096" \
"$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
0 \
-c "client hello, adding renegotiation extension" \
@@ -5460,7 +5652,7 @@
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server strict, client default" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
0 \
-c "found renegotiation extension" \
@@ -5470,7 +5662,7 @@
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server unsafe, client default" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
0 \
-C "found renegotiation extension" \
@@ -5480,7 +5672,7 @@
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server unsafe, client break legacy" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 allow_legacy=-1" \
1 \
-C "found renegotiation extension" \
@@ -11756,6 +11948,21 @@
-S "Version: TLS1.2" \
-C "Protocol : TLSv1.2"
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \
+ "$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \
+ "$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \
+ 1 \
+ -c "The SSL configuration is tls12 only" \
+ -c "supported_versions(43) extension does not exist." \
+ -c "A fatal alert message was received from our peer" \
+ -s "The SSL configuration is tls13 only" \
+ -s "TLS 1.2 not supported."
+
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
diff --git a/tests/suites/test_suite_aes.ctr.data b/tests/suites/test_suite_aes.ctr.data
new file mode 100644
index 0000000..a148236
--- /dev/null
+++ b/tests/suites/test_suite_aes.ctr.data
@@ -0,0 +1,137 @@
+# Test vectors from NIST Special Publication 800-38A 2001 Edition
+# Recommendation for Block Edition Cipher Modes of Operation
+
+# as below, but corrupt the key to check the test catches it
+AES-CTR NIST 128 bad
+aes_ctr:"00000000000000000000000000000000":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee":1
+
+AES-CTR NIST 128
+aes_ctr:"2b7e151628aed2a6abf7158809cf4f3c":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee":0
+
+AES-CTR NIST 192
+depends_on:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+aes_ctr:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e941e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050":0
+
+AES-CTR NIST 256
+depends_on:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+aes_ctr:"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c52b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6":0
+
+AES-CTR aes_encrypt_ctr_multipart 1 1
+aes_encrypt_ctr_multipart:1:1
+
+AES-CTR aes_encrypt_ctr_multipart 2 1
+aes_encrypt_ctr_multipart:2:1
+
+AES-CTR aes_encrypt_ctr_multipart 2 2
+aes_encrypt_ctr_multipart:2:2
+
+AES-CTR aes_encrypt_ctr_multipart 4 1
+aes_encrypt_ctr_multipart:4:1
+
+AES-CTR aes_encrypt_ctr_multipart 4 2
+aes_encrypt_ctr_multipart:4:2
+
+AES-CTR aes_encrypt_ctr_multipart 15 1
+aes_encrypt_ctr_multipart:15:1
+
+AES-CTR aes_encrypt_ctr_multipart 15 2
+aes_encrypt_ctr_multipart:15:2
+
+AES-CTR aes_encrypt_ctr_multipart 15 8
+aes_encrypt_ctr_multipart:15:8
+
+AES-CTR aes_encrypt_ctr_multipart 15 15
+aes_encrypt_ctr_multipart:15:15
+
+AES-CTR aes_encrypt_ctr_multipart 16 1
+aes_encrypt_ctr_multipart:16:1
+
+AES-CTR aes_encrypt_ctr_multipart 16 2
+aes_encrypt_ctr_multipart:16:2
+
+AES-CTR aes_encrypt_ctr_multipart 16 8
+aes_encrypt_ctr_multipart:16:8
+
+AES-CTR aes_encrypt_ctr_multipart 16 15
+aes_encrypt_ctr_multipart:16:15
+
+AES-CTR aes_encrypt_ctr_multipart 16 16
+aes_encrypt_ctr_multipart:16:16
+
+AES-CTR aes_encrypt_ctr_multipart 17 1
+aes_encrypt_ctr_multipart:17:1
+
+AES-CTR aes_encrypt_ctr_multipart 17 2
+aes_encrypt_ctr_multipart:17:2
+
+AES-CTR aes_encrypt_ctr_multipart 17 8
+aes_encrypt_ctr_multipart:17:8
+
+AES-CTR aes_encrypt_ctr_multipart 17 15
+aes_encrypt_ctr_multipart:17:15
+
+AES-CTR aes_encrypt_ctr_multipart 17 16
+aes_encrypt_ctr_multipart:17:16
+
+AES-CTR aes_encrypt_ctr_multipart 63 1
+aes_encrypt_ctr_multipart:63:1
+
+AES-CTR aes_encrypt_ctr_multipart 63 2
+aes_encrypt_ctr_multipart:63:2
+
+AES-CTR aes_encrypt_ctr_multipart 63 8
+aes_encrypt_ctr_multipart:63:8
+
+AES-CTR aes_encrypt_ctr_multipart 63 15
+aes_encrypt_ctr_multipart:63:15
+
+AES-CTR aes_encrypt_ctr_multipart 63 16
+aes_encrypt_ctr_multipart:63:16
+
+AES-CTR aes_encrypt_ctr_multipart 63 17
+aes_encrypt_ctr_multipart:63:17
+
+AES-CTR aes_encrypt_ctr_multipart 64 1
+aes_encrypt_ctr_multipart:64:1
+
+AES-CTR aes_encrypt_ctr_multipart 64 2
+aes_encrypt_ctr_multipart:64:2
+
+AES-CTR aes_encrypt_ctr_multipart 64 8
+aes_encrypt_ctr_multipart:64:8
+
+AES-CTR aes_encrypt_ctr_multipart 64 15
+aes_encrypt_ctr_multipart:64:15
+
+AES-CTR aes_encrypt_ctr_multipart 64 16
+aes_encrypt_ctr_multipart:64:16
+
+AES-CTR aes_encrypt_ctr_multipart 64 17
+aes_encrypt_ctr_multipart:64:17
+
+AES-CTR aes_encrypt_ctr_multipart 1024 1
+aes_encrypt_ctr_multipart:1024:1
+
+AES-CTR aes_encrypt_ctr_multipart 1024 10
+aes_encrypt_ctr_multipart:1024:10
+
+AES-CTR aes_encrypt_ctr_multipart 1024 15
+aes_encrypt_ctr_multipart:1024:15
+
+AES-CTR aes_encrypt_ctr_multipart 1024 16
+aes_encrypt_ctr_multipart:1024:16
+
+AES-CTR aes_encrypt_ctr_multipart 1024 63
+aes_encrypt_ctr_multipart:1024:63
+
+AES-CTR aes_encrypt_ctr_multipart 1024 64
+aes_encrypt_ctr_multipart:1024:64
+
+AES-CTR aes_encrypt_ctr_multipart 1024 65
+aes_encrypt_ctr_multipart:1024:65
+
+AES-CTR aes_encrypt_ctr_multipart 1024 1023
+aes_encrypt_ctr_multipart:1024:1023
+
+AES-CTR aes_encrypt_ctr_multipart 1024 1024
+aes_encrypt_ctr_multipart:1024:1024
diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function
index 2ca3f7f..9118a98 100644
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@@ -88,6 +88,124 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aes_ctr(data_t *key, data_t *ictr, data_t *pt, data_t *ct, int expected)
+{
+ unsigned char *output = NULL;
+ unsigned char ctr[16];
+ unsigned char stream_block[16];
+ mbedtls_aes_context ctx;
+
+ // sanity checks on test input
+ TEST_ASSERT(pt->len == ct->len);
+ TEST_ASSERT(key->len == 16 || key->len == 24 || key->len == 32);
+
+ TEST_CALLOC(output, pt->len);
+
+ // expected result is always success on zero-length input, so skip len == 0 if expecting failure
+ for (size_t len = (expected == 0 ? 0 : 1); len <= pt->len; len++) {
+ for (int i = 0; i < 2; i++) {
+ mbedtls_aes_init(&ctx);
+ TEST_ASSERT(mbedtls_aes_setkey_enc(&ctx, key->x, key->len * 8) == 0);
+
+ memcpy(ctr, ictr->x, 16);
+ memset(stream_block, 0, 16);
+ memset(output, 0, pt->len);
+
+ size_t nc_off = 0;
+
+ if (i == 0) {
+ // encrypt
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, len, &nc_off, ctr,
+ stream_block, pt->x, output), 0);
+ TEST_ASSERT(!!memcmp(output, ct->x, len) == expected);
+ } else {
+ // decrypt
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, len, &nc_off, ctr,
+ stream_block, ct->x, output), 0);
+ TEST_ASSERT(!!memcmp(output, pt->x, len) == expected);
+ }
+ }
+ }
+
+exit:
+ mbedtls_free(output);
+ mbedtls_aes_free(&ctx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aes_encrypt_ctr_multipart(int length, int step_size)
+{
+ unsigned char key[16];
+ unsigned char ctr_a[16];
+ unsigned char ctr_b[16];
+ unsigned char stream_block_a[16];
+ unsigned char stream_block_b[16];
+ unsigned char *input = NULL;
+ unsigned char *output_a = NULL;
+ unsigned char *output_b = NULL;
+ mbedtls_aes_context ctx;
+ size_t nc_off_a, nc_off_b;
+
+ TEST_ASSERT(length >= 0);
+ TEST_ASSERT(step_size > 0);
+
+ TEST_CALLOC(input, length);
+ TEST_CALLOC(output_a, length);
+ TEST_CALLOC(output_b, length);
+
+ // set up a random key
+ mbedtls_test_rnd_std_rand(NULL, key, sizeof(key));
+
+ // random input
+ mbedtls_test_rnd_std_rand(NULL, input, length);
+
+
+ // complete encryption in one call
+ mbedtls_aes_init(&ctx);
+ TEST_ASSERT(mbedtls_aes_setkey_enc(&ctx, key, sizeof(key) * 8) == 0);
+ memset(ctr_a, 0, sizeof(ctr_a));
+ memset(stream_block_a, 0, sizeof(stream_block_a));
+ nc_off_a = 0;
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, length, &nc_off_a, ctr_a,
+ stream_block_a, input, output_a), 0);
+ mbedtls_aes_free(&ctx);
+
+
+ // encrypt in multiple steps of varying size
+ mbedtls_aes_init(&ctx);
+ TEST_ASSERT(mbedtls_aes_setkey_enc(&ctx, key, sizeof(key) * 8) == 0);
+ memset(ctr_b, 0, sizeof(ctr_b));
+ memset(stream_block_b, 0, sizeof(stream_block_b));
+ nc_off_b = 0;
+ size_t remaining = length;
+ unsigned char *ip = input, *op = output_b;
+ while (remaining != 0) {
+ size_t l = MIN(remaining, (size_t) step_size);
+ step_size *= 2;
+ remaining -= l;
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, l, &nc_off_b, ctr_b, stream_block_b, ip, op), 0);
+ ip += l;
+ op += l;
+ }
+
+ // finally, validate that multiple steps produced same result as single-pass
+ TEST_MEMORY_COMPARE(output_a, length, output_b, length);
+ TEST_MEMORY_COMPARE(ctr_a, sizeof(ctr_a), ctr_b, sizeof(ctr_b));
+ TEST_MEMORY_COMPARE(stream_block_a, sizeof(stream_block_a),
+ stream_block_b, sizeof(stream_block_b));
+ TEST_EQUAL(nc_off_a, nc_off_b);
+
+exit:
+ mbedtls_free(input);
+ mbedtls_free(output_a);
+ mbedtls_free(output_b);
+
+ mbedtls_aes_free(&ctx);
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
void aes_decrypt_ecb(data_t *key_str, data_t *src_str,
data_t *dst, int setkey_result)
diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function
index f1748d1..a454eba 100644
--- a/tests/suites/test_suite_aria.function
+++ b/tests/suites/test_suite_aria.function
@@ -16,7 +16,7 @@
* END_DEPENDENCIES
*/
-/* BEGIN_CASE depends_on:NOT_DEFINED */
+/* BEGIN_CASE */
void aria_invalid_param()
{
mbedtls_aria_context ctx;
@@ -52,8 +52,10 @@
output));
#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
exit:
return;
+#endif
}
/* END_CASE */
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index c90f1bb..2305f48 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -144,6 +144,26 @@
/* END_CASE */
/* BEGIN_CASE */
+void mpi_zero_length_buffer_is_null()
+{
+ mbedtls_mpi X;
+ size_t olen;
+
+ mbedtls_mpi_init(&X);
+
+ /* Simply test that the following functions do not crash when a NULL buffer
+ * pointer and 0 length is passed. We don't care much about the return value. */
+ TEST_EQUAL(mbedtls_mpi_read_binary(&X, NULL, 0), 0);
+ TEST_EQUAL(mbedtls_mpi_read_binary_le(&X, NULL, 0), 0);
+ TEST_EQUAL(mbedtls_mpi_write_string(&X, 16, NULL, 0, &olen), MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL);
+ TEST_EQUAL(mbedtls_mpi_write_binary(&X, NULL, 0), 0);
+
+exit:
+ mbedtls_mpi_free(&X);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void mpi_read_binary(data_t *buf, char *input_A)
{
mbedtls_mpi X;
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 9d068f1..c53e42a 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -82,6 +82,9 @@
Test mpi_write_string #10 (Negative hex with odd number of digits)
mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+Provide NULL buffer with 0 length
+mpi_zero_length_buffer_is_null
+
Base test mbedtls_mpi_read_binary #1
mpi_read_binary:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"0941379D00FED1491FE15DF284DFDE4A142F68AA8D412023195CEE66883E6290FFE703F4EA5963BF212713CEE46B107C09182B5EDCD955ADAC418BF4918E2889AF48E1099D513830CEC85C26AC1E158B52620E33BA8692F893EFBB2F958B4424"
diff --git a/tests/suites/test_suite_constant_time_hmac.function b/tests/suites/test_suite_constant_time_hmac.function
index 9d9aa3c..0e870d8 100644
--- a/tests/suites/test_suite_constant_time_hmac.function
+++ b/tests/suites/test_suite_constant_time_hmac.function
@@ -3,7 +3,7 @@
#include <mbedtls/constant_time.h>
#include <mbedtls/md.h>
#include <constant_time_internal.h>
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include <ssl_misc.h>
#include <test/constant_flow.h>
diff --git a/tests/suites/test_suite_ctr_drbg.data b/tests/suites/test_suite_ctr_drbg.data
index 028a07f..89dfb97 100644
--- a/tests/suites/test_suite_ctr_drbg.data
+++ b/tests/suites/test_suite_ctr_drbg.data
@@ -1105,3 +1105,48 @@
CTR_DRBG self test
ctr_drbg_selftest:
+
+Increment counter rollover
+ctr_increment_rollover
+
+Increment counter 00
+ctr_increment:"00"
+
+Increment counter ff00
+ctr_increment:"ff00"
+
+Increment counter ff0000
+ctr_increment:"ff0000"
+
+Increment counter ff000000
+ctr_increment:"ff000000"
+
+Increment counter ff00000000
+ctr_increment:"ff00000000"
+
+Increment counter ff0000000000
+ctr_increment:"ff0000000000"
+
+Increment counter ff000000000000
+ctr_increment:"ff000000000000"
+
+Increment counter 01
+ctr_increment:"01"
+
+Increment counter ff01
+ctr_increment:"ff01"
+
+Increment counter ff0001
+ctr_increment:"ff0001"
+
+Increment counter ff000001
+ctr_increment:"ff000001"
+
+Increment counter ff00000001
+ctr_increment:"ff00000001"
+
+Increment counter ff0000000001
+ctr_increment:"ff0000000001"
+
+Increment counter ff000000000001
+ctr_increment:"ff000000000001"
diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index 1f0a072..425c43e 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function
@@ -2,6 +2,7 @@
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "string.h"
+#include "ctr.h"
#if defined(MBEDTLS_THREADING_PTHREAD)
#include "mbedtls/threading.h"
@@ -443,3 +444,75 @@
AES_PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void ctr_increment_rollover()
+{
+ uint8_t c[16];
+ uint8_t r[16];
+
+ // test all increments from 2^n - 1 to 2^n (i.e. where we roll over into the next bit)
+ for (int n = 0; n <= 128; n++) {
+ memset(c, 0, 16);
+ memset(r, 0, 16);
+
+ // set least significant (highest address) n bits to 1, i.e. generate (2^n - 1)
+ for (int i = 0; i < n; i++) {
+ int bit = i % 8;
+ int byte = (i / 8);
+ c[15 - byte] |= 1 << bit;
+ }
+ // increment to get 2^n
+ mbedtls_ctr_increment_counter(c);
+
+ // now generate a reference result equal to 2^n - i.e. set only bit (n + 1)
+ // if n == 127, this will not set any bits (i.e. wraps to 0).
+ int bit = n % 8;
+ int byte = n / 8;
+ if (byte < 16) {
+ r[15 - byte] = 1 << bit;
+ }
+
+ TEST_MEMORY_COMPARE(c, 16, r, 16);
+ }
+
+ uint64_t lsb = 10, msb = 20;
+ MBEDTLS_PUT_UINT64_BE(msb, c, 0);
+ MBEDTLS_PUT_UINT64_BE(lsb, c, 8);
+ memcpy(r, c, 16);
+ mbedtls_ctr_increment_counter(c);
+ for (int i = 15; i >= 0; i--) {
+ r[i] += 1;
+ if (r[i] != 0) {
+ break;
+ }
+ }
+ TEST_MEMORY_COMPARE(c, 16, r, 16);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ctr_increment(data_t *x)
+{
+ uint8_t c[16];
+ uint8_t r[16];
+
+ // initialise c and r from test argument
+ memset(c, 0, 16);
+ memcpy(c, x->x, x->len);
+ memcpy(r, c, 16);
+
+ // increment c
+ mbedtls_ctr_increment_counter(c);
+ // increment reference
+ for (int i = 15; i >= 0; i--) {
+ r[i] += 1;
+ if (r[i] != 0) {
+ break;
+ }
+ }
+
+ // test that mbedtls_ctr_increment_counter behaviour matches reference
+ TEST_MEMORY_COMPARE(c, 16, r, 16);
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index b961040..eeefc95 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "string.h"
#include "mbedtls/pk.h"
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 1002991..01fdc47 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -529,6 +529,24 @@
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
mbedtls_ecp_check_pub_priv:MBEDTLS_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edfe":MBEDTLS_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edfe":MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+ECP calculate public: secp256r1, good
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":0:"0437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff"
+
+ECP calculate public: secp256r1, private value out of range
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_SECP256R1:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_ECP_INVALID_KEY:""
+
+# Alice's private key from rfc 7748, masked and adjusted for endianness
+# because the test function wants the little-endian representation.
+ECP calculate public: Curve25519, good
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_CURVE25519:"6a2cb91da5fb77b12a99c0eb872f4cdf4566b25172c1163c7da518730a6d0770":0:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
+ECP calculate public: Curve25519, private value not masked
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_CURVE25519:"2a2cb91da5fb77b12a99c0eb872f4cdf4566b25172c1163c7da518730a6d0770":MBEDTLS_ERR_ECP_INVALID_KEY:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
ECP gen keypair [#1]
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
mbedtls_ecp_gen_keypair:MBEDTLS_ECP_DP_SECP192R1
@@ -581,6 +599,48 @@
ECP generate Montgomery key: Curve448, not enough entropy
genkey_mx_known_answer:447:"4f0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536":""
+ECP set public key: invalid group (0)
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_NONE:MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
+ECP set public key: valid group (secp256r1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_SECP256R1:0
+
+ECP set public key: group not supported (secp256r1)
+depends_on:!MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
+ECP set public key: bad group (not in enum)
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_MAX:MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
+ECP set public key: good, secp256r1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_good:MBEDTLS_ECP_DP_SECP256R1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
+ECP set public key: good, Curve25519
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_set_public_key_good:MBEDTLS_ECP_DP_CURVE25519:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
+ECP set public key after private: good, secp256r1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP256R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP256R1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
+ECP set public key after private: good, Curve25519
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_CURVE25519:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":MBEDTLS_ECP_DP_CURVE25519:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
+ECP set public key after private: secp256r1 then secp256k1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP256R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP256K1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
+ECP set public key after private: secp256r1 then secp384r1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP256R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP384R1:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaae1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+
+ECP set public key after private: secp384r1 then secp256r1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP384R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP256R1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
ECP read key #1 (short weierstrass, too small)
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"00":MBEDTLS_ERR_ECP_INVALID_KEY:0
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 5751624..295fe7f 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -590,29 +590,41 @@
{
mbedtls_ecp_group grp;
mbedtls_ecp_point P;
+ mbedtls_ecp_keypair key;
unsigned char buf[256];
size_t olen;
memset(buf, 0, sizeof(buf));
mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);
+ mbedtls_ecp_keypair_init(&key);
- TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
+ TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0);
- TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x) == 0);
- TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y) == 0);
- TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z) == 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&P.X, x), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&P.Y, y), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&P.Z, z), 0);
- TEST_ASSERT(mbedtls_ecp_point_write_binary(&grp, &P, format,
- &olen, buf, blen) == ret);
-
+ TEST_EQUAL(mbedtls_ecp_point_write_binary(&grp, &P, format,
+ &olen, buf, blen), ret);
if (ret == 0) {
- TEST_ASSERT(olen <= MBEDTLS_ECP_MAX_PT_LEN);
- TEST_ASSERT(mbedtls_test_hexcmp(buf, out->x, olen, out->len) == 0);
+ TEST_LE_U(olen, MBEDTLS_ECP_MAX_PT_LEN);
+ ASSERT_COMPARE(buf, olen,
+ out->x, out->len);
+ }
+
+ memset(buf, 0, blen);
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp.id, &key, &P), 0);
+ TEST_EQUAL(mbedtls_ecp_write_public_key(&key, format,
+ &olen, buf, blen), ret);
+ if (ret == 0) {
+ ASSERT_COMPARE(buf, olen,
+ out->x, out->len);
}
exit:
mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
+ mbedtls_ecp_keypair_free(&key);
}
/* END_CASE */
@@ -989,6 +1001,41 @@
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECP_C */
+void ecp_calc_public(int grp_id, data_t *private_data,
+ int expected_ret, data_t *expected_public)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
+
+ TEST_EQUAL(mbedtls_ecp_group_load(&key.grp, grp_id), 0);
+ TEST_EQUAL(mbedtls_mpi_read_binary(&key.d,
+ private_data->x, private_data->len), 0);
+
+ TEST_EQUAL(mbedtls_ecp_keypair_calc_public(&key,
+ &mbedtls_test_rnd_pseudo_rand, &rnd_info),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ TEST_EQUAL(mbedtls_ecp_check_pub_priv(&key, &key,
+ &mbedtls_test_rnd_pseudo_rand, &rnd_info),
+ 0);
+ unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t length;
+ TEST_EQUAL(mbedtls_ecp_point_write_binary(&key.grp, &key.Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &length, buf, sizeof(buf)),
+ 0);
+ ASSERT_COMPARE(expected_public->x, expected_public->len, buf, length);
+ }
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_C */
void mbedtls_ecp_gen_keypair(int id)
{
mbedtls_ecp_group grp;
@@ -1030,6 +1077,7 @@
&mbedtls_test_rnd_pseudo_rand,
&rnd_info) == 0);
+ TEST_EQUAL(mbedtls_ecp_keypair_get_group_id(&key), id);
TEST_ASSERT(mbedtls_ecp_check_pubkey(&key.grp, &key.Q) == 0);
TEST_ASSERT(mbedtls_ecp_check_privkey(&key.grp, &key.d) == 0);
@@ -1039,22 +1087,123 @@
/* END_CASE */
/* BEGIN_CASE */
+void ecp_set_public_key_group_check(int grp_id, int expected_ret)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
+
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp_id, &key, &Q),
+ expected_ret);
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_ecp_point_free(&Q);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecp_set_public_key_good(int grp_id, data_t *public_data)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
+
+ TEST_EQUAL(mbedtls_ecp_group_load(&grp, grp_id), 0);
+ TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &Q,
+ public_data->x, public_data->len),
+ 0);
+
+ /* Freshly initialized key */
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp_id, &key, &Q), 0);
+ TEST_EQUAL(key.grp.id, grp_id);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &Q), 0);
+
+ /* Key with a public key already set to a different value */
+ TEST_EQUAL(mbedtls_mpi_add_int(&key.Q.X, &key.Q.X, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_add_int(&key.Q.Y, &key.Q.Y, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_add_int(&key.Q.Z, &key.Q.Z, 1), 0);
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp_id, &key, &Q), 0);
+ TEST_EQUAL(key.grp.id, grp_id);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &Q), 0);
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&Q);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecp_set_public_key_after_private(int private_grp_id, data_t *private_data,
+ int public_grp_id, data_t *public_data)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
+ mbedtls_mpi d;
+ mbedtls_mpi_init(&d);
+
+ TEST_EQUAL(mbedtls_ecp_group_load(&grp, public_grp_id), 0);
+ TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &Q,
+ public_data->x, public_data->len),
+ 0);
+ TEST_EQUAL(mbedtls_ecp_read_key(private_grp_id, &key,
+ private_data->x, private_data->len),
+ 0);
+ TEST_EQUAL(mbedtls_mpi_copy(&d, &key.d), 0);
+
+ int ret = mbedtls_ecp_set_public_key(public_grp_id, &key, &Q);
+
+ if (private_grp_id == public_grp_id) {
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(key.grp.id, public_grp_id);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &Q), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_mpi(&d, &key.d), 0);
+ } else {
+ TEST_EQUAL(ret, MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+ }
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&Q);
+ mbedtls_mpi_free(&d);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonical)
{
int ret = 0;
mbedtls_ecp_keypair key;
- mbedtls_ecp_keypair key2;
-
mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_keypair key2;
mbedtls_ecp_keypair_init(&key2);
+ TEST_EQUAL(mbedtls_mpi_lset(&key.Q.X, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_lset(&key.Q.Y, 2), 0);
+ TEST_EQUAL(mbedtls_mpi_lset(&key.Q.Z, 3), 0);
+
ret = mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len);
TEST_ASSERT(ret == expected);
if (expected == 0) {
+ TEST_EQUAL(mbedtls_ecp_keypair_get_group_id(&key), grp_id);
ret = mbedtls_ecp_check_privkey(&key.grp, &key.d);
TEST_ASSERT(ret == 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.X, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Y, 2), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Z, 3), 0);
+
if (canonical) {
unsigned char buf[MBEDTLS_ECP_MAX_BYTES];
@@ -1233,6 +1382,28 @@
TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &export_Q), 0);
TEST_EQUAL(mbedtls_mpi_cmp_mpi(&key.d, &export_d), 0);
TEST_EQUAL(mbedtls_ecp_group_cmp(&key.grp, &export_grp), 0);
+
+ /* Check consistency with the group id */
+ TEST_EQUAL(export_grp.id,
+ mbedtls_ecp_keypair_get_group_id(&key));
+
+ /* Test null arguments: grp only */
+ mbedtls_ecp_group_free(&export_grp);
+ mbedtls_ecp_group_init(&export_grp);
+ TEST_EQUAL(mbedtls_ecp_export(&key, &export_grp, NULL, NULL), 0);
+ TEST_EQUAL(mbedtls_ecp_group_cmp(&key.grp, &export_grp), 0);
+
+ /* Test null arguments: d only */
+ mbedtls_mpi_free(&export_d);
+ mbedtls_mpi_init(&export_d);
+ TEST_EQUAL(mbedtls_ecp_export(&key, NULL, &export_d, NULL), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_mpi(&key.d, &export_d), 0);
+
+ /* Test null arguments: Q only */
+ mbedtls_ecp_point_free(&export_Q);
+ mbedtls_ecp_point_init(&export_Q);
+ TEST_EQUAL(mbedtls_ecp_export(&key, NULL, NULL, &export_Q), 0);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &export_Q), 0);
}
exit:
diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function
index 599c926..8bb7b8b 100644
--- a/tests/suites/test_suite_gcm.function
+++ b/tests/suites/test_suite_gcm.function
@@ -153,6 +153,21 @@
mbedtls_free(output);
}
+static void gcm_reset_ctx(mbedtls_gcm_context *ctx, const uint8_t *key,
+ size_t key_bits, const uint8_t *iv, size_t iv_len,
+ int starts_ret)
+{
+ int mode = MBEDTLS_GCM_ENCRYPT;
+ mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
+
+ mbedtls_gcm_init(ctx);
+ TEST_EQUAL(mbedtls_gcm_setkey(ctx, valid_cipher, key, key_bits), 0);
+ TEST_EQUAL(starts_ret, mbedtls_gcm_starts(ctx, mode, iv, iv_len));
+exit:
+ /* empty */
+ return;
+}
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -478,6 +493,118 @@
}
/* END_CASE */
+/* BEGIN_CASE */
+/* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of IV should
+ * satisfy 1 <= bit_len(IV) <= 2^64 - 1. */
+void gcm_invalid_iv_len(void)
+{
+ mbedtls_gcm_context ctx;
+ mbedtls_gcm_init(&ctx);
+ uint8_t b16[16] = { 0 };
+
+ BLOCK_CIPHER_PSA_INIT();
+
+ // Invalid IV length 0
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ // Only testable on platforms where sizeof(size_t) >= 8.
+#if SIZE_MAX >= UINT64_MAX
+ // Invalid IV length 2^61
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 1ULL << 61, MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+#endif
+
+ goto exit; /* To suppress error that exit is defined but not used */
+exit:
+ mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void gcm_add_len_too_long(void)
+{
+ // Only testable on platforms where sizeof(size_t) >= 8.
+#if SIZE_MAX >= UINT64_MAX
+ mbedtls_gcm_context ctx;
+ mbedtls_gcm_init(&ctx);
+ uint8_t b16[16] = { 0 };
+ BLOCK_CIPHER_PSA_INIT();
+
+ /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of AD should
+ * be <= 2^64 - 1, ie < 2^64. This is the minimum invalid length in bytes. */
+ uint64_t len_max = 1ULL << 61;
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed AD that just exceeds the length limit
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed AD that just exceeds the length limit in two calls
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max - 1),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Test if potential total AD length overflow is handled properly
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, UINT64_MAX), MBEDTLS_ERR_GCM_BAD_INPUT);
+
+exit:
+ mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+#endif
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void gcm_input_len_too_long(void)
+{
+ // Only testable on platforms where sizeof(size_t) >= 8
+#if SIZE_MAX >= UINT64_MAX
+ mbedtls_gcm_context ctx;
+ uint8_t b16[16] = { 0 };
+ uint8_t out[1];
+ size_t out_len;
+ mbedtls_gcm_init(&ctx);
+ BLOCK_CIPHER_PSA_INIT();
+
+ /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of input should
+ * be <= 2^39 - 256. This is the maximum valid length in bytes. */
+ uint64_t len_max = (1ULL << 36) - 32;
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed input that just exceeds the length limit
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, out, len_max + 1,
+ &out_len),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed input that just exceeds the length limit in two calls
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, out, len_max, &out_len),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Test if potential total input length overflow is handled properly
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, out, UINT64_MAX,
+ &out_len),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+
+exit:
+ mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+#endif
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */
void gcm_selftest()
{
diff --git a/tests/suites/test_suite_gcm.misc.data b/tests/suites/test_suite_gcm.misc.data
index f22b7a3..108630e 100644
--- a/tests/suites/test_suite_gcm.misc.data
+++ b/tests/suites/test_suite_gcm.misc.data
@@ -1,2 +1,14 @@
GCM - Invalid parameters
gcm_invalid_param:
+
+GCM - Invalid IV length
+depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES
+gcm_invalid_iv_len:
+
+GCM - Additional data length too long
+depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES
+gcm_add_len_too_long:
+
+GCM - Input length too long
+depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES
+gcm_input_len_too_long:
diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function
index 866ff58..2a885e2 100644
--- a/tests/suites/test_suite_md.function
+++ b/tests/suites/test_suite_md.function
@@ -1,6 +1,6 @@
/* BEGIN_HEADER */
#include "mbedtls/md.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include "mbedtls/oid.h"
#include "mbedtls/asn1.h"
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index af1e20c..3414958 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -680,3 +680,432 @@
PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512
+
+PSA attributes for pk: NONE (bad)
+pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA
+
+# There is a (negative) test for pk_type=MBEDTLS_PK_RSA_ALT in pk_rsa_alt().
+
+# Bad usage due to not specifying sign/crypt/derive.
+PSA attributes for pk: RSA usage=0 (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# Bad usage due to not specifying sign/crypt/derive.
+PSA attributes for pk: RSA usage=EXPORT (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# This usage could make sense, but is not currently supported.
+PSA attributes for pk: RSA usage=DECRYPT|EXPORT (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# Bad usage due to specifying more than one of sign/crypt/derive.
+PSA attributes for pk: RSA usage=DECRYPT|SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# This usage could make sense, but is not currently supported.
+PSA attributes for pk: RSA usage=SIGN_MESSAGE|SIGN_HASH (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# This usage could make sense, but is not currently supported.
+PSA attributes for pk: RSA usage=SIGN_MESSAGE|VERIFY_MESSAGE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 pair DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA attributes for pk: RSA v21 SHA-256 pair DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+PSA attributes for pk: RSA v21 SHA-512 pair DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512)
+
+PSA attributes for pk: RSA v15 pair->public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA attributes for pk: RSA v21 SHA-256 pair->public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+PSA attributes for pk: RSA v21 SHA-512 pair->public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:1:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512)
+
+PSA attributes for pk: RSA v15 public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA attributes for pk: RSA v21 SHA-256 public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+PSA attributes for pk: RSA v21 SHA-512 public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:0:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512)
+
+PSA attributes for pk: RSA v15 public DECRYPT (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 pair SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 pair SIGN_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair SIGN_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 pair->public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 public SIGN_HASH (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 pair DERIVE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 public DERIVE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA pair DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA pair ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair DERIVE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH
+
+PSA attributes for pk: ECKEY_DH pair DERIVE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH
+
+PSA attributes for pk: ECDSA pair DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair SIGN_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair SIGN_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY pair SIGN_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair SIGN_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY pair->public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair->public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:1:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair VERIFY_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair VERIFY_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:1:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public VERIFY_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public VERIFY_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:0:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE (bad policy)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN|VERIFY & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN|DECRYPT & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT
+
+PSA attributes for pk: opaque RSA pair, SIGN|... & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_HASH (bad policy)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+# For a PK_OPAQUE key, mbedtls_pk_get_psa_attributes() ignores the input
+# key's algorithm policy. Just this time, test with a few different algorithms.
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [0]
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [raw]
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [v15]
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [PSS]
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, 0 & DECRYPT (bad policy)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair, DECRYPT & DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_DECRYPT
+
+PSA attributes for pk: opaque RSA pair, DECRYPT|... & DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque RSA pair, ... & DERIVE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair, ... & EXPORT (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque RSA pair->public, VERIFY_HASH & VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque RSA pair->public, ENCRYPT & ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE (bad policy)
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque ECC pair, SIGN_MESSAGE & SIGN_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque ECC pair, SIGN|VERIFY & SIGN_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque ECC pair, SIGN|DECRYPT & SIGN_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT
+
+PSA attributes for pk: opaque ECC pair, SIGN|... & SIGN_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque ECC pair, SIGN_HASH & SIGN_HASH
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque ECC pair, ... & DERIVE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE
+
+PSA attributes for pk: opaque ECC pair, ... & DECRYPT (bad)
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque ECC pair, ... & EXPORT (bad)
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDH:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque ECC pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque ECC pair->public, VERIFY_HASH & VERIFY_HASH
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque ECC pair->public, ENCRYPT & ENCRYPT (bad)
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 226598c..2574307 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -6,6 +6,7 @@
#include "mbedtls/asn1.h"
#include "mbedtls/base64.h"
#include "mbedtls/ecp.h"
+#include "mbedtls/error.h"
#include "mbedtls/rsa.h"
#include "pk_internal.h"
@@ -16,7 +17,7 @@
* but the test code generator requires test case data to be valid C code
* unconditionally (https://github.com/Mbed-TLS/mbedtls/issues/2023). */
#include "psa/crypto.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
/* Used for properly sizing the key buffer in pk_genkey_ec() */
#include "psa_util_internal.h"
@@ -35,6 +36,30 @@
#define MBEDTLS_TEST_PK_PSA_SIGN
#endif
+/* MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE is enabled when PSA supports
+ * at least one elliptic curve. This is distinct from
+ * PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY because that symbol can be enabled even
+ * when there are no curves. This happens in particular in a configuration
+ * with MBEDTLS_PSA_CRYPTO_CONFIG disabled and where the only legacy curve
+ * is secp224k1, which is not supported in PSA. */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) || \
+ defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) || \
+ defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) || \
+ defined(PSA_WANT_ECC_MONTGOMERY_255) || \
+ defined(PSA_WANT_ECC_MONTGOMERY_448) || \
+ defined(PSA_WANT_ECC_SECP_K1_192) || \
+ defined(PSA_WANT_ECC_SECP_K1_224) || \
+ defined(PSA_WANT_ECC_SECP_K1_256) || \
+ defined(PSA_WANT_ECC_SECP_R1_192) || \
+ defined(PSA_WANT_ECC_SECP_R1_224) || \
+ defined(PSA_WANT_ECC_SECP_R1_256) || \
+ defined(PSA_WANT_ECC_SECP_R1_384) || \
+ defined(PSA_WANT_ECC_SECP_R1_521)
+#define MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+#endif
+#endif
+
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
{
@@ -111,7 +136,14 @@
mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) {
int ret;
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ ret = pk_genkey_ec(pk, curve_or_keybits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+#else
ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, curve_or_keybits);
if (ret != 0) {
return ret;
@@ -120,15 +152,6 @@
&mbedtls_pk_ec_rw(*pk)->d,
&mbedtls_pk_ec_rw(*pk)->Q,
mbedtls_test_rnd_std_rand, NULL);
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- ret = pk_genkey_ec(pk, curve_or_keybits);
- if (ret != 0) {
- return ret;
- }
-
- return 0;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
}
@@ -136,6 +159,32 @@
return -1;
}
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+static psa_key_usage_t pk_get_psa_attributes_implied_usage(
+ psa_key_usage_t expected_usage)
+{
+ /* Usage implied universally */
+ if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) {
+ expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE;
+ }
+ if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) {
+ expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ }
+ /* Usage implied by mbedtls_pk_get_psa_attributes() */
+ if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) {
+ expected_usage |= PSA_KEY_USAGE_VERIFY_HASH;
+ }
+ if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) {
+ expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ }
+ if (expected_usage & PSA_KEY_USAGE_DECRYPT) {
+ expected_usage |= PSA_KEY_USAGE_ENCRYPT;
+ }
+ expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
+ return expected_usage;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
#if defined(MBEDTLS_RSA_C)
int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
const unsigned char *input, unsigned char *output,
@@ -162,6 +211,127 @@
}
#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+static mbedtls_ecp_group_id ecc_pick_grp_id(void)
+{
+#if defined(MBEDTLS_ECP_LIGHT)
+ return mbedtls_ecp_grp_id_list()[0];
+#elif defined(PSA_WANT_ECC_SECP_R1_192)
+ return MBEDTLS_ECP_DP_SECP192R1;
+#elif defined(PSA_WANT_ECC_SECP_R1_224)
+ return MBEDTLS_ECP_DP_SECP224R1;
+#elif defined(PSA_WANT_ECC_SECP_R1_256)
+ return MBEDTLS_ECP_DP_SECP256R1;
+#elif defined(PSA_WANT_ECC_SECP_R1_384)
+ return MBEDTLS_ECP_DP_SECP384R1;
+#elif defined(PSA_WANT_ECC_SECP_R1_521)
+ return MBEDTLS_ECP_DP_SECP521R1;
+#elif defined(PSA_WANT_ECC_SECP_K1_192)
+ return MBEDTLS_ECP_DP_SECP192K1;
+#elif defined(PSA_WANT_ECC_SECP_K1_224)
+ return MBEDTLS_ECP_DP_SECP224K1;
+#elif defined(PSA_WANT_ECC_SECP_K1_256)
+ return MBEDTLS_ECP_DP_SECP256K1;
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+ return MBEDTLS_ECP_DP_BP256R1;
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+ return MBEDTLS_ECP_DP_BP384R1;
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+ return MBEDTLS_ECP_DP_BP512R1;
+#elif defined(PSA_WANT_ECC_MONTGOMERY_255)
+ return MBEDTLS_ECP_DP_CURVE25519;
+#elif defined(PSA_WANT_ECC_MONTGOMERY_448)
+ return MBEDTLS_ECP_DP_CURVE448;
+#else
+ return 0;
+#endif
+}
+#endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair,
+ mbedtls_pk_context *pk, psa_key_type_t *psa_type)
+{
+ if (pk_type == MBEDTLS_PK_NONE) {
+ return 0;
+ }
+ TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0);
+
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ *psa_type = PSA_KEY_TYPE_RSA_KEY_PAIR;
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
+ if (want_pair) {
+#if defined(MBEDTLS_GENPRIME)
+ TEST_EQUAL(mbedtls_rsa_gen_key(
+ rsa,
+ mbedtls_test_rnd_std_rand, NULL,
+ MBEDTLS_RSA_GEN_KEY_MIN_BITS, 65537), 0);
+#else
+ TEST_FAIL("I don't know how to create an RSA key pair in this configuration.");
+#endif
+ } else {
+ unsigned char N[PSA_BITS_TO_BYTES(MBEDTLS_RSA_GEN_KEY_MIN_BITS)] = { 0xff };
+ N[sizeof(N) - 1] = 0x03;
+ const unsigned char E[1] = { 0x03 };
+ TEST_EQUAL(mbedtls_rsa_import_raw(rsa,
+ N, sizeof(N),
+ NULL, 0, NULL, 0, NULL, 0,
+ E, sizeof(E)), 0);
+ TEST_EQUAL(mbedtls_rsa_complete(rsa), 0);
+ }
+ break;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ mbedtls_ecp_group_id grp_id = ecc_pick_grp_id();
+ size_t bits;
+ *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits));
+ TEST_EQUAL(pk_genkey(pk, grp_id), 0);
+ if (!want_pair) {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_key_attributes_t pub_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_type(&pub_attributes,
+ PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type));
+ psa_set_key_usage_flags(&pub_attributes,
+ PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_COPY |
+ PSA_KEY_USAGE_VERIFY_MESSAGE |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&pub_attributes, PSA_ALG_ECDSA_ANY);
+ PSA_ASSERT(psa_destroy_key(pk->priv_id));
+ pk->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
+ mbedtls_mpi_free(&ec->d);
+#endif
+ }
+ break;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ default:
+ TEST_FAIL("Unknown PK type in test data");
+ break;
+ }
+
+ if (!want_pair) {
+ *psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type);
+ }
+ return 0;
+
+exit:
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+}
+#endif
+
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/*
@@ -1263,6 +1433,14 @@
TEST_ASSERT(mbedtls_pk_get_type(&alt) == MBEDTLS_PK_RSA_ALT);
TEST_ASSERT(strcmp(mbedtls_pk_get_name(&alt), "RSA-alt") == 0);
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&alt,
+ PSA_KEY_USAGE_ENCRYPT,
+ &attributes),
+ MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
/* Test signature */
#if SIZE_MAX > UINT_MAX
TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX,
@@ -1569,3 +1747,180 @@
PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */
+void pk_get_psa_attributes(int pk_type, int from_pair,
+ int usage_arg,
+ int to_pair, int expected_alg)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_usage_t usage = usage_arg;
+
+ PSA_INIT();
+
+ psa_key_type_t expected_psa_type = 0;
+ TEST_EQUAL(pk_setup_for_type(pk_type, from_pair,
+ &pk, &expected_psa_type), 0);
+ if (!to_pair) {
+ expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type);
+ }
+
+ psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE; //TODO: diversity
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; //TODO: diversity
+ psa_set_key_id(&attributes, key_id);
+ psa_set_key_lifetime(&attributes, lifetime);
+ psa_set_key_enrollment_algorithm(&attributes, 42);
+ psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ /* When the resulting algorithm is ECDSA, the compile-time configuration
+ * can cause it to be either deterministic or randomized ECDSA.
+ * Rather than have two near-identical sets of test data depending on
+ * the configuration, always use randomized in the test data and
+ * tweak the expected result here. */
+ if (expected_alg == PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)) {
+ expected_alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH);
+ }
+#endif
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0);
+
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), lifetime);
+ TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes),
+ key_id));
+ TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type);
+ TEST_EQUAL(psa_get_key_bits(&attributes),
+ mbedtls_pk_get_bitlen(&pk));
+ TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
+ TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg);
+ TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE);
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME */
+void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair,
+ int usage_arg,
+ int to_pair, int expected_alg)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_usage_t usage = usage_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ PSA_INIT();
+
+ psa_key_type_t expected_psa_type = 0;
+ TEST_EQUAL(pk_setup_for_type(MBEDTLS_PK_RSA, from_pair,
+ &pk, &expected_psa_type), 0);
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(pk);
+ TEST_EQUAL(mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_type), 0);
+ if (!to_pair) {
+ expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type);
+ }
+ psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage);
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0);
+
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE);
+ TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes),
+ MBEDTLS_SVC_KEY_ID_INIT));
+ TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type);
+ TEST_EQUAL(psa_get_key_bits(&attributes),
+ mbedtls_pk_get_bitlen(&pk));
+ TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
+ TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg);
+ TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE);
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */
+void pk_get_psa_attributes_fail(int pk_type, int from_pair,
+ int usage_arg,
+ int expected_ret)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_usage_t usage = usage_arg;
+
+ PSA_INIT();
+
+ psa_key_type_t expected_psa_type;
+ TEST_EQUAL(pk_setup_for_type(pk_type, from_pair,
+ &pk, &expected_psa_type), 0);
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes),
+ expected_ret);
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */
+void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg,
+ int from_usage_arg, int from_alg_arg,
+ int usage_arg,
+ int expected_ret,
+ int to_pair, int expected_usage_arg)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t from_type = from_type_arg;
+ size_t bits = from_bits_arg;
+ psa_key_usage_t from_usage = from_usage_arg;
+ psa_algorithm_t alg = from_alg_arg;
+ psa_key_usage_t usage = usage_arg;
+ psa_key_usage_t expected_usage = expected_usage_arg;
+
+ PSA_INIT();
+
+ psa_set_key_type(&attributes, from_type);
+ psa_set_key_bits(&attributes, bits);
+ psa_set_key_usage_flags(&attributes, from_usage);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_enrollment_algorithm(&attributes, 42);
+ //TODO: test with persistent key
+ PSA_ASSERT(psa_generate_key(&attributes, &key_id));
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
+
+ psa_key_type_t expected_psa_type =
+ to_pair ? from_type : PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(from_type);
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE);
+ TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes),
+ MBEDTLS_SVC_KEY_ID_INIT));
+ TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type);
+ TEST_EQUAL(psa_get_key_bits(&attributes), bits);
+ TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
+ TEST_EQUAL(psa_get_key_algorithm(&attributes), alg);
+ TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE);
+ }
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_destroy_key(key_id);
+ psa_reset_key_attributes(&attributes);
+ PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 65384a8..4c8bf23 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -4,6 +4,7 @@
#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
+#include "x509_internal.h"
#include "mbedtls/oid.h"
#include "sys/types.h"
#include "sys/stat.h"
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index d416b87..14afef6 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -41,6 +41,33 @@
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_RSA));
rsa = mbedtls_pk_rsa(ctx);
TEST_EQUAL(mbedtls_rsa_check_privkey(rsa), 0);
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_SIGN_HASH,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_SIGN_MESSAGE,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_DECRYPT,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_MESSAGE,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_ENCRYPT,
+ &attributes), 0);
+#endif
}
exit:
@@ -68,6 +95,21 @@
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_RSA));
rsa = mbedtls_pk_rsa(ctx);
TEST_EQUAL(mbedtls_rsa_check_pubkey(rsa), 0);
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_ENCRYPT,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_MESSAGE,
+ &attributes), 0);
+#endif
}
exit:
@@ -100,6 +142,17 @@
eckey = mbedtls_pk_ec_ro(ctx);
TEST_EQUAL(mbedtls_ecp_check_pubkey(&eckey->grp, &eckey->Q), 0);
#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_MESSAGE,
+ &attributes), 0);
+#endif
}
exit:
@@ -124,11 +177,34 @@
if (res == 0) {
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY));
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ /* PSA keys are already checked on import so nothing to do here. */
+#else
const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec_ro(ctx);
TEST_EQUAL(mbedtls_ecp_check_privkey(&eckey->grp, &eckey->d), 0);
-#else
- /* PSA keys are already checked on import so nothing to do here. */
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_SIGN_HASH,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_SIGN_MESSAGE,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_DERIVE,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ &attributes), 0);
+ psa_reset_key_attributes(&attributes);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&ctx,
+ PSA_KEY_USAGE_VERIFY_MESSAGE,
+ &attributes), 0);
#endif
}
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index 733909e..c760090 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
-#include "mbedtls/pk.h"
+#include "pk_internal.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "psa/crypto_sizes.h"
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index cd60333..0882e37 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -684,7 +684,7 @@
PSA import EC keypair: explicit bit-size=255 for secp256r1
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
-import_with_data:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):255:PSA_ERROR_NOT_SUPPORTED
+import_with_data:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):255:PSA_ERROR_INVALID_ARGUMENT
PSA import EC keypair: explicit bit-size=521 for secp521r1 (good)
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
@@ -692,7 +692,7 @@
PSA import EC keypair: explicit bit-size=528 for secp521r1 (bad)
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
-import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af7bda28d99fa47b7dd0963e16b0073078ee8b8a38d966a582f46d19ff95df3ad9685aae":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):528:PSA_ERROR_NOT_SUPPORTED
+import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af7bda28d99fa47b7dd0963e16b0073078ee8b8a38d966a582f46d19ff95df3ad9685aae":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):528:PSA_ERROR_INVALID_ARGUMENT
PSA import EC keypair: explicit bit-size, DER format
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
@@ -716,7 +716,7 @@
PSA import EC keypair: implicit bit-size, not a valid length
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
-import_with_data:"0123456789abcdef0123456789abcdef":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_NOT_SUPPORTED
+import_with_data:"0123456789abcdef0123456789abcdef":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_INVALID_ARGUMENT
PSA import EC keypair: secp256r1, all-bits-zero (bad)
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
@@ -1025,35 +1025,39 @@
PSA key policy: asymmetric encryption, encrypt | decrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, wrong algorithm (v1.5/OAEP)
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):0
PSA key policy: asymmetric encryption, wrong algorithm (OAEP with different hash)
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_224:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_224):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_224):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):0
PSA key policy: asymmetric encryption, alg=0 in policy
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, ANY_HASH in policy is not meaningful
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):0
PSA key policy: asymmetric encryption, encrypt but not decrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, decrypt but not encrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, neither encrypt nor decrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT:0
+
+PSA key policy: asymmetric encryption, opaque key, encrypt | decrypt
+depends_on:PSA_CRYPTO_DRIVER_TEST:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT:1
PSA key policy: asymmetric signature, sign | verify hash, PKCS#1v1.5 SHA-256
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
@@ -7505,3 +7509,62 @@
PSA derive persistent key: HKDF SHA-256, exportable
persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY
+
+ECP group ID <-> PSA family - SECP192R1
+depends_on:PSA_WANT_ECC_SECP_R1_192
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP192R1:PSA_ECC_FAMILY_SECP_R1:192
+
+ECP group ID <-> PSA family - SECP224R1
+depends_on:PSA_WANT_ECC_SECP_R1_224
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP224R1:PSA_ECC_FAMILY_SECP_R1:224
+
+ECP group ID <-> PSA family - SECP256R1
+depends_on:PSA_WANT_ECC_SECP_R1_256
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP256R1:PSA_ECC_FAMILY_SECP_R1:256
+
+ECP group ID <-> PSA family - SECP384R1
+depends_on:PSA_WANT_ECC_SECP_R1_384
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP384R1:PSA_ECC_FAMILY_SECP_R1:384
+
+ECP group ID <-> PSA family - SECP521R1
+depends_on:PSA_WANT_ECC_SECP_R1_521
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP521R1:PSA_ECC_FAMILY_SECP_R1:521
+
+ECP group ID <-> PSA family - BP256R1
+depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_256
+ecc_conversion_functions:MBEDTLS_ECP_DP_BP256R1:PSA_ECC_FAMILY_BRAINPOOL_P_R1:256
+
+ECP group ID <-> PSA family - BP384R1
+depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_384
+ecc_conversion_functions:MBEDTLS_ECP_DP_BP384R1:PSA_ECC_FAMILY_BRAINPOOL_P_R1:384
+
+ECP group ID <-> PSA family - BP512R1
+depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512
+ecc_conversion_functions:MBEDTLS_ECP_DP_BP512R1:PSA_ECC_FAMILY_BRAINPOOL_P_R1:512
+
+ECP group ID <-> PSA family - CURVE25519
+depends_on:PSA_WANT_ECC_MONTGOMERY_255
+ecc_conversion_functions:MBEDTLS_ECP_DP_CURVE25519:PSA_ECC_FAMILY_MONTGOMERY:255
+
+ECP group ID <-> PSA family - SECP192K1
+depends_on:PSA_WANT_ECC_SECP_K1_192
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP192K1:PSA_ECC_FAMILY_SECP_K1:192
+
+ECP group ID <-> PSA family - SECP224K1
+depends_on:PSA_WANT_ECC_SECP_K1_224
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP224K1:PSA_ECC_FAMILY_SECP_K1:224
+
+ECP group ID <-> PSA family - SECP256K1
+depends_on:PSA_WANT_ECC_SECP_K1_256
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP256K1:PSA_ECC_FAMILY_SECP_K1:256
+
+ECP group ID <-> PSA family - CURVE448
+depends_on:PSA_WANT_ECC_MONTGOMERY_448
+ecc_conversion_functions:MBEDTLS_ECP_DP_CURVE448:PSA_ECC_FAMILY_MONTGOMERY:448
+
+ECP group ID <-> PSA family - Null values
+ecc_conversion_functions:MBEDTLS_ECP_DP_NONE:0:0
+
+ECP group ID <-> PSA family - Wrong values
+ecc_conversion_functions_fail
+
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index f87c800..95e7a2d 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6,6 +6,8 @@
#include "mbedtls/oid.h"
#include "common.h"
+#include "mbedtls/psa_util.h"
+
/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random()
* uses mbedtls_ctr_drbg internally. */
#include "mbedtls/ctr_drbg.h"
@@ -2107,7 +2109,8 @@
int policy_alg,
int key_type,
data_t *key_data,
- int exercise_alg)
+ int exercise_alg,
+ int use_opaque_key)
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -2124,6 +2127,11 @@
psa_set_key_algorithm(&attributes, policy_alg);
psa_set_key_type(&attributes, key_type);
+ if (use_opaque_key) {
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+ PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION));
+ }
+
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
@@ -9479,6 +9487,45 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+void ecc_conversion_functions(int grp_id_arg, int psa_family_arg, int bits_arg)
+{
+ mbedtls_ecp_group_id grp_id = grp_id_arg;
+ psa_ecc_family_t ecc_family = psa_family_arg;
+ size_t bits = bits_arg;
+ size_t bits_tmp;
+
+ TEST_EQUAL(ecc_family, mbedtls_ecc_group_to_psa(grp_id, &bits_tmp));
+ TEST_EQUAL(bits, bits_tmp);
+ TEST_EQUAL(grp_id, mbedtls_ecc_group_from_psa(ecc_family, bits));
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+void ecc_conversion_functions_fail()
+{
+ size_t bits;
+
+ /* Invalid legacy curve identifiers. */
+ TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_MAX, &bits));
+ TEST_EQUAL(0, bits);
+ TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_NONE, &bits));
+ TEST_EQUAL(0, bits);
+
+ /* Invalid PSA EC family. */
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(0, 192));
+ /* Invalid bit-size for a valid EC family. */
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_SECP_R1, 512));
+
+ /* Twisted-Edward curves are not supported yet. */
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
+ mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 255));
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
+ mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 448));
+}
+/* END_CASE */
+
+
/* BEGIN_CASE */
void key_agreement_output(int alg_arg,
int our_key_type_arg, data_t *our_key_data,
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index de998e3..86945cc 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3270,3 +3270,15 @@
Test Elliptic curves' info parsing
elliptic_curve_get_properties
+
+TLS 1.3 resume session with ticket
+tls13_resume_session_with_ticket
+
+TLS 1.3 early data, reference
+tls13_early_data:TEST_EARLY_DATA_REFERENCE
+
+TLS 1.3 early data, deprotect and discard
+tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD
+
+TLS 1.3 early data, discard after HRR
+tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 8a03d1b..8687a4d 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -12,6 +12,54 @@
#define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 }
+/* Mnemonics for the early data test scenarios */
+#define TEST_EARLY_DATA_REFERENCE 0
+#define TEST_EARLY_DATA_DEPROTECT_AND_DISCARD 1
+#define TEST_EARLY_DATA_DISCARD_AFTER_HRR 2
+
+#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \
+ defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+/*
+ * The implementation of the function should be based on
+ * mbedtls_ssl_write_early_data() eventually. The current version aims at
+ * removing the dependency on mbedtls_ssl_write_early_data() for the
+ * development and testing of reading early data.
+ */
+static int write_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
+
+ TEST_ASSERT(ret > 0);
+ TEST_ASSERT(len <= (size_t) ret);
+
+ ret = mbedtls_ssl_flush_output(ssl);
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(ssl->out_left, 0);
+
+ ssl->out_msglen = len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ if (len > 0) {
+ memcpy(ssl->out_msg, buf, len);
+ }
+
+ ret = mbedtls_ssl_write_record(ssl, 1);
+ TEST_EQUAL(ret, 0);
+
+ ret = len;
+
+exit:
+ return ret;
+}
+#endif
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -3519,3 +3567,270 @@
MD_OR_USE_PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_resume_session_with_ticket()
+{
+ int ret = -1;
+ unsigned char buf[64];
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+
+ /*
+ * Test set-up
+ */
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL,
+ NULL);
+ TEST_EQUAL(ret, 0);
+
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL,
+ NULL);
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Run initial handshake: ephemeral key exchange mode, certificate with
+ * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature
+ * algorithm. Then, get the ticket sent by the server at the end of its
+ * handshake sequence.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+ do {
+ ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
+ } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
+
+ /*
+ * Save client session and reset the SSL context of the two endpoints.
+ */
+ ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Set saved session on client side and handshake using the ticket
+ * included in that session.
+ */
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not
+ * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks
+ * below.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0);
+
+ TEST_EQUAL(server_ep.ssl.handshake->resume, 1);
+ TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1);
+ TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/*
+ * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is
+ * a temporary workaround to not run the test in Windows-2013 where there is
+ * an issue with mbedtls_vsnprintf().
+ */
+/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_early_data(int scenario)
+{
+ int ret = -1;
+ unsigned char buf[64];
+ const char *early_data = "This is early data.";
+ size_t early_data_len = strlen(early_data);
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
+ uint16_t group_list[3] = {
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+ };
+
+ /*
+ * Test set-up
+ */
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL,
+ group_list);
+ TEST_EQUAL(ret, 0);
+ mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
+
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+ server_options.srv_log_obj = &server_pattern;
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL,
+ group_list);
+ TEST_EQUAL(ret, 0);
+ mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Run initial handshake: ephemeral key exchange mode, certificate with
+ * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature
+ * algorithm. Then, get the ticket sent by the server at the end of its
+ * handshake sequence.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+ do {
+ ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
+ } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
+
+ /*
+ * Save client session and reset the SSL context of the two endpoints.
+ */
+ ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Set saved session on client side and start handshake using the ticket
+ * included in that session.
+ */
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_REFERENCE:
+ break;
+
+ case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD:
+ mbedtls_debug_set_threshold(3);
+ server_pattern.pattern =
+ "EarlyData: deprotect and discard app data records.";
+ mbedtls_ssl_conf_early_data(&server_ep.conf,
+ MBEDTLS_SSL_EARLY_DATA_DISABLED);
+ break;
+
+ case TEST_EARLY_DATA_DISCARD_AFTER_HRR:
+ mbedtls_debug_set_threshold(3);
+ server_pattern.pattern =
+ "EarlyData: Ignore application message before 2nd ClientHello";
+ mbedtls_ssl_conf_groups(&server_ep.conf, group_list + 1);
+ /*
+ * Need to reset again to reconstruct the group list in the
+ * handshake structure from the configured one.
+ */
+ ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+ TEST_EQUAL(ret, 0);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_HELLO), 0);
+
+ TEST_ASSERT(client_ep.ssl.early_data_status !=
+ MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
+
+ ret = write_early_data(&(client_ep.ssl), (unsigned char *) early_data,
+ early_data_len);
+ TEST_EQUAL(ret, early_data_len);
+
+ ret = mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_WRAPUP);
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_REFERENCE:
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+ TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1);
+ TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl),
+ buf, sizeof(buf)), early_data_len);
+ TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len);
+ break;
+
+ case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_DISCARD_AFTER_HRR:
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
+ TEST_EQUAL(server_pattern.counter, 1);
+ break;
+ }
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ mbedtls_debug_set_threshold(0);
+ PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index faa3166..6290331 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compile time library version
-check_compiletime_version:"3.5.1"
+check_compiletime_version:"3.5.2"
Check runtime library version
-check_runtime_version:"3.5.1"
+check_runtime_version:"3.5.2"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index c2a2f55..66477e0 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -4,6 +4,7 @@
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "mbedtls/base64.h"
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 28cef30..5c6a903 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -265,3 +265,6 @@
Check max serial length
x509_set_serial_check:
+
+Check max extension length
+x509_set_extension_length_check:
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index b59fd48..3d84c72 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -2,12 +2,13 @@
#include "mbedtls/bignum.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "mbedtls/rsa.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/pk.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_RSA_C)
int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
@@ -752,3 +753,24 @@
USE_PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_WRITE_C */
+void x509_set_extension_length_check()
+{
+ int ret = 0;
+
+ mbedtls_x509write_csr ctx;
+ mbedtls_x509write_csr_init(&ctx);
+
+ unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 };
+ unsigned char *p = buf + sizeof(buf);
+
+ ret = mbedtls_x509_set_extension(&(ctx.MBEDTLS_PRIVATE(extensions)),
+ MBEDTLS_OID_EXTENDED_KEY_USAGE,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE),
+ 0,
+ p,
+ SIZE_MAX);
+ TEST_ASSERT(MBEDTLS_ERR_X509_BAD_INPUT_DATA == ret);
+}
+/* END_CASE */