Merge pull request #5953 from tuvshinzayaArm/update-document-PSA_ALG_RSA_PSS
Update documentation of PSA_ALG_RSA_PSS
diff --git a/BRANCHES.md b/BRANCHES.md
index bc8e750..6240023 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -12,11 +12,6 @@
- One or more long-time support (LTS) branches: these only get bug fixes and
security fixes. Currently, the only supported LTS branch is:
[`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28).
-- For a short time we also have the previous LTS, which has recently ended its
- support period,
- [`mbedtls-2.16`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.16).
- This branch will move into the `archive` namespace around the time of
- the next release.
We retain a number of historical branches, whose names are prefixed by `archive/`,
such as [`archive/mbedtls-2.7`](https://github.com/Mbed-TLS/mbedtls/tree/archive/mbedtls-2.7).
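Review bot: with the mbedtls-2.16 bullet removed, this page no longer mentions that branch at all; the deleted text said it would move under `archive/` around this release, so once that has happened consider listing `archive/mbedtls-2.16` alongside the `archive/mbedtls-2.7` example on the next line so readers looking for 2.16 can still find it. Separately, this hunk and the ChangeLog and CMake hunks below are release housekeeping, while the merge title only mentions PSA_ALG_RSA_PSS documentation; they appear to have come in with the branch merge rather than from the PR itself, which is worth stating in the merge description so the history is not misleading.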
@@ -28,7 +23,7 @@
compatibility on major version changes (e.g. from 3.x to 4.0). We also maintain
ABI compatibility within LTS branches; see the next section for details.
-## Backwards Compatibility
+## Backwards Compatibility for application code
We maintain API compatibility in released versions of Mbed TLS. If you have
code that's working and secure with Mbed TLS x.y.z and does not rely on
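Review bot: the heading rename leaves the cross-reference two lines above it stale: "We also maintain ABI compatibility within LTS branches; see the next section for details" now points at "Backwards Compatibility for application code", while the ABI details live under "Long-time support branches", which this patch pushes a further section down by inserting the key-store section between them. Replace "the next section" with the section's name. Also settle on one spelling and capitalisation for the sibling headings: this hunk introduces "Backwards Compatibility for application code" and the hunk below "Backward compatibility for the key store".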
@@ -36,6 +31,14 @@
modification with any later release x.y'.z' with the same major version
number, and your code will still build, be secure, and work.
+Note that this guarantee only applies if you either use the default
+compile-time configuration (`mbedtls/mbedtls_config.h`) or the same modified
+compile-time configuration. Changing compile-time configuration options can
+result in an incompatible API or ABI, although features will generally not
+affect unrelated features (for example, enabling or disabling a
+cryptographic algorithm does not break code that does not use that
+algorithm).
+
Note that new releases of Mbed TLS may extend the API. Here are some
examples of changes that are common in minor releases of Mbed TLS, and are
not considered API compatibility breaks:
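Review bot: the last sentence of the new paragraph has the wrong subject: "although features will generally not affect unrelated features" should read "although changing an option will generally not affect unrelated features", since it is the configuration change, not a feature, that is being discussed. The opening sentence could also be tightened: "either use the default compile-time configuration (...) or the same modified compile-time configuration" says the same thing twice; "only applies if you build with the same compile-time configuration (by default `mbedtls/mbedtls_config.h`)" covers both cases.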
@@ -57,6 +60,25 @@
comes in conflict with backwards compatibility, we will put security first,
but always attempt to provide a compatibility option.
+## Backward compatibility for the key store
+
+We maintain backward compatibility with previous versions of the
+PSA Crypto persistent storage since Mbed TLS 2.25.0, provided that the
+storage backend (PSA ITS implementation) is configured in a compatible way.
+We intend to maintain this backward compatibility throughout a major version
+of Mbed TLS (for example, all Mbed TLS 3.y versions will be able to read
+keys written under any Mbed TLS 3.x with x <= y).
+
+Mbed TLS 3.x can also read keys written by Mbed TLS 2.25.0 through 2.28.x
+LTS, but future major version upgrades (for example from 2.28.x/3.x to 4.y)
+may require the use of an upgrade tool.
+
+Note that this guarantee does not currently fully extend to drivers, which
+are an experimental feature. We intend to maintain compatibility with the
+basic use of drivers from Mbed TLS 2.28.0 onwards, even if driver APIs
+change. However, for more experimental parts of the driver interface, such
+as the use of driver state, we do not yet guarantee backward compatibility.
+
## Long-time support branches
For the LTS branches, additionally we try very hard to also maintain ABI
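Review bot: the first paragraph states the key-store guarantee only in the upgrade direction (3.y reads keys written by 3.x with x <= y); say explicitly that the reverse, reading keys written by a newer minor version with an older one, is not covered, otherwise readers may take the storage format to be frozen within a major version. In the second paragraph, "may require the use of an upgrade tool" would be more useful with the failure mode spelled out (whether keys written by 2.28.x/3.x become unreadable under 4.y, or are rejected at open time). The driver paragraph promises compatibility "even if driver APIs change" but then carves out "driver state" without saying where the boundary is documented; since this patch already points readers at docs/proposed/ for the driver wrappers, a reference here to the driver interface documentation would let integrators check which subset they depend on.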
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b97368f..a0d0aa7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -348,7 +348,7 @@
write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion
- VERSION 3.1.0)
+ VERSION 3.2.1)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
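Review bot: the bump to 3.2.1 is the only version change in this diff, but the version number is also carried in the library's build-info header and in the shared-library SOVERSION set elsewhere in the CMake files, neither of which appears here; confirm they were updated in the same release commit, since a mismatch between the package version file and the installed SONAME is what breaks downstream `find_package(MbedTLS)` consumers after a point release. The ChangeLog hunk below shows 3.2.0 and 3.2.1 released a day apart for a missing generated file, so this is also a good place to double-check that the regenerated file is actually in the install set.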
diff --git a/ChangeLog b/ChangeLog
index 71ba44d..6dfb23f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,279 @@
-mbed TLS ChangeLog (Sorted per branch, date)
+Mbed TLS ChangeLog (Sorted per branch, date)
+
+= Mbed TLS 3.2.1 branch released 2022-07-12
+
+Bugfix
+ * Re-add missing generated file library/ssl_debug_helpers_generated.c
+
+= Mbed TLS 3.2.0 branch released 2022-07-11
+
+Default behavior changes
+ * mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
+ for IV lengths other than 12. The library was silently overwriting this
+ length with 12, but did not inform the caller about it. Fixes #4301.
+
+Requirement changes
+ * The library will no longer compile out of the box on a platform without
+ setbuf(). If your platform does not have setbuf(), you can configure an
+ alternative function by enabling MBEDTLS_PLATFORM_SETBUF_ALT or
+ MBEDTLS_PLATFORM_SETBUF_MACRO.
+
+New deprecations
+ * Deprecate mbedtls_ssl_conf_max_version() and
+ mbedtls_ssl_conf_min_version() in favor of
+ mbedtls_ssl_conf_max_tls_version() and
+ mbedtls_ssl_conf_min_tls_version().
+ * Deprecate mbedtls_cipher_setup_psa(). Use psa_aead_xxx() or
+ psa_cipher_xxx() directly instead.
+ * Secure element drivers enabled by MBEDTLS_PSA_CRYPTO_SE_C are deprecated.
+ This was intended as an experimental feature, but had not been explicitly
+ documented as such. Use opaque drivers with the interface enabled by
+ MBEDTLS_PSA_CRYPTO_DRIVERS instead.
+ * Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
+ mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
+ TLS 1.3 handshake should now be configured with
+ mbedtls_ssl_conf_sig_algs().
+
+Features
+ * Add accessor to obtain ciphersuite id from ssl context.
+ * Add accessors to get members from ciphersuite info.
+ * Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
+ * Add accessor to get the raw buffer pointer from a PEM context.
+ * The structures mbedtls_ssl_config and mbedtls_ssl_context now store
+ a piece of user data which is reserved for the application. The user
+ data can be either a pointer or an integer.
+ * Add an accessor function to get the configuration associated with
+ an SSL context.
+ * Add a function to access the protocol version from an SSL context in a
+ form that's easy to compare. Fixes #5407.
+ * Add function mbedtls_md_info_from_ctx() to recall the message digest
+ information that was used to set up a message digest context.
+ * Add ALPN support in TLS 1.3 clients.
+ * Add server certificate selection callback near end of Client Hello.
+ Register callback with mbedtls_ssl_conf_cert_cb().
+ * Provide mechanism to reset handshake cert list by calling
+ mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
+ * Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
+ cert callback (mbedtls_ssl_conf_cert_cb()) during handshake.
+ * The X.509 module now uses PSA hash acceleration if present.
+ * Add support for psa crypto key derivation for elliptic curve
+ keys. Fixes #3260.
+ * Add function mbedtls_timing_get_final_delay() to access the private
+ final delay field in an mbedtls_timing_delay_context, as requested in
+ #5183.
+ * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
+ PSA Crypto is enabled.
+ * Add function mbedtls_ecp_export() to export ECP key pair parameters.
+ Fixes #4838.
+ * Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
+ Handshake has completed or not, and thus whether to continue calling
+ mbedtls_ssl_handshake_step(), requested in #4383.
+ * Add the function mbedtls_ssl_get_own_cid() to access our own connection id
+ within mbedtls_ssl_context, as requested in #5184.
+ * Introduce mbedtls_ssl_hs_cb_t typedef for use with
+ mbedtls_ssl_conf_cert_cb() and perhaps future callbacks
+ during TLS handshake.
+ * Add functions mbedtls_ssl_conf_max_tls_version() and
+ mbedtls_ssl_conf_min_tls_version() that use a single value to specify
+ the protocol version.
+ * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
+ mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
+ holding the other secret.
+ * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
+ feature requirements in the file named by the new macro
+ MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
+ Furthermore you may name an additional file to include after the main
+ file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
+ * Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
+ field within mbedtls_x509_crt context, as requested in #5585.
+ * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
+ * Add support for the ARMv8 SHA-2 acceleration instructions when building
+ for Aarch64.
+ * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
+ * Add support for server HelloRetryRequest message. The TLS 1.3 client is
+ now capable of negotiating another shared secret if the one sent in its
+ first ClientHello was not suitable to the server.
+ * Add support for client-side TLS version negotiation. If both TLS 1.2 and
+ TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
+ negotiates TLS 1.3 or TLS 1.2 with TLS servers.
+ * Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS
+ 1.2 protocol support.
+ * Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key
+ establishment only). See docs/architecture/tls13-support.md for a
+ description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and
+ MBEDTLS_SSL_SRV_C configuration options control this.
+ * Add accessors to configure DN hints for certificate request:
+ mbedtls_ssl_conf_dn_hints() and mbedtls_ssl_set_hs_dn_hints()
+ * The configuration option MBEDTLS_USE_PSA_CRYPTO, which previously
+ affected only a limited subset of crypto operations in TLS, X.509 and PK,
+ now causes most of them to be done using PSA Crypto; see
+ docs/use-psa-crypto.md for the list of exceptions.
+ * The function mbedtls_pk_setup_opaque() now supports RSA key pairs as well.
+ Opaque keys can now be used everywhere a private key is expected in the
+ TLS and X.509 modules.
+ * Opaque pre-shared keys for TLS, provisioned with
+ mbedtls_ssl_conf_psk_opaque() or mbedtls_ssl_set_hs_psk_opaque(), which
+ previously only worked for "pure" PSK key exchange, now can also be used
+ for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
+ * cmake now detects if it is being built as a sub-project, and in that case
+ disables the target export/installation and package configuration.
+ * Make USE_PSA_CRYPTO compatible with KEY_ID_ENCODES_OWNER. Fixes #5259.
+ * Add example programs cipher_aead_demo.c, md_hmac_demo.c, aead_demo.c
+ and hmac_demo.c, which use PSA and the md/cipher interfaces side
+ by side in order to illustrate how the operation is performed in PSA.
+ Addresses #5208.
+
+Security
+ * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
+ module before freeing them. These buffers contain secret key material, and
+ could thus potentially leak the key through freed heap.
+ * Fix potential memory leak inside mbedtls_ssl_cache_set() with
+ an invalid session id length.
+ * Add the platform function mbedtls_setbuf() to allow buffering to be
+ disabled on stdio files, to stop secrets loaded from said files being
+ potentially left in memory after file operations. Reported by
+ Glenn Strauss.
+ * Fix a potential heap buffer overread in TLS 1.2 server-side when
+ MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
+ mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
+ is selected. This may result in an application crash or potentially an
+ information leak.
+ * Fix a buffer overread in DTLS ClientHello parsing in servers with
+ MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
+ or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
+ after the end of the SSL input buffer. The buffer overread only happens
+ when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
+ the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
+ and possibly up to 571 bytes with a custom cookie check function.
+ Reported by the Cybeats PSI Team.
+ * Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
+ client or server could cause an MbedTLS server or client to overread up
+ to 64 kBytes of data and potentially overread the input buffer by that
+ amount minus the size of the input buffer. As overread data undergoes
+ various checks, the likelihood of reaching the boundary of the input
+ buffer is rather small but increases as its size
+ MBEDTLS_SSL_IN_CONTENT_LEN decreases.
+ * Fix check of certificate key usage in TLS 1.3. The usage of the public key
+ provided by a client or server certificate for authentication was not
+ checked properly when validating the certificate. This could cause a
+ client or server to be able to authenticate itself through a certificate
+ to an Mbed TLS TLS 1.3 server or client while it does not own a proper
+ certificate to do so.
+
+Bugfix
+ * Declare or use PSA_WANT_ALG_CCM_STAR_NO_TAG following the general
+ pattern for PSA_WANT_xxx symbols. Previously you had to specify
+ PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG.
+ * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
+ * Fixed swap of client and server random bytes when exporting them alongside
+ TLS 1.3 handshake and application traffic secret.
+ * Fix several bugs (warnings, compiler and linker errors, test failures)
+ in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
+ enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
+ client would fail to check that the curve selected by the server for
+ ECDHE was indeed one that was offered. As a result, the client would
+ accept any curve that it supported, even if that curve was not allowed
+ according to its configuration. Fixes #5291.
+ * The TLS 1.3 implementation is now compatible with the
+ MBEDTLS_USE_PSA_CRYPTO configuration option.
+ * Fix unit tests that used 0 as the file UID. This failed on some
+ implementations of PSA ITS. Fixes #3838.
+ * Fix mbedtls_ssl_get_version() not reporting TLSv1.3. Fixes #5406.
+ * Fix API violation in mbedtls_md_process() test by adding a call to
+ mbedtls_md_starts(). Fixes #2227.
+ * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
+ to catch bad uses of time.h.
+ * Fix a race condition in out-of-source builds with CMake when generated data
+ files are already present. Fixes #5374.
+ * Fix the library search path when building a shared library with CMake
+ on Windows.
+ * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
+ potentially leading to corrupted alert messages being sent in case
+ the function needs to be re-called after initially returning
+ MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
+ * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but not
+ MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null
+ pointer dereference. Fix this. Fixes #3998.
+ The fix was released, but not announced, in Mbed TLS 3.1.0.
+ * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
+ documentation stated that the `allowed_pks` field applies to signatures
+ only, but in fact it does apply to the public key type of the end entity
+ certificate, too. Fixes #1992.
+ * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
+ not NULL and val_len is zero.
+ * Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211.
+ * Fix compilation error when using C++ Builder on Windows. Reported by
+ Miroslav Mastny in #4015.
+ * psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
+ applicable. Fixes #5735.
+ * Fix a bug in the x25519 example program where the removal of
+ MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
+ #3191.
+ * Fix a TLS 1.3 handshake failure when the peer Finished message has not
+ been received yet when we first try to fetch it.
+ * Encode X.509 dates before 1/1/2000 as UTCTime rather than
+ GeneralizedTime. Fixes #5465.
+ * Add mbedtls_x509_dn_get_next function to return the next relative DN in
+ an X509 name, to allow walking the name list. Fixes #5431.
+ * Fix order value of curve x448.
+ * Fix string representation of DNs when outputting values containing commas
+ and other special characters, conforming to RFC 1779. Fixes #769.
+ * Silence a warning from GCC 12 in the selftest program. Fixes #5974.
+ * Fix check_config.h to check that we have MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other
+ dependencies explicit in the documentation. Fixes #5610.
+ * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
+ * Fix a TLS 1.3 handshake failure when the first attempt to send the client
+ Finished message on the network cannot be satisfied. Fixes #5499.
+ * Fix resource leaks in mbedtls_pk_parse_public_key() in low
+ memory conditions.
+ * Fix server connection identifier setting for outgoing encrypted records
+ on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
+ connection identifier, the Mbed TLS client now properly sends the server
+ connection identifier in encrypted record headers. Fix #5872.
+ * Fix a null pointer dereference when performing some operations on zero
+ represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
+ by 2, and mbedtls_mpi_write_string() in base 2).
+ * Fix record sizes larger than 16384 being sometimes accepted despite being
+ non-compliant. This could not lead to a buffer overflow. In particular,
+ application data size was already checked correctly.
+ * Fix MBEDTLS_SVC_KEY_ID_GET_KEY_ID() and MBEDTLS_SVC_KEY_ID_GET_OWNER_ID()
+ which have been broken, resulting in compilation errors, since Mbed TLS
+ 3.0.
+ * Ensure that TLS 1.2 ciphersuite/certificate and key selection takes into
+ account not just the type of the key (RSA vs EC) but also what it can
+ actually do. Resolves #5831.
+ * Fix CMake windows host detection, especially when cross compiling.
+ * Fix an error in make where the absence of a generated file caused
+ make to break on a clean checkout. Fixes #5340.
+ * Work around an MSVC ARM64 compiler bug causing incorrect behaviour
+ in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467.
+ * Removed the prompt to exit from all windows build programs that was causing
+ issues in CI/CD environments.
+
+Changes
+ * The file library/psa_crypto_driver_wrappers.c is now generated
+ from a template. In the future, the generation will support
+ driver descriptions. For the time being, to customize this file,
+ see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
+ * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
+ AEAD functions is not an AEAD algorithm. This aligns them with the
+ multipart functions, and the PSA Crypto API 1.1 specification.
+ * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
+ temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
+ * Assume source files are in UTF-8 when using MSVC with CMake.
+ * Fix runtime library install location when building with CMake and MinGW.
+ DLLs are now installed in the bin directory instead of lib.
+ * cmake: Use GnuInstallDirs to customize install directories
+ Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
+ variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
+ LIB_INSTALL_DIR is set.
+ * Add a CMake option that enables static linking of the runtime library
+ in Microsoft Visual C++ compiler. Contributed by Microplankton.
+ * In CMake builds, add aliases for libraries so that the normal MbedTLS::*
+ targets work when MbedTLS is built as a subdirectory. This allows the
+ use of FetchContent, as requested in #5688.
= mbed TLS 3.1.0 branch released 2021-12-17
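Review bot: several Features entries in this hunk omit the name of the function they add while neighbouring entries name theirs, which makes the ChangeLog hard to grep from a compiler error or deprecation warning: "Add accessor to obtain ciphersuite id from ssl context", "Add accessors to get members from ciphersuite info", "Add accessor to get the raw buffer pointer from a PEM context", "Add an accessor function to get the configuration associated with an SSL context" and "Add a function to access the protocol version from an SSL context" should each name the new API the way the mbedtls_ssl_get_own_cid() and mbedtls_md_info_from_ctx() entries do. In the Security section none of the six entries states which earlier releases are affected or whether an identifier was assigned; the DTLS ClientHello and TLS 1.3 Certificate overread entries already give exact byte counts and configuration thresholds, so an "affected versions" line per entry would be cheap and is what downstream packagers look for first. Minor: "Fix order value of curve x448" does not say what was wrong or where the value is exposed, and "Fixed swap of client and server random bytes" should use the imperative "Fix" like its neighbours.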
diff --git a/ChangeLog.d/Driver_wrapper_codegen_1.0.txt b/ChangeLog.d/Driver_wrapper_codegen_1.0.txt
deleted file mode 100644
index a4d9c54..0000000
--- a/ChangeLog.d/Driver_wrapper_codegen_1.0.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * The file library/psa_crypto_driver_wrappers.c is now generated
- from a template. In the future, the generation will support
- driver descriptions. For the time being, to customize this file,
- see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
diff --git a/ChangeLog.d/MD-X.509-hashing.txt b/ChangeLog.d/MD-X.509-hashing.txt
deleted file mode 100644
index 2ca989c..0000000
--- a/ChangeLog.d/MD-X.509-hashing.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * The X.509 module now uses PSA hash acceleration if present.
diff --git a/ChangeLog.d/PSA-test-suites-NOT-using-UID-0.txt b/ChangeLog.d/PSA-test-suites-NOT-using-UID-0.txt
deleted file mode 100644
index 9acbb0a..0000000
--- a/ChangeLog.d/PSA-test-suites-NOT-using-UID-0.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix unit tests that used 0 as the file UID. This failed on some
- implementations of PSA ITS. Fixes #3838.
diff --git a/ChangeLog.d/add-mbedtls_md_starts-to-mbedtls_md_process-test.txt b/ChangeLog.d/add-mbedtls_md_starts-to-mbedtls_md_process-test.txt
deleted file mode 100644
index 57c7561..0000000
--- a/ChangeLog.d/add-mbedtls_md_starts-to-mbedtls_md_process-test.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix API violation in mbedtls_md_process() test by adding a call to
- mbedtls_md_starts(). Fixes #2227.
diff --git a/ChangeLog.d/add_final_delay_accessor b/ChangeLog.d/add_final_delay_accessor
deleted file mode 100644
index 8d341df..0000000
--- a/ChangeLog.d/add_final_delay_accessor
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Add the function mbedtls_timing_get_final_delay() to access the private
- final delay field in an mbedtls_timing_delay_context, as requested in
- #5183
diff --git a/ChangeLog.d/add_handshake_completion_accessor b/ChangeLog.d/add_handshake_completion_accessor
deleted file mode 100644
index e2b28cf..0000000
--- a/ChangeLog.d/add_handshake_completion_accessor
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
- Handshake has completed or not, and thus whether to continue calling
- mbedtls_ssl_handshake_step(), requested in #4383
diff --git a/ChangeLog.d/add_own_cid_accessors b/ChangeLog.d/add_own_cid_accessors
deleted file mode 100644
index fb02868..0000000
--- a/ChangeLog.d/add_own_cid_accessors
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Add the function mbedtls_ssl_get_own_cid() to access our own connection id
- within mbedtls_ssl_context, as requested in #5184
-
diff --git a/ChangeLog.d/alert_reentrant.txt b/ChangeLog.d/alert_reentrant.txt
deleted file mode 100644
index 691d64c..0000000
--- a/ChangeLog.d/alert_reentrant.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
- potentially leading to corrupted alert messages being sent in case
- the function needs to be re-called after initially returning
- MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
diff --git a/ChangeLog.d/ccm_star_no_tag.txt b/ChangeLog.d/ccm_star_no_tag.txt
deleted file mode 100644
index 21e829c..0000000
--- a/ChangeLog.d/ccm_star_no_tag.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Declare or use PSA_WANT_ALG_CCM_STAR_NO_TAG following the general
- pattern for PSA_WANT_xxx symbols. Previously you had to specify
- PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG.
diff --git a/ChangeLog.d/chacha20_invalid_iv_len_fix.txt b/ChangeLog.d/chacha20_invalid_iv_len_fix.txt
deleted file mode 100644
index af35e2a..0000000
--- a/ChangeLog.d/chacha20_invalid_iv_len_fix.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Default behavior changes
- * mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
- for IV lengths other than 12. The library was silently overwriting this
- length with 12, but did not inform the caller about it. Fixes #4301.
diff --git a/ChangeLog.d/cmake_add_subdirectory_support.txt b/ChangeLog.d/cmake_add_subdirectory_support.txt
deleted file mode 100644
index afcc4b6..0000000
--- a/ChangeLog.d/cmake_add_subdirectory_support.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Add aliases for libraries so that the normal MbedTLS::* targets
- work when MbedTLS is built as a subdirectory. Allows use of
- CMake's FetchContent, as requested in #5688.
diff --git a/ChangeLog.d/cmake_fix_dll_install.txt b/ChangeLog.d/cmake_fix_dll_install.txt
deleted file mode 100644
index df51c65..0000000
--- a/ChangeLog.d/cmake_fix_dll_install.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * cmake: Fix runtime library install location in mingw
- This install DLLs in bin directory instead of lib.
diff --git a/ChangeLog.d/cmake_msvc_utf8.txt b/ChangeLog.d/cmake_msvc_utf8.txt
deleted file mode 100644
index 552eec7..0000000
--- a/ChangeLog.d/cmake_msvc_utf8.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Changes
- * Assume source files are in UTF-8 when using MSVC with CMake.
diff --git a/ChangeLog.d/cmake_use_GnuInstallDirs.txt b/ChangeLog.d/cmake_use_GnuInstallDirs.txt
deleted file mode 100644
index d848755..0000000
--- a/ChangeLog.d/cmake_use_GnuInstallDirs.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * cmake: Use GnuInstallDirs to customize install directories
- Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
- variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
- LIB_INSTALL_DIR is set.
diff --git a/ChangeLog.d/deprecate_mbedtls_cipher_setup_psa.txt b/ChangeLog.d/deprecate_mbedtls_cipher_setup_psa.txt
deleted file mode 100644
index 782b751..0000000
--- a/ChangeLog.d/deprecate_mbedtls_cipher_setup_psa.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-New deprecations
- * Deprecate mbedtls_cipher_setup_psa() function.
- Use psa_aead_xxx() / psa_cipher_xxx() directly instead.
diff --git a/ChangeLog.d/doc-x509-profile-pk.txt b/ChangeLog.d/doc-x509-profile-pk.txt
deleted file mode 100644
index 35625fe..0000000
--- a/ChangeLog.d/doc-x509-profile-pk.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
- documentation stated that the `allowed_pks` field applies to signatures
- only, but in fact it does apply to the public key type of the end entity
- certificate, too. Fixes #1992.
diff --git a/ChangeLog.d/dtls-cid-null.txt b/ChangeLog.d/dtls-cid-null.txt
deleted file mode 100644
index b020616..0000000
--- a/ChangeLog.d/dtls-cid-null.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but not
- MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null
- pointer dereference. Fix this. Fixes #3998.
- The fix was released, but not announced, in Mbed TLS 3.1.0.
diff --git a/ChangeLog.d/fix-parllel-cmake-build-fail.txt b/ChangeLog.d/fix-parllel-cmake-build-fail.txt
deleted file mode 100644
index 4746c7b..0000000
--- a/ChangeLog.d/fix-parllel-cmake-build-fail.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a race condition in out-of-source builds with CMake when generated data
- files are already present. Fixes #5374
diff --git a/ChangeLog.d/fix-time-format-pre-2000.txt b/ChangeLog.d/fix-time-format-pre-2000.txt
deleted file mode 100644
index 414201e..0000000
--- a/ChangeLog.d/fix-time-format-pre-2000.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Encode X.509 dates before 1/1/2000 as UTCTime rather than
- GeneralizedTime. Fixes #5465.
diff --git a/ChangeLog.d/fix-undefined-memcpy-mbedtls_asn1_named_data.txt b/ChangeLog.d/fix-undefined-memcpy-mbedtls_asn1_named_data.txt
deleted file mode 100644
index b30f7fa..0000000
--- a/ChangeLog.d/fix-undefined-memcpy-mbedtls_asn1_named_data.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
- not NULL and val_len is zero.
diff --git a/ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt b/ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt
deleted file mode 100644
index 6878645..0000000
--- a/ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix compilation on Windows when building shared library, by setting
- library search path to CMAKE_CURRENT_BINARY_DIR.
diff --git a/ChangeLog.d/fix-x25519-program.txt b/ChangeLog.d/fix-x25519-program.txt
deleted file mode 100644
index af60465..0000000
--- a/ChangeLog.d/fix-x25519-program.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix a bug in x25519 example program where the removal of
- MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
- #3191.
diff --git a/ChangeLog.d/mbedtls_ecp_export.txt b/ChangeLog.d/mbedtls_ecp_export.txt
deleted file mode 100644
index 4b5d7d4..0000000
--- a/ChangeLog.d/mbedtls_ecp_export.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add mbedtls_ecp_export() function to export ECP
- keypair parameters. Fixes #4838.
diff --git a/ChangeLog.d/mbedtls_pem_get_der.txt b/ChangeLog.d/mbedtls_pem_get_der.txt
deleted file mode 100644
index b03b058..0000000
--- a/ChangeLog.d/mbedtls_pem_get_der.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add accessor to get the raw buffer pointer from a PEM context.
diff --git a/ChangeLog.d/mbedtls_pk_sign_ext.txt b/ChangeLog.d/mbedtls_pk_sign_ext.txt
deleted file mode 100644
index 8dfa2e5..0000000
--- a/ChangeLog.d/mbedtls_pk_sign_ext.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
- PSA Crypto is enabled.
diff --git a/ChangeLog.d/mbedtls_sha256_a64_crypto_acceleration.txt b/ChangeLog.d/mbedtls_sha256_a64_crypto_acceleration.txt
deleted file mode 100644
index 865b337..0000000
--- a/ChangeLog.d/mbedtls_sha256_a64_crypto_acceleration.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * A64 SHA-2 crypto extension support for SHA-256
diff --git a/ChangeLog.d/mbedtls_sha512_a64_crypto_acceleration.txt b/ChangeLog.d/mbedtls_sha512_a64_crypto_acceleration.txt
deleted file mode 100644
index 01be0b3..0000000
--- a/ChangeLog.d/mbedtls_sha512_a64_crypto_acceleration.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * A64 crypto extension support for SHA-512
diff --git a/ChangeLog.d/mbedtls_ssl_cert_cb.txt b/ChangeLog.d/mbedtls_ssl_cert_cb.txt
deleted file mode 100644
index fcdc23c..0000000
--- a/ChangeLog.d/mbedtls_ssl_cert_cb.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
- * Add server certificate selection callback near end of Client Hello.
- Register callback with mbedtls_ssl_conf_cert_cb().
- * Provide mechanism to reset handshake cert list by calling
- mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
- * Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
- cert callback (mbedtls_ssl_conf_cert_cb()) during handshake.
diff --git a/ChangeLog.d/mbedtls_ssl_comfig_defaults-memleak.txt b/ChangeLog.d/mbedtls_ssl_comfig_defaults-memleak.txt
deleted file mode 100644
index d55c016..0000000
--- a/ChangeLog.d/mbedtls_ssl_comfig_defaults-memleak.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix memory leak if mbedtls_ssl_config_defaults() call is repeated
diff --git a/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt b/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt
deleted file mode 100644
index c4235b7..0000000
--- a/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add accessor to obtain ciphersuite id from ssl context.
- * Add accessors to get members from ciphersuite info.
diff --git a/ChangeLog.d/mbedtls_ssl_hs_cb_t.txt b/ChangeLog.d/mbedtls_ssl_hs_cb_t.txt
deleted file mode 100644
index 28c3371..0000000
--- a/ChangeLog.d/mbedtls_ssl_hs_cb_t.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Introduce mbedtls_ssl_hs_cb_t typedef for use with
- mbedtls_ssl_conf_cert_cb() and perhaps future callbacks
- during TLS handshake.
diff --git a/ChangeLog.d/mbedtls_ssl_ticket_rotate.txt b/ChangeLog.d/mbedtls_ssl_ticket_rotate.txt
deleted file mode 100644
index b843bfd..0000000
--- a/ChangeLog.d/mbedtls_ssl_ticket_rotate.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
diff --git a/ChangeLog.d/mbedtls_ssl_tls13_client.txt b/ChangeLog.d/mbedtls_ssl_tls13_client.txt
deleted file mode 100644
index 855945b..0000000
--- a/ChangeLog.d/mbedtls_ssl_tls13_client.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Add ALPN support in tls13 client. Client is able to write ALPN extension
- in client hello, and able to parse the response from server encrypted
- extension.
diff --git a/ChangeLog.d/mbedtls_tlsver_enum.txt b/ChangeLog.d/mbedtls_tlsver_enum.txt
deleted file mode 100644
index 16435c6..0000000
--- a/ChangeLog.d/mbedtls_tlsver_enum.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Unify internal/external TLS protocol version enums
- * Deprecate mbedtls_ssl_conf_max_version()
- Replaced with mbedtls_ssl_conf_max_tls_version()
- * Deprecate mbedtls_ssl_conf_min_version()
- Replaced with mbedtls_ssl_conf_min_tls_version()
diff --git a/ChangeLog.d/md_info_from_ctx.txt b/ChangeLog.d/md_info_from_ctx.txt
deleted file mode 100644
index f8ec1a0..0000000
--- a/ChangeLog.d/md_info_from_ctx.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add a function to extract message digest information from a message
- digest context.
diff --git a/ChangeLog.d/mingw.txt b/ChangeLog.d/mingw.txt
deleted file mode 100644
index ac4e741..0000000
--- a/ChangeLog.d/mingw.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211.
- * Fix compilation error when using C++ Builder on Windows. Reported by
- Miroslav Mastny in #4015.
diff --git a/ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt b/ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt
deleted file mode 100644
index 9d7a32e..0000000
--- a/ChangeLog.d/pkparse-pkcs8-unencrypted-no-alloc.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
- temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
diff --git a/ChangeLog.d/psa_aead_singleshot_error.txt b/ChangeLog.d/psa_aead_singleshot_error.txt
deleted file mode 100644
index 7243874..0000000
--- a/ChangeLog.d/psa_aead_singleshot_error.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to singleshot
- AEAD functions is not an AEAD algorithm. This aligns them with the
- multipart functions, and the PSA Crypto API 1.1 spec.
diff --git a/ChangeLog.d/psa_crypto_config_file.txt b/ChangeLog.d/psa_crypto_config_file.txt
deleted file mode 100644
index d42651d..0000000
--- a/ChangeLog.d/psa_crypto_config_file.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
- feature requirements in the file named by the new macro
- MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
- Furthermore you may name an additional file to include after the main
- file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
diff --git a/ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt b/ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt
deleted file mode 100644
index 393fa8d..0000000
--- a/ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add support for psa crypto key derivation for elliptic curve
- keys. Fixes #3260.
diff --git a/ChangeLog.d/psa_crypto_reduced_configs.txt b/ChangeLog.d/psa_crypto_reduced_configs.txt
deleted file mode 100644
index 5bc9bc1..0000000
--- a/ChangeLog.d/psa_crypto_reduced_configs.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * Automatically enable MBEDTLS_PK_WRITE_C if MBEDTLS_PK_C and
- MBEDTLS_USE_PSA_CRYPTO are enabled. This is due to ecdsa_verify_wrap
- requirements, but will also probably be needed by RSA soon, hence the
- broader PK_C requirement.
diff --git a/ChangeLog.d/psa_crypto_reduced_configs_bugs.txt b/ChangeLog.d/psa_crypto_reduced_configs_bugs.txt
deleted file mode 100644
index 0d61cb7..0000000
--- a/ChangeLog.d/psa_crypto_reduced_configs_bugs.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix several bugs (warnings, compiler and linker errors, test failures)
- in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
diff --git a/ChangeLog.d/psa_raw_key_agreement-buffer_too_small.txt b/ChangeLog.d/psa_raw_key_agreement-buffer_too_small.txt
deleted file mode 100644
index 415c849..0000000
--- a/ChangeLog.d/psa_raw_key_agreement-buffer_too_small.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
- applicable. Fixes #5735.
diff --git a/ChangeLog.d/psk_to_ms_mixed_psk.txt b/ChangeLog.d/psk_to_ms_mixed_psk.txt
deleted file mode 100644
index b189661..0000000
--- a/ChangeLog.d/psk_to_ms_mixed_psk.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
- mixed-psk. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
- holding the other secret.
diff --git a/ChangeLog.d/raw-agreement-destroy-missing.txt b/ChangeLog.d/raw-agreement-destroy-missing.txt
deleted file mode 100644
index 7342b8c..0000000
--- a/ChangeLog.d/raw-agreement-destroy-missing.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Add missing key slot destruction calls when a raw key agreement or
- a public key export fails in ssl_write_client_key_exchange.
diff --git a/ChangeLog.d/ssl_context-user_data.txt b/ChangeLog.d/ssl_context-user_data.txt
deleted file mode 100644
index 630d8f0..0000000
--- a/ChangeLog.d/ssl_context-user_data.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * The structures mbedtls_ssl_config and mbedtls_ssl_context now store
- a piece of user data which is reserved for the application. The user
- data can be either a pointer or an integer.
- * Add an accessor function to get the configuration associated with
- an SSL context.
diff --git a/ChangeLog.d/ssl_context-version_number.txt b/ChangeLog.d/ssl_context-version_number.txt
deleted file mode 100644
index b5951d0..0000000
--- a/ChangeLog.d/ssl_context-version_number.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add a function to access the protocol version from an SSL context in a
- form that's easy to compare. Fixes #5407.
diff --git a/ChangeLog.d/ssl_get_version_1_3.txt b/ChangeLog.d/ssl_get_version_1_3.txt
deleted file mode 100644
index 4436522..0000000
--- a/ChangeLog.d/ssl_get_version_1_3.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix mbedtls_ssl_get_version() not reporting TLSv1.3. Fixes #5406.
diff --git a/ChangeLog.d/static_link_common_runtime_msvc.txt b/ChangeLog.d/static_link_common_runtime_msvc.txt
deleted file mode 100644
index 6104943..0000000
--- a/ChangeLog.d/static_link_common_runtime_msvc.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Add a CMake option that enables static linking of the runtime library
- in Microsoft Visual C++ compiler. Contributed by Microplankton.
diff --git a/ChangeLog.d/timeless.txt b/ChangeLog.d/timeless.txt
deleted file mode 100644
index 84f07d6..0000000
--- a/ChangeLog.d/timeless.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
- to catch bad uses of time.h.
diff --git a/ChangeLog.d/tls13-fix-finished-fetch.txt b/ChangeLog.d/tls13-fix-finished-fetch.txt
deleted file mode 100644
index 28c30f9..0000000
--- a/ChangeLog.d/tls13-fix-finished-fetch.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix handshake failure when the peer Finished message has not been received
- yet when we first try to fetch it. The fetching is moved before the
- preprocessing computations to avoid doing them multiple times, which was
- causing the handshake to fail.
diff --git a/ChangeLog.d/tls13_and_use_psa_crypto.txt b/ChangeLog.d/tls13_and_use_psa_crypto.txt
deleted file mode 100644
index 6198804..0000000
--- a/ChangeLog.d/tls13_and_use_psa_crypto.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * The TLS 1.3 implementation is now compatible with the
- MBEDTLS_USE_PSA_CRYPTO configuration option.
diff --git a/ChangeLog.d/tls13_f_export_keys.txt b/ChangeLog.d/tls13_f_export_keys.txt
deleted file mode 100644
index 31debc2..0000000
--- a/ChangeLog.d/tls13_f_export_keys.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fixed swap of client and server random bytes when exporting them alongside
- TLS 1.3 handshake and application traffic secret.
diff --git a/ChangeLog.d/use-psa-ecdhe-curve.txt b/ChangeLog.d/use-psa-ecdhe-curve.txt
deleted file mode 100644
index cc432bd..0000000
--- a/ChangeLog.d/use-psa-ecdhe-curve.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
- * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
- enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
- client would fail to check that the curve selected by the server for
- ECDHE was indeed one that was offered. As a result, the client would
- accept any curve that it supported, even if that curve was not allowed
- according to its configuration.
diff --git a/ChangeLog.d/x509_ext_types_accessor.txt b/ChangeLog.d/x509_ext_types_accessor.txt
deleted file mode 100644
index 13a3152..0000000
--- a/ChangeLog.d/x509_ext_types_accessor.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
- field within mbedtls_x509_crt context, as requested in #5585.
diff --git a/ChangeLog.d/zeroize_key_buffers_before_free.txt b/ChangeLog.d/zeroize_key_buffers_before_free.txt
deleted file mode 100644
index ba5bae1..0000000
--- a/ChangeLog.d/zeroize_key_buffers_before_free.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
- module before freeing them. These buffers contain secret key material, and
- could thus potentially leak the key through freed heap.
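Review bot: the Security-category entry on zeroizing PSA key storage buffers before free is deleted here with no corresponding ChangeLog addition visible in this diff; make sure the consolidated ChangeLog for the release carries it under Security, since this is the entry users look for when assessing whether key material could have leaked through freed heap on earlier versions.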
diff --git a/README.md b/README.md
index 275e2dd..8978faf 100644
--- a/README.md
+++ b/README.md
@@ -286,11 +286,9 @@
### PSA implementation in Mbed TLS
Mbed TLS includes a reference implementation of the PSA Cryptography API.
-This implementation is not yet as mature as the rest of the library. Some parts of the code have not been reviewed as thoroughly, and some parts of the PSA implementation are not yet well optimized for code size.
+However, it does not aim to implement the whole specification; in particular it does not implement all the algorithms.
-The X.509 and TLS code can use PSA cryptography for a limited subset of operations. To enable this support, activate the compilation option `MBEDTLS_USE_PSA_CRYPTO` in `mbedtls_config.h`.
-
-There are currently a few deviations where the library does not yet implement the latest version of the specification. Please refer to the [compliance issues on Github](https://github.com/Mbed-TLS/mbedtls/labels/compliance) for an up-to-date list.
+The X.509 and TLS code can use PSA cryptography for most operations. To enable this support, activate the compilation option `MBEDTLS_USE_PSA_CRYPTO` in `mbedtls_config.h`. Note that TLS 1.3 uses PSA cryptography for most operations regardless of this option. See `docs/use-psa-crypto.md` for details.
### Upcoming features
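Review bot: the new line `+However, it does not aim to implement the whole specification; in particular it does not implement all the algorithms.` drops the pointer to the compliance issue list that the removed paragraph carried, so readers are now told that algorithms are missing but have no way to find out which ones. Keep a link to the relevant documentation or issue label next to the new sentence.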
diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md
index 3653683..b933edf 100644
--- a/docs/3.0-migration-guide.md
+++ b/docs/3.0-migration-guide.md
@@ -2,7 +2,7 @@
This guide details the steps required to migrate from Mbed TLS version 2.x to
Mbed TLS version 3.0 or greater. Unlike normal releases, Mbed TLS 3.0 breaks
-compatibility with previous versions, so users (and alt implementors) might
+compatibility with previous versions, so users (and alt implementers) might
need to change their own code in order to make it work with Mbed TLS 3.0.
Here's the list of breaking changes; each entry should help you answer these
@@ -13,7 +13,28 @@
- Removal of many insecure or obsolete features
- Tidying up of configuration options (including removing some less useful options).
- Changing function signatures, e.g. adding return codes, adding extra parameters, or making some arguments const.
-- Removal of functions previously marked as deprecated.
+- Removal of functions, macros, and types previously marked as deprecated.
+
+Much of the information needed to determine a migration path can be found in the Mbed TLS 2.x documentation.
+
+
+## Accessing the Mbed TLS 2.x documentation
+
+For features previously marked as deprecated, Mbed TLS 2.x documentation may
+explain how to upgrade, and should be referred to when migrating code. Where a
+migration path is not provided in prior documentation, changes made and the
+upgrade steps required will be explained later in this guide.
+
+It's best to use the latest version of Mbed TLS 2.x for this purpose, which is the 2.28 LTS release.
+So to generate the documentation, checkout the `mbedtls-2.28` branch and follow
+the instructions in the [Documentation section of the README](https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-2.28/README.md#documentation).
+Then browse `apidoc/deprecated.html` for guidance on upgrading deprecated code.
+
+For some deprecated functions, 2.x documentation will suggest using a variant
+suffixed with `_ret`. In Mbed TLS 3.x, this change may not be required, as most
+of these variants have been renamed without the suffix. The section
+[Rename mbedtls_*_ret...](#rename-mbedtls__ret-cryptography-functions-whose-deprecated-variants-have-been-removed)
+has further detail on which functions this applies to.
## General changes
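Review bot: grammar in the added section: `+So to generate the documentation, checkout the `mbedtls-2.28` branch` should use the verb form `check out`, and the two consecutive blank lines before `+## Accessing the Mbed TLS 2.x documentation` can be collapsed to one to match the spacing used elsewhere in this guide.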
@@ -157,7 +178,7 @@
`MBEDTLS_DHM_RFC3526_MODP_4096_P `and `MBEDTLS_DHM_RFC3526_MODP_4096_G` were
removed. The primes from RFC 5114 are deprecated because their derivation is not
documented and therefore their usage constitutes a security risk; they are fully
-removed from the library. Please use parameters from RFC3526 (still in the
+removed from the library. Please use parameters from RFC 3526 (still in the
library, only in binary form) or RFC 7919 (also available in the library) or
other trusted sources instead.
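Review bot: while changing `RFC3526` to `RFC 3526`, also fix the context line `` `MBEDTLS_DHM_RFC3526_MODP_4096_P `and `` in this same paragraph, where the space sits inside the closing backtick and breaks the inline code rendering of the macro name.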
@@ -248,22 +269,29 @@
### Deprecated error codes for hardware failures were removed
-- The macros `MBEDTLS_ERR_xxx_FEATURE_UNSUPPORTED` from various crypto modules
+- The macros `MBEDTLS_ERR_xxx_FEATURE_UNAVAILABLE` from various crypto modules
were removed; `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` is now used
instead.
+- The macro `MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION` was removed;
+ `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` is now used instead.
- The macros `MBEDTLS_ERR_xxx_HW_ACCEL_FAILED` from various crypto modules
were removed; `MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED` is now used instead.
+### Deprecated error codes for invalid input data were removed
+
+- The macros `MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH` from ARIA and Camellia
+ modules were removed; `MBEDTLS_ERR_xxx_BAD_INPUT_DATA` is now used instead.
+
### Remove the mode parameter from RSA functions
-This affects all users who use the RSA encryption, decryption, sign and
+This affects all users who use the RSA encrypt, decrypt, sign and
verify APIs.
The RSA module no longer supports private-key operations with the public key or
vice versa. As a consequence, RSA operation functions no longer have a mode
parameter. If you were calling RSA operations with the normal mode (public key
for verification or encryption, private key for signature or decryption), remove
-the `MBEDTLS_MODE_PUBLIC` or `MBEDTLS_MODE_PRIVATE` argument. If you were calling
+the `MBEDTLS_RSA_PUBLIC` or `MBEDTLS_RSA_PRIVATE` argument. If you were calling
RSA operations with the wrong mode, which rarely makes sense from a security
perspective, this is no longer supported.
@@ -334,7 +362,7 @@
### Remove the padding parameters from `mbedtls_rsa_init()`
-This affects all users who use the RSA encryption, decryption, sign and
+This affects all users who use the RSA encrypt, decrypt, sign and
verify APIs.
The function `mbedtls_rsa_init()` no longer supports selecting the PKCS#1 v2.1
@@ -552,13 +580,13 @@
### Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `mbedtls_config.h`
This change affects users who have chosen the configuration options to disable the
-library's verification of the `keyUsage` and `extendedKeyUsage` fields of x509
+library's verification of the `keyUsage` and `extendedKeyUsage` fields of X.509
certificates.
The `MBEDTLS_X509_CHECK_KEY_USAGE` and `MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE`
-configuration options are removed and the X509 code now behaves as if they were
+configuration options are removed and the X.509 code now behaves as if they were
always enabled. It is consequently not possible anymore to disable at compile
-time the verification of the `keyUsage` and `extendedKeyUsage` fields of X509
+time the verification of the `keyUsage` and `extendedKeyUsage` fields of X.509
certificates.
The verification of the `keyUsage` and `extendedKeyUsage` fields is important,
diff --git a/docs/architecture/mbed-crypto-storage-specification.md b/docs/architecture/mbed-crypto-storage-specification.md
index 914bca3..60203a0 100644
--- a/docs/architecture/mbed-crypto-storage-specification.md
+++ b/docs/architecture/mbed-crypto-storage-specification.md
@@ -112,7 +112,7 @@
The way in which the file name is constructed from the key identifier depends on the storage backend. The content of the file is described [below](#key-file-format-for-1.0.0).
* Library integration: the key file name is just the key identifier as defined in the PSA crypto specification. This is a 32-bit value.
-* PSA service integration: the key file name is `(uint32_t)owner_uid << 32 | key_id` where `key_id` is the key identifier from the owner point of view and `owner_uid` (of type `int32_t`) is the calling partition identifier provided to the server by the partition manager. This is a 64-bit value.
+* PSA service integration: the key file name is `(uint64_t)owner_uid << 32 | key_id` where `key_id` is the key identifier from the owner point of view and `owner_uid` (of type `int32_t`) is the calling partition identifier provided to the server by the partition manager. This is a 64-bit value.
### Key file format for 1.0.0
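Review bot: the change to `(uint64_t)owner_uid << 32 | key_id` is a real correctness fix, not just wording: shifting a `uint32_t` left by 32 is undefined behaviour in C and cannot produce the 64-bit file name the sentence claims. Since `owner_uid` is declared `int32_t` in the same sentence, consider adding that a negative owner identifier is sign-extended by the cast before the shift, so the upper 32 bits of the file name hold its two's-complement bit pattern; anyone inspecting or parsing key file names offline needs that detail.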
@@ -120,7 +120,11 @@
### Nonvolatile random seed file format for 1.0.0
-[Identical to 0.1.0](#nonvolatile-random-seed-file-format-for-0.1.0).
+The nonvolatile random seed file contains a seed for the random generator. If present, it is rewritten at each boot as part of the random generator initialization.
+
+The file format is just the seed as a byte string with no metadata or encoding of any kind.
+
+This is unchanged since [the feature was introduced in Mbed Crypto 0.1.0](#nonvolatile-random-seed-file-format-for-0.1.0).
### File namespace on a PSA platform for 1.0.0
@@ -167,7 +171,21 @@
Released in early June 2019. <br>
Integrated in Mbed OS 5.13.
-Identical to [1.0.0](#mbed-crypto-1.0.0) except for some changes in the key file format.
+Changes since [1.0.0](#mbed-crypto-1.0.0):
+
+* The stdio backend for storage has been replaced by an implementation of [PSA ITS over stdio](#file-namespace-on-stdio-for-1.1.0).
+* [Some changes in the key file format](#key-file-format-for-1.1.0).
+
+### File namespace on stdio for 1.1.0
+
+Assumption: C stdio, allowing names containing lowercase letters, digits and underscores, of length up to 23.
+
+An undocumented build-time configuration value `PSA_ITS_STORAGE_PREFIX` allows storing the key files in a directory other than the current directory. This value is simply prepended to the file name (so it must end with a directory separator to put the keys in a different directory).
+
+* `PSA_ITS_STORAGE_PREFIX "tempfile.psa_its"`: used as a temporary file. Must be writable. May be overwritten or deleted if present.
+* `sprintf(PSA_ITS_STORAGE_PREFIX "%016llx.psa_its", key_id)`: a key or non-key file. The `key_id` in the name is the 64-bit file identifier, which is the [key identifier](#key-names-for-mbed-tls-2.25.0) for a key file or some reserved identifier for a non-key file (currently: only the [nonvolatile random seed](#nonvolatile-random-seed-file-format-for-1.0.0)). The contents of the file are:
+ * Magic header (8 bytes): `"PSA\0ITS\0"`
+ * File contents.
### Key file format for 1.1.0
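Review bot: the new 1.1.0 stdio section links `key_id` to `#key-names-for-mbed-tls-2.25.0`, a section describing a later format version, which is confusing for a reader of the 1.1.0 description. Either link to the key naming text that applies to 1.1.0 or state explicitly in this section that the key naming rules were unchanged.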
@@ -314,3 +332,134 @@
* For an opaque key (unified driver interface): driver-specific opaque key blob.
* For an opaque key (key in a secure element): slot number (8 bytes), in platform endianness.
* Any trailing data is rejected on load.
+
+Mbed TLS 2.25.0
+---------------
+
+Tags: `mbedtls-2.25.0`, `mbedtls-2.26.0`, `mbedtls-2.27.0`, `mbedtls-2.28.0`, `mbedtls-3.0.0`, `mbedtls-3.1.0`
+
+First released in December 2020.
+
+Note: this is the first version that is officially supported. The version number is still 0.
+
+Backward compatibility commitments: we promise backward compatibility for stored keys when Mbed TLS is upgraded from x to y if x >= 2.25 and y < 4. See [`BRANCHES.md`](../../BRANCHES.md) for more details.
+
+Supported integrations:
+
+* [PSA platform](#file-namespace-on-a-psa-platform-on-mbed-tls-2.25.0)
+* [library using PSA ITS](#file-namespace-on-its-as-a-library-on-mbed-tls-2.25.0)
+* [library using C stdio](#file-namespace-on-stdio-for-mbed-tls-2.25.0)
+
+Supported features:
+
+* [Persistent keys](#key-file-format-for-mbed-tls-2.25.0) designated by a [key identifier and owner](#key-names-for-mbed-tls-2.25.0). Keys can be:
+ * Transparent, stored in the export format.
+ * Opaque, using the unified driver interface with statically registered drivers (`MBEDTLS_PSA_CRYPTO_DRIVERS`). The driver determines the content of the opaque key blob.
+ * Opaque, using the deprecated secure element interface with dynamically registered drivers (`MBEDTLS_PSA_CRYPTO_SE_C`). The driver picks a slot number which is stored in the place of the key material.
+* [Nonvolatile random seed](#nonvolatile-random-seed-file-format-for-mbed-tls-2.25.0) on ITS only.
+
+### Changes introduced in Mbed TLS 2.25.0
+
+* The numerical encodings of `psa_key_type_t`, `psa_key_usage_t` and `psa_algorithm_t` have changed.
+
+### File namespace on a PSA platform on Mbed TLS 2.25.0
+
+Assumption: ITS provides a 64-bit file identifier namespace. The Crypto service can use arbitrary file identifiers and no other part of the system accesses the same file identifier namespace.
+
+Assumption: the owner identifier is a nonzero value of type `int32_t`.
+
+* Files 0 through 0xfffeffff: unused.
+* Files 0xffff0000 through 0xffffffff: reserved for internal use of the crypto library or crypto service. See [non-key files](#non-key-files-on-mbed-tls-2.25.0).
+* Files 0x100000000 through 0xffffffffffff: [content](#key-file-format-for-mbed-tls-2.25.0) of the [key whose identifier is the file identifier](#key-names-for-mbed-tls-2.25.0). The upper 32 bits determine the owner.
+
+### File namespace on ITS as a library on Mbed TLS 2.25.0
+
+Assumption: ITS provides a 64-bit file identifier namespace. The entity using the crypto library can use arbitrary file identifiers and no other part of the system accesses the same file identifier namespace.
+
+This is a library integration, so there is no owner. The key file identifier is identical to the key identifier.
+
+* File 0: unused.
+* Files 1 through 0xfffeffff: [content](#key-file-format-for-mbed-tls-2.25.0) of the [key whose identifier is the file identifier](#key-names-for-mbed-tls-2.25.0).
+* Files 0xffff0000 through 0xffffffff: reserved for internal use of the crypto library or crypto service. See [non-key files](#non-key-files-on-mbed-tls-2.25.0).
+* Files 0x100000000 through 0xffffffffffffffff: unused.
+
+### File namespace on stdio for Mbed TLS 2.25.0
+
+Assumption: C stdio, allowing names containing lowercase letters, digits and underscores, of length up to 23.
+
+An undocumented build-time configuration value `PSA_ITS_STORAGE_PREFIX` allows storing the key files in a directory other than the current directory. This value is simply prepended to the file name (so it must end with a directory separator to put the keys in a different directory).
+
+* `PSA_ITS_STORAGE_PREFIX "tempfile.psa_its"`: used as a temporary file. Must be writable. May be overwritten or deleted if present.
+* `sprintf(PSA_ITS_STORAGE_PREFIX "%016llx.psa_its", key_id)`: a key or non-key file. The `key_id` in the name is the 64-bit file identifier, which is the [key identifier](#key-names-for-mbed-tls-2.25.0) for a key file or some reserved identifier for a [non-key file](#non-key-files-on-mbed-tls-2.25.0). The contents of the file are:
+ * Magic header (8 bytes): `"PSA\0ITS\0"`
+ * File contents.
+
+### Key names for Mbed TLS 2.25.0
+
+Information about each key is stored in a dedicated file designated by the key identifier. In integrations where there is no concept of key owner (in particular, in library integrations), the key identifier is exactly the key identifier as defined in the PSA Cryptography API specification (`psa_key_id_t`). In integrations where there is a concept of key owner (integration into a service for example), the key identifier is made of an owner identifier (its semantics and type are integration specific) and of the key identifier (`psa_key_id_t`) from the key owner point of view.
+
+The way in which the file name is constructed from the key identifier depends on the storage backend. The content of the file is described [below](#key-file-format-for-mbed-tls-2.25.0).
+
+* Library integration: the key file name is just the key identifier as defined in the PSA crypto specification. This is a 32-bit value which must be in the range 0x00000001..0x3fffffff (`PSA_KEY_ID_USER_MIN`..`PSA_KEY_ID_USER_MAX`).
+* PSA service integration: the key file name is `(uint64_t)owner_uid << 32 | key_id` where `key_id` is the key identifier from the owner point of view and `owner_uid` (of type `int32_t`) is the calling partition identifier provided to the server by the partition manager. This is a 64-bit value.
+
+### Key file format for Mbed TLS 2.25.0
+
+All integers are encoded in little-endian order in 8-bit bytes except where otherwise indicated.
+
+The layout of a key file is:
+
+* magic (8 bytes): `"PSA\0KEY\0"`.
+* version (4 bytes): 0.
+* lifetime (4 bytes): `psa_key_lifetime_t` value.
+* type (2 bytes): `psa_key_type_t` value.
+* bits (2 bytes): `psa_key_bits_t` value.
+* policy usage flags (4 bytes): `psa_key_usage_t` value.
+* policy usage algorithm (4 bytes): `psa_algorithm_t` value.
+* policy enrollment algorithm (4 bytes): `psa_algorithm_t` value.
+* key material length (4 bytes).
+* key material:
+ * For a transparent key: output of `psa_export_key`.
+ * For an opaque key (unified driver interface): driver-specific opaque key blob.
+ * For an opaque key (key in a dynamic secure element): slot number (8 bytes), in platform endianness.
+* Any trailing data is rejected on load.
+
+### Non-key files on Mbed TLS 2.25.0
+
+File identifiers that are outside the range of persistent key identifiers are reserved for internal use by the library. The only identifiers currently in use have the owner id (top 32 bits) set to 0.
+
+* Files 0xfffffe02 through 0xfffffeff (`PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + lifetime`): dynamic secure element driver storage. The content of the file is the secure element driver's persistent data.
+* File 0xffffff52 (`PSA_CRYPTO_ITS_RANDOM_SEED_UID`): [nonvolatile random seed](#nonvolatile-random-seed-file-format-for-mbed-tls-2.25.0).
+* File 0xffffff54 (`PSA_CRYPTO_ITS_TRANSACTION_UID`): [transaction file](#transaction-file-format-for-mbed-tls-2.25.0).
+* Other files are unused and reserved for future use.
+
+### Nonvolatile random seed file format for Mbed TLS 2.25.0
+
+[Identical to Mbed Crypto 0.1.0](#nonvolatile-random-seed-file-format-for-0.1.0).
+
+### Transaction file format for Mbed TLS 2.25.0
+
+The transaction file contains data about an ongoing action that cannot be completed atomically. It exists only if there is an ongoing transaction.
+
+All integers are encoded in platform endianness.
+
+All currently existing transactions concern a key in a dynamic secure element.
+
+The layout of a transaction file is:
+
+* type (2 bytes): the [transaction type](#transaction-types-on-mbed-tls-2.25.0).
+* unused (2 bytes)
+* lifetime (4 bytes): `psa_key_lifetime_t` value that corresponds to a key in a secure element.
+* slot number (8 bytes): `psa_key_slot_number_t` value. This is the unique designation of the key for the secure element driver.
+* key identifier (4 bytes in a library integration, 8 bytes on a PSA platform): the internal representation of the key identifier. On a PSA platform, this encodes the key owner in the same way as [in file identifiers for key files](#file-namespace-on-a-psa-platform-on-mbed-tls-2.25.0)).
+
+#### Transaction types on Mbed TLS 2.25.0
+
+* 0x0001: key creation. The following locations may or may not contain data about the key that is being created:
+ * The slot in the secure element designated by the slot number.
+ * The file containing the key metadata designated by the key identifier.
+ * The driver persistent data.
+* 0x0002: key destruction. The following locations may or may not still contain data about the key that is being destroyed:
+ * The slot in the secure element designated by the slot number.
+ * The file containing the key metadata designated by the key identifier.
+ * The driver persistent data.
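Review bot: range inconsistency in the PSA platform namespace: `+* Files 0x100000000 through 0xffffffffffff:` stops at 48 bits, while the ITS-as-a-library section in the same hunk uses `0xffffffffffffffff` for the top of the 64-bit space; with a 32-bit owner in the upper half, the intended upper bound here is presumably `0xffffffffffffffff` as well. Two smaller points: `+Note: this is the first version that is officially supported. The version number is still 0.` should say which version number it means (the `version (4 bytes): 0` field of the key file layout, by the look of it), and the key identifier bullet of the transaction file layout ends with an extra closing parenthesis after the link.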
diff --git a/docs/architecture/psa-migration/psa-limitations.md b/docs/architecture/psa-migration/psa-limitations.md
index f5b5700..7b8ec99 100644
--- a/docs/architecture/psa-migration/psa-limitations.md
+++ b/docs/architecture/psa-migration/psa-limitations.md
@@ -14,8 +14,8 @@
Restartable ECC operations
--------------------------
-There is currently no support for that in PSA at all. API design, as well as
-implementation, would be non-trivial.
+There is currently no support for that in PSA at all, but it will be added at
+some point, see <https://github.com/orgs/Mbed-TLS/projects/1#column-18816849>.
Currently, `MBEDTLS_USE_PSA_CRYPTO` is simply incompatible with
`MBEDTLS_ECP_RESTARTABLE`.
@@ -60,16 +60,25 @@
1. Implement support for custom FFDH parameters in PSA Crypto: this would pose
non-trivial API design problem, but most importantly seems backwards, as
-the crypto community is moving away from custom FFDH parameters.
+the crypto community is moving away from custom FFDH parameters. (Could be
+done any time.)
2. Drop the DHE-RSA and DHE-PSK key exchanges in TLS 1.2 when moving to PSA.
-3. Implement RFC 7919, support DHE-RSA and DHE-PSK only in conjunction with it
- when moving to PSA. We can modify our server so that it only selects a DHE
- ciphersuite if the client offered name FFDH groups; unfortunately
+ (For people who want some algorithmic variety in case ECC collapses, FFDH
+would still be available in TLS 1.3, just not in 1.2.) (Can only be done in
+4.0 or another major version.)
+3. Variant of the precedent: only drop client-side support. Server-side is
+ easy to support in terms of API/protocol, as the server picks the
+parameters: we just need remove the existing `mbedtls_ssl_conf_dh_param_xxx()`
+APIs and tell people to use `mbedtls_ssl_conf_groups()` instead. (Can only be
+done in 4.0 or another major version.)
+4. Implement RFC 7919, support DHE-RSA and DHE-PSK only in conjunction with it
+ when moving to PSA. Server-side would work as above; unfortunately
client-side the only option is to offer named groups and break the handshake
if the server didn't take on our offer. This is not fully satisfying, but is
perhaps the least unsatisfying option in terms of result; it's also probably
the one that requires the most work, but it would deliver value beyond PSA
-migration by implementing RFC 7919.
+migration by implementing RFC 7919. (Implementing RFC 7919 could be done any
+time; making it mandatory can only be done in 4.0 or another major version.)
RSA-PSS parameters
------------------
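Review bot: grammar in the reworked options: `+3. Variant of the precedent:` should read `Variant of the preceding option`, and `+parameters: we just need remove the existing` is missing `to`. The continuation lines of items 2 to 4 are also indented inconsistently (some with a leading space, some with none), which some Markdown renderers will turn into separate paragraphs outside the list.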
@@ -294,7 +303,7 @@
Mask Algorithm: mgf1 with sha512
Salt Length: 0x3E
-These CSRss are signed with a 2048-bit key. It appears that they are
+These CSRs are signed with a 2048-bit key. It appears that they are
all using saltlen = keylen - hashlen - 2.
### Possible courses of action
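Review bot: the visible example does not agree with the rule stated on the unchanged line "all using saltlen = keylen - hashlen - 2". With a 2048-bit key (256-byte modulus) and sha512 (64-byte hash) that rule gives 190 (0xBE), but the example shows "Salt Length: 0x3E" (62), which is what the rule gives for a 1024-bit key (128 - 64 - 2). Since this section is the basis for deciding how non-default salt lengths are handled, please check whether the CSRs were generated with a 1024-bit key or whether the parameters were copied from a different CSR, and correct whichever is wrong.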
@@ -308,87 +317,13 @@
saltlen happens to match hashlen, and falling back to `ANY_SALT` otherwise.
Same issue as with the previous point, except more contained.
3. Reject all certificates with saltlen != hashlen. This includes all
- certificates generate with OpenSSL using the default parameters, so it's
+ certificates generated with OpenSSL using the default parameters, so it's
probably not acceptable.
4. Request an extension to the PSA Crypto API and use one of the above options
in the meantime. Such an extension seems inconvenient and not motivated by
strong security arguments, so it's unclear whether it would be accepted.
-HKDF: Expand not exposed on its own (TLS 1.3)
----------------------------------------------
-
-The HKDF function uses an Extract-then-Expand approach, that is:
-
- HKDF(x, ...) = HKDF-Expand(HKDF-Extract(x, ...), ...)
-
-Only the full HKDF function is safe in general, however there are cases when
-one case safely use the individual Extract and Expand; the TLS 1.3 key
-schedule does so. Specifically, looking at the [hierarchy of secrets][13hs]
-is seems that Expand and Extract are always chained, so that this hierarchy
-can be implemented using only the full HKDF. However, looking at the
-derivation of traffic keys (7.3) and the update mechanism (7.2) it appears
-that calls to HKDF-Expand are iterated without any intermediated call to
-HKDF-Extract : that is, the traffic keys are computed as
-
- HKDF-Expand(HKDF-Expand(HKDF-Extract(...)))
-
-(with possibly more than two Expands in a row with update).
-
-[13hs]: https://datatracker.ietf.org/doc/html/rfc8446#page-93
-
-In the short term (early 2022), we'll work around that by re-implementing HKDF
-in `ssl_tls13_keys.c` based on the `psa_mac_` APIs (for HMAC).
-
-In the long term, it is desirable to extend the PSA API. See
-https://github.com/ARM-software/psa-crypto-api/issues/539
-
Limitations relevant for G2 (isolation of long-term secrets)
============================================================
-Custom key derivations for mixed-PSK handshake
-----------------------------------------------
-
-Currently, `MBEDTLS_USE_PSA_CRYPTO` enables the new configuration function
-`mbedtls_ssl_conf_psk_opaque()` which allows a PSA-held key to be used for the
-(pure) `PSK` key exchange in TLS 1.2. This requires that the derivation of the
-Master Secret (MS) be done on the PSA side. To support this, an algorithm
-family `PSA_ALG_TLS12_PSK_TO_MS(hash_alg)` was added to PSA Crypto.
-
-If we want to support key isolation for the "mixed PSK" key exchanges:
-DHE-PSK, RSA-PSK, ECDHE-PSK, where the PSK is concatenated with the result of
-a DH key agreement (resp. RSA decryption) to form the pre-master secret (PMS)
-from which the MS is derived. If the value of the PSK is to remain hidden, we
-need the derivation PSK + secondary secret -> MS to be implemented as an
-ad-hoc PSA key derivation algorithm.
-
-Adding this new, TLS-specific, key derivation algorithm to PSA Crypto should
-be no harder than it was to add `PSA_ALG_TLS12_PSK_TO_MS()` but still requires
-an extension to PSA Crypto.
-
-Note: looking at RFCs 4279 and 5489, it appears that the structure of the PMS
-is always the same: 2-byte length of the secondary secret, secondary secret,
-2-byte length of the PSK, PSK. So, a single key derivation algorithm should be
-able to cover the 3 key exchanges DHE-PSK, RSA-PSK and ECDHE-PSK. (That's a
-minor gain: adding 3 algorithms would not be a blocker anyway.)
-
-Note: if later we want to also isolate short-term secret (G3), the "secondary
-secret" (output of DHE/ECDHE key agreement or RSA decryption) could be a
-candidate. This wouldn't be a problem as the PSA key derivation API always
-allows inputs from key slots. (Tangent: the hard part in isolating the result
-of RSA decryption would be still checking that is has the correct format:
-48 bytes, the first two matching the TLS version - note that this is timing
-sensitive.)
-
-HKDF: Expand not exposed on its own (TLS 1.3)
----------------------------------------------
-
-See the section with the same name in the G1 part above for background.
-
-The work-around mentioned there works well enough just for acceleration, but
-is not sufficient for key isolation or generally proper key management (it
-requires marking keys are usable for HMAC while they should only be used for
-key derivation).
-
-The obvious long-term solution is to make HKDF-Expand available as a new KDF
-(in addition to the full HKDF) in PSA (with appropriate warnings in the
-documentation).
+Currently none.
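Review bot: the two HKDF-Expand limitation sections and the mixed-PSK key derivation section are deleted, but nothing in the diff records what resolved them. The removed G1 text says the plan was to "re-implement HKDF in `ssl_tls13_keys.c` based on the `psa_mac_` APIs" and points to psa-crypto-api issue 539, and the removed G2 text explains why that workaround is not sufficient for key isolation (it "requires marking keys are usable for HMAC while they should only be used for key derivation"). If PSA now exposes HKDF-Expand and a TLS 1.2 mixed-PSK derivation, a one-line pointer to the resolution would let readers verify that "Currently none." is accurate; if only the HMAC-based workaround landed, the G2 key-policy concern still applies and that section should stay. Also, "Currently none." directly under a level-1 heading reads abrupt; consider "There are currently (early 2022) no known limitations relevant for G2." to match the dating convention used elsewhere in these documents.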
diff --git a/docs/architecture/psa-migration/strategy.md b/docs/architecture/psa-migration/strategy.md
index 2bb0284..7bb8247 100644
--- a/docs/architecture/psa-migration/strategy.md
+++ b/docs/architecture/psa-migration/strategy.md
@@ -40,16 +40,14 @@
The reasons why `MBEDTLS_USE_PSA_CRYPTO` is optional and disabled by default
are:
- it's incompatible with `MBEDTLS_ECP_RESTARTABLE`;
-- historical: used to be incompatible
- `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` (fixed early 2022, see
- <https://github.com/Mbed-TLS/mbedtls/issues/5259>);
- it does not work well with `MBEDTLS_PSA_CRYPTO_CONFIG` (could compile with
both of them, but then `MBEDTLS_PSA_CRYPTO_CONFIG` won't have the desired
effect)
- to avoid a hard/default dependency of TLS, X.509 and PK on
`MBEDTLS_PSA_CRYPTO_C`, for backward compatibility reasons:
- - when `MBEDTLS_PSA_CRYPTO_C` is enabled and used, applications need to call
- `psa_crypto_init()` before TLS/X.509 uses PSA functions
+ - When `MBEDTLS_PSA_CRYPTO_C` is enabled and used, applications need to call
+ `psa_crypto_init()` before TLS/X.509 uses PSA functions. (This prevents us
+from even enabling the option by default.)
- `MBEDTLS_PSA_CRYPTO_C` has a hard depend on `MBEDTLS_ENTROPY_C ||
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` but it's
currently possible to compilte TLS and X.509 without any of the options.
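Review bot: the added parenthetical "(This prevents us from even enabling the option by default.)" would be clearer if it gave the reason: existing applications that never call `psa_crypto_init()` would start failing at runtime if TLS/X.509 silently switched to PSA, which is a backward-compatibility break. Since this list is being edited, two typos in the neighbouring unchanged lines could be fixed in the same pass: "has a hard depend on" should be "has a hard dependency on", and "compilte" should be "compile". The capitalised "When" at the start of the rewritten sub-bullet is also inconsistent with the other bullets in this list, which start in lowercase.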
@@ -65,8 +63,11 @@
cost. The rest of this section explains the reasons for the
incompatibilities mentioned above.
-In the medium term (writing this in early 2020), we're going to look for ways
-to make `MBEDTLS_USE_PSA_CRYPTO` non-optional (always enabled).
+At the time of writing (early 2022) it is unclear what could be done about the
+backward compatibility issues, and in particular if the cost of implementing
+solutions to these problems would be higher or lower than the cost of
+maintaining dual code paths until the next major version. (Note: these
+solutions would probably also solve other problems at the same time.)
### `MBEDTLS_ECP_RESTARTABLE`
@@ -84,7 +85,13 @@
Note: it is possible to make the options compatible at build time simply by
deciding that when `USE_PSA_CRYPTO` is enabled, PSA APIs are used except if
restartable behaviour was requested at run-time (in addition to enabling
-`MBEDTLS_ECP_RESTARTABLE` in the build).
+`MBEDTLS_ECP_RESTARTABLE` in the build). This would require some work to
+dispatch operations as intended, and test.
+
+Currently (early 2022) the mild consensus seems to be that since we'll need to
+implement restartable in PSA anyway, it's probably not worth spending time on
+the compatibility issue while waiting for it to get a more satisfying
+resolution when PSA starts supporting restartable.
### `MBEDTLS_PSA_CRYPTO_CONFIG`
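Review bot: "This would require some work to dispatch operations as intended, and test." is grammatically off; "and to test it" (or "and testing") reads better. In the new paragraph, "implement restartable in PSA" should be "implement restartable operations in PSA", and "the mild consensus seems to be" could simply be "the consensus is" unless the double hedging is intentional.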
@@ -174,9 +181,8 @@
- Downside: tricky to implement if the PSA implementation is currently done on
top of that layer (dependency loop).
-This strategy is currently (late 2021) used for ECDSA signature
-verification in the PK layer, and could be extended to all operations in the
-PK layer.
+This strategy is currently (early 2022) used for all operations in the PK
+layer.
This strategy is not very well suited to the Cipher layer, as the PSA
implementation is currently done on top of that layer.
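Review bot: "used for all operations in the PK layer" is broader than the next paragraph of this file, which says that parts of the PK layer (parse/write, ECDSA signatures in the format X.509 and TLS want) "are not covered by PSA". Suggest "used for all cryptographic operations in the PK layer that PSA can perform", or a similar qualifier, so the two statements agree.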
@@ -184,9 +190,9 @@
This strategy will probably be used for some time for the PK layer, while we
figure out what the future of that layer is: parts of it (parse/write, ECDSA
signatures in the format that X.509 & TLS want) are not covered by PSA, so
-they will need to keep existing in some way. Also the PK layer is also a good
+they will need to keep existing in some way. (Also, the PK layer is a good
place for dispatching to either PSA or `mbedtls_xxx_restartable` while that
-part is not covered by PSA yet.
+part is not covered by PSA yet, if we decide to do that.)
Replace calls for each operation
--------------------------------
@@ -199,10 +205,8 @@
code size.
- Downside: TLS/X.509 code has to be done for each operation.
-This strategy is currently (late 2021) used for the MD layer. (Currently only
-a subset of calling places, but will be extended to all of them.)
-
-In the future (early 2022) we're going to use it for the Cipher layer as well.
+This strategy is currently (early 2022) used for the MD layer and the Cipher
+layer.
Opt-in use of PSA from the abstraction layer
--------------------------------------------
@@ -225,20 +229,16 @@
supporting both G1 and G2 in that area), and one without isolation (the key is
still stored outside of PSA most of the time, supporting only G1).
-This strategy, with support for key isolation, is currently (end of 2021) used for ECDSA
-signature generation in the PK layer - see `mbedtls_pk_setup_opaque()`. This
+This strategy, with support for key isolation, is currently (early 2022) used for
+private-key operations in the PK layer - see `mbedtls_pk_setup_opaque()`. This
allows use of PSA-held private ECDSA keys in TLS and X.509 with no change to
-the TLS/X.509 code, but a contained change in the application. If could be
-extended to other private key operations in the PK layer, which is the plan as
-of early 2022.
+the TLS/X.509 code, but a contained change in the application.
-This strategy, without key isolation, is also currently used in the Cipher
-layer - see `mbedtls_cipher_setup_psa()`. This allows use of PSA for cipher
-operations in TLS with no change to the application code, and a
-contained change in TLS code. (It currently only supports a subset of
-ciphers.) However, we'll move to the "Replace calls for each operation"
-strategy (early 2022), in the hope of being able to build without this layer
-in order to save some code size in the future.
+This strategy, without key isolation, was also previously used (until 3.1
+included) in the Cipher layer - see `mbedtls_cipher_setup_psa()`. This allowed
+use of PSA for cipher operations in TLS with no change to the application
+code, and a contained change in TLS code. (It only supported a subset of
+ciphers.)
Note: for private key operations in the PK layer, both the "silent" and the
"opt-in" strategy can apply, and can complement each other, as one provides
@@ -249,13 +249,11 @@
Summary
-------
-Strategies currently used with each abstraction layer:
+Strategies currently (early 2022) used with each abstraction layer:
- PK (for G1): silently call PSA
- PK (for G2): opt-in use of PSA (new key type)
-- Cipher (G1):
- - late 2021: opt-in use of PSA (new setup function)
- - early 2022: moving to "replace calls at each call site"
+- Cipher (G1): replace calls at each call site
- MD (G1): replace calls at each call site
Migrating away from the legacy API
@@ -281,7 +279,7 @@
runtime, RAM usage or code size penalty), for example just a bunch of
`#define`s, essentially mapping `mbedtls_` APIs to their `psa_` equivalent.
-Unfortunately that's unlikely fully work. For example, the MD layer uses the
+Unfortunately that's unlikely to fully work. For example, the MD layer uses the
same context type for hashes and HMACs, while the PSA API (rightfully) has
distinct operation types. Similarly, the Cipher layer uses the same context
type for unauthenticated and AEAD ciphers, which again the PSA API
@@ -373,5 +371,5 @@
the low-level crypto APIs and making PK, MD and Cipher optional compatibility
layers is to be sure to preserve testing quality. A lot of the existing test
cases use the low level crypto APIs; we would need to either keep using that
-API for tests, or manually migrated test to the PSA Crypto API. Perhaps a
+API for tests, or manually migrate tests to the PSA Crypto API. Perhaps a
combination of both, perhaps evolving gradually over time.
diff --git a/docs/architecture/psa-migration/tasks-g2.md b/docs/architecture/psa-migration/tasks-g2.md
deleted file mode 100644
index 72bd377..0000000
--- a/docs/architecture/psa-migration/tasks-g2.md
+++ /dev/null
@@ -1,80 +0,0 @@
-This document is temporary; it lists tasks to achieve G2 as described in
-`strategy.md` while the strategy is being reviewed - once that's done,
-corresponding github issues will be created and this document removed.
-
-For all of the tasks here, specific testing (integration and unit test depending
-on the task) is required, see `testing.md`.
-
-RSA Signature operations
-========================
-
-In PK
------
-
-### Modify existing `PK_OPAQUE` type to allow for RSA keys
-
-- the following must work and be tested: `mbedtls_pk_get_type()`,
- `mbedtls_pk_get_name()`, `mbedtls_pk_get_bitlen()`, `mbedtls_pk_get_len()`,
-`mbedtls_pk_can_do()`.
-- most likely adapt `pk_psa_genkey()` in `test_suite_pk.function`.
-- all other function (sign, verify, encrypt, decrypt, check pair, debug) will
- return `MBEDTLS_ERR_PK_TYPE_MISMATCH` and this will be tested too.
-
-### Modify `mbedtls_pk_wrap_as_opaque()` to work with RSA.
-
-- OK to have policy hardcoded on signing with PKCS1v1.5, or allow more if
- available at this time
-
-### Modify `mbedtls_pk_write_pubkey_der()` to work with RSA-opaque.
-
-- OK to just test that a generated key (with `pk_psa_genkey()`) can be
- written, without checking for correctness of the result - this will be
-tested as part of another task
-
-### Make `mbedtls_pk_sign()` work with RSA-opaque.
-
-- testing may extend `pk_psa_sign()` in `test_suite_pk_function` by adding
- selector for ECDSA/RSA.
-
-In X.509
---------
-
-### Test using RSA-opaque for CSR generation
-
-- similar to what's already done with ECDSA-opaque
-
-### Test using opaque keys for Certificate generation
-
-- similar to what's done with testing CSR generation
-- should test both RSA and ECDSA as ECDSA is not tested yet
-- might require slight code adaptations, even if unlikely
-
-
-In TLS
-------
-
-### Test using RSA-opaque for TLS client auth
-
-- similar to what's already done with ECDSA-opaque
-
-### Test using RSA-opaque for TLS server auth
-
-- similar to what's already done with ECDSA-opaque
-- key exchanges: ECDHE-RSA and DHE-RSA
-
-RSA decrypt
-===========
-
-### Extend `PK_OPAQUE` to allow RSA decryption (PKCS1 v1.5)
-
-### Test using that in TLS for RSA and RSA-PSK key exchange.
-
-Support opaque PSKs for "mixed-PSK" key exchanges
-=================================================
-
-See `PSA-limitations.md`.
-
-Possible split:
-- one task to extend PSA (see `PSA-limitations.md`)
-- then one task per handshake: DHE-PSK, ECDHE-PSK, RSA-PSK (with tests for
- each)
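Review bot: deleting this file is what its own first paragraph promised ("once that's done, corresponding github issues will be created and this document removed"), but nothing in the diff points to the issues that now track these tasks. In particular the last task, "Support opaque PSKs for "mixed-PSK" key exchanges", defers to `PSA-limitations.md`, whose G2 section this same change replaces with "Currently none."; if that task is still open it has lost its only documented home, and if it is done, the strategy or limitations document should say so. Suggest listing the issue numbers in the commit message or in `strategy.md`.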
diff --git a/docs/architecture/psa-migration/testing.md b/docs/architecture/psa-migration/testing.md
index 70229ce..f205c16 100644
--- a/docs/architecture/psa-migration/testing.md
+++ b/docs/architecture/psa-migration/testing.md
@@ -21,11 +21,11 @@
However, when it comes to TLS, we also have the option of using debug messages
to confirm which code path is taken. This is generally unnecessary, except when
a decision is made at run-time about whether to use the PSA or legacy code
-path. For example, for record protection, currently some ciphers are supported
-via PSA while some others aren't, with a run-time fallback. In this case, it's
+path. (For example, for record protection, previously (until 3.1), some ciphers were supported
+via PSA while some others weren't, with a run-time fallback. In this case, it's
good to have a debug message checked by the test case to confirm that the
right decision was made at run-time, i. e. that we didn't use the fallback for
-ciphers that are supposed to be supported.
+ciphers that are supposed to be supported.)
New APIs meant for application use
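Review bot: the rewritten sentence nests parentheses ("(For example, for record protection, previously (until 3.1), some ciphers ...") and mixes tenses ("were supported" but "it's good to have"). Since the run-time fallback no longer exists, consider stating the whole example in the past, e.g. "For example, up to and including 3.1, some ciphers were supported via PSA for record protection while others were not, with a run-time fallback; a debug message checked by the test case confirmed that the fallback was not used for ciphers that were supposed to be supported."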
@@ -54,9 +54,8 @@
(We should have the same server-side.)
- in `test_suite_x509write` we have a new test function
`x509_csr_check_opaque()` checking integration of the new API with the
- existing `mbedtls_x509write_csr_set_key()`.
- (We should have something similar for
- `mbedtls_x509write_crt_set_issuer_key()`.)
+ existing `mbedtls_x509write_csr_set_key()`. (And also
+ `mbedtls_x509write_crt_set_issuer_key()` since #5710.)
For some APIs, for example with `mbedtls_ssl_conf_psk_opaque()`, testing in
`test_suite_ssl` was historically not possible, so we only have testing in
@@ -65,8 +64,9 @@
New APIs meant for internal use
-------------------------------
-For example, `mbedtls_cipher_setup_psa()` is meant to be used by the TLS
-layer, but probably not directly by applications.
+For example, `mbedtls_cipher_setup_psa()` (no longer used, soon to be
+deprecated - #5261) was meant to be used by the TLS layer, but probably not
+directly by applications.
In that case, we want:
diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md
index 2cf2a48..10da3c5 100644
--- a/docs/architecture/tls13-support.md
+++ b/docs/architecture/tls13-support.md
@@ -4,8 +4,8 @@
Overview
--------
-Mbed TLS provides a minimum viable implementation of the TLS 1.3 protocol
-defined in the "MVP definition" section below. The TLS 1.3 support enablement
+Mbed TLS provides a partial implementation of the TLS 1.3 protocol defined in
+the "Support description" section below. The TLS 1.3 support enablement
is controlled by the MBEDTLS_SSL_PROTO_TLS1_3 configuration option.
The development of the TLS 1.3 protocol is based on the TLS 1.3 prototype
@@ -16,38 +16,22 @@
status" below describes what remains to be upstreamed.
-MVP definition
---------------
+Support description
+-------------------
- Overview
- - The TLS 1.3 MVP implements only the client side of the protocol.
+ - Mbed TLS implements both the client and the server side of the TLS 1.3
+ protocol.
- - The TLS 1.3 MVP supports ECDHE key establishment.
+ - Mbed TLS supports ECDHE key establishment.
- - The TLS 1.3 MVP does not support DHE key establishment.
+ - Mbed TLS does not support DHE key establishment.
- - The TLS 1.3 MVP does not support pre-shared keys, including any form of
+ - Mbed TLS does not support pre-shared keys, including any form of
session resumption. This implies that it does not support sending early
data (0-RTT data).
- - The TLS 1.3 MVP supports the authentication of the server by the client
- but does not support authentication of the client by the server. In terms
- of TLS 1.3 authentication messages, this means that the TLS 1.3 MVP
- supports the processing of the Certificate and CertificateVerify messages
- but not of the CertificateRequest message.
-
- - The TLS 1.3 MVP does not support the handling of server HelloRetryRequest
- message. In practice, this means that the handshake will fail if the MVP
- does not provide in its ClientHello the shared secret associated to the
- group selected by the server for key establishement. For more information,
- see the comment associated to the `key_share` extension below.
-
- - If the TLS 1.3 MVP receives a HelloRetryRequest or a CertificateRequest
- message, it aborts the handshake with an handshake_failure closure alert
- and the `mbedtls_ssl_handshake()` returns in error with the
- `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` error code.
-
- Supported cipher suites: depends on the library configuration. Potentially
all of them:
TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,
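Review bot: the new "Support description" drops the MVP statements that HelloRetryRequest and client authentication (CertificateRequest) are not supported, but adds no positive statement in their place. A later hunk in this same file removes "client authentication, HelloRetryRequest support, version negotiation" from the list of what remains to be upstreamed, which implies they are now supported; this list should say so explicitly, because the removed bullets also documented the observable behaviour on receiving those messages (a handshake_failure alert and `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`) and readers now have no statement either way.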
@@ -55,94 +39,72 @@
- Supported ClientHello extensions:
- | Extension | MVP | Prototype (1) |
- | ---------------------------- | ------- | ------------- |
- | server_name | YES | YES |
- | max_fragment_length | no | YES |
- | status_request | no | no |
- | supported_groups | YES | YES |
- | signature_algorithms | YES | YES |
- | use_srtp | no | no |
- | heartbeat | no | no |
- | apln | no | YES |
- | signed_certificate_timestamp | no | no |
- | client_certificate_type | no | no |
- | server_certificate_type | no | no |
- | padding | no | no |
- | key_share | YES (2) | YES |
- | pre_shared_key | no | YES |
- | psk_key_exchange_modes | no | YES |
- | early_data | no | YES |
- | cookie | no | YES |
- | supported_versions | YES (3) | YES |
- | certificate_authorities | no | no |
- | post_handshake_auth | no | no |
- | signature_algorithms_cert | no | no |
+ | Extension | Support |
+ | ---------------------------- | ------- |
+ | server_name | YES |
+ | max_fragment_length | no |
+ | status_request | no |
+ | supported_groups | YES |
+ | signature_algorithms | YES |
+ | use_srtp | no |
+ | heartbeat | no |
+ | apln | YES |
+ | signed_certificate_timestamp | no |
+ | client_certificate_type | no |
+ | server_certificate_type | no |
+ | padding | no |
+ | key_share | YES |
+ | pre_shared_key | no |
+ | psk_key_exchange_modes | no |
+ | early_data | no |
+ | cookie | no |
+ | supported_versions | YES |
+ | certificate_authorities | no |
+ | post_handshake_auth | no |
+ | signature_algorithms_cert | no |
- (1) This is just for comparison.
-
- (2) The MVP sends only one shared secret corresponding to the configured
- preferred group. This could end up with connection failure if the
- server does not support our preferred curve, as the MVP does not implement
- HelloRetryRequest. The preferred group is the group of the first curve in
- the list of allowed curves as defined by the configuration. The allowed
- curves are by default ordered as follows: `x25519`, `secp256r1`,
- `secp384r1` and finally `secp521r1`. Note that, in the absence of an
- application profile standard specifying otherwise, section 9.1 of the
- specification rather promotes curve `secp256r1` to be supported over
- curve `x25519`. The MVP would, however, rather keep the preference order
- currently promoted by Mbed TLS as this applies to TLS 1.2 as well, and
- changing the order only for TLS1.3 would be potentially difficult.
- In the unlikely event a server does not support curve `x25519` but does
- support curve `secp256r1`, curve `secp256r1` can be set as the preferred
- curve through the `mbedtls_ssl_conf_curves()` API.
-
- (3) The MVP proposes only TLS 1.3 and does not support version negotiation.
- Out-of-protocol fallback is supported though if the Mbed TLS library
- has been built to support both TLS 1.3 and TLS 1.2: just set the
- maximum of the minor version of the SSL configuration to
- MBEDTLS_SSL_MINOR_VERSION_3 (`mbedtls_ssl_conf_min_version()` API) and
- re-initiate a server handshake.
- Supported groups: depends on the library configuration.
- Potentially all ECDHE groups but x448:
- secp256r1, x25519, secp384r1 and secp521r1.
+ Potentially all ECDHE groups:
+ secp256r1, x25519, secp384r1, x448 and secp521r1.
Finite field groups (DHE) are not supported.
- Supported signature algorithms (both for certificates and CertificateVerify):
depends on the library configuration.
Potentially:
- rsa_pkcs1_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256,
- ecdsa_secp384r1_sha384 and ecdsa_secp521r1_sha512.
+ ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512,
+ rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pss_rsae_sha256,
+ rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512.
Note that in absence of an application profile standard specifying otherwise
- the three first ones in the list above are mandatory (see section 9.1 of the
- specification).
+ rsa_pkcs1_sha256, rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256 are
+ mandatory (see section 9.1 of the specification).
- Supported versions:
- - TLS 1.2 and TLS 1.3 but version negotiation is not supported.
+ - TLS 1.2 and TLS 1.3 with version negotiation on the client side, not server
+ side.
- - TLS 1.3 cannot be enabled in the build (MBEDTLS_SSL_PROTO_TLS1_3
- configuration option) without TLS 1.2 (MBEDTLS_SSL_PROTO_TLS1_2 configuration
- option).
-
- - TLS 1.2 can be enabled in the build independently of TLS 1.3.
+ - TLS 1.2 and TLS 1.3 can be enabled in the build independently of each
+ other.
- If both TLS 1.3 and TLS 1.2 are enabled at build time, only one of them can
- be configured at runtime via `mbedtls_ssl_conf_{min,max}_version`. Otherwise,
- `mbedtls_ssl_setup` will raise `MBEDTLS_ERR_SSL_BAD_CONFIG` error.
+ be configured at runtime via `mbedtls_ssl_conf_{min,max}_tls_version` for a
+ server endpoint. Otherwise, `mbedtls_ssl_setup` will raise
+ `MBEDTLS_ERR_SSL_BAD_CONFIG` error.
- Compatibility with existing SSL/TLS build options:
- The TLS 1.3 MVP is compatible with all TLS 1.2 configuration options in the
- sense that when enabling the TLS 1.3 MVP in the library there is no need to
- modify the configuration for TLS 1.2. The MBEDTLS_USE_PSA_CRYPTO configuration
- option is an exception though, the TLS 1.3 MVP is not compatible with it.
+ The TLS 1.3 implementation is compatible with nearly all TLS 1.2
+ configuration options in the sense that when enabling TLS 1.3 in the library
+ there is rarely any need to modify the configuration from that used for
+ TLS 1.2. There are two exceptions though: the TLS 1.3 implementation requires
+ MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so these options
+ must be enabled.
- Mbed TLS SSL/TLS related features are not supported or not applicable to the
- TLS 1.3 MVP:
+ Most of the Mbed TLS SSL/TLS related options are not supported or not
+ applicable to the TLS 1.3 implementation:
| Mbed TLS configuration option | Support |
| ---------------------------------------- | ------- |
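Review bot: the extension table still lists "apln", carried over from the old table; the extension is `alpn` (RFC 7301), so the typo should be fixed rather than preserved in the rewrite. Two smaller points: "Most of the Mbed TLS SSL/TLS related options are not supported or not applicable to the TLS 1.3 implementation:" is an odd lead-in for a table whose Support column contains "yes" entries; something neutral such as "Support for the Mbed TLS SSL/TLS related options is summarised in the following table:" would fit better. And the old footnote (2), which explained that the ClientHello carries a single key_share for the first configured group, has been dropped along with the HelloRetryRequest note; if the ClientHello still sends only one key share, that is worth keeping as a footnote, since it determines when a HelloRetryRequest round trip occurs.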
@@ -152,13 +114,12 @@
| MBEDTLS_SSL_DEBUG_ALL | no |
| MBEDTLS_SSL_ENCRYPT_THEN_MAC | n/a |
| MBEDTLS_SSL_EXTENDED_MASTER_SECRET | n/a |
- | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE | no |
+ | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE | no (1) |
| MBEDTLS_SSL_RENEGOTIATION | n/a |
| MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | no |
| | |
| MBEDTLS_SSL_SESSION_TICKETS | no |
- | MBEDTLS_SSL_EXPORT_KEYS | no (1) |
- | MBEDTLS_SSL_SERVER_NAME_INDICATION | no |
+ | MBEDTLS_SSL_SERVER_NAME_INDICATION | yes |
| MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | no |
| | |
| MBEDTLS_ECP_RESTARTABLE | no |
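Review bot: "no (1)" for MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is confusing when footnote (1) says the option "must remain in their default state of enabled": the option is supported (in fact required); what is unsupported is disabling it. Suggest "yes (1)" with the footnote reworded to something like "(1) Must be enabled; disabling it is not supported with TLS 1.3", which also matches the prose earlier in the file stating that the TLS 1.3 implementation requires MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE.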
@@ -176,35 +137,20 @@
| MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED | n/a |
| | |
- | MBEDTLS_USE_PSA_CRYPTO | no |
+ | MBEDTLS_PSA_CRYPTO_C | no (1) |
+ | MBEDTLS_USE_PSA_CRYPTO | yes |
- (1) Some support has already been upstreamed but it is incomplete.
+ (1) These options must remain in their default state of enabled.
(2) Key exchange configuration options for TLS 1.3 will likely to be
organized around the notion of key exchange mode along the line
of the MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL
runtime configuration macros.
-- Quality considerations
- - Standard Mbed TLS review bar
- - Interoperability testing with OpenSSL and GnuTLS. Test with all the
- cipher suites and signature algorithms supported by OpenSSL/GnuTLS server.
- - Negative testing against OpenSSL/GnuTLS servers with which the
- handshake fails due to incompatibility with the capabilities of the
- MVP: TLS 1.2 or 1.1 server, server sending an HelloRetryRequest message in
- response to the MVP ClientHello, server sending a CertificateRequest
- message ...
-
Prototype upstreaming status
----------------------------
-The following summarizes which parts of the TLS 1.3 prototype remain to be
-upstreamed:
-
-- Ephemeral only handshake on client side: client authentication,
- HelloRetryRequest support, version negotiation.
-
-- Ephemeral only handshake server side.
+The following parts of the TLS 1.3 prototype remain to be upstreamed:
- Pre-shared keys, session resumption and 0-RTT data (both client and server
side).
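Review bot: the "Quality considerations" bullet (standard review bar, interoperability testing against OpenSSL and GnuTLS, negative testing with servers that send HelloRetryRequest or CertificateRequest) is removed outright. Part of it was MVP-specific, but the interoperability and negative-testing expectations still apply to the partial implementation described above; if they now live elsewhere, add a pointer, otherwise keep a trimmed bullet. The new MBEDTLS_PSA_CRYPTO_C row reads "no (1)" while footnote (1) says the option must remain enabled; "yes (1)" with a footnote saying that disabling it is unsupported would be clearer. The unchanged footnote (2) also has a grammar slip, "will likely to be organized", that could be fixed in passing.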
@@ -409,3 +355,101 @@
buf_len );
```
even if it fits.
+
+
+Overview of handshake code organization
+---------------------------------------
+
+The TLS 1.3 handshake protocol is implemented as a state machine. The
+functions `mbedtls_ssl_tls13_handshake_{client,server}_step` are the top level
+functions of that implementation. They are implemented as a switch over all the
+possible states of the state machine.
+
+Most of the states are either dedicated to the processing or writing of an
+handshake message.
+
+The implementation does not go systematically through all states as this would
+result in too many checks of whether something needs to be done or not in a
+given state to be duplicated across several state handlers. For example, on
+client side, the states related to certificate parsing and validation are
+bypassed if the handshake is based on a pre-shared key and thus does not
+involve certificates.
+
+On the contrary, the implementation goes systematically though some states
+even if they could be bypassed if it helps in minimizing when and where inbound
+and outbound keys are updated. The `MBEDTLS_SSL_CLIENT_CERTIFICATE` state on
+client side is a example of that.
+
+The names of the handlers processing/writing an handshake message are
+prefixed with `(mbedtls_)ssl_tls13_{process,write}`. To ease the maintenance and
+reduce the risk of bugs, the code of the message processing and writing
+handlers is split into a sequence of stages.
+
+The sending of data to the peer only occurs in `mbedtls_ssl_handshake_step`
+between the calls to the handlers and as a consequence handlers do not have to
+care about the MBEDTLS_ERR_SSL_WANT_WRITE error code. Furthermore, all pending
+data are flushed before to call the next handler. That way, handlers do not
+have to worry about pending data when changing outbound keys.
+
+### Message processing handlers
+For message processing handlers, the stages are:
+
+* coordination stage: check if the state should be bypassed. This stage is
+optional. The check is either purely based on the reading of the value of some
+fields of the SSL context or based on the reading of the type of the next
+message. The latter occurs when it is not known what the next handshake message
+will be, an example of that on client side being if we are going to receive a
+CertificateRequest message or not. The intent is, apart from the next record
+reading to not modify the SSL context as this stage may be repeated if the
+next handshake message has not been received yet.
+
+* fetching stage: at this stage we are sure of the type of the handshake
+message we must receive next and we try to fetch it. If we did not go through
+a coordination stage involving the next record type reading, the next
+handshake message may not have been received yet, the handler returns with
+`MBEDTLS_ERR_SSL_WANT_READ` without changing the current state and it will be
+called again later.
+
+* pre-processing stage: prepare the SSL context for the message parsing. This
+stage is optional. Any processing that must be done before the parsing of the
+message or that can be done to simplify the parsing code. Some simple and
+partial parsing of the handshake message may append at that stage like in the
+ServerHello message pre-processing.
+
+* parsing stage: parse the message and restrict as much as possible any
+update of the SSL context. The idea of the pre-processing/parsing/post-processing
+organization is to concentrate solely on the parsing in the parsing function to
+reduce the size of its code and to simplify it.
+
+* post-processing stage: following the parsing, further update of the SSL
+context to prepare for the next incoming and outgoing messages. This stage is
+optional. For example, secret and key computations occur at this stage, as well
+as handshake messages checksum update.
+
+* state change: the state change is done in the main state handler to ease the
+navigation of the state machine transitions.
+
+
+### Message writing handlers
+For message writing handlers, the stages are:
+
+* coordination stage: check if the state should be bypassed. This stage is
+optional. The check is based on the value of some fields of the SSL context.
+
+* preparation stage: prepare for the message writing. This stage is optional.
+Any processing that must be done before the writing of the message or that can
+be done to simplify the writing code.
+
+* writing stage: write the message and restrict as much as possible any update
+of the SSL context. The idea of the preparation/writing/finalization
+organization is to concentrate solely on the writing in the writing function to
+reduce the size of its code and simplify it.
+
+* finalization stage: following the writing, further update of the SSL
+context to prepare for the next incoming and outgoing messages. This stage is
+optional. For example, handshake secret and key computation occur at that
+stage (ServerHello writing finalization), switching to handshake keys for
+outbound message on server side as well.
+
+* state change: the state change is done in the main state handler to ease
+the navigation of the state machine transitions.
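Review bot: typo in the pre-processing stage bullet: "may append at that stage" should read "may happen at that stage". The coordination paragraph also has a sentence that does not parse as written, "The intent is, apart from the next record reading to not modify the SSL context as this stage may be repeated"; suggest "The intent is not to modify the SSL context, apart from reading the next record, since this stage may be repeated if the next handshake message has not been received yet."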
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 9c97b5d..c849221 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -1,107 +1,80 @@
This document describes the compile-time configuration option
-`MBEDTLS_USE_PSA_CRYPTO` from a user's perspective, more specifically its
-current effects as well as the parts that aren't covered yet.
+`MBEDTLS_USE_PSA_CRYPTO` from a user's perspective.
-Current effects
-===============
+This option makes the X.509 and TLS library use PSA for cryptographic
+operations, and enables new APIs for using keys handled by PSA Crypto.
-General limitations
--------------------
+General considerations
+----------------------
-Compile-time: enabling `MBEDTLS_USE_PSA_CRYPTO` requires
-`MBEDTLS_ECP_RESTARTABLE` and
-`MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` to be disabled.
+**Compile-time:** enabling `MBEDTLS_USE_PSA_CRYPTO` requires
+`MBEDTLS_ECP_RESTARTABLE` to be disabled.
-Effect: `MBEDTLS_USE_PSA_CRYPTO` has no effect on TLS 1.3 for which PSA
-cryptography is mandatory.
+**Application code:** when this option is enabled, you need to call
+`psa_crypto_init()` before calling any function from the SSL/TLS, X.509 or PK
+module.
-Stability: any API that's only available when `MBEDTLS_USE_PSA_CRYPTO` is
-defined is considered experimental and may change in incompatible ways at any
-time. Said otherwise, these APIs are explicitly excluded from the usual API
-stability promises.
+**Scope:** `MBEDTLS_USE_PSA_CRYPTO` has no effect on the parts of the code that
+are specific to TLS 1.3; those parts always use PSA Crypto. The parts of the
+TLS 1.3 code that are common with TLS 1.2, however, follow this option;
+currently this is the record protection code, computation of the running
+handshake hash, and X.509). You need to enable `MBEDTLS_USE_PSA_CRYPTO` if you
+want TLS 1.3 to use PSA everywhere.
New APIs / API extensions
-------------------------
-Some of these APIs are meant for the application to use in place of
-pre-existing APIs, in order to get access to the benefits; in the sub-sections
-below these are indicated by "Use in (X.509 and) TLS: opt-in", meaning that
-this requires changes to the application code for the (X.509 and) TLS layers
-to pick up the improvements.
-
-Some of these APIs are mostly meant for internal use by the TLS (and X.509)
-layers; they are indicated below by "Use in (X.509 and) TLS: automatic",
-meaning that no changes to the application code are required for the TLS (and
-X.509) layers to pick up the improvements.
-
### PSA-held (opaque) keys in the PK layer
-There is a new API function `mbedtls_pk_setup_opaque()` that can be used to
-wrap a PSA keypair into a PK context. The key can be used for private-key
+**New API function:** `mbedtls_pk_setup_opaque()` - can be used to
+wrap a PSA key pair into a PK context. The key can be used for private-key
operations and its public part can be exported.
-Benefits: isolation of long-term secrets, use of PSA Crypto drivers.
+**Benefits:** isolation of long-term secrets, use of PSA Crypto drivers.
-Limitations: only for private keys, only ECC. (That is, only ECDSA signature
-generation. Note: currently this will use randomized ECDSA while Mbed TLS uses
-deterministic ECDSA by default.) The following operations are not supported
+**Limitations:** can only wrap a key pair, can only use it for private key
+operations. (That is, signature generation, and for RSA decryption too.)
+Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses
+deterministic ECDSA by default. The following operations are not supported
with a context set this way, while they would be available with a normal
-`ECKEY` context: `mbedtls_pk_verify()`, `mbedtls_pk_check_pair()`,
-`mbedtls_pk_debug()`.
+context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key
+operations.
-Use in X.509 and TLS: opt-in. The application needs to construct the PK context
+**Use in X.509 and TLS:** opt-in. The application needs to construct the PK context
using the new API in order to get the benefits; it can then pass the
resulting context to the following existing APIs:
- `mbedtls_ssl_conf_own_cert()` or `mbedtls_ssl_set_hs_own_cert()` to use the
- key together with a certificate for ECDSA-based key exchanges (note: while
-this is supported on both sides, it's currently only tested client-side);
+ key together with a certificate for certificate-based key exchanges;
- `mbedtls_x509write_csr_set_key()` to generate a CSR (certificate signature
- request).
-
-In the TLS and X.509 API, there's one other function which accepts a keypair
-as a PK context: `mbedtls_x509write_crt_set_issuer_key()`. Use of opaque
-contexts here probably works but is so far untested.
+ request);
+- `mbedtls_x509write_crt_set_issuer_key()` to generate a certificate.
### PSA-held (opaque) keys for TLS pre-shared keys (PSK)
-There are two new API functions `mbedtls_ssl_conf_psk_opaque()` and
+**New API functions:** `mbedtls_ssl_conf_psk_opaque()` and
`mbedtls_ssl_set_hs_psk_opaque()`. Call one of these from an application to
register a PSA key for use with a PSK key exchange.
-Benefits: isolation of long-term secrets.
+**Benefits:** isolation of long-term secrets.
-Limitations: the key can only be used with "pure"
-PSK key exchanges (ciphersuites starting with `TLS_PSK_WITH_`), to the
-exclusion of RSA-PSK, DHE-PSK and ECDHE-PSK key exchanges. It is the responsibility of
-the user to make sure that when provisioning an opaque pre-shared key, the
-only PSK ciphersuites that can be negotiated are "pure" PSK; other XXX-PSK key
-exchanges will result in a handshake failure with the handshake function
-returning `MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE`.
+**Limitations:** none.
-Use in TLS: opt-in. The application needs to register the key using the new
-APIs to get the benefits.
+**Use in TLS:** opt-in. The application needs to register the key using one of
+the new APIs to get the benefits.
### PSA-based operations in the Cipher layer
There is a new API function `mbedtls_cipher_setup_psa()` to set up a context
that will call PSA to store the key and perform the operations.
-Benefits: use of PSA Crypto drivers; partial isolation of short-term secrets
-(still generated outside of PSA, but then held by PSA).
+This function only worked for a small number of ciphers. It is now deprecated
+and it is recommended to use `psa_cipher_xxx()` or `psa_aead_xxx()` functions
+directly instead.
-Limitations: the key is still passed in the clear by the application. The
-multi-part APIs are not supported, only the one-shot APIs. The only modes
-supported are ECB, CBC without padding, GCM and CCM (this excludes stream
-ciphers and ChachaPoly); the only cipher supported is AES (this excludes Aria,
-Camellia, and ChachaPoly). (Note: ECB is currently not tested.) (Note: it is
-possible to perform multiple one-shot operations with the same context;
-however this is not unit-tested, only tested via usage in TLS.)
-
-Use in TLS: automatic. Used when the cipher and mode is supported (with
-gracious fallback to the legacy API otherwise) in all places where a cipher is
-used. There are two such places: in `ssl_tls.c` for record protection, and in
-`ssl_ticket.c` for protecting tickets we issue.
+**Warning:** This function will be removed in a future version of Mbed TLS. If
+you are using it and would like us to keep it, please let us know about your
+use case.
Internal changes
----------------
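Review bot: unbalanced parenthesis in the **Scope** paragraph: "computation of the running handshake hash, and X.509)." closes a parenthesis that was never opened; either drop the ")" or open one before "currently this is". In the same file, the **Application code** paragraph tells users to call `psa_crypto_init()` before any SSL/TLS, X.509 or PK function but not that its return value must be checked; since a failed initialisation leaves every later PSA-backed operation failing, a short "and check that it returns `PSA_SUCCESS`" would make the requirement complete.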
@@ -109,89 +82,34 @@
All of these internal changes are active as soon as `MBEDTLS_USE_PSA_CRYPTO`
is enabled, no change required on the application side.
-### TLS: cipher operations based on PSA
+### TLS: most crypto operations based on PSA
-See "PSA-based operations in the Cipher layer" above.
+Current exceptions:
-### PK layer: ECDSA verification based on PSA
+- EC J-PAKE (when `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` is defined)
+- finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA,
+ DHE-PSK)
-Scope: `mbedtls_pk_verify()` will call to PSA for ECDSA signature
-verification.
+Other than the above exceptions, all crypto operations are based on PSA when
+`MBEDTLS_USE_PSA_CRYPTO` is enabled.
-Benefits: use of PSA Crypto drivers.
+### X.509: most crypto operations based on PSA
-Use in TLS and X.509: in all places where an ECDSA signature is verified.
+Current exception:
-### TLS: ECDHE computation based on PSA
+- verification of RSA-PSS signatures with a salt length that is different from
+ the hash length.
-Scope: Client-side, for ECDHE-RSA and ECDHE-ECDSA key exchanges, the
-computation of the ECDHE key exchange is done by PSA.
+Other than the above exceptions, all crypto operations are based on PSA when
+`MBEDTLS_USE_PSA_CRYPTO` is enabled.
-Limitations: client-side only, ECDHE-PSK not covered
+### PK layer: most crypto operations based on PSA
-Benefits: use of PSA Crypto drivers.
+Current exception:
-### TLS: handshake hashes and PRF computed with PSA
+- verification of RSA-PSS signatures with a salt length that is different from
+ the hash length.
-Scope: with TLS 1.2, the following are computed with PSA:
-- the running handshake hashes;
-- the hash of the ServerKeyExchange part that is signed;
-- the `verify_data` part of the Finished message;
-- the TLS PRF.
+Other than the above exceptions, all crypto operations are based on PSA when
+`MBEDTLS_USE_PSA_CRYPTO` is enabled.
-Benefits: use of PSA Crypto drivers.
-
-### X.509: some hashes computed with PSA
-
-Scope: the following hashes are computed with PSA:
-- when verifying a certificate chain, hash of the child for verifying the
- parent's signature;
-- when writing a CSR, hash of the request for self-signing the request.
-
-Benefits: use of PSA Crypto drivers.
-
-Parts that are not covered yet
-==============================
-
-This is only a high-level overview, grouped by theme
-
-TLS: key exchanges / asymmetric crypto
---------------------------------------
-
-The following key exchanges are not covered at all:
-
-- RSA
-- DHE-RSA
-- DHE-PSK
-- RSA-PSK
-- ECDHE-PSK
-- ECDH-RSA
-- ECDH-ECDSA
-- ECJPAKE
-
-The following key exchanges are only partially covered:
-
-- ECDHE-RSA: RSA operations are not covered and, server-side, the ECDHE
- operation isn't either
-- ECDHE-ECDSA: server-side, the ECDHE operation isn't covered. (ECDSA
- signature generation is only covered if using `mbedtls_pk_setup_opaque()`.)
-
-PSK if covered when the application uses `mbedtls_ssl_conf_psk_opaque()` or
-`mbedtls_ssl_set_hs_psk_opaque()`.
-
-TLS: symmetric crypto
----------------------
-
-- some ciphers not supported via PSA yet: ARIA, Camellia, ChachaPoly (silent
- fallback to the legacy APIs)
-- the HMAC part of the CBC and NULL ciphersuites
-- the HMAC computation in `ssl_cookie.c`
-
-X.509
------
-
-- most hash operations are still done via the legacy API, except the few that
- are documented above as using PSA
-- RSA PKCS#1 v1.5 signature generation (from PSA-held keys)
-- RSA PKCS#1 v1.5 signature verification
-- RSA-PSS signature verification
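Review bot: the RSA-PSS salt-length exception is duplicated verbatim in the "X.509" and "PK layer" sections, and both close with "Other than the above exceptions" under a heading that introduces a single "Current exception:". Suggest having the X.509 section point at the PK section (X.509 signature verification goes through PK, so the exception is the same one) and using the singular where only one exception is listed.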
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 1c2be1a..c05042b 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -22,7 +22,7 @@
*/
/**
- * @mainpage mbed TLS v3.1.0 source code documentation
+ * @mainpage mbed TLS v3.2.1 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 6d104c8..f722d28 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
-PROJECT_NAME = "mbed TLS v3.1.0"
+PROJECT_NAME = "mbed TLS v3.2.1"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 3dd944c..234debd 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -37,17 +37,17 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 3
-#define MBEDTLS_VERSION_MINOR 1
-#define MBEDTLS_VERSION_PATCH 0
+#define MBEDTLS_VERSION_MINOR 2
+#define MBEDTLS_VERSION_PATCH 1
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x03010000
-#define MBEDTLS_VERSION_STRING "3.1.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.1.0"
+#define MBEDTLS_VERSION_NUMBER 0x03020100
+#define MBEDTLS_VERSION_STRING "3.2.1"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.2.1"
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index bdc32e1..5fe9849 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -385,6 +385,20 @@
#error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
#endif
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SETBUF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SETBUF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO) &&\
+ ( defined(MBEDTLS_PLATFORM_STD_SETBUF) ||\
+ defined(MBEDTLS_PLATFORM_SETBUF_ALT) )
+#error "MBEDTLS_PLATFORM_SETBUF_MACRO and MBEDTLS_PLATFORM_STD_SETBUF/MBEDTLS_PLATFORM_SETBUF_ALT cannot be defined simultaneously"
+#endif
+
#if defined(MBEDTLS_PLATFORM_TIME_ALT) &&\
( !defined(MBEDTLS_PLATFORM_C) ||\
!defined(MBEDTLS_HAVE_TIME) )
@@ -581,6 +595,14 @@
#error "MBEDTLS_PSA_CRYPTO_SE_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_PSA_CRYPTO_SE_C is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_PSA_CRYPTO_SE_C is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \
! defined(MBEDTLS_PSA_CRYPTO_C)
#error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
@@ -729,6 +751,13 @@
#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
#endif
+/*
+ * The current implementation of TLS 1.3 requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#error "MBEDTLS_SSL_PROTO_TLS1_3 defined without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
!(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 7718f85..2a6672e 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -121,6 +121,20 @@
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
#endif /* PSA_WANT_ALG_HKDF */
+#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */
+#endif /* PSA_WANT_ALG_HKDF_EXTRACT */
+
+#if defined(PSA_WANT_ALG_HKDF_EXPAND)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */
+#endif /* PSA_WANT_ALG_HKDF_EXPAND */
+
#if defined(PSA_WANT_ALG_HMAC)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
@@ -592,11 +606,19 @@
#define PSA_WANT_ALG_GCM 1
#endif /* MBEDTLS_GCM_C */
+/* Enable PSA HKDF algorithm if mbedtls HKDF is supported.
+ * PSA HKDF EXTRACT and PSA HKDF EXPAND have minimal cost when
+ * PSA HKDF is enabled, so enable both algorithms together
+ * with PSA HKDF. */
#if defined(MBEDTLS_HKDF_C)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#define PSA_WANT_ALG_HMAC 1
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
#define PSA_WANT_ALG_HKDF 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
+#define PSA_WANT_ALG_HKDF_EXTRACT 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
+#define PSA_WANT_ALG_HKDF_EXPAND 1
#endif /* MBEDTLS_HKDF_C */
#if defined(MBEDTLS_MD_C)
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 9c8ec11..1c60ec8 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -225,6 +225,7 @@
* Uncomment a macro to enable alternate implementation of specific base
* platform function
*/
+//#define MBEDTLS_PLATFORM_SETBUF_ALT
//#define MBEDTLS_PLATFORM_EXIT_ALT
//#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
@@ -1184,8 +1185,9 @@
*
* Requires: MBEDTLS_PSA_CRYPTO_C
*
- * \warning This interface is experimental and may change or be removed
- * without notice.
+ * \warning This interface is experimental. We intend to maintain backward
+ * compatibility with application code that relies on drivers,
+ * but the driver interfaces may change without notice.
*/
//#define MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -1444,6 +1446,8 @@
* still ensure that certificates do not change during renegotiation,
* for example by keeping a hash of the peer's certificate.
*
+ * \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set.
+ *
* Comment this macro to disable storing the peer's certificate
* after the handshake.
*/
@@ -1502,8 +1506,16 @@
* See docs/architecture/tls13-support.md for a description of the TLS
* 1.3 support that this option enables.
*
- * Uncomment this macro to enable the support for TLS 1.3.
+ * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ * Requires: MBEDTLS_PSA_CRYPTO_C
*
+ * Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use
+ * PSA for all crypto operations, you need to also enable
+ * MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are
+ * common with TLS 1.2 (record protection, running handshake hash) will still
+ * use non-PSA crypto.
+ *
+ * Uncomment this macro to enable the support for TLS 1.3.
*/
//#define MBEDTLS_SSL_PROTO_TLS1_3
@@ -1758,12 +1770,11 @@
* \note See docs/use-psa-crypto.md for a complete description of what this
* option currently does, and of parts that are not affected by it so far.
*
- * \warning This option enables new Mbed TLS APIs which are currently
- * considered experimental and may change in incompatible ways at any time.
- * That is, the APIs enabled by this option are not covered by the usual
- * promises of API stability.
+ * \warning If you enable this option, you need to call `psa_crypto_init()`
+ * before calling any function from the SSL/TLS, X.509 or PK modules.
*
* Requires: MBEDTLS_PSA_CRYPTO_C.
+ * Conflicts with: MBEDTLS_ECP_RESTARTABLE
*
* Uncomment this to enable internal use of PSA Crypto and new associated APIs.
*/
@@ -2686,11 +2697,11 @@
/**
* \def MBEDTLS_PSA_CRYPTO_SE_C
*
- * Enable secure element support in the Platform Security Architecture
+ * Enable dynamic secure element support in the Platform Security Architecture
* cryptography API.
*
- * \warning This feature is not yet suitable for production. It is provided
- * for API evaluation and testing purposes only.
+ * \deprecated This feature is deprecated. Please switch to the driver
+ * interface enabled by #MBEDTLS_PSA_CRYPTO_DRIVERS.
*
* Module: library/psa_crypto_se.c
*
@@ -2813,9 +2824,9 @@
/**
* \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
*
- * Enable acceleration of the SHA-256 cryptographic hash algorithm with the
- * Arm A64 cryptographic extensions if they are available at runtime. If not,
- * it will fall back to the C implementation.
+ * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions if they are available at runtime.
+ * If not, the library will fall back to the C implementation.
*
* \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when building
* for a non-Aarch64 build it will be silently ignored.
@@ -2838,9 +2849,9 @@
/**
* \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
*
- * Enable acceleration of the SHA-256 cryptographic hash algorithm with the
- * Arm A64 cryptographic extensions, which must be available at runtime (or
- * an illegal instruction fault will occur).
+ * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions, which must be available at runtime
+ * or else an illegal instruction fault will occur.
*
* \note This allows builds with a smaller code size than with
* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
@@ -2896,9 +2907,9 @@
/**
* \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
*
- * Enable acceleration of the SHA-512 cryptographic hash algorithm with the
- * Arm A64 cryptographic extensions if they are available at runtime. If not,
- * it will fall back to the C implementation.
+ * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions if they are available at runtime.
+ * If not, the library will fall back to the C implementation.
*
* \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when building
* for a non-Aarch64 build it will be silently ignored.
@@ -2923,9 +2934,9 @@
/**
* \def MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
*
- * Enable acceleration of the SHA-512 cryptographic hash algorithm with the
- * Arm A64 cryptographic extensions, which must be available at runtime (or
- * an illegal instruction fault will occur).
+ * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms
+ * with the ARMv8 cryptographic extensions, which must be available at runtime
+ * or else an illegal instruction fault will occur.
*
* \note This allows builds with a smaller code size than with
* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
@@ -3318,6 +3329,7 @@
//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
@@ -3335,6 +3347,7 @@
//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf /**< Default setbuf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 207aed0..867961d 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -216,32 +216,6 @@
typedef void mbedtls_pk_restart_ctx;
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-#if defined(MBEDTLS_RSA_C)
-/**
- * Quick access to an RSA context inside a PK context.
- *
- * \warning You must make sure the PK context actually holds an RSA context
- * before using this function!
- */
-static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
-{
- return( (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
-}
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_ECP_C)
-/**
- * Quick access to an EC context inside a PK context.
- *
- * \warning You must make sure the PK context actually holds an EC context
- * before using this function!
- */
-static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk )
-{
- return( (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
-}
-#endif /* MBEDTLS_ECP_C */
-
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/**
* \brief Types for RSA-alt abstraction
@@ -735,6 +709,55 @@
*/
mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
+#if defined(MBEDTLS_RSA_C)
+/**
+ * Quick access to an RSA context inside a PK context.
+ *
+ * \warning This function can only be used when the type of the context, as
+ * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_RSA.
+ * Ensuring that is the caller's responsibility.
+ * Alternatively, you can check whether this function returns NULL.
+ *
+ * \return The internal RSA context held by the PK context, or NULL.
+ */
+static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
+{
+ switch( mbedtls_pk_get_type( &pk ) )
+ {
+ case MBEDTLS_PK_RSA:
+ return( (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
+ default:
+ return( NULL );
+ }
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * Quick access to an EC context inside a PK context.
+ *
+ * \warning This function can only be used when the type of the context, as
+ * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_ECKEY,
+ * #MBEDTLS_PK_ECKEY_DH, or #MBEDTLS_PK_ECDSA.
+ * Ensuring that is the caller's responsibility.
+ * Alternatively, you can check whether this function returns NULL.
+ *
+ * \return The internal EC context held by the PK context, or NULL.
+ */
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk )
+{
+ switch( mbedtls_pk_get_type( &pk ) )
+ {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return( (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
+ default:
+ return( NULL );
+ }
+}
+#endif /* MBEDTLS_ECP_C */
+
#if defined(MBEDTLS_PK_PARSE_C)
/** \ingroup pk_module */
/**
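Review bot: the `\warning` text on both accessors still says the function "can only be used when the type of the context ... is" the expected one, while the new `switch` on `mbedtls_pk_get_type( &pk )` and the `\return` line make a NULL return the documented contract for any other type (including a PSA-held opaque context, which previously would have had its handle reinterpreted as an RSA or EC context); soften the warning to "returns NULL otherwise" so callers are not told the check is their responsibility alone. A one-line comment that `&pk` refers to the by-value copy, kept for API compatibility, would also help the next reader, since `mbedtls_pk_get_type()` takes a pointer.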
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
index a598434..a5a43ac 100644
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@@ -91,6 +91,9 @@
#if !defined(MBEDTLS_PLATFORM_STD_FREE)
#define MBEDTLS_PLATFORM_STD_FREE free /**< The default \c free function to use. */
#endif
+#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
+#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< The default \c setbuf function to use. */
+#endif
#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
#define MBEDTLS_PLATFORM_STD_EXIT exit /**< The default \c exit function to use. */
#endif
@@ -277,6 +280,56 @@
#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
/*
+ * The function pointers for setbuf
+ */
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
+#include <stdio.h>
+/**
+ * \brief Function pointer to call for `setbuf()` functionality
+ * (changing the internal buffering on stdio calls).
+ *
+ * \note The library calls this function to disable
+ * buffering when reading or writing sensitive data,
+ * to avoid having extra copies of sensitive data
+ * remaining in stdio buffers after the file is
+ * closed. If this is not a concern, for example if
+ * your platform's stdio doesn't have any buffering,
+ * you can set mbedtls_setbuf to a function that
+ * does nothing.
+ *
+ * The library always calls this function with
+ * `buf` equal to `NULL`.
+ */
+extern void (*mbedtls_setbuf)( FILE *stream, char *buf );
+
+/**
+ * \brief Dynamically configure the function that is called
+ * when the mbedtls_setbuf() function is called by the
+ * library.
+ *
+ * \param setbuf_func The \c setbuf function implementation
+ *
+ * \return \c 0
+ */
+int mbedtls_platform_set_setbuf( void (*setbuf_func)(
+ FILE *stream, char *buf ) );
+#elif defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
+/**
+ * \brief Macro defining the function for the library to
+ * call for `setbuf` functionality (changing the
+ * internal buffering on stdio calls).
+ *
+ * \note See extra comments on the mbedtls_setbuf() function
+ * pointer above.
+ *
+ * \return \c 0 on success, negative on error.
+ */
+#define mbedtls_setbuf MBEDTLS_PLATFORM_SETBUF_MACRO
+#else
+#define mbedtls_setbuf setbuf
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT / MBEDTLS_PLATFORM_SETBUF_MACRO */
+
+/*
* The function pointers for exit
*/
#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
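Review bot: the `\return \c 0 on success, negative on error.` on the MBEDTLS_PLATFORM_SETBUF_MACRO documentation does not match what the macro stands in for: the ALT pointer is declared `void (*mbedtls_setbuf)( FILE *stream, char *buf )` and the default expansion is libc `setbuf`, neither of which returns a value, so the `\return` line should be dropped. Also, `#include <stdio.h>` is only pulled in under MBEDTLS_PLATFORM_SETBUF_ALT, yet the MACRO and default branches also produce a call taking a `FILE *`; unless the header already includes `<stdio.h>` earlier, the include belongs before the `#if`.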
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 79d7ddd..b3b5d47 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -647,6 +647,8 @@
MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY,
MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED,
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
+ MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO,
+ MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST,
}
mbedtls_ssl_states;
@@ -1494,6 +1496,10 @@
#if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_hs_cb_t MBEDTLS_PRIVATE(f_cert_cb); /*!< certificate selection callback */
#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+ const mbedtls_x509_crt *MBEDTLS_PRIVATE(dn_hints);/*!< acceptable client cert issuers */
+#endif
};
struct mbedtls_ssl_context
@@ -3126,6 +3132,26 @@
mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl );
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+/**
+ * \brief Set DN hints sent to client in CertificateRequest message
+ *
+ * \note If not set, subject distinguished names (DNs) are taken
+ * from \c mbedtls_ssl_conf_ca_chain()
+ * or \c mbedtls_ssl_set_hs_ca_chain())
+ *
+ * \param conf SSL configuration
+ * \param crt crt chain whose subject DNs are issuer DNs of client certs
+ * from which the client should select client peer certificate.
+ */
+static inline
+void mbedtls_ssl_conf_dn_hints( mbedtls_ssl_config *conf,
+ const mbedtls_x509_crt *crt )
+{
+ conf->MBEDTLS_PRIVATE(dn_hints) = crt;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
/**
* \brief Set the trusted certificate callback.
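Review bot: stray closing parenthesis in the `\note` of `mbedtls_ssl_conf_dn_hints()`: "or \c mbedtls_ssl_set_hs_ca_chain())" has one ")" too many. More importantly, the setter stores the pointer as-is (`conf->MBEDTLS_PRIVATE(dn_hints) = crt;`) without copying the chain, so the documentation should state that `crt` must remain valid for the lifetime of the configuration, as the CA chain setters do, and whether passing NULL restores the default of taking DNs from the CA chain.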
@@ -3650,6 +3676,21 @@
mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl );
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+/**
+ * \brief Set DN hints sent to client in CertificateRequest message
+ *
+ * \note Same as \c mbedtls_ssl_conf_dn_hints() but for use within
+ * the SNI callback or the certificate selection callback.
+ *
+ * \param ssl SSL context
+ * \param crt crt chain whose subject DNs are issuer DNs of client certs
+ * from which the client should select client peer certificate.
+ */
+void mbedtls_ssl_set_hs_dn_hints( mbedtls_ssl_context *ssl,
+ const mbedtls_x509_crt *crt );
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
/**
* \brief Set authmode for the current handshake.
*
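Review bot: `mbedtls_ssl_set_hs_dn_hints` should state whether the per-handshake hints override the `mbedtls_ssl_conf_dn_hints()` value only for the current handshake or persist on the context, and the same pointer-lifetime caveat applies here since the chain is not copied; the \param crt text repeats the awkward wording of the conf variant and should be reworded the same way.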
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index c770528..cd6ccbc 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -389,6 +389,10 @@
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg( const mbedtls_ssl_ciphersuite_t *info );
+psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage( const mbedtls_ssl_ciphersuite_t *info );
+#endif
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
#endif
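Review bot: `mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg` and `mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage` are new declarations in a public header without any doc comment; a short description of the return values, in particular what is returned for a ciphersuite that carries no signature (for example whether `PSA_ALG_NONE` and a zero usage mask are returned), would let callers handle that case explicitly.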
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 3c76fec..213efa0 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -267,6 +267,25 @@
int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn );
/**
+ * \brief Return the next relative DN in an X509 name.
+ *
+ * \note Intended use is to compare function result to dn->next
+ * in order to detect boundaries of multi-valued RDNs.
+ *
+ * \param dn Current node in the X509 name
+ *
+ * \return Pointer to the first attribute-value pair of the
+ * next RDN in sequence, or NULL if end is reached.
+ */
+static inline mbedtls_x509_name * mbedtls_x509_dn_get_next(
+ mbedtls_x509_name * dn )
+{
+ while( dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL )
+ dn = dn->next;
+ return( dn->next );
+}
+
+/**
* \brief Store the certificate serial in printable form into buf;
* no more than size characters will be written.
*
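Review bot: `mbedtls_x509_dn_get_next` dereferences `dn` without a NULL check, so the \param text should say that `dn` must not be NULL (the \return already covers the NULL result at the end of the sequence). Style: `mbedtls_x509_name * dn` and `mbedtls_x509_name * mbedtls_x509_dn_get_next(` put a space after `*`, unlike the surrounding declarations such as `const mbedtls_x509_name *dn`.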
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index e437750..991be96 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -67,6 +67,8 @@
#define PSA_WANT_ALG_ECDSA 1
#define PSA_WANT_ALG_GCM 1
#define PSA_WANT_ALG_HKDF 1
+#define PSA_WANT_ALG_HKDF_EXTRACT 1
+#define PSA_WANT_ALG_HKDF_EXPAND 1
#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_MD5 1
#define PSA_WANT_ALG_OFB 1
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 434554d..957b4c6 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -181,7 +181,9 @@
return( v );
}
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
typedef struct
{
uint8_t *MBEDTLS_PRIVATE(info);
@@ -197,7 +199,9 @@
uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE];
struct psa_mac_operation_s MBEDTLS_PRIVATE(hmac);
} psa_hkdf_key_derivation_t;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF ||
+ MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT ||
+ MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
@@ -254,7 +258,9 @@
{
/* Make the union non-empty even with no supported algorithms. */
uint8_t MBEDTLS_PRIVATE(dummy);
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
psa_hkdf_key_derivation_t MBEDTLS_PRIVATE(hkdf);
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
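Review bot: The three-way `defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || ..._HKDF_EXTRACT || ..._HKDF_EXPAND` guard is now repeated twice in this header, and `library/psa_crypto.c` in this same patch introduces `BUILTIN_ALG_ANY_HKDF` for exactly this condition; defining one equivalent helper macro that both the header and the .c file use would keep the guards from drifting apart.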
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index 2cf965d..e619cf5 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -70,38 +70,70 @@
*/
/** \brief Encoding of a key type.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_KEY_TYPE_xxx`.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
*/
typedef uint16_t psa_key_type_t;
/** The type of PSA elliptic curve family identifiers.
*
+ * Values of this type are generally constructed by macros called
+ * `PSA_ECC_FAMILY_xxx`.
+ *
* The curve identifier is required to create an ECC key using the
* PSA_KEY_TYPE_ECC_KEY_PAIR() or PSA_KEY_TYPE_ECC_PUBLIC_KEY()
* macros.
*
* Values defined by this standard will never be in the range 0x80-0xff.
* Vendors who define additional families must use an encoding in this range.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
*/
typedef uint8_t psa_ecc_family_t;
/** The type of PSA Diffie-Hellman group family identifiers.
*
+ * Values of this type are generally constructed by macros called
+ * `PSA_DH_FAMILY_xxx`.
+ *
* The group identifier is required to create an Diffie-Hellman key using the
* PSA_KEY_TYPE_DH_KEY_PAIR() or PSA_KEY_TYPE_DH_PUBLIC_KEY()
* macros.
*
* Values defined by this standard will never be in the range 0x80-0xff.
* Vendors who define additional families must use an encoding in this range.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
*/
typedef uint8_t psa_dh_family_t;
/** \brief Encoding of a cryptographic algorithm.
*
+ * Values of this type are generally constructed by macros called
+ * `PSA_ALG_xxx`.
+ *
* For algorithms that can be applied to multiple key types, this type
* does not encode the key type. For example, for symmetric ciphers
* based on a block cipher, #psa_algorithm_t encodes the block cipher
* mode and the padding mode while the block cipher itself is encoded
* via #psa_key_type_t.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
*/
typedef uint32_t psa_algorithm_t;
@@ -143,6 +175,14 @@
* #PSA_KEY_LIFETIME_PERSISTENT is supported if persistent storage is
* available. Other lifetime values may be supported depending on the
* library configuration.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_KEY_LIFETIME_xxx`.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
*/
typedef uint32_t psa_key_lifetime_t;
@@ -174,6 +214,11 @@
* \note Key persistence levels are 8-bit values. Key management
* interfaces operate on lifetimes (type ::psa_key_lifetime_t) which
* encode the persistence as the lower 8 bits of a 32-bit value.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
*/
typedef uint8_t psa_key_persistence_t;
@@ -210,6 +255,11 @@
* \note Key location indicators are 24-bit values. Key management
* interfaces operate on lifetimes (type ::psa_key_lifetime_t) which
* encode the location as the upper 24 bits of a 32-bit value.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
*/
typedef uint32_t psa_key_location_t;
@@ -221,9 +271,27 @@
* #PSA_KEY_ID_VENDOR_MIN to #PSA_KEY_ID_VENDOR_MAX.
* - 0 is reserved as an invalid key identifier.
* - Key identifiers outside these ranges are reserved for future use.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to how values are allocated must require careful
+ * consideration to allow backward compatibility.
*/
typedef uint32_t psa_key_id_t;
+/** Encoding of key identifiers as seen inside the PSA Crypto implementation.
+ *
+ * When PSA Crypto is built as a library inside an application, this type
+ * is identical to #psa_key_id_t. When PSA Crypto is built as a service
+ * that can store keys on behalf of multiple clients, this type
+ * encodes the #psa_key_id_t value seen by each client application as
+ * well as extra information that identifies the client that owns
+ * the key.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+*/
#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
typedef psa_key_id_t mbedtls_svc_key_id_t;
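Review bot: In the `mbedtls_svc_key_id_t` doc block the closing `+*/` is not aligned with the ` * ` lines of the comment body; make it ` */` like the other blocks in this hunk. In the `psa_key_id_t` \note, "Any changes to how values are allocated must require careful consideration" should read "require careful consideration" (or "must be considered carefully").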
@@ -247,7 +315,16 @@
* @{
*/
-/** \brief Encoding of permitted usage on a key. */
+/** \brief Encoding of permitted usage on a key.
+ *
+ * Values of this type are generally constructed as bitwise-ors of macros
+ * called `PSA_KEY_USAGE_xxx`.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
typedef uint32_t psa_key_usage_t;
/**@}*/
@@ -376,7 +453,11 @@
* @{
*/
-/** \brief Encoding of the step of a key derivation. */
+/** \brief Encoding of the step of a key derivation.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_KEY_DERIVATION_INPUT_xxx`.
+ */
typedef uint16_t psa_key_derivation_step_t;
/**@}*/
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index a360f27..b5f6501 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -12,6 +12,11 @@
* designations of cryptographic algorithms, and error codes returned by
* the library.
*
+ * Note that many of the constants defined in this file are embedded in
+ * the persistent key store, as part of key metadata (including usage
+ * policies). As a consequence, they must not be changed (unless the storage
+ * format version changes).
+ *
* This header file only defines preprocessor macros.
*/
/*
@@ -41,6 +46,18 @@
/* PSA error codes */
+/* Error codes are standardized across PSA domains (framework, crypto, storage,
+ * etc.). Do not change the values in this section or even the expansions
+ * of each macro: it must be possible to `#include` both this header
+ * and some other PSA component's headers in the same C source,
+ * which will lead to duplicate definitions of the `PSA_SUCCESS` and
+ * `PSA_ERROR_xxx` macros, which is ok if and only if the macros expand
+ * to the same sequence of tokens.
+ *
+ * If you must add a new
+ * value, check with the Arm PSA framework group to pick one that other
+ * domains aren't already using. */
+
/** The action was completed successfully. */
#define PSA_SUCCESS ((psa_status_t)0)
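Review bot: The line break after "If you must add a new" leaves a two-word line in the middle of the paragraph; reflow the error-code comment so the sentence wraps at the same width as the lines above it.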
@@ -317,6 +334,12 @@
* @{
*/
+/* Note that key type values, including ECC family and DH group values, are
+ * embedded in the persistent key store, as part of key metadata. As a
+ * consequence, they must not be changed (unless the storage format version
+ * changes).
+ */
+
/** An invalid key type value.
*
* Zero is not the encoding of any key type.
@@ -719,6 +742,11 @@
1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \
0u)
+/* Note that algorithm values are embedded in the persistent key store,
+ * as part of key metadata. As a consequence, they must not be changed
+ * (unless the storage format version changes).
+ */
+
/** Vendor-defined algorithm flag.
*
* Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG
@@ -1743,6 +1771,12 @@
* You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before
* starting to generate output.
*
+ * \warning HKDF processes the salt as follows: first hash it with hash_alg
+ * if the salt is longer than the block size of the hash algorithm; then
+ * pad with null bytes up to the block size. As a result, it is possible
+ * for distinct salt inputs to result in the same outputs. To ensure
+ * unique outputs, it is recommended to use a fixed length for salt values.
+ *
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true).
*
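Review bot: The new \warning describes HMAC's key preprocessing (hash the key if it is longer than the block size, then zero-pad to the block size), which applies because HKDF-Extract uses the salt as the HMAC key; saying so explicitly ("because the salt is used as the HMAC key") would make the warning self-explanatory, as would spelling out the consequence that a salt and the same salt followed by zero bytes up to the block size produce the same PRK. Adjacent context line: "steup" is a typo for "setup" and could be fixed while this block is being touched.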
@@ -1768,6 +1802,112 @@
#define PSA_ALG_HKDF_GET_HASH(hkdf_alg) \
(PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
+#define PSA_ALG_HKDF_EXTRACT_BASE ((psa_algorithm_t)0x08000400)
+/** Macro to build an HKDF-Extract algorithm.
+ *
+ * For example, `PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA256)` is
+ * HKDF-Extract using HMAC-SHA-256.
+ *
+ * This key derivation algorithm uses the following inputs:
+ * - PSA_KEY_DERIVATION_INPUT_SALT is the salt.
+ * - PSA_KEY_DERIVATION_INPUT_SECRET is the input keying material used in the
+ * "extract" step.
+ * The inputs are mandatory and must be passed in the order above.
+ * Each input may only be passed once.
+ *
+ * \warning HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF
+ * should be used instead if possible. PSA_ALG_HKDF_EXTRACT is provided
+ * as a separate algorithm for the sake of protocols that use it as a
+ * building block. It may also be a slight performance optimization
+ * in applications that use HKDF with the same salt and key but many
+ * different info strings.
+ *
+ * \warning HKDF processes the salt as follows: first hash it with hash_alg
+ * if the salt is longer than the block size of the hash algorithm; then
+ * pad with null bytes up to the block size. As a result, it is possible
+ * for distinct salt inputs to result in the same outputs. To ensure
+ * unique outputs, it is recommended to use a fixed length for salt values.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding HKDF-Extract algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_HKDF_EXTRACT(hash_alg) \
+ (PSA_ALG_HKDF_EXTRACT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+/** Whether the specified algorithm is an HKDF-Extract algorithm.
+ *
+ * HKDF-Extract is a family of key derivation algorithms that are based
+ * on a hash function and the HMAC construction.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is an HKDF-Extract algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_HKDF_EXTRACT(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE)
+
+#define PSA_ALG_HKDF_EXPAND_BASE ((psa_algorithm_t)0x08000500)
+/** Macro to build an HKDF-Expand algorithm.
+ *
+ * For example, `PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA256)` is
+ * HKDF-Expand using HMAC-SHA-256.
+ *
+ * This key derivation algorithm uses the following inputs:
+ * - PSA_KEY_DERIVATION_INPUT_SECRET is the pseudorandom key (PRK).
+ * - PSA_KEY_DERIVATION_INPUT_INFO is the info string.
+ *
+ * The inputs are mandatory and must be passed in the order above.
+ * Each input may only be passed once.
+ *
+ * \warning HKDF-Expand is not meant to be used on its own. `PSA_ALG_HKDF`
+ * should be used instead if possible. `PSA_ALG_HKDF_EXPAND` is provided as
+ * a separate algorithm for the sake of protocols that use it as a building
+ * block. It may also be a slight performance optimization in applications
+ * that use HKDF with the same salt and key but many different info strings.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding HKDF-Expand algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_HKDF_EXPAND(hash_alg) \
+ (PSA_ALG_HKDF_EXPAND_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+/** Whether the specified algorithm is an HKDF-Expand algorithm.
+ *
+ * HKDF-Expand is a family of key derivation algorithms that are based
+ * on a hash function and the HMAC construction.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is an HKDF-Expand algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_HKDF_EXPAND(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
+
+/** Whether the specified algorithm is an HKDF or HKDF-Extract or
+ * HKDF-Expand algorithm.
+ *
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is any HKDF type algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_ANY_HKDF(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE || \
+ ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE || \
+ ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
+
#define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t)0x08000200)
/** Macro to build a TLS-1.2 PRF algorithm.
*
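Review bot: The `PSA_ALG_HKDF_EXPAND` documentation does not say that the `PSA_KEY_DERIVATION_INPUT_SECRET` (PRK) must be exactly the hash length, yet `psa_hkdf_input` in this patch rejects any other length with `PSA_ERROR_INVALID_ARGUMENT`; add that constraint to the inputs list. Its \warning is copied from HKDF-Extract ("use HKDF with the same salt and key but many different info strings"); for Expand the optimisation is reusing one PRK with many info strings, which would read more naturally. The `PSA_ALG_IS_ANY_HKDF` doc block has a stray empty ` *` line before \param.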
@@ -2097,6 +2237,11 @@
* @{
*/
+/* Note that location and persistence level values are embedded in the
+ * persistent key store, as part of key metadata. As a consequence, they
+ * must not be changed (unless the storage format version changes).
+ */
+
/** The default lifetime for volatile keys.
*
* A volatile key only exists as long as the identifier to it is not destroyed.
@@ -2212,6 +2357,11 @@
#define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000)
+/* Note that key identifier values are embedded in the
+ * persistent key store, as part of key metadata. As a consequence, they
+ * must not be changed (unless the storage format version changes).
+ */
+
/** The null key identifier.
*/
#define PSA_KEY_ID_NULL ((psa_key_id_t)0)
@@ -2323,6 +2473,11 @@
* @{
*/
+/* Note that key usage flags are embedded in the
+ * persistent key store, as part of key metadata. As a consequence, they
+ * must not be changed (unless the storage format version changes).
+ */
+
/** Whether the key may be exported.
*
* A public key or the public part of a key pair may always be exported
@@ -2449,6 +2604,9 @@
* @{
*/
+/* Key input steps are not embedded in the persistent storage, so you can
+ * change them if needed: it's only an ABI change. */
+
/** A secret input for key derivation.
*
* This should be a key of type #PSA_KEY_TYPE_DERIVE
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index d08de59..0884f57 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -274,7 +274,7 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.1.0 SOVERSION 11)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.2.1 SOVERSION 12)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET everest)
@@ -282,11 +282,11 @@
endif()
add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.1.0 SOVERSION 4)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.2.1 SOVERSION 4)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.1.0 SOVERSION 17)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.2.1 SOVERSION 18)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
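Review bot: The SOVERSION bumps (mbedcrypto 11 to 12, mbedtls 17 to 18, mbedx509 unchanged at 4) match the `SOEXT_*` values in the `library/Makefile` hunk of this patch, so the two build systems stay consistent; leaving mbedx509 at 4 is consistent with the only `x509.h` change being a `static inline` function, which adds no exported symbol.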
diff --git a/library/Makefile b/library/Makefile
index d267e05..f5ff474 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -47,9 +47,9 @@
endif
endif
-SOEXT_TLS=so.17
+SOEXT_TLS=so.18
SOEXT_X509=so.4
-SOEXT_CRYPTO=so.11
+SOEXT_CRYPTO=so.12
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
# the - prefix for command line options (e.g. llvm-ar)
diff --git a/library/asn1write.c b/library/asn1write.c
index 2110052..053dbb6 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -133,6 +133,11 @@
//
len = mbedtls_mpi_size( X );
+ /* DER represents 0 with a sign bit (0=nonnegative) and 7 value bits, not
+ * as 0 digits. We need to end up with 020100, not with 0200. */
+ if( len == 0 )
+ len = 1;
+
if( *p < start || (size_t)( *p - start ) < len )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
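Review bot: Forcing `len = 1` for a zero mpi fixes the encoded length, but the result is only correct if the write that follows actually emits a 0x00 content byte for an mpi whose size is 0 rather than writing nothing; a unit test that encodes zero and checks for the bytes `02 01 00` named in the comment would pin this down.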
diff --git a/library/bignum.c b/library/bignum.c
index 11acc01..8717c8a 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1785,7 +1785,7 @@
/*
* handle trivial cases
*/
- if( b == 1 )
+ if( b == 1 || A->n == 0 )
{
*r = 0;
return( 0 );
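Review bot: Adding `A->n == 0` to the trivial cases is correct because an mpi with no limbs represents zero, and it must stay ahead of any access to `A->p`, which this placement guarantees; a short comment saying that the zero-limb case represents zero would help, since `b == 1` and `A->n == 0` are otherwise unrelated conditions sharing one branch.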
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 23ea07b..43f490e 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -607,6 +607,9 @@
if( ( f = fopen( path, "wb" ) ) == NULL )
return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
if( ( ret = mbedtls_ctr_drbg_random( ctx, buf,
MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
goto exit;
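Review bot: `mbedtls_setbuf( f, NULL )` is correctly placed immediately after `fopen` and before the first I/O, which `setbuf` requires to take effect; since the same two-line pattern is replicated across several files in this patch, the comment should say that it must precede any read or write so a later refactor does not move it. It also only removes the stdio copy: the caller's own `buf` still needs wiping on every exit path.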
@@ -640,6 +643,9 @@
if( ( f = fopen( path, "rb" ) ) == NULL )
return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
n = fread( buf, 1, sizeof( buf ), f );
if( fread( &c, 1, 1, f ) != 0 )
{
diff --git a/library/dhm.c b/library/dhm.c
index 2ce0ed4..1e95bda 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -620,6 +620,7 @@
if( ( f = fopen( path, "rb" ) ) == NULL )
return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+ /* The data loaded here is public, so don't bother disabling buffering. */
fseek( f, 0, SEEK_END );
if( ( size = ftell( f ) ) == -1 )
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 6b8ff5c..51956cd 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -4737,6 +4737,8 @@
ECP_VALIDATE_RET( grp != NULL );
mbedtls_ecp_group_free( grp );
+ mbedtls_ecp_group_init( grp );
+
grp->id = id;
switch( id )
diff --git a/library/entropy.c b/library/entropy.c
index 9e31f84..08c5bd7 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -457,6 +457,9 @@
goto exit;
}
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
if( fwrite( buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f ) != MBEDTLS_ENTROPY_BLOCK_SIZE )
{
ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
@@ -484,6 +487,9 @@
if( ( f = fopen( path, "rb" ) ) == NULL )
return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
fseek( f, 0, SEEK_END );
n = (size_t) ftell( f );
fseek( f, 0, SEEK_SET );
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index 058c307..2ae57fd 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -35,7 +35,7 @@
#if defined(MBEDTLS_TIMING_C)
#include "mbedtls/timing.h"
#endif
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if defined(MBEDTLS_ENTROPY_NV_SEED) || !defined(HAVE_SYSCTL_ARND)
#include "mbedtls/platform.h"
#endif
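Review bot: Tying the `mbedtls/platform.h` include to `!defined(HAVE_SYSCTL_ARND)` is implicit coupling: it is presumably needed for the `mbedtls_setbuf` call added at the `fread( output, 1, len, file )` site, which lives in the file-based path, but nothing says so; a comment naming `mbedtls_setbuf` as the reason would make the condition self-explanatory.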
@@ -195,6 +195,9 @@
if( file == NULL )
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( file, NULL );
+
read_len = fread( output, 1, len, file );
if( read_len != len )
{
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index ab353bf..8b13a86 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -436,6 +436,9 @@
if( ( f = fopen( path, "wb" ) ) == NULL )
return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
if( ( ret = mbedtls_hmac_drbg_random( ctx, buf, sizeof( buf ) ) ) != 0 )
goto exit;
@@ -465,6 +468,9 @@
if( ( f = fopen( path, "rb" ) ) == NULL )
return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
n = fread( buf, 1, sizeof( buf ), f );
if( fread( &c, 1, 1, f ) != 0 )
{
diff --git a/library/md.c b/library/md.c
index f2c1a90..a387da5 100644
--- a/library/md.c
+++ b/library/md.c
@@ -605,6 +605,9 @@
if( ( f = fopen( path, "rb" ) ) == NULL )
return( MBEDTLS_ERR_MD_FILE_IO_ERROR );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
mbedtls_md_init( &ctx );
if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
diff --git a/library/pkparse.c b/library/pkparse.c
index 68727ec..73d59a6 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -82,6 +82,9 @@
if( ( f = fopen( path, "rb" ) ) == NULL )
return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( f, NULL );
+
fseek( f, 0, SEEK_END );
if( ( size = ftell( f ) ) == -1 )
{
@@ -1454,10 +1457,16 @@
{
p = pem.buf;
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
+ {
+ mbedtls_pem_free( &pem );
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+ }
if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
+ {
+ mbedtls_pem_free( &pem );
return( ret );
+ }
if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
mbedtls_pk_free( ctx );
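Review bot: Freeing `pem` on the two new early-return paths closes a leak, but the path immediately after them, where `pk_get_rsapubkey` fails, only shows `mbedtls_pk_free( ctx )` in the visible lines; confirm that `mbedtls_pem_free( &pem )` also runs on that path, and consider a single cleanup label instead of three copies of the free-and-return sequence.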
diff --git a/library/platform.c b/library/platform.c
index e742fde..6151e6c 100644
--- a/library/platform.c
+++ b/library/platform.c
@@ -226,6 +226,28 @@
}
#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_setbuf_uninit( FILE *stream, char *buf )
+{
+ ((void) stream);
+ ((void) buf);
+}
+
+#define MBEDTLS_PLATFORM_STD_SETBUF platform_setbuf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SETBUF */
+void (*mbedtls_setbuf)( FILE *stream, char *buf ) = MBEDTLS_PLATFORM_STD_SETBUF;
+
+int mbedtls_platform_set_setbuf( void (*setbuf_func)( FILE *stream, char *buf ) )
+{
+ mbedtls_setbuf = setbuf_func;
+ return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
+
#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
/*
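Review bot: When `MBEDTLS_PLATFORM_SETBUF_ALT` is enabled and `MBEDTLS_PLATFORM_STD_SETBUF` is not defined, the default `platform_setbuf_uninit` silently does nothing, so every "Ensure no stdio buffering of secrets" call in this patch is a no-op until the application calls `mbedtls_platform_set_setbuf()`; that should be stated in the comment (and in the option's documentation) rather than left as "prevent NULL pointer dereferences". Also `mbedtls_platform_set_setbuf` stores `setbuf_func` without a NULL check, which would turn the later `mbedtls_setbuf( f, NULL )` calls into a call through a NULL function pointer.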
@@ -288,6 +310,9 @@
if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb" ) ) == NULL )
return( -1 );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( file, NULL );
+
if( ( n = fread( buf, 1, buf_len, file ) ) != buf_len )
{
fclose( file );
@@ -307,6 +332,9 @@
if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w" ) ) == NULL )
return -1;
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( file, NULL );
+
if( ( n = fwrite( buf, 1, buf_len, file ) ) != buf_len )
{
fclose( file );
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c3af7aa..b0116dd 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -88,6 +88,12 @@
#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+#define BUILTIN_ALG_ANY_HKDF 1
+#endif
+
/****************************************************************/
/* Global data, support functions and library management */
/****************************************************************/
@@ -4235,13 +4241,13 @@
/* Generators */
/****************************************************************/
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+#if defined(BUILTIN_ALG_ANY_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
#define AT_LEAST_ONE_BUILTIN_KDF
#endif /* At least one builtin KDF */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+#if defined(BUILTIN_ALG_ANY_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
static psa_status_t psa_key_derivation_start_hmac(
@@ -4294,14 +4300,14 @@
* nothing to do. */
}
else
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
- if( PSA_ALG_IS_HKDF( kdf_alg ) )
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if( PSA_ALG_IS_ANY_HKDF( kdf_alg ) )
{
mbedtls_free( operation->ctx.hkdf.info );
status = psa_mac_abort( &operation->ctx.hkdf.hmac );
}
else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#endif /* BUILTIN_ALG_ANY_HKDF */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
@@ -4375,19 +4381,29 @@
return( PSA_SUCCESS );
}
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
-/* Read some bytes from an HKDF-based operation. This performs a chunk
- * of the expand phase of the HKDF algorithm. */
+#if defined(BUILTIN_ALG_ANY_HKDF)
+/* Read some bytes from an HKDF-based operation. */
static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkdf,
- psa_algorithm_t hash_alg,
+ psa_algorithm_t kdf_alg,
uint8_t *output,
size_t output_length )
{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
uint8_t hash_length = PSA_HASH_LENGTH( hash_alg );
size_t hmac_output_length;
psa_status_t status;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) ? 0 : 0xff;
+#else
+ const uint8_t last_block = 0xff;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
- if( hkdf->state < HKDF_STATE_KEYED || ! hkdf->info_set )
+ if( hkdf->state < HKDF_STATE_KEYED ||
+ ( !hkdf->info_set
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ && !PSA_ALG_IS_HKDF_EXTRACT( kdf_alg )
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ ) )
return( PSA_ERROR_BAD_STATE );
hkdf->state = HKDF_STATE_OUTPUT;
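Review bot: `last_block` of 0 for HKDF-Extract relies on the capacity being set to `hash_size` in the setup change elsewhere in this patch, so that block 0 (the PRK) is the only block ever produced; a comment tying the two together would help, because on its own the `hkdf->block_number == last_block` check reads like an independent boundary condition. The relaxed state check (`!hkdf->info_set` only matters when the algorithm is not Extract) is consistent with the new input rules.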
@@ -4403,12 +4419,12 @@
hkdf->offset_in_block += n;
if( output_length == 0 )
break;
- /* We can't be wanting more output after block 0xff, otherwise
+ /* We can't be wanting more output after the last block, otherwise
* the capacity check in psa_key_derivation_output_bytes() would have
* prevented this call. It could happen only if the operation
* object was corrupted or if this function is called directly
* inside the library. */
- if( hkdf->block_number == 0xff )
+ if( hkdf->block_number == last_block )
return( PSA_ERROR_BAD_STATE );
/* We need a new block */
@@ -4449,7 +4465,7 @@
return( PSA_SUCCESS );
}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#endif /* BUILTIN_ALG_ANY_HKDF */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
@@ -4649,15 +4665,14 @@
}
operation->capacity -= output_length;
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
- if( PSA_ALG_IS_HKDF( kdf_alg ) )
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if( PSA_ALG_IS_ANY_HKDF( kdf_alg ) )
{
- psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
- status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, hash_alg,
+ status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, kdf_alg,
output, output_length );
}
else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#endif /* BUILTIN_ALG_ANY_HKDF */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
@@ -5046,6 +5061,14 @@
if( PSA_ALG_IS_HKDF( kdf_alg ) )
return( 1 );
#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) )
+ return( 1 );
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
+ return( 1 );
+#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
return( 1 );
@@ -5097,8 +5120,12 @@
{
return( PSA_ERROR_NOT_SUPPORTED );
}
-
- operation->capacity = 255 * hash_size;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) )
+ operation->capacity = hash_size;
+ else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ operation->capacity = 255 * hash_size;
return( PSA_SUCCESS );
}
@@ -5152,17 +5179,22 @@
return( status );
}
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+#if defined(BUILTIN_ALG_ANY_HKDF)
static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
- psa_algorithm_t hash_alg,
+ psa_algorithm_t kdf_alg,
psa_key_derivation_step_t step,
const uint8_t *data,
size_t data_length )
{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
psa_status_t status;
switch( step )
{
case PSA_KEY_DERIVATION_INPUT_SALT:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
if( hkdf->state != HKDF_STATE_INIT )
return( PSA_ERROR_BAD_STATE );
else
@@ -5176,33 +5208,82 @@
return( PSA_SUCCESS );
}
case PSA_KEY_DERIVATION_INPUT_SECRET:
- /* If no salt was provided, use an empty salt. */
- if( hkdf->state == HKDF_STATE_INIT )
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
{
- status = psa_key_derivation_start_hmac( &hkdf->hmac,
- hash_alg,
- NULL, 0 );
+ /* We shouldn't be in different state as HKDF_EXPAND only allows
+ * two inputs: SECRET (this case) and INFO which does not modify
+ * the state. It could happen only if the hkdf
+ * object was corrupted. */
+ if( hkdf->state != HKDF_STATE_INIT )
+ return( PSA_ERROR_BAD_STATE );
+
+ /* Allow only input that fits expected prk size */
+ if( data_length != PSA_HASH_LENGTH( hash_alg ) )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
+ memcpy( hkdf->prk, data, data_length );
+ }
+ else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
+ {
+ /* HKDF: If no salt was provided, use an empty salt.
+ * HKDF-EXTRACT: salt is mandatory. */
+ if( hkdf->state == HKDF_STATE_INIT )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) )
+ return( PSA_ERROR_BAD_STATE );
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ status = psa_key_derivation_start_hmac( &hkdf->hmac,
+ hash_alg,
+ NULL, 0 );
+ if( status != PSA_SUCCESS )
+ return( status );
+ hkdf->state = HKDF_STATE_STARTED;
+ }
+ if( hkdf->state != HKDF_STATE_STARTED )
+ return( PSA_ERROR_BAD_STATE );
+ status = psa_mac_update( &hkdf->hmac,
+ data, data_length );
if( status != PSA_SUCCESS )
return( status );
- hkdf->state = HKDF_STATE_STARTED;
+ status = psa_mac_sign_finish( &hkdf->hmac,
+ hkdf->prk,
+ sizeof( hkdf->prk ),
+ &data_length );
+ if( status != PSA_SUCCESS )
+ return( status );
}
- if( hkdf->state != HKDF_STATE_STARTED )
- return( PSA_ERROR_BAD_STATE );
- status = psa_mac_update( &hkdf->hmac,
- data, data_length );
- if( status != PSA_SUCCESS )
- return( status );
- status = psa_mac_sign_finish( &hkdf->hmac,
- hkdf->prk,
- sizeof( hkdf->prk ),
- &data_length );
- if( status != PSA_SUCCESS )
- return( status );
- hkdf->offset_in_block = PSA_HASH_LENGTH( hash_alg );
- hkdf->block_number = 0;
+
hkdf->state = HKDF_STATE_KEYED;
+ hkdf->block_number = 0;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) )
+ {
+ /* The only block of output is the PRK. */
+ memcpy( hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH( hash_alg ) );
+ hkdf->offset_in_block = 0;
+ }
+ else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ {
+ /* Block 0 is empty, and the next block will be
+ * generated by psa_key_derivation_hkdf_read(). */
+ hkdf->offset_in_block = PSA_HASH_LENGTH( hash_alg );
+ }
+
return( PSA_SUCCESS );
case PSA_KEY_DERIVATION_INPUT_INFO:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) &&
+ hkdf->state == HKDF_STATE_INIT )
+ return( PSA_ERROR_BAD_STATE );
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
if( hkdf->state == HKDF_STATE_OUTPUT )
return( PSA_ERROR_BAD_STATE );
if( hkdf->info_set )
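Review bot: the closing guard after the HKDF-Expand check in the `PSA_KEY_DERIVATION_INPUT_INFO` case is mislabelled: `#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)` is closed by `#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */`; it should read `#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */`. Two smaller points in the same hunk: the comment "We shouldn't be in different state as HKDF_EXPAND only allows two inputs" needs "a different state", and it says INFO "does not modify the state", yet the INFO case below returns `PSA_ERROR_BAD_STATE` for HKDF-Expand while still in `HKDF_STATE_INIT`, so the comment should say that INFO is only accepted after SECRET rather than that it is state-free. The `data_length != PSA_HASH_LENGTH( hash_alg )` check before the `memcpy` into `hkdf->prk` is the right bound for the Expand-only PRK input.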
@@ -5221,7 +5302,7 @@
return( PSA_ERROR_INVALID_ARGUMENT );
}
}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#endif /* BUILTIN_ALG_ANY_HKDF */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
@@ -5486,15 +5567,14 @@
if( status != PSA_SUCCESS )
goto exit;
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
- if( PSA_ALG_IS_HKDF( kdf_alg ) )
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if( PSA_ALG_IS_ANY_HKDF( kdf_alg ) )
{
- status = psa_hkdf_input( &operation->ctx.hkdf,
- PSA_ALG_HKDF_GET_HASH( kdf_alg ),
+ status = psa_hkdf_input( &operation->ctx.hkdf, kdf_alg,
step, data, data_length );
}
else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
+#endif /* BUILTIN_ALG_ANY_HKDF */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
{
diff --git a/library/psa_its_file.c b/library/psa_its_file.c
index f058720..b7c2e6b 100644
--- a/library/psa_its_file.c
+++ b/library/psa_its_file.c
@@ -102,6 +102,9 @@
if( *p_stream == NULL )
return( PSA_ERROR_DOES_NOT_EXIST );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( *p_stream, NULL );
+
n = fread( &header, 1, sizeof( header ), *p_stream );
if( n != sizeof( header ) )
return( PSA_ERROR_DATA_CORRUPT );
@@ -201,9 +204,13 @@
psa_its_fill_filename( uid, filename );
stream = fopen( PSA_ITS_STORAGE_TEMP, "wb" );
+
if( stream == NULL )
goto exit;
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( stream, NULL );
+
status = PSA_ERROR_INSUFFICIENT_STORAGE;
n = fwrite( &header, 1, sizeof( header ), stream );
if( n != sizeof( header ) )
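Review bot: the added blank line directly after `stream = fopen( PSA_ITS_STORAGE_TEMP, "wb" );` is an unrelated whitespace change and can be dropped to keep the diff minimal. The `mbedtls_setbuf( stream, NULL )` call itself is correctly placed after the NULL check and before the first `fwrite`, which is required for disabling buffering to take effect; the same ordering holds for the read path in the previous hunk.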
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index fe4f30c..6505e11 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -50,6 +50,7 @@
#endif
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cache_find_entry( mbedtls_ssl_cache_context *cache,
unsigned char const *session_id,
size_t session_id_len,
@@ -124,6 +125,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cache_pick_writing_slot( mbedtls_ssl_cache_context *cache,
unsigned char const *session_id,
size_t session_id_len,
@@ -312,7 +314,11 @@
#endif
if( session_serialized != NULL )
+ {
mbedtls_platform_zeroize( session_serialized, session_serialized_len );
+ mbedtls_free( session_serialized );
+ session_serialized = NULL;
+ }
return( ret );
}
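Review bot: adding `mbedtls_free( session_serialized )` after the `mbedtls_platform_zeroize` call closes a leak of the serialized session buffer on every path through this function, and zeroizing before freeing is the right order for key material. The `session_serialized = NULL;` immediately before `return( ret );` is a dead store since the variable goes out of scope, so it can be omitted; keeping it is harmless if the file's style prefers nulling freed pointers.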
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 7deb57a..835159e 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1778,6 +1778,7 @@
static int supported_ciphersuites[MAX_CIPHERSUITES];
static int supported_init = 0;
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
{
(void)cs_info;
@@ -1921,11 +1922,57 @@
}
}
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg( const mbedtls_ssl_ciphersuite_t *info )
{
switch( info->key_exchange )
{
case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return( PSA_ALG_RSA_PKCS1V15_CRYPT );
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ return( PSA_ALG_RSA_PKCS1V15_SIGN(
+ mbedtls_psa_translate_md( info->mac ) ) );
+
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return( PSA_ALG_ECDSA( mbedtls_psa_translate_md( info->mac ) ) );
+
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return( PSA_ALG_ECDH );
+
+ default:
+ return( PSA_ALG_NONE );
+ }
+}
+
+psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return( PSA_KEY_USAGE_DECRYPT );
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return( PSA_KEY_USAGE_SIGN_HASH );
+
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return( PSA_KEY_USAGE_DERIVE );
+
+ default:
+ return( 0 );
+ }
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return( MBEDTLS_PK_RSA );
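Review bot: the two new functions `mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg` and `mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage` have no doc comment, and the `sig_pk` in their names does not match what they return for several cases: `PSA_ALG_RSA_PKCS1V15_CRYPT` / `PSA_KEY_USAGE_DECRYPT` for `MBEDTLS_KEY_EXCHANGE_RSA` and `RSA_PSK`, and `PSA_ALG_ECDH` / `PSA_KEY_USAGE_DERIVE` for the static ECDH suites are key-agreement and decryption policies, not signature ones. A name such as "server key psa alg/usage" plus a comment stating that the result is the algorithm and usage the server's private key must be permitted for under this ciphersuite would make the intent clear. Also worth a note in that comment: for the DHE/ECDHE cases the hash passed to `PSA_ALG_RSA_PKCS1V15_SIGN` and `PSA_ALG_ECDSA` is `mbedtls_psa_translate_md( info->mac )`, the ciphersuite's MAC hash, whereas the hash actually used in the TLS 1.2 ServerKeyExchange signature comes from the negotiated signature_algorithms; if a key policy is built from this value, confirm that is the intended binding.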
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 22ca57c..20f1aff 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -46,6 +46,7 @@
#include "ssl_debug_helpers.h"
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -129,6 +130,7 @@
* } ProtocolNameList;
*
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -226,6 +228,7 @@
*
* DHE groups are not supported yet.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -308,6 +311,7 @@
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_client_hello_cipher_suites(
mbedtls_ssl_context *ssl,
unsigned char *buf,
@@ -424,6 +428,7 @@
* };
* } ClientHello;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -654,6 +659,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_generate_random( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -691,6 +697,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl )
{
int ret;
diff --git a/library/ssl_client.h b/library/ssl_client.h
index 8e0c216..be4d067 100644
--- a/library/ssl_client.h
+++ b/library/ssl_client.h
@@ -28,6 +28,7 @@
#include <stddef.h>
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_CLIENT_H */
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index 0f2bc60..4b2d2d2 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -160,6 +160,7 @@
/*
* Generate the HMAC part of a cookie
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
const unsigned char time[4],
unsigned char **p, unsigned char *end,
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index b1f0c90..39a47ca 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -381,11 +381,38 @@
* \return Zero if the needed space is available in the buffer, non-zero
* otherwise.
*/
+#if ! defined(MBEDTLS_TEST_HOOKS)
static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
const uint8_t *end, size_t need )
{
return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
}
+#else
+typedef struct
+{
+ const uint8_t *cur;
+ const uint8_t *end;
+ size_t need;
+} mbedtls_ssl_chk_buf_ptr_args;
+
+void mbedtls_ssl_set_chk_buf_ptr_fail_args(
+ const uint8_t *cur, const uint8_t *end, size_t need );
+void mbedtls_ssl_reset_chk_buf_ptr_fail_args( void );
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_cmp_chk_buf_ptr_fail_args( mbedtls_ssl_chk_buf_ptr_args *args );
+
+static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
+ const uint8_t *end, size_t need )
+{
+ if( ( cur > end ) || ( need > (size_t)( end - cur ) ) )
+ {
+ mbedtls_ssl_set_chk_buf_ptr_fail_args( cur, end, need );
+ return( 1 );
+ }
+ return( 0 );
+}
+#endif /* MBEDTLS_TEST_HOOKS */
/**
* \brief This macro checks if the remaining size in a buffer is
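Review bot: `#if ! defined(MBEDTLS_TEST_HOOKS)` uses a space after `!`, unlike the `#if !defined(...)` form used elsewhere in this file (for example the `MBEDTLS_USE_PSA_CRYPTO` guard further down). More substantively, the bounds expression `( cur > end ) || ( need > (size_t)( end - cur ) )` is now duplicated in both variants of `mbedtls_ssl_chk_buf_ptr`, so any future change to the check must be made twice; having the non-hook build define `mbedtls_ssl_set_chk_buf_ptr_fail_args` away to a no-op would let one function body serve both configurations. The new struct and the three hook prototypes also lack a short comment saying they exist only so tests can assert which check failed.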
@@ -850,6 +877,9 @@
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const unsigned char *sni_name; /*!< raw SNI */
size_t sni_name_len; /*!< raw SNI len */
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+ const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
+#endif
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
};
@@ -1099,6 +1129,7 @@
* (<> 0) or not ( 0 ).
* \param[out] out_len Length of the data written into the buffer \p buf
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -1150,7 +1181,9 @@
void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
@@ -1159,15 +1192,19 @@
ssl->state = ( int ) state;
}
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
@@ -1247,16 +1284,20 @@
* following the above definition.
*
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
unsigned update_hs_digest );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
/*
* Write handshake message header
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
unsigned char **buf, size_t *buf_len );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
int update_checksum,
int force_flush );
@@ -1268,19 +1309,28 @@
/*
* Write handshake message tail
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
size_t buf_len, size_t msg_len );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
@@ -1296,10 +1346,12 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
mbedtls_key_exchange_type_t key_ex );
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
#endif
@@ -1367,11 +1419,14 @@
unsigned char mbedtls_ssl_hash_from_md_alg( int md );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
#endif
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
#if defined(MBEDTLS_ECP_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
#endif
@@ -1426,6 +1481,7 @@
*
* Return 0 if everything is OK, -1 if not.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
int cert_endpoint,
@@ -1474,21 +1530,26 @@
#if defined(MBEDTLS_SSL_PROTO_DTLS)
void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
#endif
/* Visible for testing purposes only */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
#endif
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
const mbedtls_ssl_session *src );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
unsigned char *hash, size_t *hashlen,
unsigned char *data, size_t data_len,
@@ -1500,11 +1561,13 @@
#endif
void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec );
@@ -1522,10 +1585,12 @@
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
@@ -1533,6 +1598,7 @@
mbedtls_ssl_transform *transform );
void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
int partial );
@@ -1540,6 +1606,7 @@
/*
* Send pending alert
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
/*
@@ -1560,6 +1627,7 @@
void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_RENEGOTIATION */
@@ -1624,7 +1692,9 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
MBEDTLS_SERVER_HELLO_RANDOM_LEN ];
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
@@ -1637,6 +1707,7 @@
* \param[in] end End address of the buffer where to write the extensions
* \param[out] out_len Length of the data written into the buffer \p buf
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -1647,6 +1718,7 @@
*
* \param ssl SSL context
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
/**
@@ -1654,6 +1726,7 @@
*
* \param ssl SSL context
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
@@ -1746,6 +1819,7 @@
/*
* Fetch TLS 1.3 handshake message header
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
unsigned hs_type,
unsigned char **buf,
@@ -1754,17 +1828,20 @@
/*
* Handler of TLS 1.3 server certificate message
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Handler of TLS 1.3 write Certificate message
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
/*
* Handler of TLS 1.3 write Certificate Verify message
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@@ -1772,16 +1849,20 @@
/*
* Generic handler of Certificate Verify
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
/*
* Write of dummy-CCS's for middlebox compatibility
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_ECDH_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
mbedtls_ssl_context *ssl,
uint16_t named_group,
@@ -1797,12 +1878,14 @@
/*
* Parse TLS Signature Algorithm extension
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* Get handshake transcript */
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
const mbedtls_md_type_t md,
unsigned char *dst,
@@ -1922,8 +2005,12 @@
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
+ if( ssl->handshake != NULL &&
+ ssl->handshake->sig_algs_heap_allocated == 1 &&
+ ssl->handshake->sig_algs != NULL )
+ {
return( ssl->handshake->sig_algs );
+ }
#endif
return( ssl->conf->sig_algs );
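Review bot: the added `ssl->handshake->sig_algs_heap_allocated == 1` condition means a handshake-level `sig_algs` pointer is now ignored unless it was heap-allocated; if that is the intent (only a freshly built list overrides the config), a one-line comment would help, and the place that frees `sig_algs` should also reset `sig_algs_heap_allocated` to 0 so this check never returns a dangling pointer.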
@@ -1969,97 +2056,177 @@
return( 0 );
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
{
- *pk_type = MBEDTLS_PK_NONE;
- *md_alg = MBEDTLS_MD_NONE;
+ *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
+ *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
+
+ if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
+ return( 0 );
switch( sig_alg )
{
-#if defined(MBEDTLS_ECDSA_C)
-
-#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
- *md_alg = MBEDTLS_MD_SHA256;
- *pk_type = MBEDTLS_PK_ECDSA;
- break;
-#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
- *md_alg = MBEDTLS_MD_SHA384;
- *pk_type = MBEDTLS_PK_ECDSA;
- break;
-#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
- *md_alg = MBEDTLS_MD_SHA512;
- *pk_type = MBEDTLS_PK_ECDSA;
- break;
-#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#endif /* MBEDTLS_ECDSA_C */
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-
+#if defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA256_C */
-
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA384_C */
-
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA512_C */
-
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
-
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
- *md_alg = MBEDTLS_MD_SHA256;
- *pk_type = MBEDTLS_PK_RSA;
- break;
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
- *md_alg = MBEDTLS_MD_SHA384;
- *pk_type = MBEDTLS_PK_RSA;
- break;
-#endif /* MBEDTLS_SHA384_C */
-
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
- *md_alg = MBEDTLS_MD_SHA512;
- *pk_type = MBEDTLS_PK_RSA;
- break;
-#endif /* MBEDTLS_SHA512_C */
-
-#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
-
+#endif /* MBEDTLS_PKCS1_V21 */
default:
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
return( 0 );
}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
+ const uint16_t sig_alg )
+{
+ switch( sig_alg )
+ {
+#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
+ break;
+#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
+ break;
+#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
+ break;
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_PKCS1_V21)
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ break;
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ break;
+#endif /* MBEDTLS_SHA384_C */
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ break;
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V21 */
+ default:
+ return( 0 );
+ }
+ return( 1 );
+
+}
+
+static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
+ const uint16_t sig_alg )
+{
+ switch( sig_alg )
+ {
+#if defined(MBEDTLS_PKCS1_V15)
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+ break;
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+ break;
+#endif /* MBEDTLS_SHA384_C */
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+ break;
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V15 */
+ default:
+ return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
+ sig_alg ) );
+ }
+ return( 1 );
+}
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
+ const uint16_t sig_alg )
+{
+ /* High byte is hash */
+ unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
+ unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
+
+ switch( hash )
+ {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_SSL_HASH_MD5:
+ break;
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_SSL_HASH_SHA1:
+ break;
+#endif
+
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_SSL_HASH_SHA224:
+ break;
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_SSL_HASH_SHA256:
+ break;
+#endif
+
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_SSL_HASH_SHA384:
+ break;
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_SSL_HASH_SHA512:
+ break;
+#endif
+
+ default:
+ return( 0 );
+ }
+
+ switch( sig )
+ {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_SSL_SIG_RSA:
+ break;
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+ case MBEDTLS_SSL_SIG_ECDSA:
+ break;
+#endif
+
+ default:
+ return( 0 );
+ }
+
+ return( 1 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
static inline int mbedtls_ssl_sig_alg_is_supported(
const mbedtls_ssl_context *ssl,
const uint16_t sig_alg )
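Review bot: the `#if defined(MBEDTLS_SSL_PROTO_TLS1_3)` guard that previously enclosed `mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg` is removed, so the function is now compiled in TLS 1.2-only builds and depends on `mbedtls_ssl_pk_alg_from_sig` and `mbedtls_ssl_md_alg_from_hash` being declared in every configuration that reaches this point; confirm that, or keep the guard and move only what TLS 1.2 needs. Two consequences of the new decomposition deserve a comment in the function: the `sig_alg & 0xff` / `( sig_alg >> 8 ) & 0xff` fast path accepts any legacy TLS 1.2 hash/signature pair (including SHA-1 and MD5 codepoints), so callers must rely on `mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported` for the TLS 1.3 restriction, and the RSA-PSS cases are now guarded by `MBEDTLS_PKCS1_V21` instead of `MBEDTLS_X509_RSASSA_PSS_SUPPORT`, while the PKCS#1 v1.5 cases in `mbedtls_ssl_tls13_sig_alg_is_supported` dropped the `&& defined(MBEDTLS_RSA_C)` part of their old guard. Style: there is a stray blank line before the closing brace of `mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported`.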
@@ -2068,79 +2235,29 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
{
- /* High byte is hash */
- unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
- unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
-
- switch( hash )
- {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_SSL_HASH_MD5:
- break;
-#endif
-
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_SSL_HASH_SHA1:
- break;
-#endif
-
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_SSL_HASH_SHA224:
- break;
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_SSL_HASH_SHA256:
- break;
-#endif
-
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_SSL_HASH_SHA384:
- break;
-#endif
-
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_SSL_HASH_SHA512:
- break;
-#endif
-
- default:
- return( 0 );
- }
-
- switch( sig )
- {
-#if defined(MBEDTLS_RSA_C)
- case MBEDTLS_SSL_SIG_RSA:
- break;
-#endif
-
-#if defined(MBEDTLS_ECDSA_C)
- case MBEDTLS_SSL_SIG_ECDSA:
- break;
-#endif
-
- default:
- return( 0 );
- }
-
- return( 1 );
+ return( mbedtls_ssl_tls12_sig_alg_is_supported( sig_alg ) );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{
- mbedtls_pk_type_t pk_type;
- mbedtls_md_type_t md_alg;
- return( ! mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
- sig_alg, &pk_type, &md_alg ) );
+ return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
((void) ssl);
((void) sig_alg);
return( 0 );
}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
+ mbedtls_pk_context *key );
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
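Review bot: the new prototype `mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg, mbedtls_pk_context *key )` has no doc comment; since the name does not say which way the result goes, state what it returns on a match versus a mismatch and whether `key` may be a public-only context. The delegation of `mbedtls_ssl_sig_alg_is_supported` to the two per-version helpers is a straightforward extraction with no behaviour change visible in the hunk.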
@@ -2229,6 +2346,7 @@
#if defined(MBEDTLS_ECDH_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t buf_len );
@@ -2261,23 +2379,44 @@
*
* \return 0 if valid, negative value otherwise.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info,
mbedtls_ssl_protocol_version min_tls_version,
mbedtls_ssl_protocol_version max_tls_version );
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
const unsigned char *end, size_t *out_len );
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end );
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
- mbedtls_pk_context *own_key,
- uint16_t *algorithm );
+#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end );
+
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len );
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+int mbedtls_ssl_check_dtls_clihlo_cookie(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *cli_id, size_t cli_id_len,
+ const unsigned char *in, size_t in_len,
+ unsigned char *obuf, size_t buf_len, size_t *olen );
+#endif
#endif /* ssl_misc.h */
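Review bot: `mbedtls_ssl_write_alpn_ext` takes `unsigned char *end` while `mbedtls_ssl_parse_alpn_ext` and `mbedtls_ssl_write_sig_alg_ext` in the same hunk take `const unsigned char *end`; the end pointer is never written through, so `const` would be consistent with the neighbouring writer. There is also a double blank line between the two ALPN prototypes, and neither has a doc comment. The test-hook prototype `mbedtls_ssl_check_dtls_clihlo_cookie` is the one `int`-returning declaration added in this series without `MBEDTLS_CHECK_RETURN_CRITICAL`; if that is deliberate because it is only called from tests, say so in a comment, otherwise add the annotation. Finally, the removal of `mbedtls_ssl_tls13_get_sig_alg_from_pk` should be mentioned in the change notes if anything outside `library/` referenced it.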
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 4c9a177..fb0b709 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -86,6 +86,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t len,
@@ -157,11 +158,16 @@
static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
uint8_t slot );
static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_buffer_message( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
mbedtls_record const *rec );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
@@ -179,6 +185,7 @@
return( out_buf_len );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
{
size_t const bytes_written = ssl->out_left;
@@ -195,6 +202,7 @@
return( (int) ( mtu - bytes_written ) );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -246,6 +254,7 @@
* Double the retransmit timeout value, within the allowed range,
* returning -1 if the maximum value has already been reached.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
{
uint32_t new_timeout;
@@ -329,6 +338,7 @@
* - A negative error code if `max_len` didn't offer enough space
* for the expansion.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_build_inner_plaintext( unsigned char *content,
size_t *content_size,
size_t remaining,
@@ -356,6 +366,7 @@
/* This function parses a (D)TLSInnerPlaintext structure.
* See ssl_build_inner_plaintext() for details. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_inner_plaintext( unsigned char const *content,
size_t *content_size,
uint8_t *rec_type )
@@ -469,6 +480,7 @@
#if defined(MBEDTLS_GCM_C) || \
defined(MBEDTLS_CCM_C) || \
defined(MBEDTLS_CHACHAPOLY_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_transform_aead_dynamic_iv_is_explicit(
mbedtls_ssl_transform const *transform )
{
@@ -2066,6 +2078,7 @@
/*
* Append current handshake message to current outgoing flight
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_flight_append( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_flight_item *msg;
@@ -2132,6 +2145,7 @@
/*
* Swap transform_out and out_ctr with the alternative ones
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_transform *tmp_transform;
@@ -2720,7 +2734,7 @@
if( ++ssl->cur_out_ctr[i - 1] != 0 )
break;
- /* The loop goes to its end iff the counter is wrapping */
+ /* The loop goes to its end if the counter is wrapping */
if( i == mbedtls_ssl_ep_len( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
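Review bot: the comment change to `/* The loop goes to its end if the counter is wrapping */` weakens a correct statement. "iff" (if and only if) was precise: the loop runs to completion exactly when every counter byte wrapped, and plain "if" loses the converse. If "iff" is judged too cryptic, spell it out as "if and only if" rather than dropping it.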
@@ -2767,6 +2781,7 @@
#if defined(MBEDTLS_SSL_PROTO_DTLS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
{
if( ssl->in_msglen < ssl->in_hslen ||
@@ -2792,6 +2807,7 @@
ssl->in_msg[8] );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
{
uint32_t msg_len, frag_off, frag_len;
@@ -2858,6 +2874,7 @@
/*
* Check that bitmask is full
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_bitmask_check( unsigned char *mask, size_t len )
{
size_t i;
@@ -3057,6 +3074,7 @@
( (uint64_t) buf[5] ) );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3139,8 +3157,8 @@
#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
/*
- * Without any SSL context, check if a datagram looks like a ClientHello with
- * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
+ * Check if a datagram looks like a ClientHello with a valid cookie,
+ * and if it doesn't, generate a HelloVerifyRequest message.
* Both input and output include full DTLS headers.
*
* - if cookie is valid, return 0
@@ -3149,15 +3167,15 @@
* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
* - otherwise return a specific error code
*/
-static int ssl_check_dtls_clihlo_cookie(
- mbedtls_ssl_cookie_write_t *f_cookie_write,
- mbedtls_ssl_cookie_check_t *f_cookie_check,
- void *p_cookie,
+MBEDTLS_CHECK_RETURN_CRITICAL
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ssl_check_dtls_clihlo_cookie(
+ mbedtls_ssl_context *ssl,
const unsigned char *cli_id, size_t cli_id_len,
const unsigned char *in, size_t in_len,
unsigned char *obuf, size_t buf_len, size_t *olen )
{
- size_t sid_len, cookie_len;
+ size_t sid_len, cookie_len, epoch, fragment_offset;
unsigned char *p;
/*
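Review bot: `MBEDTLS_STATIC_TESTABLE` is relied on to expand to `static` when `MBEDTLS_TEST_HOOKS` is undefined; otherwise the build exports a non-static `mbedtls_ssl_check_dtls_clihlo_cookie` symbol whose only prototype in ssl_misc.h is itself guarded by `#if defined(MBEDTLS_TEST_HOOKS)`, which `-Wmissing-prototypes` builds will flag. The macro's definition is not part of this diff, so please say in the commit message where it lives. The rewritten header comment correctly drops "Without any SSL context" now that the function takes `ssl`, but it should also state which conf fields it uses (`f_cookie_write`, `f_cookie_check`, `p_cookie`) since the parameter list no longer makes that visible.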
@@ -3186,26 +3204,55 @@
*
* Minimum length is 61 bytes.
*/
- if( in_len < 61 ||
- in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
- in[3] != 0 || in[4] != 0 ||
- in[19] != 0 || in[20] != 0 || in[21] != 0 )
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: in_len=%u",
+ (unsigned) in_len ) );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "cli_id", cli_id, cli_id_len );
+ if( in_len < 61 )
{
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: record too short" ) );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+
+ epoch = MBEDTLS_GET_UINT16_BE( in, 3 );
+ fragment_offset = MBEDTLS_GET_UINT24_BE( in, 19 );
+
+ if( in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || epoch != 0 ||
+ fragment_offset != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: not a good ClientHello" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( " type=%u epoch=%u fragment_offset=%u",
+ in[0], (unsigned) epoch,
+ (unsigned) fragment_offset ) );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
sid_len = in[59];
- if( sid_len > in_len - 61 )
+ if( 59 + 1 + sid_len + 1 > in_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: sid_len=%u > %u",
+ (unsigned) sid_len,
+ (unsigned) in_len - 61 ) );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+ MBEDTLS_SSL_DEBUG_BUF( 4, "sid received from network",
+ in + 60, sid_len );
cookie_len = in[60 + sid_len];
- if( cookie_len > in_len - 60 )
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
-
- if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
- cli_id, cli_id_len ) == 0 )
+ if( 59 + 1 + sid_len + 1 + cookie_len > in_len )
{
- /* Valid cookie */
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: cookie_len=%u > %u",
+ (unsigned) cookie_len,
+ (unsigned) ( in_len - sid_len - 61 ) ) );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF( 4, "cookie received from network",
+ in + sid_len + 61, cookie_len );
+ if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
+ in + sid_len + 61, cookie_len,
+ cli_id, cli_id_len ) == 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: valid" ) );
return( 0 );
}
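Review bot: the new length check `if( 59 + 1 + sid_len + 1 + cookie_len > in_len )` corrects the previous `if( cookie_len > in_len - 60 )`, which ignored `sid_len`: with a non-empty session id, a cookie length up to `in_len - 60` let `f_cookie_check()` read `cookie_len` bytes starting at `in + sid_len + 61`, past the end of the received datagram. Because this is reachable from an unauthenticated ClientHello on any DTLS server built with `MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE`, it deserves a ChangeLog entry and a dedicated test vector (a ClientHello whose cookie length byte exceeds the remaining bytes) rather than being folded into the refactoring. Minor: `epoch` and `fragment_offset` hold 16- and 24-bit wire values, so `unsigned` describes them better than `size_t`, and `(unsigned) in_len - 61` in the sid_len debug message parses as `((unsigned) in_len) - 61`, which is only safe because `in_len < 61` was rejected above; parenthesise it like the cookie_len message does.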
@@ -3240,8 +3287,9 @@
/* Generate and write actual cookie */
p = obuf + 28;
- if( f_cookie_write( p_cookie,
- &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
+ if( ssl->conf->f_cookie_write( ssl->conf->p_cookie,
+ &p, obuf + buf_len,
+ cli_id, cli_id_len ) != 0 )
{
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
@@ -3280,6 +3328,7 @@
* includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
* errors, and is the right thing to do in both cases).
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3295,15 +3344,13 @@
return( 0 );
}
- ret = ssl_check_dtls_clihlo_cookie(
- ssl->conf->f_cookie_write,
- ssl->conf->f_cookie_check,
- ssl->conf->p_cookie,
+ ret = mbedtls_ssl_check_dtls_clihlo_cookie(
+ ssl,
ssl->cli_id, ssl->cli_id_len,
ssl->in_buf, ssl->in_left,
ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
- MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
+ MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_ssl_check_dtls_clihlo_cookie", ret );
if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
{
@@ -3337,6 +3384,7 @@
}
#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_record_type( uint8_t record_type )
{
if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
@@ -3369,6 +3417,7 @@
* Point 2 is needed when the peer is resending, and we have already received
* the first record from a datagram but are still waiting for the others.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t len,
@@ -3481,7 +3530,6 @@
/*
* Parse and validate record version
*/
-
rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
tls_version = mbedtls_ssl_read_version( buf + rec_hdr_version_offset,
@@ -3489,10 +3537,12 @@
if( tls_version > ssl->conf->max_tls_version )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS version mismatch" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS version mismatch: got %u, expected max %u",
+ (unsigned) tls_version,
+ (unsigned) ssl->conf->max_tls_version) );
+
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
-
/*
* Parse/Copy record sequence number.
*/
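Review bot: style nit in the new debug call: `(unsigned) ssl->conf->max_tls_version) );` is missing the space before the closing parenthesis that the surrounding code uses, and the blank line added after the `MBEDTLS_SSL_DEBUG_MSG` inside the if-body, combined with deleting the blank line after the block, inverts the existing layout. Keep the block compact and restore the blank line after it.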
@@ -3594,6 +3644,7 @@
#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
{
unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
@@ -3623,6 +3674,7 @@
/*
* If applicable, decrypt record content
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
mbedtls_record *rec )
{
@@ -3757,7 +3809,7 @@
/* Check actual (decrypted) record content length against
* configured maximum. */
- if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+ if( rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
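Review bot: replacing `ssl->in_msglen` with `rec->data_len` changes which value is compared against `MBEDTLS_SSL_IN_CONTENT_LEN`. Given the comment says this is the decrypted content length, `rec->data_len` is the right operand and the old check was testing a field not yet updated for this record. If the old comparison could be bypassed (a decrypted record longer than the configured maximum reaching the copy that follows), this is a security-relevant fix and needs a ChangeLog entry; if it is a no-op because `in_msglen` had already been set from `rec->data_len`, say so in the commit message so the change is not mistaken for a silent fix.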
@@ -3775,8 +3827,11 @@
*/
/* Helper functions for mbedtls_ssl_read_record(). */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_next_record( mbedtls_ssl_context *ssl );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
@@ -3864,6 +3919,7 @@
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
{
if( ssl->in_left > ssl->next_record_offset )
@@ -3872,6 +3928,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_handshake_params * const hs = ssl->handshake;
@@ -3969,6 +4026,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
size_t desired )
{
@@ -4011,6 +4069,7 @@
return( -1 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_buffer_message( mbedtls_ssl_context *ssl )
{
int ret = 0;
@@ -4215,6 +4274,7 @@
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
{
/*
@@ -4302,6 +4362,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
{
if( ssl->in_msglen > 0 )
@@ -4328,6 +4389,7 @@
}
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_handshake_params * const hs = ssl->handshake;
@@ -4385,6 +4447,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
mbedtls_record const *rec )
{
@@ -4443,6 +4506,7 @@
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_next_record( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -5193,6 +5257,7 @@
/*
* Check record counters and renegotiate if they're above the limit.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
{
size_t ep_len = mbedtls_ssl_ep_len( ssl );
@@ -5232,6 +5297,7 @@
* and having a helper function allows to distinguish between TLS <= 1.2 and
* TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read().
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -5549,6 +5615,7 @@
* Therefore, it is possible that the input message length is 0 and the
* corresponding return code is 0 on success.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_real( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len )
{
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index a924a2a..28c4d3e 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -66,6 +66,7 @@
/*
* Generate/update a key
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
unsigned char index )
{
@@ -113,6 +114,7 @@
/*
* Rotate/generate keys if necessary
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
{
#if !defined(MBEDTLS_HAVE_TIME)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8332461..e60b82f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -58,6 +58,30 @@
#include "mbedtls/oid.h"
#endif
+#if defined(MBEDTLS_TEST_HOOKS)
+static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
+
+void mbedtls_ssl_set_chk_buf_ptr_fail_args(
+ const uint8_t *cur, const uint8_t *end, size_t need )
+{
+ chk_buf_ptr_fail_args.cur = cur;
+ chk_buf_ptr_fail_args.end = end;
+ chk_buf_ptr_fail_args.need = need;
+}
+
+void mbedtls_ssl_reset_chk_buf_ptr_fail_args( void )
+{
+ memset( &chk_buf_ptr_fail_args, 0, sizeof( chk_buf_ptr_fail_args ) );
+}
+
+int mbedtls_ssl_cmp_chk_buf_ptr_fail_args( mbedtls_ssl_chk_buf_ptr_args *args )
+{
+ return( ( chk_buf_ptr_fail_args.cur != args->cur ) ||
+ ( chk_buf_ptr_fail_args.end != args->end ) ||
+ ( chk_buf_ptr_fail_args.need != args->need ) );
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
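Review bot: `mbedtls_ssl_cmp_chk_buf_ptr_fail_args()` should take `const mbedtls_ssl_chk_buf_ptr_args *args` and carry a comment stating that it returns non-zero on mismatch (a memcmp-style contract); the name reads as a comparison with no stated polarity. The file-scope `chk_buf_ptr_fail_args` is shared mutable state, acceptable under `MBEDTLS_TEST_HOOKS`, but note in a comment that it is not safe for the threaded test configurations so nobody later wires it into a multi-threaded test.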
@@ -275,6 +299,7 @@
}
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
{
unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
@@ -380,6 +405,7 @@
const unsigned char *, size_t,
unsigned char *, size_t);
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
int ciphersuite,
const unsigned char master[48],
@@ -393,6 +419,7 @@
const mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_SHA256_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha256( const unsigned char *secret, size_t slen,
const char *label,
const unsigned char *random, size_t rlen,
@@ -403,6 +430,7 @@
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha384( const unsigned char *secret, size_t slen,
const char *label,
const unsigned char *random, size_t rlen,
@@ -415,6 +443,7 @@
static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
unsigned char *buf,
size_t buf_len );
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_session_load_tls12( mbedtls_ssl_session *session,
const unsigned char *buf,
size_t len );
@@ -672,6 +701,7 @@
memset( session, 0, sizeof(mbedtls_ssl_session) );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_handshake_init( mbedtls_ssl_context *ssl )
{
/* Clear old handshake information if present */
@@ -853,16 +883,16 @@
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{
- ssl->handshake->sig_algs = ssl->conf->sig_algs;
ssl->handshake->sig_algs_heap_allocated = 0;
}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
return( 0 );
}
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
/* Dummy cookie callbacks for defaults */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cookie_write_dummy( void *ctx,
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len )
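Review bot: the `else` branch now only clears `sig_algs_heap_allocated` and no longer executes `ssl->handshake->sig_algs = ssl->conf->sig_algs;`. Please confirm that `handshake->sig_algs` is assigned on this path elsewhere (for instance unconditionally before the `#if !defined(MBEDTLS_DEPRECATED_REMOVED)` block), otherwise the non-deprecated path leaves it NULL. The `#endif /* !MBEDTLS_DEPRECATED_REMOVED */` comment correction is right.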
@@ -876,6 +906,7 @@
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cookie_check_dummy( void *ctx,
const unsigned char *cookie, size_t cookie_len,
const unsigned char *cli_id, size_t cli_id_len )
@@ -898,6 +929,7 @@
memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
{
const mbedtls_ssl_config *conf = ssl->conf;
@@ -949,6 +981,7 @@
return( MBEDTLS_ERR_SSL_BAD_CONFIG );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_conf_check(const mbedtls_ssl_context *ssl)
{
int ret;
@@ -1093,6 +1126,8 @@
memset( ssl->in_buf, 0, in_buf_len );
}
+ ssl->send_alert = 0;
+
/* Reset outgoing message writing */
ssl->out_msgtype = 0;
ssl->out_msglen = 0;
@@ -1372,6 +1407,7 @@
}
/* Append a new keycert entry to a (possibly empty) list */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
mbedtls_x509_crt *cert,
mbedtls_pk_context *key )
@@ -1472,6 +1508,14 @@
ssl->handshake->sni_ca_crl = ca_crl;
}
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+void mbedtls_ssl_set_hs_dn_hints( mbedtls_ssl_context *ssl,
+ const mbedtls_x509_crt *crt)
+{
+ ssl->handshake->dn_hints = crt;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
int authmode )
{
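Review bot: `mbedtls_ssl_set_hs_dn_hints()` stores the caller's `mbedtls_x509_crt` pointer in `ssl->handshake->dn_hints` without copying, so the public documentation in ssl.h (not in this hunk) must state that the certificate chain has to outlive the handshake and that the call is only valid from within an SNI callback while `ssl->handshake` is non-NULL, matching the contract of `mbedtls_ssl_set_hs_authmode()` just below. Also, the `crt)` closing differs from the `crt )` spacing used around it.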
@@ -1517,6 +1561,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -1562,6 +1607,7 @@
* It checks that the provided identity is well-formed and attempts
* to make a copy of it in the SSL config.
* On failure, the PSK identity in the config remains unset. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
unsigned char const *psk_identity,
size_t psk_identity_len )
@@ -2756,6 +2802,7 @@
*
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_session_save( const mbedtls_ssl_session *session,
unsigned char omit_header,
unsigned char *buf,
@@ -2830,6 +2877,7 @@
* This internal version is wrapped by a public function that cleans up in
* case of error, and has an extra option omit_header.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_session_load( mbedtls_ssl_session *session,
unsigned char omit_header,
const unsigned char *buf,
@@ -2896,6 +2944,7 @@
/*
* Perform a single step of the SSL handshake
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_prepare_handshake_step( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3054,6 +3103,7 @@
/*
* Write HelloRequest to request renegotiation on server
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3652,6 +3702,7 @@
* This internal version is wrapped by a public function that cleans up in
* case of error.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_context_load( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -4019,28 +4070,6 @@
memset( conf, 0, sizeof( mbedtls_ssl_config ) );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/* The selection should be the same as mbedtls_x509_crt_profile_default in
- * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
- * for no fundamental reason.
- * See the documentation of mbedtls_ssl_conf_curves() for what we promise
- * about this list. */
-static int ssl_preset_default_hashes[] = {
-#if defined(MBEDTLS_SHA512_C)
- MBEDTLS_MD_SHA512,
-#endif
-#if defined(MBEDTLS_SHA384_C)
- MBEDTLS_MD_SHA384,
-#endif
-#if defined(MBEDTLS_SHA256_C)
- MBEDTLS_MD_SHA256,
-#endif
- MBEDTLS_MD_NONE
-};
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
/* The selection should be the same as mbedtls_x509_crt_profile_default in
* x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
* curves with a lower resource usage come first.
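Review bot: deleting `ssl_preset_default_hashes` (together with the `conf->sig_hashes = ...` assignments removed further down) means `conf->sig_hashes` is no longer populated by the config defaults in `!MBEDTLS_DEPRECATED_REMOVED` builds. Confirm that every remaining consumer of `conf->sig_hashes` treats NULL as "use `conf->sig_algs`", and add a note to the deprecation text of the `sig_hashes` setter, since applications that read back the default hash list would now see NULL.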
@@ -4082,17 +4111,6 @@
};
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-static int ssl_preset_suiteb_hashes[] = {
-#if defined(MBEDTLS_SHA256_C)
- MBEDTLS_MD_SHA256,
-#endif
-#if defined(MBEDTLS_SHA384_C)
- MBEDTLS_MD_SHA384,
-#endif
- MBEDTLS_MD_NONE
-};
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
/* NOTICE:
* For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
@@ -4101,6 +4119,13 @@
* - But if there is a good reason, do not change the order of the algorithms.
* - ssl_tls12_present* is for TLS 1.2 use only.
* - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
+ *
+ * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
+ * declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
+ * `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
+ * the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
+ * for its signature in the key exchange message. As Mbed TLS 1.2 does not
+ * support them, the handshake fails.
*/
static uint16_t ssl_preset_default_sig_algs[] = {
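Review bot: the new comment documents a real interop workaround but needs tightening: "Mbed TLS 1.2" should read "the Mbed TLS TLS 1.2 implementation" (there is no Mbed TLS version 1.2 involved), "Openssl" should be "OpenSSL", and it should state the consequence of the reordering explicitly: in hybrid mode `rsa_pkcs1_*` now precedes `rsa_pss_rsae_*` in the advertised preference, so a TLS 1.2 peer that picks the first mutually supported scheme will sign with PKCS#1 v1.5 rather than PSS. That is a deliberate preference downgrade traded for interoperability, so tie it to the limitation it works around (no `rsa_pss_rsae_*` support in the TLS 1.2 code paths) and reference the issue tracking its removal.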
@@ -4122,10 +4147,6 @@
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
-
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
@@ -4138,6 +4159,18 @@
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA384_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
+
MBEDTLS_TLS_SIG_NONE
};
@@ -4235,6 +4268,7 @@
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
* to make sure there are no duplicated signature algorithm entries. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs )
{
size_t i, j;
@@ -4421,9 +4455,6 @@
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->sig_hashes = ssl_preset_suiteb_hashes;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( mbedtls_ssl_conf_is_tls12_only( conf ) )
conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
@@ -4450,9 +4481,6 @@
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->sig_hashes = ssl_preset_default_hashes;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( mbedtls_ssl_conf_is_tls12_only( conf ) )
conf->sig_algs = ssl_tls12_preset_default_sig_algs;
@@ -4786,6 +4814,7 @@
#else /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SHA384_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl,
unsigned char *dst,
size_t dst_len,
@@ -4816,6 +4845,7 @@
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA256_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl,
unsigned char *dst,
size_t dst_len,
@@ -4937,13 +4967,20 @@
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
-
- MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
- sig_alg ) );
-
- if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
- ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x %s",
+ sig_alg,
+ mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ ( ! ( mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) &&
+ mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ) ) )
+ {
continue;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "valid signature algorithm: %s",
+ mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
{
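Review bot: for TLS 1.3 the loop now records every received `sig_alg` without the `mbedtls_ssl_sig_alg_is_supported()` / `mbedtls_ssl_sig_alg_is_offered()` filter (it is now inside `#if defined(MBEDTLS_SSL_PROTO_TLS1_2)` and gated on `ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2`), yet the debug line that follows unconditionally prints "valid signature algorithm". Either add a comment saying where TLS 1.3 filters later, or keep at least the `is_supported` check for both versions so that `received_sig_algs`, bounded by `MBEDTLS_RECEIVED_SIG_ALGS_SIZE`, is not filled with schemes the stack cannot use and that crowd out usable ones.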
@@ -5044,6 +5081,7 @@
return( PSA_SUCCESS );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_generic( mbedtls_md_type_t md_type,
const unsigned char *secret, size_t slen,
const char *label,
@@ -5120,6 +5158,7 @@
#else /* MBEDTLS_USE_PSA_CRYPTO */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_generic( mbedtls_md_type_t md_type,
const unsigned char *secret, size_t slen,
const char *label,
@@ -5212,6 +5251,7 @@
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SHA256_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha256( const unsigned char *secret, size_t slen,
const char *label,
const unsigned char *random, size_t rlen,
@@ -5223,6 +5263,7 @@
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha384( const unsigned char *secret, size_t slen,
const char *label,
const unsigned char *random, size_t rlen,
@@ -5242,6 +5283,7 @@
* Outputs:
* - the tls_prf, calc_verify and calc_finished members of handshake structure
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
mbedtls_md_type_t hash )
{
@@ -5286,6 +5328,7 @@
* EMS: passed to calc_verify (debug + session_negotiate)
* PSA-PSA: conf
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
unsigned char *master,
const mbedtls_ssl_context *ssl )
@@ -5754,6 +5797,7 @@
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -5925,6 +5969,7 @@
#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
unsigned char *crt_buf,
size_t crt_buf_len )
@@ -5940,6 +5985,7 @@
return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
unsigned char *crt_buf,
size_t crt_buf_len )
@@ -5974,6 +6020,7 @@
* Once the certificate message is read, parse it into a cert chain and
* perform basic checks, but leave actual verification to the caller
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
mbedtls_x509_crt *chain )
{
@@ -6129,6 +6176,7 @@
}
#if defined(MBEDTLS_SSL_SRV_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
{
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
@@ -6139,7 +6187,7 @@
ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
return( 0 );
}
return( -1 );
@@ -6154,6 +6202,7 @@
*/
#define SSL_CERTIFICATE_EXPECTED 0
#define SSL_CERTIFICATE_SKIP 1
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
int authmode )
{
@@ -6183,6 +6232,7 @@
return( SSL_CERTIFICATE_EXPECTED );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
int authmode,
mbedtls_x509_crt *chain,
@@ -6280,7 +6330,9 @@
{
const mbedtls_pk_context *pk = &chain->pk;
- /* If certificate uses an EC key, make sure the curve is OK */
+ /* If certificate uses an EC key, make sure the curve is OK.
+ * This is a public key, so it can't be opaque, so can_do() is a good
+ * enough check to ensure pk_ec() is safe to use here. */
if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
{
@@ -6371,6 +6423,7 @@
}
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
unsigned char *start, size_t len )
{
@@ -6402,6 +6455,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
unsigned char *start, size_t len )
{
@@ -7070,6 +7124,7 @@
* [in] optionally used for:
* - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
int ciphersuite,
const unsigned char master[48],
@@ -7691,10 +7746,38 @@
for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{
- if( sig_alg == MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
- received_sig_algs[i] ) )
- return( MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
- received_sig_algs[i] ) );
+ unsigned int hash_alg_received =
+ MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
+ received_sig_algs[i] );
+ unsigned int sig_alg_received =
+ MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
+ received_sig_algs[i] );
+
+ if( sig_alg == sig_alg_received )
+ {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( ssl->handshake->key_cert && ssl->handshake->key_cert->key )
+ {
+ psa_algorithm_t psa_hash_alg =
+ mbedtls_psa_translate_md( hash_alg_received );
+
+ if( sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
+ ! mbedtls_pk_can_do_ext( ssl->handshake->key_cert->key,
+ PSA_ALG_ECDSA( psa_hash_alg ),
+ PSA_KEY_USAGE_SIGN_HASH ) )
+ continue;
+
+ if( sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
+ ! mbedtls_pk_can_do_ext( ssl->handshake->key_cert->key,
+ PSA_ALG_RSA_PKCS1V15_SIGN(
+ psa_hash_alg ),
+ PSA_KEY_USAGE_SIGN_HASH ) )
+ continue;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ return( hash_alg_received );
+ }
}
return( MBEDTLS_SSL_HASH_NONE );
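Review bot: `mbedtls_psa_translate_md( hash_alg_received )` is passed the TLS wire hash identifier produced by `MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG`, but `mbedtls_psa_translate_md()` takes an `mbedtls_md_type_t`; the two enumerations are distinct types, so either convert explicitly with the existing hash-id-to-md helper or add a comment stating that their numeric values are relied on to coincide. Also, when the translation yields `PSA_ALG_NONE`, both `mbedtls_pk_can_do_ext()` calls reject the entry and the loop silently `continue`s; a level-3 debug message there would make a failed negotiation diagnosable.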
@@ -7871,6 +7954,7 @@
return( used );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_session_load_tls12( mbedtls_ssl_session *session,
const unsigned char *buf,
size_t len )
@@ -8181,12 +8265,17 @@
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
{
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "got signature scheme [%x] %s",
+ *sig_alg,
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
continue;
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
p += 2;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "sent signature scheme [%x] %s",
+ *sig_alg,
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
}
/* Length of supported_signature_algorithms */
@@ -8231,6 +8320,7 @@
* ServerName server_name_list<1..2^16-1>
* } ServerNameList;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -8285,4 +8375,126 @@
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ const unsigned char *p = buf;
+ size_t protocol_name_list_len;
+ const unsigned char *protocol_name_list;
+ const unsigned char *protocol_name_list_end;
+ size_t protocol_name_len;
+
+ /* If ALPN not configured, just ignore the extension */
+ if( ssl->conf->alpn_list == NULL )
+ return( 0 );
+
+ /*
+ * RFC7301, section 3.1
+ * opaque ProtocolName<1..2^8-1>;
+ *
+ * struct {
+ * ProtocolName protocol_name_list<2..2^16-1>
+ * } ProtocolNameList;
+ */
+
+ /*
+ * protocol_name_list_len 2 bytes
+ * protocol_name_len 1 bytes
+ * protocol_name >=1 byte
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
+
+ protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
+ protocol_name_list = p;
+ protocol_name_list_end = p + protocol_name_list_len;
+
+ /* Validate peer's list (lengths) */
+ while( p < protocol_name_list_end )
+ {
+ protocol_name_len = *p++;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end,
+ protocol_name_len );
+ if( protocol_name_len == 0 )
+ {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ }
+
+ p += protocol_name_len;
+ }
+
+ /* Use our order of preference */
+ for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
+ {
+ size_t const alpn_len = strlen( *alpn );
+ p = protocol_name_list;
+ while( p < protocol_name_list_end )
+ {
+ protocol_name_len = *p++;
+ if( protocol_name_len == alpn_len &&
+ memcmp( p, *alpn, alpn_len ) == 0 )
+ {
+ ssl->alpn_chosen = *alpn;
+ return( 0 );
+ }
+
+ p += protocol_name_len;
+ }
+ }
+
+ /* If we get here, no match was found */
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
+ MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL );
+ return( MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL );
+}
+
+int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len )
+{
+ unsigned char *p = buf;
+ size_t protocol_name_len;
+ *out_len = 0;
+
+ if( ssl->alpn_chosen == NULL )
+ {
+ return( 0 );
+ }
+
+ protocol_name_len = strlen( ssl->alpn_chosen );
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 + protocol_name_len );
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server side, adding alpn extension" ) );
+ /*
+ * 0 . 1 ext identifier
+ * 2 . 3 ext length
+ * 4 . 5 protocol list length
+ * 6 . 6 protocol name length
+ * 7 . 7+n protocol name
+ */
+ MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, p, 0 );
+
+ *out_len = 7 + protocol_name_len;
+
+ MBEDTLS_PUT_UINT16_BE( protocol_name_len + 3, p, 2 );
+ MBEDTLS_PUT_UINT16_BE( protocol_name_len + 1, p, 4 );
+ /* Note: the length of the chosen protocol has been checked to be less
+ * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
+ */
+ p[6] = MBEDTLS_BYTE_0( protocol_name_len );
+
+ memcpy( p + 7, ssl->alpn_chosen, protocol_name_len );
+ return ( 0 );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
#endif /* MBEDTLS_SSL_TLS_C */
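Review bot: `mbedtls_ssl_parse_alpn_ext` never checks that `protocol_name_list_len` accounts for the whole extension, so bytes between `protocol_name_list_end` and `end` are silently ignored; the server-side parser this replaces rejected that with `if( list_len != len - 2 )` and a decode_error alert, so either add an equivalent `if( protocol_name_list_end != end )` check or document that trailing data is now tolerated. A zero-length list (below the `<2..2^16-1>` minimum quoted in the comment) also passes both length checks and surfaces as no_application_protocol rather than a decode error. Separately, `mbedtls_ssl_write_alpn_ext` lacks the `MBEDTLS_CHECK_RETURN_CRITICAL` annotation that the parse function received, and its `return ( 0 );` differs from the `return( 0 );` form used everywhere else in the file.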
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index f516efa..7fa6443 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -75,6 +75,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -116,6 +117,7 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -147,6 +149,7 @@
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -220,6 +223,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_cid_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -266,6 +270,7 @@
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -298,6 +303,7 @@
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -328,6 +334,7 @@
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -358,6 +365,7 @@
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -400,6 +408,7 @@
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_DTLS_SRTP)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -629,6 +638,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -673,6 +683,7 @@
}
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -699,6 +710,7 @@
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -755,6 +767,7 @@
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -780,6 +793,7 @@
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -805,6 +819,7 @@
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -831,6 +846,7 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -879,6 +895,7 @@
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -913,6 +930,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len )
{
@@ -983,6 +1001,7 @@
#endif /* MBEDTLS_SSL_ALPN */
#if defined(MBEDTLS_SSL_DTLS_SRTP)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -1103,6 +1122,7 @@
* Parse HelloVerifyRequest. Only called after verifying the HS type.
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
{
const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
@@ -1184,6 +1204,7 @@
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
{
int ret, i;
@@ -1409,16 +1430,6 @@
else
{
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
-
- if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
- return( ret );
- }
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
@@ -1655,6 +1666,24 @@
}
/*
+ * mbedtls_ssl_derive_keys() has to be called after the parsing of the
+ * extensions. It sets the transform data for the resumed session which in
+ * case of DTLS includes the server CID extracted from the CID extension.
+ */
+ if( ssl->handshake->resume )
+ {
+ if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+ return( ret );
+ }
+ }
+
+ /*
* Renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
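Review bot: the new comment says why `mbedtls_ssl_derive_keys()` moved, but the correctness of the move rests on `ssl->handshake->resume` being set on exactly the path from which the call was removed (the `else` branch that sets `MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC` in the earlier hunk); a pointer to that branch, or a note that every error return between the two locations already aborts the handshake, would make the equivalence easy to verify in review.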
@@ -1708,6 +1737,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end )
@@ -1753,6 +1783,7 @@
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end )
@@ -1817,6 +1848,7 @@
return( 0 );
}
#else
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
{
const mbedtls_ecp_curve_info *curve_info;
@@ -1845,6 +1877,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end )
@@ -1885,6 +1918,7 @@
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end )
@@ -1931,6 +1965,7 @@
/*
* Generate a pre-master secret and encrypt it with the server's RSA key
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
size_t offset, size_t *olen,
size_t pms_offset )
@@ -2013,6 +2048,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end,
@@ -2071,6 +2107,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -2089,6 +2126,8 @@
peer_pk = &ssl->session_negotiate->peer_cert->pk;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ /* This is a public key, so it can't be opaque, so can_do() is a good
+ * enough check to ensure pk_ec() is safe to use below. */
if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
@@ -2158,6 +2197,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -2505,6 +2545,7 @@
}
#if ! defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@@ -2523,6 +2564,7 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -2534,6 +2576,7 @@
size_t sig_alg_len;
#if defined(MBEDTLS_DEBUG_C)
unsigned char *sig_alg;
+ unsigned char *dn;
#endif
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
@@ -2681,6 +2724,43 @@
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
+#if defined(MBEDTLS_DEBUG_C)
+ dn = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n - dn_len;
+ for( size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len )
+ {
+ unsigned char *p = dn + i + 2;
+ mbedtls_x509_name name;
+ mbedtls_x509_name *name_cur, *name_prv;
+ size_t asn1_len;
+ char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+ memset( &name, 0, sizeof( name ) );
+ dni_len = MBEDTLS_GET_UINT16_BE( dn + i, 0 );
+ if( dni_len > dn_len - i - 2 ||
+ mbedtls_asn1_get_tag( &p, p + dni_len, &asn1_len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) != 0 ||
+ mbedtls_x509_get_name( &p, p + asn1_len, &name ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "DN hint: %.*s",
+ mbedtls_x509_dn_gets( s, sizeof(s), &name ), s ) );
+ name_cur = name.next;
+ while( name_cur != NULL )
+ {
+ name_prv = name_cur;
+ name_cur = name_cur->next;
+ mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+ mbedtls_free( name_prv );
+ }
+ }
+#endif
+
exit:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
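Review bot: this block is compiled only under MBEDTLS_DEBUG_C, yet it sends a fatal decode_error alert and returns `MBEDTLS_ERR_SSL_DECODE_ERROR` on a malformed DN hint, so a CertificateRequest with a bad DN list is rejected in debug builds and accepted in production builds; either move the validation outside the `#if` or reduce the debug path to logging. On the error return inside the loop, `name.next` is not walked and freed as it is on the success path, so if `mbedtls_x509_get_name` allocated nodes before failing they leak. Lastly, `mbedtls_x509_dn_gets` returns a negative value on error, which `%.*s` treats as "no precision" and then prints `s` in full, so its return value should be checked before the debug print.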
@@ -2688,6 +2768,7 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -2727,6 +2808,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3249,6 +3331,7 @@
}
#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@@ -3274,6 +3357,7 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -3413,6 +3497,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index e92014c..4e18e62 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -78,6 +78,7 @@
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
{
if( conf->f_psk != NULL )
@@ -99,6 +100,7 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -176,6 +178,7 @@
*
* DHE groups are not supported yet.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -242,6 +245,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -287,6 +291,7 @@
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -316,6 +321,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -335,6 +341,7 @@
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -407,6 +414,7 @@
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -431,6 +439,7 @@
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -455,6 +464,7 @@
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
size_t len )
@@ -528,95 +538,8 @@
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-#if defined(MBEDTLS_SSL_ALPN)
-static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len )
-{
- size_t list_len, cur_len, ours_len;
- const unsigned char *theirs, *start, *end;
- const char **ours;
-
- /* If ALPN not configured, just ignore the extension */
- if( ssl->conf->alpn_list == NULL )
- return( 0 );
-
- /*
- * opaque ProtocolName<1..2^8-1>;
- *
- * struct {
- * ProtocolName protocol_name_list<2..2^16-1>
- * } ProtocolNameList;
- */
-
- /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
- if( len < 4 )
- {
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- list_len = ( buf[0] << 8 ) | buf[1];
- if( list_len != len - 2 )
- {
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- /*
- * Validate peer's list (lengths)
- */
- start = buf + 2;
- end = buf + len;
- for( theirs = start; theirs != end; theirs += cur_len )
- {
- cur_len = *theirs++;
-
- /* Current identifier must fit in list */
- if( cur_len > (size_t)( end - theirs ) )
- {
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- /* Empty strings MUST NOT be included */
- if( cur_len == 0 )
- {
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- }
- }
-
- /*
- * Use our order of preference
- */
- for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
- {
- ours_len = strlen( *ours );
- for( theirs = start; theirs != end; theirs += cur_len )
- {
- cur_len = *theirs++;
-
- if( cur_len == ours_len &&
- memcmp( theirs, *ours, cur_len ) == 0 )
- {
- ssl->alpn_chosen = *ours;
- return( 0 );
- }
- }
- }
-
- /* If we get there, no match was found */
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
- return( MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL );
-}
-#endif /* MBEDTLS_SSL_ALPN */
-
#if defined(MBEDTLS_SSL_DTLS_SRTP)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -745,6 +668,7 @@
* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
*/
#if defined(MBEDTLS_ECDSA_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_key_curve( mbedtls_pk_context *pk,
const mbedtls_ecp_curve_info **curves )
{
@@ -766,12 +690,20 @@
* Try picking a certificate for this ciphersuite,
* return 0 on success and -1 on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_pick_cert( mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
{
mbedtls_ssl_key_cert *cur, *list;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm_t pk_alg =
+ mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg( ciphersuite_info );
+ psa_key_usage_t pk_usage =
+ mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage( ciphersuite_info );
+#else
mbedtls_pk_type_t pk_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
uint32_t flags;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@@ -781,7 +713,11 @@
#endif
list = ssl->conf->key_cert;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( pk_alg == PSA_ALG_NONE )
+#else
if( pk_alg == MBEDTLS_PK_NONE )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
@@ -798,7 +734,18 @@
MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
cur->cert );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( ( ssl->conf->f_async_sign_start == NULL &&
+ ssl->conf->f_async_decrypt_start == NULL &&
+ ! mbedtls_pk_can_do_ext( cur->key, pk_alg, pk_usage ) ) ||
+ ! mbedtls_pk_can_do_ext( &cur->cert->pk, pk_alg, pk_usage ) )
+#else
+ if( ! mbedtls_pk_can_do_ext( cur->key, pk_alg, pk_usage ) )
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#else
if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
continue;
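Review bot: the PSA branch without MBEDTLS_SSL_ASYNC_PRIVATE checks only the private key (`cur->key`), whereas the non-PSA branch checks the certificate's public key (`&cur->cert->pk`) and the async variant checks both; the three paths therefore reject slightly different misconfigurations, and a key/certificate mismatch is caught only in the async variant. Checking `&cur->cert->pk` in the plain PSA branch as well would keep the behaviour uniform, or a comment should state why the private key alone suffices there.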
@@ -850,6 +797,7 @@
* Check if a given ciphersuite is suitable for use with our config/keys/etc
* Sets ciphersuite_info only if the suite matches.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
{
@@ -909,21 +857,6 @@
}
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- /* If the ciphersuite requires signing, check whether
- * a suitable hash algorithm is present. */
- sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
- if( sig_type != MBEDTLS_PK_NONE &&
- mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
- ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
- "for signature algorithm %u", (unsigned) sig_type ) );
- return( 0 );
- }
-
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
* Final check: if ciphersuite requires us to have a
@@ -940,6 +873,21 @@
}
#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ /* If the ciphersuite requires signing, check whether
+ * a suitable hash algorithm is present. */
+ sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
+ if( sig_type != MBEDTLS_PK_NONE &&
+ mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
+ "for signature algorithm %u", (unsigned) sig_type ) );
+ return( 0 );
+ }
+
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
*ciphersuite_info = suite_info;
return( 0 );
}
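Review bot: the signature-hash check is moved below the certificate-selection block rather than merely re-indented, but nothing says why; since the PSA path of `mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg` now inspects `ssl->handshake->key_cert->key`, the check has to run after `ssl_pick_cert` has set `key_cert`, and a short comment stating that ordering dependency would stop someone from moving it back.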
@@ -947,6 +895,7 @@
/* This function doesn't alert on errors that happen early during
ClientHello parsing because they might indicate that the client is
not talking SSL/TLS at all and would not understand our alert. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
{
int ret, got_common_suite;
@@ -1115,16 +1064,29 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
- ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
-
- /* We don't support fragmentation of ClientHello (yet?) */
- if( buf[1] != 0 ||
- msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ size_t handshake_len = MBEDTLS_GET_UINT24_BE( buf, 1 );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %u",
+ ( unsigned ) handshake_len ) );
+
+ /* The record layer has a record size limit of 2^14 - 1 and
+ * fragmentation is not supported, so buf[1] should be zero. */
+ if( buf[1] != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message: %u != 0",
+ (unsigned) buf[1] ) );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+
+ /* We don't support fragmentation of ClientHello (yet?) */
+ if( msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + handshake_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message: %u != %u + %u",
+ (unsigned) msg_len,
+ (unsigned) mbedtls_ssl_hs_hdr_len( ssl ),
+ (unsigned) handshake_len ) );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
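Review bot: the comment `record size limit of 2^14 - 1` is off by one (the TLS record layer allows up to 2^14 bytes of plaintext), and the real reason `buf[1]` must be zero is simply that a handshake message confined to a single record cannot have a length of 2^16 or more; rewording it that way would be clearer. The explicit `buf[1] != 0` check is also subsumed by the `msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + handshake_len` comparison below it, so if it is kept only for the more specific debug message, say so in a comment.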
@@ -1159,16 +1121,24 @@
ssl->handshake->out_msg_seq = cli_msg_seq;
ssl->handshake->in_msg_seq = cli_msg_seq + 1;
}
-
- /*
- * For now we don't support fragmentation, so make sure
- * fragment_offset == 0 and fragment_length == length
- */
- if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
- memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ /*
+ * For now we don't support fragmentation, so make sure
+ * fragment_offset == 0 and fragment_length == length
+ */
+ size_t fragment_offset, fragment_length, length;
+ fragment_offset = MBEDTLS_GET_UINT24_BE( ssl->in_msg, 6 );
+ fragment_length = MBEDTLS_GET_UINT24_BE( ssl->in_msg, 9 );
+ length = MBEDTLS_GET_UINT24_BE( ssl->in_msg, 1 );
+ MBEDTLS_SSL_DEBUG_MSG(
+ 4, ( "fragment_offset=%u fragment_length=%u length=%u",
+ (unsigned) fragment_offset, (unsigned) fragment_length,
+ (unsigned) length ) );
+ if( fragment_offset != 0 || length != fragment_length )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ }
}
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
@@ -1524,7 +1494,8 @@
case MBEDTLS_TLS_EXT_ALPN:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
- ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
+ ret = mbedtls_ssl_parse_alpn_ext( ssl, ext + 4,
+ ext + 4 + ext_size );
if( ret != 0 )
return( ret );
break;
@@ -2040,39 +2011,6 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-#if defined(MBEDTLS_SSL_ALPN )
-static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf, size_t *olen )
-{
- if( ssl->alpn_chosen == NULL )
- {
- *olen = 0;
- return;
- }
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
-
- /*
- * 0 . 1 ext identifier
- * 2 . 3 ext length
- * 4 . 5 protocol list length
- * 6 . 6 protocol name length
- * 7 . 7+n protocol name
- */
- MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, buf, 0);
-
- *olen = 7 + strlen( ssl->alpn_chosen );
-
- MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 );
-
- MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 );
-
- buf[6] = MBEDTLS_BYTE_0( *olen - 7 );
-
- memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
-}
-#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
-
#if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS)
static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
@@ -2143,6 +2081,7 @@
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -2261,6 +2200,7 @@
mbedtls_ssl_session_free( &session_tmp );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_HAVE_TIME)
@@ -2446,7 +2386,11 @@
#endif
#if defined(MBEDTLS_SSL_ALPN)
- ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+ unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
+ if( ( ret = mbedtls_ssl_write_alpn_ext( ssl, p + 2 + ext_len, end, &olen ) )
+ != 0 )
+ return ret;
+
ext_len += olen;
#endif
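Review bot: `end` is computed as `buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4` with no explanation of the `- 4`; a comment or a named constant should say what those bytes are reserved for. The declaration also sits inside `#if defined(MBEDTLS_SSL_ALPN)` in the middle of the function body without its own braces, so a later extension that declares its own `end` in the same scope would collide; wrapping the block in `{ }` avoids that. `return ret;` should be `return( ret );` to match the file's convention.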
@@ -2476,6 +2420,7 @@
}
#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@@ -2494,6 +2439,7 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -2608,6 +2554,16 @@
* `mbedtls_ssl_conf_ca_cb()`, then the
* CertificateRequest is currently left empty. */
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->handshake->dn_hints != NULL )
+ crt = ssl->handshake->dn_hints;
+ else
+#endif
+ if( ssl->conf->dn_hints != NULL )
+ crt = ssl->conf->dn_hints;
+ else
+#endif
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
crt = ssl->handshake->sni_ca_chain;
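Review bot: the `else` at the end of this hunk is completed by the `if( ssl->handshake->sni_ca_chain != NULL )` that follows it under a separate `#if`, and likewise the `else` after the `dn_hints` SNI check chains into `if( ssl->conf->dn_hints != NULL )`; the control flow is correct for every combination of the two options, but an `else` whose `if` lives on the other side of a preprocessor conditional is easy to break, so consider restructuring this as a small helper that returns the chain to use, or at least adding a comment that the chain continues below.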
@@ -2655,6 +2611,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
( defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) )
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -2749,6 +2706,7 @@
}
#elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -2781,6 +2739,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
size_t *signature_len )
{
@@ -2808,6 +2767,7 @@
/* Prepare the ServerKeyExchange message, up to and including
* calculating the signature if any, but excluding formatting the
* signature and sending the message. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
size_t *signature_len )
{
@@ -3235,6 +3195,7 @@
* that do not include a ServerKeyExchange message, do nothing. Either
* way, if successful, move on to the next step in the SSL state
* machine. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3256,7 +3217,12 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
{
- ssl_get_ecdh_params_from_cert( ssl );
+ ret = ssl_get_ecdh_params_from_cert( ssl );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
+ return( ret );
+ }
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
@@ -3332,6 +3298,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3371,6 +3338,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
const unsigned char *end )
{
@@ -3414,6 +3382,7 @@
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
unsigned char *peer_pms,
size_t *peer_pmslen,
@@ -3431,6 +3400,7 @@
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
@@ -3516,6 +3486,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
@@ -3604,6 +3575,7 @@
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
const unsigned char *end )
{
@@ -3664,6 +3636,7 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -4101,6 +4074,7 @@
}
#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@@ -4119,6 +4093,7 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -4282,6 +4257,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index b498fd4..2b68306 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -42,6 +42,7 @@
* ProtocolVersion versions<2..254>;
* } SupportedVersions;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -91,6 +92,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -120,12 +122,14 @@
}
#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len )
+ const unsigned char *buf, size_t len )
{
- size_t list_len, name_len;
const unsigned char *p = buf;
const unsigned char *end = buf + len;
+ size_t protocol_name_list_len, protocol_name_len;
+ const unsigned char *protocol_name_list_end;
/* If we didn't send it, the server shouldn't send it */
if( ssl->conf->alpn_list == NULL )
@@ -141,21 +145,22 @@
* the "ProtocolNameList" MUST contain exactly one "ProtocolName"
*/
- /* Min length is 2 ( list_len ) + 1 ( name_len ) + 1 ( name ) */
- MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
-
- list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
+ protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
- MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, list_len );
- name_len = *p++;
- MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, list_len - 1 );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
+ protocol_name_list_end = p + protocol_name_list_len;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, 1 );
+ protocol_name_len = *p++;
/* Check that the server chosen protocol was in our list and save it */
- for ( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );
+ for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
{
- if( name_len == strlen( *alpn ) &&
- memcmp( buf + 3, *alpn, name_len ) == 0 )
+ if( protocol_name_len == strlen( *alpn ) &&
+ memcmp( p, *alpn, protocol_name_len ) == 0 )
{
ssl->alpn_chosen = *alpn;
return( 0 );
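Review bot: the new bounds checks fix a real defect in the old code, which validated `list_len - 1` against `end` but then passed `name_len` to memcmp, so a malformed ProtocolName length could read past the received buffer. However, the requirement quoted in the comment above ("the ProtocolNameList MUST contain exactly one ProtocolName") is still not enforced: after `MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );` a list carrying trailing bytes or a second entry is silently accepted. Suggest rejecting with an illegal_parameter alert when `p + protocol_name_len != protocol_name_list_end`, and likewise when `protocol_name_len == 0`, so the server cannot select an empty protocol name.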
@@ -166,6 +171,7 @@
}
#endif /* MBEDTLS_SSL_ALPN */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
{
uint16_t group_id = ssl->handshake->offered_group_id;
@@ -204,6 +210,7 @@
/*
* Functions for writing key_share extension.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
uint16_t *group_id )
{
@@ -253,6 +260,7 @@
* KeyShareEntry client_shares<0..2^16-1>;
* } KeyShareClientHello;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -366,6 +374,7 @@
* NamedGroup selected_group;
* } KeyShareHelloRetryRequest;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -440,6 +449,7 @@
* opaque key_exchange<1..2^16-1>;
* } KeyShareEntry;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -514,6 +524,7 @@
* a "cookie" extension in the new ClientHello. Clients MUST NOT use
* cookies in their initial ClientHello in subsequent connections.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -547,6 +558,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -640,6 +652,7 @@
* \return 1 if the ServerHello contains a supported_versions extension
* \return A negative value if an error occurred while parsing the ServerHello.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_is_supported_versions_ext_present(
mbedtls_ssl_context *ssl,
const unsigned char *buf,
@@ -667,6 +680,7 @@
* - cipher_suite 2 bytes
* - legacy_compression_method 1 byte
*/
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );
p += legacy_session_id_echo_len + 4;
/* Case of no extension */
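Review bot: good catch adding `MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );` before the pointer advance; previously `p` could move past `end` on a truncated ServerHello and the following extension check would then operate on an out-of-range pointer. Since `legacy_session_id_echo_len` is a value read from the peer, it would help to state in the comment that it is a one-byte length (at most 255), so the `+ 4` cannot overflow the check's size argument.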
@@ -714,6 +728,7 @@
* the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
* - 0 otherwise
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -740,12 +755,13 @@
}
/* Returns a negative value on failure, and otherwise
- * - SSL_SERVER_HELLO_COORDINATE_HELLO or
- * - SSL_SERVER_HELLO_COORDINATE_HRR
+ * - SSL_SERVER_HELLO or
+ * - SSL_SERVER_HELLO_HRR
* to indicate which message is expected and to be parsed next.
*/
-#define SSL_SERVER_HELLO_COORDINATE_HELLO 0
-#define SSL_SERVER_HELLO_COORDINATE_HRR 1
+#define SSL_SERVER_HELLO 0
+#define SSL_SERVER_HELLO_HRR 1
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
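Review bot: the shortened names `SSL_SERVER_HELLO` and `SSL_SERVER_HELLO_HRR` are easy to confuse with the handshake state `MBEDTLS_SSL_SERVER_HELLO` and the message type `MBEDTLS_SSL_HS_SERVER_HELLO` used elsewhere in this file; keeping a qualifier in the name (for example `SSL_SERVER_HELLO_IS_HELLO`) would make grep results and review diffs less ambiguous. Purely a naming point; the values are unchanged.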
@@ -772,37 +788,33 @@
if( memcmp( buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) ) == 0 )
{
- return( SSL_SERVER_HELLO_COORDINATE_HRR );
+ return( SSL_SERVER_HELLO_HRR );
}
- return( SSL_SERVER_HELLO_COORDINATE_HELLO );
+ return( SSL_SERVER_HELLO );
}
-/* Fetch and preprocess
+/*
* Returns a negative value on failure, and otherwise
- * - SSL_SERVER_HELLO_COORDINATE_HELLO or
- * - SSL_SERVER_HELLO_COORDINATE_HRR or
- * - SSL_SERVER_HELLO_COORDINATE_TLS1_2
+ * - SSL_SERVER_HELLO or
+ * - SSL_SERVER_HELLO_HRR or
+ * - SSL_SERVER_HELLO_TLS1_2
*/
-#define SSL_SERVER_HELLO_COORDINATE_TLS1_2 2
-static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl,
- unsigned char **buf,
- size_t *buf_len )
+#define SSL_SERVER_HELLO_TLS1_2 2
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *end;
-
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
- MBEDTLS_SSL_HS_SERVER_HELLO,
- buf, buf_len ) );
- end = *buf + *buf_len;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
- ssl, *buf, end ) );
+ ssl, buf, end ) );
if( ret == 0 )
{
MBEDTLS_SSL_PROC_CHK_NEG(
- ssl_tls13_is_downgrade_negotiation( ssl, *buf, end ) );
+ ssl_tls13_is_downgrade_negotiation( ssl, buf, end ) );
/* If the server is negotiating TLS 1.2 or below and:
* . we did not propose TLS 1.2 or
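Review bot: the function header comment lost its description when "Fetch and preprocess" became a bare `/*`; since the function no longer fetches anything, a one-line "Preprocess the ServerHello: detect a TLS 1.2 downgrade or a HelloRetryRequest" before "Returns a negative value on failure" would document the new contract. The `(size_t)(end - buf)` cast when adding the message to the checksum is correct here because `buf`/`end` are fixed by the caller, but it relies on `end >= buf`, which is worth a short comment or an assert.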
@@ -810,7 +822,7 @@
* version of the protocol and thus we are under downgrade attack
* abort the handshake with an "illegal parameter" alert.
*/
- if( ssl->handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
+ if( handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
{
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
@@ -820,7 +832,7 @@
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
- *buf, *buf_len );
+ buf, (size_t)(end - buf) );
if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{
@@ -829,23 +841,25 @@
return( ret );
}
- return( SSL_SERVER_HELLO_COORDINATE_TLS1_2 );
+ return( SSL_SERVER_HELLO_TLS1_2 );
}
- ret = ssl_server_hello_is_hrr( ssl, *buf, end );
+ handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
+
+ ret = ssl_server_hello_is_hrr( ssl, buf, end );
switch( ret )
{
- case SSL_SERVER_HELLO_COORDINATE_HELLO:
+ case SSL_SERVER_HELLO:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
break;
- case SSL_SERVER_HELLO_COORDINATE_HRR:
+ case SSL_SERVER_HELLO_HRR:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
/* If a client receives a second
* HelloRetryRequest in the same connection (i.e., where the ClientHello
* was itself in response to a HelloRetryRequest), it MUST abort the
* handshake with an "unexpected_message" alert.
*/
- if( ssl->handshake->hello_retry_request_count > 0 )
+ if( handshake->hello_retry_request_count > 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
@@ -868,7 +882,7 @@
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
- ssl->handshake->hello_retry_request_count++;
+ handshake->hello_retry_request_count++;
break;
}
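Review bot: `handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;` is now placed after the TLS 1.2 early return, whereas the removed line in ssl_tls13_process_server_hello reset it before any ServerHello handling, including the downgrade path. If the TLS 1.2 code inspects `extensions_present` after a fallback negotiated following an HRR, it would now see the extensions recorded during the HRR round; please either confirm that the 1.2 path never reads this field or move the reset above the `ssl_tls13_is_supported_versions_ext_present` call.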
@@ -878,6 +892,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
const unsigned char **buf,
const unsigned char *end )
@@ -925,6 +940,7 @@
* Extension extensions<6..2^16-1>;
* } ServerHello;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end,
@@ -1183,6 +1199,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1247,11 +1264,6 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
ssl->session_in = ssl->session_negotiate;
- /*
- * State machine update
- */
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
-
cleanup:
if( ret != 0 )
{
@@ -1263,21 +1275,11 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
- /* If not offering early data, the client sends a dummy CCS record
- * immediately before its second flight. This may either be before
- * its second ClientHello or before its encrypted handshake flight.
- */
- mbedtls_ssl_handshake_set_state( ssl,
- MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
-#else
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
-#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
-
mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
/*
@@ -1297,6 +1299,7 @@
* Wait and parse ServerHello handshake message.
* Handler for MBEDTLS_SSL_SERVER_HELLO
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1306,20 +1309,17 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
- /* Coordination step
- * - Fetch record
- * - Make sure it's either a ServerHello or a HRR.
- * - Switch processing routine in case of HRR
- */
- ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
+ MBEDTLS_SSL_HS_SERVER_HELLO,
+ &buf, &buf_len ) );
- ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len );
+ ret = ssl_tls13_preprocess_server_hello( ssl, buf, buf + buf_len );
if( ret < 0 )
goto cleanup;
else
- is_hrr = ( ret == SSL_SERVER_HELLO_COORDINATE_HRR );
+ is_hrr = ( ret == SSL_SERVER_HELLO_HRR );
- if( ret == SSL_SERVER_HELLO_COORDINATE_TLS1_2 )
+ if( ret == SSL_SERVER_HELLO_TLS1_2 )
{
ret = 0;
goto cleanup;
@@ -1335,9 +1335,24 @@
buf, buf_len );
if( is_hrr )
+ {
MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /* If not offering early data, the client sends a dummy CCS record
+ * immediately before its second flight. This may either be before
+ * its second ClientHello or before its encrypted handshake flight.
+ */
+ mbedtls_ssl_handshake_set_state( ssl,
+ MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
+#else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+ }
else
+ {
MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
+ }
cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
@@ -1347,61 +1362,19 @@
/*
*
- * EncryptedExtensions message
+ * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
*
* The EncryptedExtensions message contains any extensions which
* should be protected, i.e., any which are not needed to establish
* the cryptographic context.
*/
-/*
- * Overview
- */
-
-/* Main entry point; orchestrates the other functions */
-static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl );
-
-static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end );
-static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl );
-
-/*
- * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
- */
-static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
-{
- int ret;
- unsigned char *buf;
- size_t buf_len;
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
-
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
- MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
- &buf, &buf_len ) );
-
- /* Process the message contents */
- MBEDTLS_SSL_PROC_CHK(
- ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
-
- mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
- buf, buf_len );
-
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_encrypted_extensions( ssl ) );
-
-cleanup:
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
- return( ret );
-
-}
-
/* Parse EncryptedExtensions message
* struct {
* Extension extensions<0..2^16-1>;
* } EncryptedExtensions;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -1416,8 +1389,8 @@
p += 2;
MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
- extensions_end = p + extensions_len;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
+ extensions_end = p + extensions_len;
while( p < extensions_end )
{
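Review bot: swapping the two lines so that `MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );` runs before `extensions_end = p + extensions_len;` is more than cosmetic: computing a pointer past the end of the received buffer is undefined behaviour in C even if it is never dereferenced, and the macro can only return cleanly if it runs first. The same ordering applies to the `certificate_list_end` computation later in this patch.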
@@ -1483,8 +1456,26 @@
return( ret );
}
-static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl )
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
{
+ int ret;
+ unsigned char *buf;
+ size_t buf_len;
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
+
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
+ MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ &buf, &buf_len ) );
+
+ /* Process the message contents */
+ MBEDTLS_SSL_PROC_CHK(
+ ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
+
+ mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ buf, buf_len );
+
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
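Review bot: `int ret;` in the relocated ssl_tls13_process_encrypted_extensions is left uninitialised, unlike the other handlers in this file, which start from `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED`. Every path that reaches `cleanup:` does go through a MBEDTLS_SSL_PROC_CHK that assigns `ret`, so this is not a bug today, but initialising it keeps the defensive convention and avoids a maybe-uninitialised warning if a future early `goto cleanup` is added.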
@@ -1494,12 +1485,16 @@
((void) ssl);
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
#endif
- return( 0 );
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
+ return( ret );
+
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
- *
* STATE HANDLING: CertificateRequest
*
*/
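Review bot: the `((void) ssl);` in the `#else` branch was needed when this body belonged to ssl_tls13_postprocess_encrypted_extensions and `ssl` could be otherwise unused; inside the merged ssl_tls13_process_encrypted_extensions `ssl` is always used (fetch, parse, checksum), so the cast is now dead and can be dropped.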
@@ -1512,6 +1507,7 @@
* - SSL_CERTIFICATE_REQUEST_SKIP
* indicating if a Certificate Request is expected or not.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1532,9 +1528,12 @@
if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
{
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
}
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
+
return( SSL_CERTIFICATE_REQUEST_SKIP );
}
@@ -1546,6 +1545,7 @@
* Extension extensions<2..2^16-1>;
* } CertificateRequest;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -1662,6 +1662,7 @@
/*
* Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1687,7 +1688,6 @@
}
else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip tls13 parse certificate request" ) );
ret = 0;
}
else
@@ -1697,9 +1697,6 @@
goto cleanup;
}
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
- ssl->handshake->client_auth ? "a" : "no" ) );
-
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
cleanup:
@@ -1711,6 +1708,7 @@
/*
* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
{
int ret;
@@ -1726,6 +1724,7 @@
/*
* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
{
int ret;
@@ -1742,6 +1741,7 @@
/*
* Handler for MBEDTLS_SSL_SERVER_FINISHED
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
{
int ret;
@@ -1773,6 +1773,7 @@
/*
* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
{
int non_empty_certificate_msg = 0;
@@ -1803,7 +1804,10 @@
MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
}
else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ }
return( 0 );
}
@@ -1812,6 +1816,7 @@
/*
* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
{
int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
@@ -1826,6 +1831,7 @@
/*
* Handler for MBEDTLS_SSL_CLIENT_FINISHED
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
{
int ret;
@@ -1849,6 +1855,7 @@
/*
* Handler for MBEDTLS_SSL_FLUSH_BUFFERS
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
@@ -1859,6 +1866,7 @@
/*
* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
{
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index f508bca..265d6d3 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -31,6 +31,7 @@
#include <string.h>
#include "ssl_misc.h"
+#include "ssl_tls13_invasive.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
@@ -156,6 +157,7 @@
*verify_buffer_len = idx;
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end,
@@ -256,13 +258,9 @@
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
{
- const mbedtls_md_info_t* md_info;
rsassa_pss_options.mgf1_hash_id = md_alg;
- if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
- {
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
- rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
+
+ rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH( hash_alg );
options = (const void*) &rsassa_pss_options;
}
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
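Review bot: `PSA_HASH_LENGTH( hash_alg )` evaluates to 0 for an algorithm it does not recognise, whereas the removed lookup returned MBEDTLS_ERR_SSL_INTERNAL_ERROR when `mbedtls_md_info_from_type` failed. With `expected_salt_len = 0` an unexpected `hash_alg` would turn into a PSS verification that demands a zero-length salt rather than a clean internal error. If `hash_alg` is guaranteed valid by the signature-algorithm lookup above this hunk, a comment saying so is enough; otherwise keep an explicit `if( rsassa_pss_options.expected_salt_len == 0 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`.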
@@ -389,9 +387,11 @@
*/
/* Parse certificate chain send by the server. */
-static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end )
+MBEDTLS_CHECK_RETURN_CRITICAL
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t certificate_request_context_len = 0;
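Review bot: making this function MBEDTLS_STATIC_TESTABLE with an `mbedtls_ssl_tls13_` prefix means it now needs a prototype in the invasive header under MBEDTLS_TEST_HOOKS; that declaration is not in this patch, so please confirm it exists or add it. While touching the context line, the comment "Parse certificate chain send by the server" should read "sent by the server".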
@@ -442,6 +442,7 @@
mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_list_len );
certificate_list_end = p + certificate_list_len;
while( p < certificate_list_end )
{
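Review bot: the added `MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_list_len );` closes the same gap as the EncryptedExtensions fix earlier in this patch: `certificate_list_len` is a 24-bit value taken from the peer, and without the check `certificate_list_end` could point past the received buffer before the loop's `p < certificate_list_end` test ever ran.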
@@ -521,9 +522,11 @@
return( ret );
}
#else
-static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end )
+MBEDTLS_CHECK_RETURN_CRITICAL
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
{
((void) ssl);
((void) buf);
@@ -536,12 +539,15 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* Validate certificate chain sent by the server. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
{
int ret = 0;
int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
+ const char *ext_oid;
+ size_t ext_len;
uint32_t verify_result = 0;
/* If SNI was used, overwrite authentication mode
@@ -567,7 +573,7 @@
*/
if( ssl->session_negotiate->peer_cert == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has not sent a certificate" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) );
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
@@ -630,12 +636,25 @@
/*
* Secondary checks: always done, but change 'ret' only if it was 0
*/
- if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
- ssl->handshake->ciphersuite_info,
- !ssl->conf->endpoint,
- &verify_result ) != 0 )
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
+ ext_oid = MBEDTLS_OID_SERVER_AUTH;
+ ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
+ }
+ else
+ {
+ ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+ ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
+ }
+
+ if( ( mbedtls_x509_crt_check_key_usage(
+ ssl->session_negotiate->peer_cert,
+ MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ) ||
+ ( mbedtls_x509_crt_check_extended_key_usage(
+ ssl->session_negotiate->peer_cert,
+ ext_oid, ext_len ) != 0 ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( ret == 0 )
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
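Review bot: replacing mbedtls_ssl_check_cert_usage with direct key-usage and extended-key-usage checks drops the `verify_result` reporting: the old helper set MBEDTLS_X509_BADCERT_KEY_USAGE / MBEDTLS_X509_BADCERT_EXT_KEY_USAGE in the flags, while the new block only sets `ret` and logs. In MBEDTLS_SSL_VERIFY_OPTIONAL mode (the next hunk makes MBEDTLS_ERR_SSL_BAD_CERTIFICATE non-fatal there) the application can no longer learn from mbedtls_ssl_get_verify_result why the certificate was flagged. Suggest `verify_result |= MBEDTLS_X509_BADCERT_KEY_USAGE;` and `verify_result |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;` in the respective failure cases. Hard-coding MBEDTLS_X509_KU_DIGITAL_SIGNATURE is correct for TLS 1.3, where peer authentication is always a signature, and both x509 helpers accept a certificate that lacks the extension, matching the previous behaviour.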
@@ -645,7 +664,8 @@
* with details encoded in the verification flags. All other kinds
* of error codes, including those from the user provided f_vrfy
* functions, are treated as fatal and lead to a failure of
- * ssl_tls13_parse_certificate even if verification was optional. */
+ * mbedtls_ssl_tls13_parse_certificate even if verification was optional.
+ */
if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
@@ -700,6 +720,7 @@
return( ret );
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
{
((void) ssl);
@@ -722,8 +743,8 @@
&buf, &buf_len ) );
/* Parse the certificate chain sent by the peer. */
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf,
- buf + buf_len ) );
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_parse_certificate( ssl, buf,
+ buf + buf_len ) );
/* Validate the certificate chain and set the verification results. */
MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
@@ -761,6 +782,7 @@
* CertificateEntry certificate_list<0..2^24-1>;
* } Certificate;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -812,7 +834,7 @@
/* Currently, we don't have any certificate extensions defined.
* Hence, we are sending an empty extension with length zero.
*/
- MBEDTLS_PUT_UINT24_BE( 0, p, 0 );
+ MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
p += 2;
}
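Review bot: this is a wire-format bug fix, not a cleanup, and deserves a changelog entry: the CertificateEntry extensions field is `Extension extensions<0..2^16-1>`, so its length is two bytes. `MBEDTLS_PUT_UINT24_BE( 0, p, 0 )` wrote three zero bytes while `p` advanced only two, leaving a stray zero one byte past what the length accounting covers, possibly beyond the space checked for this entry.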
@@ -854,123 +876,88 @@
/*
* STATE HANDLING: Output Certificate Verify
*/
-int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
- mbedtls_pk_context *own_key,
- uint16_t *algorithm )
+int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
+ mbedtls_pk_context *key )
{
- mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
- /* Determine the size of the key */
- size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
- *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
- ((void) own_key_size);
+ mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk( key );
+ size_t key_size = mbedtls_pk_get_bitlen( key );
- switch( sig )
+ switch( pk_type )
{
-#if defined(MBEDTLS_ECDSA_C)
case MBEDTLS_SSL_SIG_ECDSA:
- switch( own_key_size )
+ switch( key_size )
{
case 256:
- *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
- return( 0 );
+ return(
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 );
+
case 384:
- *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
- return( 0 );
+ return(
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 );
+
case 521:
- *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
- return( 0 );
+ return(
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 );
default:
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "unknown key size: %"
- MBEDTLS_PRINTF_SIZET " bits",
- own_key_size ) );
break;
}
break;
-#endif /* MBEDTLS_ECDSA_C */
-#if defined(MBEDTLS_RSA_C)
case MBEDTLS_SSL_SIG_RSA:
-#if defined(MBEDTLS_PKCS1_V21)
-#if defined(MBEDTLS_SHA256_C)
- if( own_key_size <= 2048 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
+ switch( sig_alg )
{
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
- if( own_key_size <= 3072 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
- if( own_key_size <= 4096 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V21 */
-#if defined(MBEDTLS_PKCS1_V15)
-#if defined(MBEDTLS_SHA256_C)
- if( own_key_size <= 2048 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
- if( own_key_size <= 3072 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
- if( own_key_size <= 4096 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V15 */
- {
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "unknown key size: %"
- MBEDTLS_PRINTF_SIZET " bits",
- own_key_size ) );
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ return( key_size <= 3072 );
+
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ return( key_size <= 7680 );
+
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ return( 1 );
+
+ default:
+ break;
}
break;
-#endif /* MBEDTLS_RSA_C */
+
default:
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "unknown signature type : %u", sig ) );
break;
}
+
+ return( 0 );
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_select_sig_alg_for_certificate_verify(
+ mbedtls_ssl_context *ssl,
+ mbedtls_pk_context *own_key,
+ uint16_t *algorithm )
+{
+ uint16_t *sig_alg = ssl->handshake->received_sig_algs;
+
+ *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
+ {
+ if( mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) &&
+ mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) &&
+ mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "select_sig_alg_for_certificate_verify:"
+ "selected signature algorithm %s [%04x]",
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+ *sig_alg ) );
+ *algorithm = *sig_alg;
+ return( 0 );
+ }
+ }
+ MBEDTLS_SSL_DEBUG_MSG( 2,
+ ( "select_sig_alg_for_certificate_verify:"
+ "no suitable signature algorithm found" ) );
return( -1 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
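Review bot: in mbedtls_ssl_tls13_check_sig_alg_cert_key_match the ECDSA case infers the NamedGroup from `key_size` alone, so a 256-bit key on another curve (for example brainpoolP256r1 or secp256k1) would be declared a match for MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 and signing would proceed with the wrong algorithm label; consider checking the curve id of the EC keypair rather than the bit length. The RSA thresholds `key_size <= 3072` for SHA-256 and `<= 7680` for SHA-384 look like the NIST security-strength equivalences (128 and 192 bits); a short comment giving that rationale would help future readers, since they differ from the old 2048/3072/4096 cut-offs. Dropping the RSA PKCS#1 v1.5 branches is correct for CertificateVerify, which RFC 8446 restricts to PSS, but the removed `#if defined(MBEDTLS_ECDSA_C)` / `MBEDTLS_RSA_C` guards mean this function now compiles references to both key types unconditionally; please confirm mbedtls_ssl_sig_from_pk and the enum values are available in every configuration. Finally, the function is now non-static and needs a prototype in ssl_misc.h, which is not part of this diff.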
@@ -1024,8 +1011,9 @@
* opaque signature<0..2^16-1>;
* } CertificateVerify;
*/
- ret = mbedtls_ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
- if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
+ ret = ssl_tls13_select_sig_alg_for_certificate_verify( ssl, own_key,
+ &algorithm );
+ if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "signature algorithm not in received or offered list." ) );
@@ -1038,6 +1026,9 @@
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s",
+ mbedtls_ssl_sig_alg_to_str( algorithm )) );
+
if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
algorithm, &pk_type, &md_alg ) != 0 )
{
@@ -1116,6 +1107,7 @@
* Implementation
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
{
int ret;
@@ -1135,6 +1127,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -1213,6 +1206,7 @@
* Implement
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
{
int ret;
@@ -1233,6 +1227,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -1312,6 +1307,7 @@
*
*/
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -1437,12 +1433,12 @@
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
/* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
/* Check if key size is consistent with given buffer length. */
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, peerkey_len );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, peerkey_len );
/* Store peer's ECDH public key. */
memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
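Review bot: the check before the memcpy only bounds peerkey_len against the input record; nothing in this hunk compares it with the size of handshake->ecdh_psa_peerkey, so unless that is guaranteed by a check outside the hunk, an over-long key_exchange field would write past the array. Add `if( peerkey_len > sizeof( handshake->ecdh_psa_peerkey ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` (or the equivalent illegal_parameter path) immediately before the memcpy. Switching to MBEDTLS_SSL_CHK_BUF_READ_PTR is otherwise the correct macro here, since p is being read.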
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
index 4e39f90..5470200 100644
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
@@ -25,61 +25,9 @@
#include "psa/crypto.h"
#if defined(MBEDTLS_TEST_HOOKS)
-
-/**
- * \brief Take the input keying material \p ikm and extract from it a
- * fixed-length pseudorandom key \p prk.
- *
- * \param hash_alg Hash algorithm to use.
- * \param salt An optional salt value (a non-secret random value);
- * if the salt is not provided, a string of all zeros
- * of the length of the hash provided by \p alg is used
- * as the salt.
- * \param salt_len The length in bytes of the optional \p salt.
- * \param ikm The input keying material.
- * \param ikm_len The length in bytes of \p ikm.
- * \param[out] prk A pseudorandom key of \p prk_len bytes.
- * \param prk_size Size of the \p prk buffer in bytes.
- * \param[out] prk_len On success, the length in bytes of the
- * pseudorandom key in \p prk.
- *
- * \return 0 on success.
- * \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid.
- * \return An PSA_ERROR_* error for errors returned from the underlying
- * PSA layer.
- */
-psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t hash_alg,
- const unsigned char *salt, size_t salt_len,
- const unsigned char *ikm, size_t ikm_len,
- unsigned char *prk, size_t prk_size,
- size_t *prk_len );
-
-/**
- * \brief Expand the supplied \p prk into several additional pseudorandom
- * keys, which is the output of the HKDF.
- *
- * \param hash_alg Hash algorithm to use.
- * \param prk A pseudorandom key of \p prk_len bytes. \p prk is
- * usually the output from the HKDF extract step.
- * \param prk_len The length in bytes of \p prk.
- * \param info An optional context and application specific information
- * string. This can be a zero-length string.
- * \param info_len The length of \p info in bytes.
- * \param okm The output keying material of \p okm_len bytes.
- * \param okm_len The length of the output keying material in bytes. This
- * must be less than or equal to
- * 255 * #PSA_HASH_LENGTH( \p alg ) bytes.
- *
- * \return 0 on success.
- * \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid.
- * \return An PSA_ERROR_* error for errors returned from the underlying
- * PSA layer.
- */
-psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t hash_alg,
- const unsigned char *prk, size_t prk_len,
- const unsigned char *info, size_t info_len,
- unsigned char *okm, size_t okm_len );
-
+int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end );
#endif /* MBEDTLS_TEST_HOOKS */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
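Review bot: the new test-hook declaration of mbedtls_ssl_tls13_parse_certificate has no Doxygen block, whereas the two declarations it replaces documented every parameter and return value. Add a \brief plus \param lines (buf and end delimit the Certificate message body) and the \return convention (0 on success, negative error code otherwise) so the header keeps its documentation style.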
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 91cc4d9..51743bb 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -137,182 +137,6 @@
*dst_len = total_hkdf_lbl_len;
}
-MBEDTLS_STATIC_TESTABLE
-psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t hash_alg,
- const unsigned char *salt, size_t salt_len,
- const unsigned char *ikm, size_t ikm_len,
- unsigned char *prk, size_t prk_size,
- size_t *prk_len )
-{
- unsigned char null_salt[PSA_MAC_MAX_SIZE] = { '\0' };
- mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t destroy_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_algorithm_t alg = PSA_ALG_HMAC( hash_alg );
-
- if( salt == NULL || salt_len == 0 )
- {
- size_t hash_len;
-
- if( salt_len != 0 )
- {
- return( PSA_ERROR_INVALID_ARGUMENT );
- }
-
- hash_len = PSA_HASH_LENGTH( alg );
-
- if( hash_len == 0 )
- {
- return( PSA_ERROR_INVALID_ARGUMENT );
- }
-
- /* salt_len <= sizeof( salt ) because
- PSA_HASH_LENGTH( alg ) <= PSA_MAC_MAX_SIZE. */
- salt = null_salt;
- salt_len = hash_len;
- }
-
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
- psa_set_key_algorithm( &attributes, alg );
- psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
-
- status = psa_import_key( &attributes, salt, salt_len, &key );
- if( status != PSA_SUCCESS )
- {
- goto cleanup;
- }
-
- status = psa_mac_compute( key, alg, ikm, ikm_len, prk, prk_size, prk_len );
-
-cleanup:
- destroy_status = psa_destroy_key( key );
-
- return( ( status == PSA_SUCCESS ) ? destroy_status : status );
-}
-
-MBEDTLS_STATIC_TESTABLE
-psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t hash_alg,
- const unsigned char *prk, size_t prk_len,
- const unsigned char *info, size_t info_len,
- unsigned char *okm, size_t okm_len )
-{
- size_t hash_len;
- size_t where = 0;
- size_t n;
- size_t t_len = 0;
- size_t i;
- mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t destroy_status = PSA_ERROR_CORRUPTION_DETECTED;
- unsigned char t[PSA_MAC_MAX_SIZE];
- psa_algorithm_t alg = PSA_ALG_HMAC( hash_alg );
-
- if( okm == NULL )
- {
- return( PSA_ERROR_INVALID_ARGUMENT );
- }
-
- hash_len = PSA_HASH_LENGTH( alg );
-
- if( prk_len < hash_len || hash_len == 0 )
- {
- return( PSA_ERROR_INVALID_ARGUMENT );
- }
-
- if( info == NULL )
- {
- info = (const unsigned char *) "";
- info_len = 0;
- }
-
- n = okm_len / hash_len;
-
- if( okm_len % hash_len != 0 )
- {
- n++;
- }
-
- /*
- * Per RFC 5869 Section 2.3, okm_len must not exceed
- * 255 times the hash length
- */
- if( n > 255 )
- {
- return( PSA_ERROR_INVALID_ARGUMENT );
- }
-
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
- psa_set_key_algorithm( &attributes, alg );
- psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
-
- status = psa_import_key( &attributes, prk, prk_len, &key );
- if( status != PSA_SUCCESS )
- {
- goto cleanup;
- }
-
- memset( t, 0, hash_len );
-
- /*
- * Compute T = T(1) | T(2) | T(3) | ... | T(N)
- * Where T(N) is defined in RFC 5869 Section 2.3
- */
- for( i = 1; i <= n; i++ )
- {
- size_t num_to_copy;
- unsigned char c = i & 0xff;
- size_t len;
-
- status = psa_mac_sign_setup( &operation, key, alg );
- if( status != PSA_SUCCESS )
- {
- goto cleanup;
- }
-
- status = psa_mac_update( &operation, t, t_len );
- if( status != PSA_SUCCESS )
- {
- goto cleanup;
- }
-
- status = psa_mac_update( &operation, info, info_len );
- if( status != PSA_SUCCESS )
- {
- goto cleanup;
- }
-
- /* The constant concatenated to the end of each T(n) is a single octet. */
- status = psa_mac_update( &operation, &c, 1 );
- if( status != PSA_SUCCESS )
- {
- goto cleanup;
- }
-
- status = psa_mac_sign_finish( &operation, t, PSA_MAC_MAX_SIZE, &len );
- if( status != PSA_SUCCESS )
- {
- goto cleanup;
- }
-
- num_to_copy = i != n ? hash_len : okm_len - where;
- memcpy( okm + where, t, num_to_copy );
- where += hash_len;
- t_len = hash_len;
- }
-
-cleanup:
- if( status != PSA_SUCCESS )
- psa_mac_abort( &operation );
- destroy_status = psa_destroy_key( key );
-
- mbedtls_platform_zeroize( t, sizeof( t ) );
-
- return( ( status == PSA_SUCCESS ) ? destroy_status : status );
-}
-
int mbedtls_ssl_tls13_hkdf_expand_label(
psa_algorithm_t hash_alg,
const unsigned char *secret, size_t secret_len,
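Review bot: both removed functions were MBEDTLS_STATIC_TESTABLE and exported through ssl_tls13_invasive.h under MBEDTLS_TEST_HOOKS (also dropped in this patch), so any test-suite cases that exercised mbedtls_psa_hkdf_extract or mbedtls_psa_hkdf_expand directly must be removed or retargeted at the PSA key-derivation API in the same change, or the test build breaks. Note also that the explicit RFC 5869 check `okm_len <= 255 * hash_len` at the top of mbedtls_psa_hkdf_expand disappears with it; the replacement relies on the PSA operation's capacity to enforce that limit, which is worth a sentence in the commit message.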
@@ -321,7 +145,11 @@
unsigned char *buf, size_t buf_len )
{
unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
- size_t hkdf_label_len;
+ size_t hkdf_label_len = 0;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t operation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
if( label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
{
@@ -352,11 +180,39 @@
hkdf_label,
&hkdf_label_len );
- return( psa_ssl_status_to_mbedtls(
- mbedtls_psa_hkdf_expand( hash_alg,
- secret, secret_len,
- hkdf_label, hkdf_label_len,
- buf, buf_len ) ) );
+ status = psa_key_derivation_setup( &operation, PSA_ALG_HKDF_EXPAND( hash_alg ) );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
+
+ status = psa_key_derivation_input_bytes( &operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ secret,
+ secret_len );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
+
+ status = psa_key_derivation_input_bytes( &operation,
+ PSA_KEY_DERIVATION_INPUT_INFO,
+ hkdf_label,
+ hkdf_label_len );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
+
+ status = psa_key_derivation_output_bytes( &operation,
+ buf,
+ buf_len );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
+
+cleanup:
+ abort_status = psa_key_derivation_abort( &operation );
+ status = ( status == PSA_SUCCESS ? abort_status : status );
+ mbedtls_platform_zeroize( hkdf_label, hkdf_label_len );
+ return( psa_ssl_status_to_mbedtls ( status ) );
}
/*
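Review bot: the `if( status != PSA_SUCCESS ) goto cleanup;` after psa_key_derivation_output_bytes falls through to `cleanup:` either way and can be deleted. Two style points: `psa_ssl_status_to_mbedtls ( status )` has a stray space before the parenthesis, and the abort-then-merge pattern `status = ( status == PSA_SUCCESS ? abort_status : status )` is repeated verbatim in mbedtls_ssl_tls13_evolve_secret below, so a small static helper would avoid the duplication. Zeroizing hkdf_label at cleanup is a welcome addition, since the HkdfLabel carries the transcript context.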
@@ -473,10 +329,13 @@
unsigned char *secret_new )
{
int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
size_t hlen, ilen;
unsigned char tmp_secret[ PSA_MAC_MAX_SIZE ] = { 0 };
unsigned char tmp_input [ MBEDTLS_ECP_MAX_BYTES ] = { 0 };
- size_t secret_len;
+ psa_key_derivation_operation_t operation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
if( ! PSA_ALG_IS_HASH( hash_alg ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -498,6 +357,8 @@
goto cleanup;
}
+ ret = 0;
+
if( input != NULL )
{
memcpy( tmp_input, input, input_len );
@@ -508,17 +369,39 @@
ilen = hlen;
}
- /* HKDF-Extract takes a salt and input key material.
- * The salt is the old secret, and the input key material
- * is the input secret (PSK / ECDHE). */
- ret = psa_ssl_status_to_mbedtls(
- mbedtls_psa_hkdf_extract( hash_alg,
- tmp_secret, hlen,
- tmp_input, ilen,
- secret_new, hlen, &secret_len ) );
+ status = psa_key_derivation_setup( &operation,
+ PSA_ALG_HKDF_EXTRACT( hash_alg ) );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
+
+ status = psa_key_derivation_input_bytes( &operation,
+ PSA_KEY_DERIVATION_INPUT_SALT,
+ tmp_secret,
+ hlen );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
+
+ status = psa_key_derivation_input_bytes( &operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ tmp_input,
+ ilen );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
+
+ status = psa_key_derivation_output_bytes( &operation,
+ secret_new,
+ PSA_HASH_LENGTH( hash_alg ) );
+
+ if( status != PSA_SUCCESS )
+ goto cleanup;
cleanup:
-
+ abort_status = psa_key_derivation_abort( &operation );
+ status = ( status == PSA_SUCCESS ? abort_status : status );
+ ret = ( ret == 0 ? psa_ssl_status_to_mbedtls ( status ) : ret );
mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
return( ret );
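Review bot: the removed comment explaining that the old secret is the HKDF-Extract salt and the PSK/ECDHE value is the input keying material was the only documentation of this step; keep it above the psa_key_derivation_setup call. The `if( status != PSA_SUCCESS ) goto cleanup;` immediately before `cleanup:` is redundant, and the output length passed to psa_key_derivation_output_bytes is written as PSA_HASH_LENGTH( hash_alg ) while the same value is already in hlen (used for the salt input), so use hlen for consistency. The `ret = 0;` added before the PSA calls is what makes the `ret == 0 ? psa_ssl_status_to_mbedtls ( status ) : ret` mapping at cleanup work; a short comment saying so would stop it being "cleaned up" later.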
@@ -761,6 +644,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_calc_finished_core( psa_algorithm_t hash_alg,
unsigned char const *base_key,
unsigned char const *transcript,
@@ -1188,6 +1072,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int mbedtls_ssl_tls13_get_cipher_key_info(
const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
size_t *key_len, size_t *iv_len )
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index 693b6c4..76c1e93 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -121,6 +121,7 @@
* \return A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_hkdf_expand_label(
psa_algorithm_t hash_alg,
const unsigned char *secret, size_t secret_len,
@@ -159,6 +160,7 @@
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_make_traffic_keys(
psa_algorithm_t hash_alg,
const unsigned char *client_secret,
@@ -205,6 +207,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_derive_secret(
psa_algorithm_t hash_alg,
const unsigned char *secret, size_t secret_len,
@@ -255,6 +258,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_derive_early_secrets(
psa_algorithm_t hash_alg,
unsigned char const *early_secret,
@@ -300,6 +304,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_derive_handshake_secrets(
psa_algorithm_t hash_alg,
unsigned char const *handshake_secret,
@@ -350,6 +355,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_derive_application_secrets(
psa_algorithm_t hash_alg,
unsigned char const *master_secret,
@@ -380,6 +386,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_derive_resumption_master_secret(
psa_algorithm_t hash_alg,
unsigned char const *application_secret,
@@ -453,6 +460,7 @@
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_evolve_secret(
psa_algorithm_t hash_alg,
const unsigned char *secret_old,
@@ -482,6 +490,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl,
const psa_algorithm_t hash_alg,
unsigned char const *psk, size_t psk_len,
@@ -516,6 +525,7 @@
* mbedtls_ssl_transform_encrypt().
* \return A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
int endpoint,
int ciphersuite,
@@ -542,6 +552,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl );
/**
@@ -560,6 +571,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl );
/**
@@ -574,6 +586,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
mbedtls_ssl_key_set *traffic_keys );
@@ -593,6 +606,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl );
/**
@@ -607,6 +621,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_generate_application_keys(
mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys );
@@ -620,6 +635,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_generate_resumption_master_secret(
mbedtls_ssl_context *ssl );
@@ -645,6 +661,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl,
unsigned char *dst,
size_t dst_len,
@@ -660,6 +677,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
/**
@@ -671,6 +689,7 @@
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 5be338d..7d99433 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -50,6 +50,7 @@
* ProtocolVersion versions<2..254>;
* } SupportedVersions;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -106,6 +107,7 @@
* NamedGroup named_group_list<2..2^16-1>;
* } NamedGroupList;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -168,6 +170,7 @@
* be needed.
* - A negative value for fatal errors.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -303,9 +306,17 @@
& MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
"TRUE" : "FALSE" ) );
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined ( MBEDTLS_SSL_ALPN )
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "- ALPN_EXTENSION ( %s )",
+ ( ( ssl->handshake->extensions_present
+ & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ?
+ "TRUE" : "FALSE" ) );
+#endif /* MBEDTLS_SSL_ALPN */
}
#endif /* MBEDTLS_DEBUG_C */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
int exts_mask )
{
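Review bot: `#if defined ( MBEDTLS_SSL_ALPN )` has a space after `defined`, unlike every other guard in this file (for example `#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)`); use `#if defined(MBEDTLS_SSL_ALPN)` to match.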
@@ -313,6 +324,7 @@
return( masked == exts_mask );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
mbedtls_ssl_context *ssl )
{
@@ -322,6 +334,7 @@
MBEDTLS_SSL_EXT_SIG_ALG ) );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
{
if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
@@ -341,11 +354,11 @@
* Pick best ( private key, certificate chain ) pair based on the signature
* algorithms supported by the client.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_key_cert *key_cert, *key_cert_list;
const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
- uint16_t key_sig_alg;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_key_cert != NULL )
@@ -365,7 +378,6 @@
for( key_cert = key_cert_list; key_cert != NULL;
key_cert = key_cert->next )
{
- int ret;
MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
key_cert->cert );
@@ -384,13 +396,21 @@
continue;
}
- ret = mbedtls_ssl_tls13_get_sig_alg_from_pk(
- ssl, &key_cert->cert->pk, &key_sig_alg );
- if( ret != 0 )
- continue;
- if( *sig_alg == key_sig_alg )
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "ssl_tls13_pick_key_cert:"
+ "check signature algorithm %s [%04x]",
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+ *sig_alg ) );
+ if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
+ *sig_alg, &key_cert->cert->pk ) )
{
ssl->handshake->key_cert = key_cert;
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "ssl_tls13_pick_key_cert:"
+ "selected signature algorithm"
+ " %s [%04x]",
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+ *sig_alg ) );
MBEDTLS_SSL_DEBUG_CRT(
3, "selected certificate (chain)",
ssl->handshake->key_cert->cert );
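Review bot: the new selection accepts the first client-offered algorithm that mbedtls_ssl_tls13_check_sig_alg_cert_key_match says the certificate key can produce, where the old code required equality with the single algorithm derived from the key via mbedtls_ssl_tls13_get_sig_alg_from_pk; that is a behavioural change in which certificate gets picked and deserves a ChangeLog entry. The concatenated debug literals again lack a space after "ssl_tls13_pick_key_cert:"; otherwise the level 3 check/selected messages paired with the level 2 "no suitable certificate found" make the trace easy to follow.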
@@ -399,6 +419,8 @@
}
}
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
+ "no suitable certificate found" ) );
return( -1 );
}
#endif /* MBEDTLS_X509_CRT_PARSE_C &&
@@ -448,6 +470,7 @@
#define SSL_CLIENT_HELLO_OK 0
#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
@@ -731,6 +754,21 @@
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
break;
+#if defined(MBEDTLS_SSL_ALPN)
+ case MBEDTLS_TLS_EXT_ALPN:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+
+ ret = mbedtls_ssl_parse_alpn_ext( ssl, p, extension_data_end );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret );
+ return( ret );
+ }
+ ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN;
+ break;
+#endif /* MBEDTLS_SSL_ALPN */
+
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
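Review bot: nothing in the new MBEDTLS_TLS_EXT_ALPN case rejects a ClientHello that carries the extension twice: the flag is simply OR-ed into extensions_present, so a second occurrence is re-parsed and overrides the first. RFC 8446 section 4.2 forbids more than one extension of a given type, so unless the switch already handles duplicates generically (not visible in this hunk), test `ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_ALPN` before calling mbedtls_ssl_parse_alpn_ext and fail the handshake with illegal_parameter if it is already set.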
@@ -774,6 +812,7 @@
/* Update the handshake state machine */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -820,6 +859,7 @@
* Main entry point from the state machine; orchestrates the otherfunctions.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
{
@@ -858,6 +898,7 @@
/*
* Handler for MBEDTLS_SSL_SERVER_HELLO
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -893,6 +934,7 @@
* ProtocolVersion selected_version;
* } SupportedVersions;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_server_hello_supported_versions_ext(
mbedtls_ssl_context *ssl,
unsigned char *buf,
@@ -930,6 +972,7 @@
/* Generate and export a single key share. For hybrid KEMs, this can
* be called multiple times with the different components of the hybrid. */
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
uint16_t named_group,
unsigned char *buf,
@@ -983,6 +1026,7 @@
* KeyShareEntry server_share;
* } KeyShareServerHello;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -1026,6 +1070,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -1073,7 +1118,7 @@
* - extension_data_length (2 bytes)
* - selected_group (2 bytes)
*/
- MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 6 );
+ MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
@@ -1101,6 +1146,7 @@
* Extension extensions<6..2^16-1>;
* } ServerHello;
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@@ -1227,6 +1273,7 @@
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1239,14 +1286,10 @@
return( ret );
}
- mbedtls_ssl_set_outbound_transform( ssl,
- ssl->handshake->transform_handshake );
- MBEDTLS_SSL_DEBUG_MSG(
- 3, ( "switching to handshake transform for outbound data" ) );
-
return( ret );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
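Review bot: with the outbound switch to transform_handshake removed, ssl_tls13_finalize_write_server_hello does nothing beyond returning the result of the one call above it; either fold it into the caller or add a comment saying that the switch now happens in ssl_tls13_write_encrypted_extensions (later in this patch), so that ServerHello, HelloRetryRequest and the dummy change_cipher_spec all go out under the initial transform.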
@@ -1273,7 +1316,16 @@
MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_server_hello( ssl ) );
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /* The server sends a dummy change_cipher_spec record immediately
+ * after its first handshake message. This may either be after
+ * a ServerHello or a HelloRetryRequest.
+ */
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO );
+#else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
cleanup:
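Review bot: the transition to MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO is unconditional, and ssl_tls13_write_hello_retry_request in this same patch also routes through a CCS state, so after an HRR round trip the server emits the dummy change_cipher_spec twice, once after the HelloRetryRequest and again after the ServerHello. RFC 8446 Appendix D.4 (quoted in the comment) has the server send it only after its first handshake message, so guard this branch with `ssl->handshake->hello_retry_request_count == 0` (or a "CCS already sent" flag on the handshake) and go straight to MBEDTLS_SSL_ENCRYPTED_EXTENSIONS otherwise; compliant peers drop the extra record, but it is still off-spec.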
@@ -1285,8 +1337,8 @@
/*
* Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
*/
-static int ssl_tls13_write_hello_retry_request_coordinate(
- mbedtls_ssl_context *ssl )
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ssl->handshake->hello_retry_request_count > 0 )
@@ -1312,6 +1364,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1320,7 +1373,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) );
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_hello_retry_request( ssl ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
@@ -1339,7 +1392,16 @@
ssl->handshake->hello_retry_request_count++;
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /* The server sends a dummy change_cipher_spec record immediately
+ * after its first handshake message. This may either be after
+ * a ServerHello or a HelloRetryRequest.
+ */
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST );
+#else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
@@ -1356,14 +1418,17 @@
* } EncryptedExtensions;
*
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *out_len )
{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = buf;
size_t extensions_len = 0;
unsigned char *p_extensions_len;
+ size_t output_len;
*out_len = 0;
@@ -1372,6 +1437,15 @@
p += 2;
((void) ssl);
+ ((void) ret);
+ ((void) output_len);
+
+#if defined(MBEDTLS_SSL_ALPN)
+ ret = mbedtls_ssl_write_alpn_ext( ssl, p, end, &output_len );
+ if( ret != 0 )
+ return( ret );
+ p += output_len;
+#endif /* MBEDTLS_SSL_ALPN */
extensions_len = ( p - p_extensions_len ) - 2;
MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 );
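Review bot: `((void) ret);` and `((void) output_len);` exist only to keep the non-ALPN build warning-free; declaring ret and output_len inside the `#if defined(MBEDTLS_SSL_ALPN)` block, or moving the casts into an `#else` branch, would be tidier than unconditional unused-variable casts at the top of the function.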
@@ -1383,12 +1457,18 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *buf;
size_t buf_len, msg_len;
+ mbedtls_ssl_set_outbound_transform( ssl,
+ ssl->handshake->transform_handshake );
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ( "switching to handshake transform for outbound data" ) );
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extensions" ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
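Review bot: the moved mbedtls_ssl_set_outbound_transform call and its level 3 message now sit before the "=> write encrypted extensions" entry line, so in a trace the transform switch appears to belong to the previous state; move both below that MBEDTLS_SSL_DEBUG_MSG. Doing the switch here rather than in finalize_write_server_hello is the right fix for compatibility mode, since the dummy change_cipher_spec must still be sent under the initial transform.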
@@ -1429,6 +1509,7 @@
* indicating if the writing of the CertificateRequest
* should be skipped or not.
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
{
int authmode;
@@ -1455,6 +1536,7 @@
* } CertificateRequest;
*
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
@@ -1501,6 +1583,7 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_certificate_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1548,6 +1631,7 @@
/*
* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1573,6 +1657,7 @@
/*
* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
{
int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
@@ -1586,6 +1671,7 @@
/*
* Handler for MBEDTLS_SSL_SERVER_FINISHED
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1603,31 +1689,29 @@
return( ret );
}
- if( ssl->handshake->certificate_request_sent )
- {
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
+ mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
- mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
- }
+ if( ssl->handshake->certificate_request_sent )
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ }
+
return( 0 );
}
/*
* Handler for MBEDTLS_SSL_CLIENT_FINISHED
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if( ! ssl->handshake->certificate_request_sent )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "Switch to handshake traffic keys for inbound traffic" ) );
- mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
- }
ret = mbedtls_ssl_tls13_process_finished_message( ssl );
if( ret != 0 )
return( ret );
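Review bot: switching inbound traffic to transform_handshake unconditionally in ssl_tls13_write_server_finished, and deleting the deferred switch in ssl_tls13_process_client_finished, removes the asymmetry that existed when no CertificateRequest was sent; good. Two points: "Switch to handshake keys for inbound traffic" is logged at level 1, which this file uses for errors (the "skip parse certificate" lines added alongside are level 2), so raise it to level 2 or 3; and the `if( ssl->handshake->certificate_request_sent )` branch has no braces while its `else` does, which reads oddly next to each other.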
@@ -1646,6 +1730,7 @@
/*
* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
*/
+MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
@@ -1719,6 +1804,23 @@
break;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+ /*
+ * Injection of dummy-CCS's for middlebox compatibility
+ */
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
+ if( ret == 0 )
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
+ break;
+
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
+ if( ret == 0 )
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
case MBEDTLS_SSL_SERVER_FINISHED:
ret = ssl_tls13_write_server_finished( ssl );
break;
@@ -1741,8 +1843,11 @@
ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
}
else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ }
}
break;
diff --git a/library/x509.c b/library/x509.c
index 2e11c7f..249034b 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -131,6 +131,48 @@
return( 0 );
}
+/*
+ * Convert md type to string
+ */
+static inline const char* md_type_to_string( mbedtls_md_type_t md_alg )
+{
+ switch( md_alg )
+ {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return( "MD5" );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return( "SHA1" );
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return( "SHA224" );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return( "SHA256" );
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return( "SHA384" );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return( "SHA512" );
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return( "RIPEMD160" );
+#endif
+ case MBEDTLS_MD_NONE:
+ return( NULL );
+ default:
+ return( NULL );
+ }
+}
+
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
/*
* HashAlgorithm ::= AlgorithmIdentifier
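Review bot: `case MBEDTLS_MD_NONE: return( NULL );` in md_type_to_string is redundant with the `default:` arm and can be dropped. The function duplicates the names that mbedtls_md_get_name already provides; the reason (the PSS-printing hunk below removes the mbedtls_md_info_from_type dependency from x509.c) should be stated in the comment above the function, otherwise a later contributor will "simplify" it back. The per-algorithm #if guards mean a certificate signed with a hash that is compiled out prints "???" rather than failing, which matches the previous behaviour.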
@@ -741,7 +783,7 @@
int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i, n;
+ size_t i, j, n;
unsigned char c, merge = 0;
const mbedtls_x509_name *name;
const char *short_name = NULL;
@@ -775,17 +817,24 @@
ret = mbedtls_snprintf( p, n, "\?\?=" );
MBEDTLS_X509_SAFE_SNPRINTF;
- for( i = 0; i < name->val.len; i++ )
+ for( i = 0, j = 0; i < name->val.len; i++, j++ )
{
- if( i >= sizeof( s ) - 1 )
- break;
+ if( j >= sizeof( s ) - 1 )
+ return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
c = name->val.p[i];
+ // Special characters requiring escaping, RFC 1779
+ if( c && strchr( ",=+<>#;\"\\", c ) )
+ {
+ if( j + 1 >= sizeof( s ) - 1 )
+ return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+ s[j++] = '\\';
+ }
if( c < 32 || c >= 127 )
- s[i] = '?';
- else s[i] = c;
+ s[j] = '?';
+ else s[j] = c;
}
- s[i] = '\0';
+ s[j] = '\0';
ret = mbedtls_snprintf( p, n, "%s", s );
MBEDTLS_X509_SAFE_SNPRINTF;
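Review bot: this is a visible behaviour change in two ways and needs a ChangeLog entry: an attribute value longer than `sizeof( s ) - 1` used to be silently truncated (the old `break`) and now makes mbedtls_x509_dn_gets() fail with MBEDTLS_ERR_X509_BUFFER_TOO_SMALL, and values containing any of `,=+<>#;"\` now come out longer than before. The bounds arithmetic itself checks out: `j + 1 >= sizeof( s ) - 1` leaves room for the backslash, the character and the final NUL. Two smaller points: the comment cites RFC 1779, which has been obsoleted (via RFC 2253) by RFC 4514, whose rule still escapes `"`, `+`, `,`, `;`, `<`, `>`, `\` and a leading `#` but does not require escaping `=`; and since the escaped form is presumably meant to be fed back into mbedtls_x509_string_to_names(), a round-trip test on the output (not only a print test on `server1.commas.crt`) would pin that down.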
@@ -855,16 +904,15 @@
if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
{
const mbedtls_pk_rsassa_pss_options *pss_opts;
- const mbedtls_md_info_t *md_info, *mgf_md_info;
pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
- md_info = mbedtls_md_info_from_type( md_alg );
- mgf_md_info = mbedtls_md_info_from_type( pss_opts->mgf1_hash_id );
+ const char *name = md_type_to_string( md_alg );
+ const char *mgf_name = md_type_to_string( pss_opts->mgf1_hash_id );
ret = mbedtls_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
- md_info ? mbedtls_md_get_name( md_info ) : "???",
- mgf_md_info ? mbedtls_md_get_name( mgf_md_info ) : "???",
+ name ? name : "???",
+ mgf_name ? mgf_name : "???",
(unsigned int) pss_opts->expected_salt_len );
MBEDTLS_X509_SAFE_SNPRINTF;
}
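Review bot: `const char *name` and `const char *mgf_name` are now declared after the `pss_opts = ...` statement, whereas the declarations this hunk removes sat at the top of the block with the other locals; move the two declarations up to keep the block in the style of the surrounding code. Otherwise the substitution is behaviour-preserving as long as md_type_to_string() returns the same strings that mbedtls_md_get_name() did, which should be stated in the function's comment.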
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 7288548..136e25b 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -166,6 +166,10 @@
goto exit;
}
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( fin, NULL );
+ mbedtls_setbuf( fout, NULL );
+
/*
* Read the Cipher and MD from the command line
*/
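Review bot: setbuf() only has defined behaviour if it is called before any read or write on the stream; here the calls sit directly after the open checks and before the first I/O, which is correct, but the comment should say "must be called before the first read/write" so that later edits do not move them. It is also worth recording (in the ChangeLog rather than here) that unbuffered stdio turns every fread()/fwrite() into a system call; acceptable for a demo, but anyone copying the pattern into bulk I/O code should know the cost.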
diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c
index cad875e..1303719 100644
--- a/programs/psa/key_ladder_demo.c
+++ b/programs/psa/key_ladder_demo.c
@@ -56,6 +56,7 @@
#include <stdio.h>
#include <string.h>
+#include "mbedtls/platform.h" // for mbedtls_setbuf
#include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
#include <psa/crypto.h>
@@ -177,6 +178,8 @@
key_data, sizeof( key_data ),
&key_size ) );
SYS_CHECK( ( key_file = fopen( output_file_name, "wb" ) ) != NULL );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( key_file, NULL );
SYS_CHECK( fwrite( key_data, 1, key_size, key_file ) == key_size );
SYS_CHECK( fclose( key_file ) == 0 );
key_file = NULL;
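Review bot: this hunk and the five that follow in this file add the same two lines after every fopen(); a small helper that opens the file and immediately calls mbedtls_setbuf( f, NULL ) (and returns NULL on failure so SYS_CHECK still works) would keep the six sites in sync and make the before-first-I/O ordering requirement of setbuf() impossible to get wrong. Also note in the comment that this only addresses the C library's buffer: the plaintext key still lives in `key_data`, which the program must wipe separately.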
@@ -231,6 +234,8 @@
unsigned char extra_byte;
SYS_CHECK( ( key_file = fopen( key_file_name, "rb" ) ) != NULL );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( key_file, NULL );
SYS_CHECK( ( key_size = fread( key_data, 1, sizeof( key_data ),
key_file ) ) != 0 );
if( fread( &extra_byte, 1, 1, key_file ) != 0 )
@@ -372,6 +377,8 @@
/* Find the size of the data to wrap. */
SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( input_file, NULL );
SYS_CHECK( fseek( input_file, 0, SEEK_END ) == 0 );
SYS_CHECK( ( input_position = ftell( input_file ) ) != -1 );
#if LONG_MAX > SIZE_MAX
@@ -418,6 +425,8 @@
/* Write the output. */
SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( output_file, NULL );
SYS_CHECK( fwrite( &header, 1, sizeof( header ),
output_file ) == sizeof( header ) );
SYS_CHECK( fwrite( buffer, 1, ciphertext_size,
@@ -453,6 +462,8 @@
/* Load and validate the header. */
SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( input_file, NULL );
SYS_CHECK( fread( &header, 1, sizeof( header ),
input_file ) == sizeof( header ) );
if( memcmp( &header.magic, WRAPPED_DATA_MAGIC,
@@ -509,6 +520,8 @@
/* Write the output. */
SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf( output_file, NULL );
SYS_CHECK( fwrite( buffer, 1, plaintext_size,
output_file ) == plaintext_size );
SYS_CHECK( fclose( output_file ) == 0 );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 97b786a..d6724df 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1534,7 +1534,19 @@
if( *p == ',' )
*p++ = '\0';
- if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
+ if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
+ }
+ else if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
}
@@ -1558,22 +1570,39 @@
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
}
- else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ else if( strcmp( q, "ed25519" ) == 0 )
{
- sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED25519;
+ }
+ else if( strcmp( q, "ed448" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED448;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1;
+ }
+ else if( strcmp( q, "ecdsa_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SHA1;
}
else
{
- mbedtls_printf( "unknown signature algorithm %s\n", q );
- mbedtls_printf( "supported signature algorithms: " );
- mbedtls_printf( "ecdsa_secp256r1_sha256 " );
- mbedtls_printf( "ecdsa_secp384r1_sha384 " );
- mbedtls_printf( "ecdsa_secp521r1_sha512 " );
- mbedtls_printf( "rsa_pss_rsae_sha256 " );
- mbedtls_printf( "rsa_pss_rsae_sha384 " );
- mbedtls_printf( "rsa_pss_rsae_sha512 " );
- mbedtls_printf( "rsa_pkcs1_sha256 " );
- mbedtls_printf( "\n" );
+ ret = -1;
+ mbedtls_printf( "unknown signature algorithm \"%s\"\n", q );
+ mbedtls_print_supported_sig_algs();
goto exit;
}
}
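Review bot: `rsa_pkcs1_sha1` and `ecdsa_sha1` are accepted without any warning, although RFC 8446 classes the SHA-1 schemes as legacy, forbids them in CertificateVerify and only allows them in signature_algorithms for backward compatibility and certificate signatures; `ed25519` and `ed448` are likewise accepted although nothing on this page shows the library being able to produce or verify such signatures. Since this option controls what the client advertises on the wire, either print a warning when one of these is selected or say in the usage text that they exist for interoperability testing only. Separately, `ret = -1; ... goto exit;` is a different failure path from the `goto usage` used for other bad option values; check that the exit path reports this as a failure in the same way.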
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 4251817..8e432bd 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -116,6 +116,7 @@
#define DFL_CID_VALUE_RENEGO NULL
#define DFL_AUTH_MODE -1
#define DFL_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
+#define DFL_CERT_REQ_DN_HINT 0
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
@@ -506,6 +507,7 @@
" options: none, optional, required\n" \
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \
" options: 1 (send ca list), 0 (don't send)\n" \
+ " 2 (send conf dn hint), 3 (send hs dn hint)\n" \
USAGE_IO \
USAGE_KEY_OPAQUE \
"\n" \
@@ -629,6 +631,7 @@
int allow_sha1; /* flag for SHA-1 support */
int auth_mode; /* verify mode for connection */
int cert_req_ca_list; /* should we send the CA list? */
+ int cert_req_dn_hint; /* mode to set DN hints for CA list to send */
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* accept truncated hmac? */
int tickets; /* enable / disable session tickets */
@@ -1597,6 +1600,7 @@
opt.allow_sha1 = DFL_SHA1;
opt.auth_mode = DFL_AUTH_MODE;
opt.cert_req_ca_list = DFL_CERT_REQ_CA_LIST;
+ opt.cert_req_dn_hint = DFL_CERT_REQ_DN_HINT;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
opt.tickets = DFL_TICKETS;
@@ -1923,8 +1927,13 @@
else if( strcmp( p, "cert_req_ca_list" ) == 0 )
{
opt.cert_req_ca_list = atoi( q );
- if( opt.cert_req_ca_list < 0 || opt.cert_req_ca_list > 1 )
+ if( opt.cert_req_ca_list < 0 || opt.cert_req_ca_list > 3 )
goto usage;
+ if( opt.cert_req_ca_list > 1 )
+ {
+ opt.cert_req_dn_hint = opt.cert_req_ca_list;
+ opt.cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
+ }
}
else if( strcmp( p, "max_frag_len" ) == 0 )
{
@@ -2370,7 +2379,19 @@
if( *p == ',' )
*p++ = '\0';
- if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
+ if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
+ }
+ else if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
}
@@ -2394,22 +2415,39 @@
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
}
- else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ else if( strcmp( q, "ed25519" ) == 0 )
{
- sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED25519;
+ }
+ else if( strcmp( q, "ed448" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED448;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1;
+ }
+ else if( strcmp( q, "ecdsa_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SHA1;
}
else
{
- mbedtls_printf( "unknown signature algorithm %s\n", q );
- mbedtls_printf( "supported signature algorithms: " );
- mbedtls_printf( "ecdsa_secp256r1_sha256 " );
- mbedtls_printf( "ecdsa_secp384r1_sha384 " );
- mbedtls_printf( "ecdsa_secp521r1_sha512 " );
- mbedtls_printf( "rsa_pss_rsae_sha256 " );
- mbedtls_printf( "rsa_pss_rsae_sha384 " );
- mbedtls_printf( "rsa_pss_rsae_sha512 " );
- mbedtls_printf( "rsa_pkcs1_sha256 " );
- mbedtls_printf( "\n" );
+ ret = -1;
+ mbedtls_printf( "unknown signature algorithm \"%s\"\n", q );
+ mbedtls_print_supported_sig_algs();
goto exit;
}
}
@@ -2732,6 +2770,16 @@
if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+ /* exercise setting DN hints for server certificate request
+ * (Intended for use where the client cert expected has been signed by
+ * a specific CA which is an intermediate in a CA chain, not the root) */
+ if( opt.cert_req_dn_hint == 2 && key_cert_init2 )
+ mbedtls_ssl_conf_dn_hints( &conf, &srvcert2 );
+#endif
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );
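Review bot: when `cert_req_ca_list=2` is given but no second certificate was loaded (`key_cert_init2` false), the hint is silently not configured and the handshake proceeds with the default CA list, so a test relying on the hint would pass for the wrong reason; print a message (or fail) in that case. Minor: the two nested `#if defined(...)` guards can be a single `#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)`, and the comment should say what is actually sent (presumably the subject DN of `srvcert2`, posing as the issuer the client should pick its certificate by).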
@@ -3332,6 +3380,20 @@
}
#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+ /* exercise setting DN hints for server certificate request
+ * (Intended for use where the client cert expected has been signed by
+ * a specific CA which is an intermediate in a CA chain, not the root)
+ * (Additionally, the CA choice would typically be influenced by SNI
+ * if being set per-handshake using mbedtls_ssl_set_hs_dn_hints()) */
+ if( opt.cert_req_dn_hint == 3 && key_cert_init2 )
+ mbedtls_ssl_set_hs_dn_hints( &ssl, &srvcert2 );
+#endif
+#endif
+#endif
+
mbedtls_printf( " ok\n" );
/*
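Review bot: `cert_req_ca_list=3` is accepted at runtime (the option parser allows values up to 3) but the only code acting on it is inside `#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)`, so in a build without SNI the mode degrades to the plain CA list without any indication; either reject the value when the feature is compiled out or print a message here. The comment's point that the per-handshake variant is the one to use when the CA choice depends on SNI is useful and should also appear in the usage text for values 2 and 3, which currently just say "conf dn hint" and "hs dn hint".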
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 0e66895..8c35fab 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -101,6 +101,10 @@
goto exit;
}
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be
+ * wiped. */
+ mbedtls_setbuf( f, NULL );
+
if( fwrite( nss_keylog_line, 1, len, f ) != len )
{
fclose( f );
@@ -263,12 +267,32 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/*
+ * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
+ * declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
+ * `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
+ * the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
+ * for its signature in the key exchange message. As Mbed TLS 1.2 does not
+ * support them, the handshake fails.
+ */
+#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
+ (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA), \
+ ( 0x800 | hash ),
+#else
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
(( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
+#endif
#elif defined(MBEDTLS_ECDSA_C)
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA),
#elif defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* See above */
+#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA), \
+ ( 0x800 | hash ),
+#else
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
+#endif
#else
#define MBEDTLS_SSL_SIG_ALG( hash )
#endif
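Review bot: `( 0x800 | hash )` only produces a registered SignatureScheme for hash = SHA256/SHA384/SHA512 (0x0804, 0x0805, 0x0806, the rsa_pss_rsae_* values); the macro is also expanded for MBEDTLS_SSL_HASH_SHA224 and MBEDTLS_SSL_HASH_SHA1 lower in this file, which puts 0x0803 and 0x0802 into the list, and those are unassigned codepoints that will be sent on the wire in signature_algorithms. Either add the PSS entries with their named constants (MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 and friends) only next to the SHA256/384/512 expansions, or give the TLS 1.3 variant of MBEDTLS_SSL_SIG_ALG a second parameter carrying the constant. Also in the comment: "Openssl" should be "OpenSSL", and "As Mbed TLS 1.2 does not support them" should read "as Mbed TLS in TLS 1.2 mode does not support them".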
@@ -285,6 +309,9 @@
#if defined(MBEDTLS_SHA224_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA224 )
#endif
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA1_C)
/* Allow SHA-1 as we use it extensively in tests. */
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA1 )
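Review bot: this unconditional `MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256` entry overlaps with the TLS 1.3 form of the macro just above, which already emits 0x0804 from the SHA256 expansion, so in a TLS 1.3-enabled build the value appears twice in the list; and in a TLS 1.2-only build it advertises rsa_pss_rsae_sha256 even though the comment above says Mbed TLS in TLS 1.2 mode cannot use it, which reintroduces exactly the GnuTLS/OpenSSL server-side selection problem the comment describes. Either guard it with MBEDTLS_SSL_PROTO_TLS1_3 or drop it in favour of the macro-generated entry.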
@@ -330,3 +357,25 @@
#endif /* MBEDTLS_X509_REMOVE_INFO */
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_print_supported_sig_algs( void )
+{
+ mbedtls_printf( "supported signature algorithms:\n" );
+ mbedtls_printf("\trsa_pkcs1_sha256 ");
+ mbedtls_printf("rsa_pkcs1_sha384 ");
+ mbedtls_printf("rsa_pkcs1_sha512\n");
+ mbedtls_printf("\tecdsa_secp256r1_sha256 ");
+ mbedtls_printf("ecdsa_secp384r1_sha384 ");
+ mbedtls_printf("ecdsa_secp521r1_sha512\n");
+ mbedtls_printf("\trsa_pss_rsae_sha256 ");
+ mbedtls_printf("rsa_pss_rsae_sha384 ");
+ mbedtls_printf("rsa_pss_rsae_sha512\n");
+ mbedtls_printf("\trsa_pss_pss_sha256 ");
+ mbedtls_printf("rsa_pss_pss_sha384 ");
+ mbedtls_printf("rsa_pss_pss_sha512\n");
+ mbedtls_printf("\ted25519 ");
+ mbedtls_printf("ed448 ");
+ mbedtls_printf("rsa_pkcs1_sha1 ");
+ mbedtls_printf("ecdsa_sha1\n");
+ mbedtls_printf( "\n" );
+}
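Review bot: this is a third hand-maintained copy of the signature-algorithm names (the other two are the strcmp chains in ssl_client2.c and ssl_server2.c), so a name added to one parser but not here will be accepted yet not listed, and vice versa; a single static table of { name, MBEDTLS_TLS1_3_SIG_* } used by both the parsers and this printer would remove the drift. While here: the `mbedtls_printf("...")` calls without inner spaces do not match the `mbedtls_printf( "..." )` style of the first and last lines of the function, and the SHA-1 entries should be marked as legacy in the output.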
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index 03349ba..c368f57 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -34,6 +34,7 @@
#define mbedtls_printf printf
#define mbedtls_fprintf fprintf
#define mbedtls_snprintf snprintf
+#define mbedtls_setbuf setbuf
#define mbedtls_exit exit
#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index a314bd2..ab337a2 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -84,7 +84,6 @@
void *empty2 = mbedtls_calloc( 0, 1 );
void *buffer1 = mbedtls_calloc( 1, 1 );
void *buffer2 = mbedtls_calloc( 1, 1 );
- uintptr_t old_buffer1;
if( empty1 == NULL && empty2 == NULL )
{
@@ -126,7 +125,6 @@
mbedtls_printf( " CALLOC(1): passed\n" );
}
- old_buffer1 = (uintptr_t) buffer1;
mbedtls_free( buffer1 );
buffer1 = mbedtls_calloc( 1, 1 );
if( buffer1 == NULL )
@@ -138,9 +136,7 @@
else
{
if( verbose )
- mbedtls_printf( " CALLOC(1 again): passed (%s address)\n",
- (uintptr_t) old_buffer1 == (uintptr_t) buffer1 ?
- "same" : "different" );
+ mbedtls_printf( " CALLOC(1 again): passed\n" );
}
if( verbose )
diff --git a/scripts/abi_check.py b/scripts/abi_check.py
index f11cdf2..c228843 100755
--- a/scripts/abi_check.py
+++ b/scripts/abi_check.py
@@ -1,9 +1,10 @@
#!/usr/bin/env python3
-"""
-This script compares the interfaces of two versions of Mbed TLS, looking
+"""This script compares the interfaces of two versions of Mbed TLS, looking
for backward incompatibilities between two different Git revisions within
an Mbed TLS repository. It must be run from the root of a Git working tree.
+### How the script works ###
+
For the source (API) and runtime (ABI) interface compatibility, this script
is a small wrapper around the abi-compliance-checker and abi-dumper tools,
applying them to compare the header and library files.
@@ -20,7 +21,66 @@
Returns 0 on success, 1 on non-compliance, and 2 if there is an error
while running the script.
-You must run this test from an Mbed TLS root.
+### How to interpret non-compliance ###
+
+This script has relatively common false positives. In many scenarios, it only
+reports a pass if there is a strict textual match between the old version and
+the new version, and it reports problems where there is a sufficient semantic
+match but not a textual match. This section lists some common false positives.
+This is not an exhaustive list: in the end what matters is whether we are
+breaking a backward compatibility goal.
+
+**API**: the goal is that if an application works with the old version of the
+library, it can be recompiled against the new version and will still work.
+This is normally validated by comparing the declarations in `include/*/*.h`.
+A failure is a declaration that has disappeared or that now has a different
+type.
+
+ * It's ok to change or remove macros and functions that are documented as
+ for internal use only or as experimental.
+ * It's ok to rename function or macro parameters as long as the semantics
+ has not changed.
+ * It's ok to change or remove structure fields that are documented as
+ private.
+ * It's ok to add fields to a structure that already had private fields
+ or was documented as extensible.
+
+**ABI**: the goal is that if an application was built against the old version
+of the library, the same binary will work when linked against the new version.
+This is normally validated by comparing the symbols exported by `libmbed*.so`.
+A failure is a symbol that is no longer exported by the same library or that
+now has a different type.
+
+ * All ABI changes are acceptable if the library version is bumped
+ (see `scripts/bump_version.sh`).
+ * ABI changes that concern functions which are declared only inside the
+ library directory, and not in `include/*/*.h`, are acceptable only if
+ the function was only ever used inside the same library (libmbedcrypto,
+ libmbedx509, libmbedtls). As a counter example, if the old version
+ of libmbedtls calls mbedtls_foo() from libmbedcrypto, and the new version
+ of libmbedcrypto no longer has a compatible mbedtls_foo(), this does
+ require a version bump for libmbedcrypto.
+
+**Storage format**: the goal is to check that persistent keys stored by the
+old version can be read by the new version. This is normally validated by
+comparing the `*read*` test cases in `test_suite*storage_format*.data`.
+A failure is a storage read test case that is no longer present with the same
+function name and parameter list.
+
+ * It's ok if the same test data is present, but its presentation has changed,
+ for example if a test function is renamed or has different parameters.
+ * It's ok if redundant tests are removed.
+
+**Generated test coverage**: the goal is to check that automatically
+generated tests have as much coverage as before. This is normally validated
+by comparing the test cases that are automatically generated by a script.
+A failure is a generated test case that is no longer present with the same
+function name and parameter list.
+
+ * It's ok if the same test data is present, but its presentation has changed,
+ for example if a test function is renamed or has different parameters.
+ * It's ok if redundant tests are removed.
+
"""
# Copyright The Mbed TLS Contributors
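Review bot: the ABI bullet "All ABI changes are acceptable if the library version is bumped" should say which version: it is the shared-library SOVERSION of the affected library (what `scripts/bump_version.sh` sets with its so-version options), not the release number, that makes an incompatible symbol change acceptable, and the following bullet about cross-library calls only makes sense with that reading. Also worth adding one line on what the reader should do with a reported failure that matches one of the listed false positives (record the justification in the PR, since the script cannot be told to ignore it).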
diff --git a/scripts/assemble_changelog.py b/scripts/assemble_changelog.py
index 7b036aa..f3aca70 100755
--- a/scripts/assemble_changelog.py
+++ b/scripts/assemble_changelog.py
@@ -122,7 +122,7 @@
class TextChangelogFormat(ChangelogFormat):
"""The traditional Mbed TLS changelog format."""
- _unreleased_version_text = '= mbed TLS x.x.x branch released xxxx-xx-xx'
+ _unreleased_version_text = '= Mbed TLS x.x.x branch released xxxx-xx-xx'
@classmethod
def is_released_version(cls, title):
# Look for an incomplete release date
diff --git a/scripts/config.py b/scripts/config.py
index 356b998..f045f98 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -324,6 +324,9 @@
return adapter(name, active, section)
return continuation
+DEPRECATED = frozenset([
+ 'MBEDTLS_PSA_CRYPTO_SE_C',
+])
def no_deprecated_adapter(adapter):
"""Modify an adapter to disable deprecated symbols.
@@ -334,6 +337,8 @@
def continuation(name, active, section):
if name == 'MBEDTLS_DEPRECATED_REMOVED':
return True
+ if name in DEPRECATED:
+ return False
if adapter is None:
return active
return adapter(name, active, section)
diff --git a/scripts/generate_ssl_debug_helpers.py b/scripts/generate_ssl_debug_helpers.py
index 959cbbc..3127afc 100755
--- a/scripts/generate_ssl_debug_helpers.py
+++ b/scripts/generate_ssl_debug_helpers.py
@@ -276,10 +276,9 @@
translation_table = []
for m in self._definitions:
name = m.groupdict()['name']
+ return_val = name[len('MBEDTLS_TLS1_3_SIG_'):].lower()
translation_table.append(
- '\tcase {}:\n\t return "{}";'.format(name,
- name[len('MBEDTLS_TLS1_3_SIG_'):].lower())
- )
+ ' case {}:\n return "{}";'.format(name, return_val))
body = textwrap.dedent('''\
const char *mbedtls_ssl_sig_alg_to_str( uint16_t in )
@@ -337,7 +336,7 @@
for m in self._definitions:
name = m.groupdict()['name']
iana_name = name[len('MBEDTLS_SSL_IANA_TLS_GROUP_'):].lower()
- translation_table.append('\tcase {}:\n\t return "{}";'.format(name, iana_name))
+ translation_table.append(' case {}:\n return "{}";'.format(name, iana_name))
body = textwrap.dedent('''\
const char *mbedtls_ssl_named_group_to_str( uint16_t in )
diff --git a/scripts/mbedtls_dev/psa_storage.py b/scripts/mbedtls_dev/psa_storage.py
index 45f0380..a06dce1 100644
--- a/scripts/mbedtls_dev/psa_storage.py
+++ b/scripts/mbedtls_dev/psa_storage.py
@@ -1,4 +1,9 @@
"""Knowledge about the PSA key store as implemented in Mbed TLS.
+
+Note that if you need to make a change that affects how keys are
+stored, this may indicate that the key store is changing in a
+backward-incompatible way! Think carefully about backward compatibility
+before changing how test data is constructed or validated.
"""
# Copyright The Mbed TLS Contributors
@@ -146,6 +151,11 @@
This is the content of the PSA storage file. When PSA storage is
implemented over stdio files, this does not include any wrapping made
by the PSA-storage-over-stdio-file implementation.
+
+ Note that if you need to make a change in this function,
+ this may indicate that the key store is changing in a
+ backward-incompatible way! Think carefully about backward
+ compatibility before making any change here.
"""
header = self.MAGIC + self.pack('L', self.version)
if self.version == 0:
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index c0ad9b0..6187d17 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -909,6 +909,10 @@
$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1
all_final += server1.req.cert_type_empty
+server1.req.commas.sha256: server1.key
+ $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL\, Commas,CN=PolarSSL Server 1" md=SHA256
+all_final += server1.req.commas.sha256
+
# server2*
server2_pwd_ec = PolarSSLTest
@@ -966,7 +970,9 @@
$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
server1.der: server1.crt
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server1.crt server1.noauthid.crt server1.crt.der
+server1.commas.crt: server1.key server1.req.commas.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.req.commas.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
+all_final += server1.crt server1.noauthid.crt server1.crt.der server1.commas.crt
server1.key_usage.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
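Review bot: the new `server1.commas.crt` rule passes both `version=1` and `version=3` on the same command line (copied from the `server1.key_usage.crt` rule below, which has the same duplication); only one of them can take effect, so drop `version=1` from the new rule rather than propagating the pattern. The request rule relies on `\,` inside `subject_name` being accepted by the CSR program's DN parser; add the expected printed subject ("O=PolarSSL\, Commas") to the test that consumes this certificate so the Makefile and the x509 escaping change are tied together.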
diff --git a/tests/data_files/server1.commas.crt b/tests/data_files/server1.commas.crt
new file mode 100644
index 0000000..5acd255
--- /dev/null
+++ b/tests/data_files/server1.commas.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.req.commas.sha256 b/tests/data_files/server1.req.commas.sha256
new file mode 100644
index 0000000..0287a31
--- /dev/null
+++ b/tests/data_files/server1.req.commas.sha256
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h
index 927009a..8052a85 100644
--- a/tests/include/test/drivers/crypto_config_test_driver_extension.h
+++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h
@@ -190,6 +190,8 @@
#define MBEDTLS_PSA_ACCEL_ALG_ECDH 1
#define MBEDTLS_PSA_ACCEL_ALG_GCM 1
#define MBEDTLS_PSA_ACCEL_ALG_HKDF 1
+#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT 1
+#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND 1
#define MBEDTLS_PSA_ACCEL_ALG_HMAC 1
#define MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP 1
#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT 1
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 6144c2f..458fe8f 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2253,6 +2253,7 @@
scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
+ scripts/config.py unset MBEDTLS_PLATFORM_SETBUF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_FS_IO
@@ -2904,6 +2905,18 @@
if_build_succeeded tests/ssl-opt.sh
}
+component_test_tls13_only_with_hooks () {
+ msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 and MBEDTLS_TEST_HOOKS, without MBEDTLS_SSL_PROTO_TLS1_2"
+ scripts/config.py set MBEDTLS_TEST_HOOKS
+ make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
+
+ msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without MBEDTLS_SSL_PROTO_TLS1_2"
+ if_build_succeeded make test
+
+ msg "ssl-opt.sh (TLS 1.3)"
+ if_build_succeeded tests/ssl-opt.sh
+}
+
component_test_tls13 () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
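Review bot: the "test:" and "ssl-opt.sh (TLS 1.3)" messages in component_test_tls13_only_with_hooks are identical to the ones a TLS 1.3-only component without hooks would print, so in CI logs the two runs cannot be told apart; include "MBEDTLS_TEST_HOOKS" in all three `msg` lines as the build message already does. Also, since MBEDTLS_SSL_PROTO_TLS1_2 is being removed via the user config file rather than config.py, the message should say "via tests/configs/tls13-only.h" so that someone reproducing the failure knows where the configuration comes from.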
diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c
index d1650f1..3705bc5 100644
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@@ -623,10 +623,11 @@
psa_algorithm_t alg )
{
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
- unsigned char input[1];
+ unsigned char input[1] = { 0 };
unsigned char output[1];
int ok = 0;
psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg );
+ psa_status_t expected_key_agreement_status = PSA_SUCCESS;
if( usage & PSA_KEY_USAGE_DERIVE )
{
@@ -641,7 +642,32 @@
input, sizeof( input ) ) );
}
- PSA_ASSERT( mbedtls_test_psa_key_agreement_with_self( &operation, key ) );
+ if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) )
+ {
+ PSA_ASSERT( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_SALT,
+ input, sizeof( input ) ) );
+ }
+
+ /* For HKDF_EXPAND input secret may fail as secret size may not match
+ to expected PRK size. In practice it means that key bits must match
+ hash length. Otherwise test should fail with INVALID_ARGUMENT. */
+ if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
+ {
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
+ size_t key_bits = psa_get_key_bits( &attributes );
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
+
+ if( PSA_BITS_TO_BYTES( key_bits ) != PSA_HASH_LENGTH( hash_alg ) )
+ expected_key_agreement_status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ TEST_EQUAL( mbedtls_test_psa_key_agreement_with_self( &operation, key ),
+ expected_key_agreement_status );
+
+ if( expected_key_agreement_status != PSA_SUCCESS )
+ return( 1 );
if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
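Review bot: the HKDF_EXPAND branch calls psa_get_key_attributes() but never psa_reset_key_attributes( &attributes ); the PSA API requires the reset to release any resources the attributes may hold, so add it right after psa_get_key_bits(). The early `return( 1 );` after the expected INVALID_ARGUMENT also bypasses whatever cleanup the function does for `operation` at its exit (the `int ok = 0;` pattern suggests an `exit:` label with psa_key_derivation_abort()); prefer `ok = 1; goto exit;` so the operation is aborted on this path too. Minor: `size_t key_bits` and `psa_algorithm_t hash_alg` are declared after a statement, unlike the locals at the top of the function, and the comment should read "the secret input may fail because the secret size does not match the expected PRK size".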
@@ -650,7 +676,7 @@
&operation, PSA_KEY_DERIVATION_INPUT_LABEL,
input, sizeof( input ) ) );
}
- else if( PSA_ALG_IS_HKDF( kdf_alg ) )
+ else if( PSA_ALG_IS_HKDF( kdf_alg ) || PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
{
PSA_ASSERT( psa_key_derivation_input_bytes(
&operation, PSA_KEY_DERIVATION_INPUT_INFO,
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f507a32..80b7806 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1702,11 +1702,11 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-ECDHE-ECDSA Opaque key for client authentication" \
+run_test "Opaque key for client authentication: ECDHE-ECDSA" \
"$P_SRV auth_mode=required crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
"$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key" \
+ key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-ECDHE-ECDSA" \
@@ -1722,11 +1722,11 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-ECDHE-RSA Opaque key for client authentication" \
+run_test "Opaque key for client authentication: ECDHE-RSA" \
"$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-ECDHE-RSA" \
@@ -1740,11 +1740,12 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-DHE-RSA Opaque key for client authentication" \
+run_test "Opaque key for client authentication: DHE-RSA" \
"$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+ key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-DHE-RSA" \
@@ -1753,47 +1754,16 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-requires_config_enabled MBEDTLS_RSA_C
-run_test "RSA opaque key on server configured for decryption" \
- "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none" \
- "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
- 0 \
- -c "Verifying peer X.509 certificate... ok" \
- -c "Ciphersuite is TLS-RSA-" \
- -s "key types: Opaque, Opaque" \
- -s "Ciphersuite is TLS-RSA-" \
- -S "error" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-requires_config_enabled MBEDTLS_RSA_C
-run_test "RSA-PSK opaque key on server configured for decryption" \
- "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none \
- psk=abc123 psk_identity=foo" \
- "$P_CLI force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
- psk=abc123 psk_identity=foo" \
- 0 \
- -c "Verifying peer X.509 certificate... ok" \
- -c "Ciphersuite is TLS-RSA-PSK-" \
- -s "key types: Opaque, Opaque" \
- -s "Ciphersuite is TLS-RSA-PSK-" \
- -S "error" \
- -C "error"
-
# Test using an EC opaque private key for server authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-ECDHE-ECDSA Opaque key for server authentication" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key" \
- "$P_CLI crt_file=data_files/server5.crt \
- key_file=data_files/server5.key" \
+run_test "Opaque key for server authentication: ECDHE-ECDSA" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
+ key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
+ "$P_CLI" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-ECDHE-ECDSA" \
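Review bot: the two tests deleted at the top of this hunk ("RSA opaque key on server configured for decryption" and "RSA-PSK opaque key on server configured for decryption") come back later in this file as "Opaque key for server authentication: RSA-PSK" and "... RSA-", but the re-added RSA- variant changes `debug_level=1` to `debug_level=3` and the forced suite from `TLS-RSA-WITH-AES-128-CBC-SHA256` to `TLS-RSA-WITH-AES-256-CBC-SHA256`. If those changes are intentional, say so in the commit message; otherwise keep the original parameters so the move reads as a pure rename. Dropping `auth_mode=required` and the client certificate from the ECDHE-ECDSA server test is consistent with its title (server authentication only), and the client/server variant further down still covers mutual authentication.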
@@ -1807,10 +1777,10 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "Opaque key for server authentication (ECDH-)" \
+run_test "Opaque key for server authentication: ECDH-" \
"$P_SRV force_version=tls12 auth_mode=required key_opaque=1\
crt_file=data_files/server5.ku-ka.crt\
- key_file=data_files/server5.key" \
+ key_file=data_files/server5.key key_opaque_algs=ecdh,none" \
"$P_CLI" \
0 \
-c "Verifying peer X.509 certificate... ok" \
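Review bot: the context lines `key_opaque=1\` and `crt_file=data_files/server5.ku-ka.crt\` have no space before the backslash, so inside the double-quoted argument the separation between `key_opaque=1` and `crt_file=...` depends entirely on the leading indentation of the following line; since this hunk is already touching the `key_file=` line of that string, add a space before each backslash, as the other tests in this file do (`server5.crt \`), so the argument list survives a re-indent.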
@@ -1820,6 +1790,120 @@
-S "error" \
-C "error"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
+ key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \
+ debug_level=1" \
+ "$P_CLI" \
+ 1 \
+ -s "key types: Opaque, none" \
+ -s "got ciphersuites in common, but none of them usable" \
+ -s "error" \
+ -c "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key key_opaque_algs=ecdh,none \
+ debug_level=1" \
+ "$P_CLI" \
+ 1 \
+ -s "key types: Opaque, none" \
+ -s "got ciphersuites in common, but none of them usable" \
+ -s "error" \
+ -c "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_CCM_C
+run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
+ key_file=data_files/server5.key key_opaque_algs=ecdh,none \
+ debug_level=1" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
+ 1 \
+ -s "key types: Opaque, none" \
+ -s "got ciphersuites in common, but none of them usable" \
+ -s "error" \
+ -c "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+run_test "Opaque keys for server authentication: EC keys with different algs, force ECDHE-ECDSA" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server7.crt \
+ key_file=data_files/server7.key key_opaque_algs=ecdh,none \
+ crt_file2=data_files/server5.crt key_file2=data_files/server5.key \
+ key_opaque_algs2=ecdsa-sign,none" \
+ "$P_CLI" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-ECDHE-ECDSA" \
+ -c "CN=Polarssl Test EC CA" \
+ -s "key types: Opaque, Opaque" \
+ -s "Ciphersuite is TLS-ECDHE-ECDSA" \
+ -S "error" \
+ -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA384_C
+requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server7.crt \
+ key_file=data_files/server7.key key_opaque_algs=ecdsa-sign,none \
+ crt_file2=data_files/server5.crt key_file2=data_files/server5.key \
+ key_opaque_algs2=ecdh,none debug_level=3" \
+ "$P_CLI force_ciphersuite=TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-ECDH-ECDSA" \
+ -c "CN=Polarssl Test EC CA" \
+ -s "key types: Opaque, Opaque" \
+ -s "Ciphersuite is TLS-ECDH-ECDSA" \
+ -S "error" \
+ -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA384_C
+requires_config_enabled MBEDTLS_CCM_C
+requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
+ key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none \
+ crt_file2=data_files/server2-sha256.crt \
+ key_file2=data_files/server2.key key_opaque_algs2=rsa-sign-pkcs1,none" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-ECDHE-ECDSA" \
+ -c "CN=Polarssl Test EC CA" \
+ -s "key types: Opaque, Opaque" \
+ -s "Ciphersuite is TLS-ECDHE-ECDSA" \
+ -S "error" \
+ -C "error"
+
# Test using a RSA opaque private key for server authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
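Review bot: in "Opaque keys for server authentication: EC keys with different algs, force ECDHE-ECDSA" the client is a bare `$P_CLI` with no `force_ciphersuite`, so nothing forces ECDHE-ECDSA; the test passes only because that is the client's default preference, unlike its sibling "force ECDH-ECDSA", which does pass `force_ciphersuite=TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384`. Either add a `force_ciphersuite=` to the client or drop "force" from the title. The `debug_level=3` on the server line of that ECDH-ECDSA test also looks like a debugging leftover: the rest of this block uses `debug_level=1` or none, and none of its assertions need level-3 output. The three "invalid alg" tests are a useful fail-closed check: a key restricted to `rsa-decrypt` or `ecdh` must not be selected for a signature-based key exchange, and expecting `got ciphersuites in common, but none of them usable` with exit code 1 confirms the server refuses rather than silently using the key for an operation it was not provisioned for.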
@@ -1827,11 +1911,10 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-ECDHE-RSA Opaque key for server authentication" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
- "$P_CLI crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
+run_test "Opaque key for server authentication: ECDHE-RSA" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_CLI" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-ECDHE-RSA" \
@@ -1846,11 +1929,10 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-DHE-RSA Opaque key for server authentication" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
- "$P_CLI crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+run_test "Opaque key for server authentication: DHE-RSA" \
+ "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-DHE-RSA" \
@@ -1859,17 +1941,113 @@
-S "error" \
-C "error"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+run_test "Opaque key for server authentication: RSA-PSK" \
+ "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none \
+ psk=abc123 psk_identity=foo" \
+ "$P_CLI force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
+ psk=abc123 psk_identity=foo" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-RSA-PSK-" \
+ -s "key types: Opaque, Opaque" \
+ -s "Ciphersuite is TLS-RSA-PSK-" \
+ -S "error" \
+ -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+run_test "Opaque key for server authentication: RSA-" \
+ "$P_SRV debug_level=3 key_opaque=1 key_opaque_algs=rsa-decrypt,none " \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA256" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-RSA-" \
+ -s "key types: Opaque, Opaque" \
+ -s "Ciphersuite is TLS-RSA-" \
+ -S "error" \
+ -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1" \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \
+ "$P_CLI crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ 1 \
+ -s "key types: Opaque, none" \
+ -s "got ciphersuites in common, but none of them usable" \
+ -s "error" \
+ -c "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+run_test "Opaque keys for server authentication: RSA keys with different algs" \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none \
+ crt_file2=data_files/server4.crt \
+ key_file2=data_files/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
+ "$P_CLI" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-ECDHE-RSA" \
+ -c "CN=Polarssl Test EC CA" \
+ -s "key types: Opaque, Opaque" \
+ -s "Ciphersuite is TLS-ECDHE-RSA" \
+ -S "error" \
+ -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SHA384_C
+requires_config_enabled MBEDTLS_GCM_C
+requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
+ key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none \
+ crt_file2=data_files/server4.crt \
+ key_file2=data_files/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
+ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -c "Verifying peer X.509 certificate... ok" \
+ -c "Ciphersuite is TLS-DHE-RSA" \
+ -c "CN=Polarssl Test EC CA" \
+ -s "key types: Opaque, Opaque" \
+ -s "Ciphersuite is TLS-DHE-RSA" \
+ -S "error" \
+ -C "error"
+
# Test using an EC opaque private key for client/server authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-ECDHE-ECDSA Opaque key for client/server authentication" \
+run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key" \
+ key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
"$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key" \
+ key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
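Review bot: in "Opaque key for server authentication: RSA-" the server argument string ends with a stray space before the closing quote (`rsa-decrypt,none "`), and it uses `debug_level=3` where the RSA-PSK test beside it uses `debug_level=1`; tidy both. In "RSA keys with different algs" the `-c "CN=Polarssl Test EC CA"` line is the only assertion that proves the server fell through to the second certificate (`server4.crt`, the one whose chain contains the EC CA) instead of the PSS-only first key; a one-line comment saying so would stop it being removed later as an apparent copy-paste from the EC tests. The "DHE-RSA, PSS instead of PKCS1" case is a good negative test: a key limited to `rsa-sign-pss` cannot produce the PKCS#1 v1.5 signature the TLS 1.2 ServerKeyExchange path asks for, and expecting `none of them usable` with exit 1 confirms the server rejects the key rather than signing with a scheme the client did not negotiate.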
@@ -1887,11 +2065,11 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-ECDHE-RSA Opaque key for client/server authentication" \
+run_test "Opaque key for client/server authentication: ECDHE-RSA" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
@@ -1908,11 +2086,12 @@
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
-run_test "TLS-DHE-RSA Opaque key for client/server authentication" \
+run_test "Opaque key for client/server authentication: DHE-RSA" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none \
+ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
@@ -1923,6 +2102,7 @@
-S "error" \
-C "error"
+
# Test ciphersuites which we expect to be fully supported by PSA Crypto
# and check that we don't fall back to Mbed TLS' internal crypto primitives.
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
@@ -3656,6 +3836,29 @@
-C "parse new session ticket" \
-c "a session has been resumed"
+# Tests for Session resume and extensions
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
+run_test "Session resume and connection ID" \
+ "$P_SRV debug_level=3 cid=1 cid_val=dead dtls=1 tickets=0" \
+ "$P_CLI debug_level=3 cid=1 cid_val=beef dtls=1 tickets=0 reconnect=1" \
+ 0 \
+ -c "Enable use of CID extension." \
+ -s "Enable use of CID extension." \
+ -c "client hello, adding CID extension" \
+ -s "found CID extension" \
+ -s "Use of CID extension negotiated" \
+ -s "server hello, adding CID extension" \
+ -c "found CID extension" \
+ -c "Use of CID extension negotiated" \
+ -s "Copy CIDs into SSL transform" \
+ -c "Copy CIDs into SSL transform" \
+ -c "Peer CID (length 2 Bytes): de ad" \
+ -s "Peer CID (length 2 Bytes): be ef" \
+ -s "Use of Connection ID has been negotiated" \
+ -c "Use of Connection ID has been negotiated"
+
# Tests for Session Resume based on session-ID and cache, DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
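Review bot: the "Session resume and connection ID" test never asserts that the second connection actually resumed; with `reconnect=1` and `tickets=0` the client should resume from the server's session cache, but every check here is about the CID extension, so a regression that silently fell back to a full handshake (with CID still negotiated) would pass. Add `-c "a session has been resumed"`, as the ticket test just above this hunk does, so the test covers the interaction in its title and not only CID negotiation.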
@@ -4747,7 +4950,6 @@
# Tests for auth_mode, there are duplicated tests using ca callback for authentication
# When updating these tests, modify the matching authentication tests accordingly
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server badcert, client required" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
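Review bot: removing `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2` from the auth_mode tests in this and the following hunks means they now also run in TLS 1.3-only builds, so every debug string they match must be emitted on both handshake paths; the later hunk that rewrites `client has no certificate` to `peer has no certificate` suggests the messages were aligned for exactly that reason, and a sentence in the commit message saying these tests are now protocol-agnostic would help future reviewers. The header comment at the top of this hunk says the tests are duplicated for the CA-callback variant; make sure the same guard removal was applied there.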
@@ -4781,7 +4983,6 @@
-C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server goodcert, client required, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@@ -4852,7 +5053,6 @@
-c "Supported Signature Algorithm found: 4," \
-c "Supported Signature Algorithm found: 5,"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client has no cert, server required (TLS)" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=none \
@@ -4864,12 +5064,10 @@
-c "= write certificate$" \
-C "skip write certificate$" \
-S "x509_verify_cert() returned" \
- -s "client has no certificate" \
+ -s "peer has no certificate" \
-s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
-s "No client certification received from the client, but required by the authentication mode"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client badcert, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
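Review bot: alongside the `peer has no certificate` string change, this hunk drops `-c "! mbedtls_ssl_handshake returned"` without the explanatory comment that the badcert test further down carries ("We don't check that the client receives the alert because it might detect that its write end of the connection is closed..."); if the reason is the same race, either repeat that comment here or move it above this group of tests, so the missing client-side check is not mistaken for lost coverage. The server-side assertions (`-s "! mbedtls_ssl_handshake returned"` and the "No client certification received" message) still pin the failure to the intended cause.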
@@ -4885,13 +5083,11 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-s "send alert level=2 message=48" \
- -c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
# before reading the alert message.
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client cert self-signed and trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required ca_file=data_files/server5-selfsigned.crt" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@@ -4907,7 +5103,6 @@
-S "! The certificate is not correctly signed" \
-S "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client cert not trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@@ -4922,10 +5117,8 @@
-s "x509_verify_cert() returned" \
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client badcert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@@ -4943,7 +5136,6 @@
-C "! mbedtls_ssl_handshake returned" \
-S "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client badcert, server none" \
"$P_SRV debug_level=3 auth_mode=none" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@@ -4961,7 +5153,6 @@
-C "! mbedtls_ssl_handshake returned" \
-S "X509 - Certificate verification failed"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=none key_file=none" \
@@ -5023,7 +5214,6 @@
# are in place so that the semantics are consistent with the test description.
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server max_int chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
key_file=data_files/dir-maxpath/09.key" \
@@ -5033,7 +5223,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: server max_int+1 chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -5065,7 +5254,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int+1 chain, server default" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5075,7 +5263,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int+1 chain, server optional" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5085,7 +5272,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int+1 chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5095,7 +5281,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client max_int chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
@@ -5134,6 +5319,39 @@
-c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "Authentication: send alt conf DN hints in CertificateRequest" \
+ "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \
+ crt_file2=data_files/server1.crt \
+ key_file2=data_files/server1.key" \
+ "$P_CLI debug_level=3 auth_mode=optional \
+ crt_file=data_files/server6.crt \
+ key_file=data_files/server6.key" \
+ 0 \
+ -c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "Authentication: send alt conf DN hints in CertificateRequest (2)" \
+ "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \
+ crt_file2=data_files/server2.crt \
+ key_file2=data_files/server2.key" \
+ "$P_CLI debug_level=3 auth_mode=optional \
+ crt_file=data_files/server6.crt \
+ key_file=data_files/server6.key" \
+ 0 \
+ -c "DN hint: C=NL, O=PolarSSL, CN=localhost"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "Authentication: send alt hs DN hints in CertificateRequest" \
+ "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=3 \
+ crt_file2=data_files/server1.crt \
+ key_file2=data_files/server1.key" \
+ "$P_CLI debug_level=3 auth_mode=optional \
+ crt_file=data_files/server6.crt \
+ key_file=data_files/server6.key" \
+ 0 \
+ -c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1"
+
# Tests for auth_mode, using CA callback, these are duplicated from the authentication tests
# When updating these tests, modify the matching authentication tests accordingly
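Review bot: the three DN-hint tests assert only that the expected `DN hint:` line appears; none asserts that the other DN is absent, so a server that sent both the primary and the alternate hint would pass. Add a `-C` check for the DN that should not be present in each case (for the `server1.crt` cases, the `CN=localhost` hint, and vice versa). The values `cert_req_ca_list=2` and `cert_req_ca_list=3` are distinguished only by the words "alt conf" and "alt hs" in the titles; a comment above the block explaining what 2 and 3 select (the titles suggest the alternate certificate from the config versus the one set during the handshake) would make the tests readable without opening ssl_server2.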
@@ -5657,7 +5875,6 @@
# Tests for non-blocking I/O: exercise a variety of handshake flows
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Non-blocking I/O: basic handshake" \
"$P_SRV nbio=2 tickets=0 auth_mode=none" \
"$P_CLI nbio=2 tickets=0" \
@@ -5666,7 +5883,6 @@
-C "mbedtls_ssl_handshake returned" \
-c "Read from server: .* bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Non-blocking I/O: client auth" \
"$P_SRV nbio=2 tickets=0 auth_mode=required" \
"$P_CLI nbio=2 tickets=0" \
@@ -5722,7 +5938,6 @@
# Tests for event-driven I/O: exercise a variety of handshake flows
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Event-driven I/O: basic handshake" \
"$P_SRV event=1 tickets=0 auth_mode=none" \
"$P_CLI event=1 tickets=0" \
@@ -5731,7 +5946,6 @@
-C "mbedtls_ssl_handshake returned" \
-c "Read from server: .* bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Event-driven I/O: client auth" \
"$P_SRV event=1 tickets=0 auth_mode=required" \
"$P_CLI event=1 tickets=0" \
@@ -5901,7 +6115,6 @@
# Tests for ALPN extension
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "ALPN: none" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \
@@ -5909,12 +6122,11 @@
-C "client hello, adding alpn extension" \
-S "found alpn extension" \
-C "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
+ -S "server side, adding alpn extension" \
-C "found alpn extension " \
-C "Application Layer Protocol is" \
-S "Application Layer Protocol is"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "ALPN: client only" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 alpn=abc,1234" \
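Review bot: the expected string changes from `server hello, adding alpn extension` to `server side, adding alpn extension` in this and the following ALPN hunks, and the TLS 1.2 guard is removed in the same hunks, which suggests the log line moved into code shared by the TLS 1.2 and 1.3 servers. Name the moved function in the commit message so reviewers can confirm the string is printed on both paths: in this "ALPN: none" test the check is `-S` (must not appear), which passes vacuously if the new string is never emitted at all, and only the "both, common" tests further down, which use `-s`, would catch a mismatch.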
@@ -5922,12 +6134,11 @@
-c "client hello, adding alpn extension" \
-s "found alpn extension" \
-C "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
+ -S "server side, adding alpn extension" \
-C "found alpn extension " \
-c "Application Layer Protocol is (none)" \
-S "Application Layer Protocol is"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "ALPN: server only" \
"$P_SRV debug_level=3 alpn=abc,1234" \
"$P_CLI debug_level=3" \
@@ -5935,12 +6146,11 @@
-C "client hello, adding alpn extension" \
-S "found alpn extension" \
-C "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
+ -S "server side, adding alpn extension" \
-C "found alpn extension " \
-C "Application Layer Protocol is" \
-s "Application Layer Protocol is (none)"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "ALPN: both, common cli1-srv1" \
"$P_SRV debug_level=3 alpn=abc,1234" \
"$P_CLI debug_level=3 alpn=abc,1234" \
@@ -5948,12 +6158,11 @@
-c "client hello, adding alpn extension" \
-s "found alpn extension" \
-C "got an alert message, type: \\[2:120]" \
- -s "server hello, adding alpn extension" \
+ -s "server side, adding alpn extension" \
-c "found alpn extension" \
-c "Application Layer Protocol is abc" \
-s "Application Layer Protocol is abc"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "ALPN: both, common cli2-srv1" \
"$P_SRV debug_level=3 alpn=abc,1234" \
"$P_CLI debug_level=3 alpn=1234,abc" \
@@ -5961,12 +6170,11 @@
-c "client hello, adding alpn extension" \
-s "found alpn extension" \
-C "got an alert message, type: \\[2:120]" \
- -s "server hello, adding alpn extension" \
+ -s "server side, adding alpn extension" \
-c "found alpn extension" \
-c "Application Layer Protocol is abc" \
-s "Application Layer Protocol is abc"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "ALPN: both, common cli1-srv2" \
"$P_SRV debug_level=3 alpn=abc,1234" \
"$P_CLI debug_level=3 alpn=1234,abcde" \
@@ -5974,12 +6182,11 @@
-c "client hello, adding alpn extension" \
-s "found alpn extension" \
-C "got an alert message, type: \\[2:120]" \
- -s "server hello, adding alpn extension" \
+ -s "server side, adding alpn extension" \
-c "found alpn extension" \
-c "Application Layer Protocol is 1234" \
-s "Application Layer Protocol is 1234"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "ALPN: both, no common" \
"$P_SRV debug_level=3 alpn=abc,123" \
"$P_CLI debug_level=3 alpn=1234,abcde" \
@@ -5987,7 +6194,7 @@
-c "client hello, adding alpn extension" \
-s "found alpn extension" \
-c "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
+ -S "server side, adding alpn extension" \
-C "found alpn extension" \
-C "Application Layer Protocol is 1234" \
-S "Application Layer Protocol is 1234"
@@ -6004,7 +6211,6 @@
0 \
-c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
-
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
"$P_SRV key_file=data_files/server2.key \
@@ -6139,6 +6345,78 @@
-c "Ciphersuite is TLS-" \
-c "! Usage does not match the keyUsage extension"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
+ -cert data_files/server2.ku-ds_ke.crt" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
+ -cert data_files/server2.ku-ka.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.ku-ds.crt" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.ku-ke.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.ku-ka.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
# Tests for keyUsage in leaf certificates, part 3:
# server-side checking of client cert
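Review bot: Minor inconsistency in the "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" test: its client runs with `debug_level=3` while the other five keyUsage cli 1.3 tests in this block use `debug_level=1`, and none of its assertions (`-C "bad certificate (usage extensions)"`, `-c "Ciphersuite is"`) needs the higher level, so `debug_level=1` would keep the block uniform. Also, the OpenSSL option is spelled `-num_tickets=0` throughout this block but `-num_tickets 0` in the middlebox-compatibility tests later in the patch; both forms work, so pick one for the file.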
@@ -6148,6 +6426,7 @@
"$O_CLI -key data_files/server2.key \
-cert data_files/server2.ku-ds.crt" \
0 \
+ -s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -6175,6 +6454,7 @@
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.ku-ds.crt" \
0 \
+ -s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -6187,6 +6467,52 @@
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature: OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
+ -cert data_files/server2.ku-ds.crt" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok" \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
+ -cert data_files/server2.ku-ke.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.ku-ds.crt" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok" \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.ku-ka.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
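Review bot: None of the four "keyUsage cli-auth 1.3" tests asserts the negotiated protocol version: `$P_SRV` is started without `force_version=tls13` and `$O_NEXT_CLI_NO_CERT` is not given `-tls1_3`, so TLS 1.3 is only implied by the `requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2` guard. Adding `-s "Protocol is TLSv1.3"`, as the middlebox-compatibility tests in this same patch do, makes the intent self-checking and catches a build where the guard is wrong. The same applies to the "extKeyUsage cli 1.3" and "extKeyUsage cli-auth 1.3" blocks that follow.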
@@ -6259,6 +6585,54 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: serverAuth -> OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-srv.crt" \
+ "$P_CLI debug_level=1" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-srv_cli.crt" \
+ "$P_CLI debug_level=1" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-cs_any.crt" \
+ "$P_CLI debug_level=1" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.3: codeSign -> fail" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+ "$P_CLI debug_level=1" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is"
+
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -6306,6 +6680,50 @@
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: clientAuth -> OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-cli.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: serverAuth,clientAuth -> OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-srv_cli.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-cs_any.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_openssl_tls1_3
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \
+ "$P_SRV debug_level=1 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
# Tests for DHM parameters loading
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
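Review bot: The three "extKeyUsage cli-auth 1.3 ... -> OK" tests only assert the absence of failure output (`-S "bad certificate (usage extensions)"`, `-S "Processing of the Certificate handshake message failed"`), whereas the "keyUsage cli-auth 1.3 ... OK" tests earlier in this patch also assert `-s "Verifying peer X.509 certificate... ok"`. Add the same positive check here so an OK test cannot pass when certificate verification never ran at all.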
@@ -7362,6 +7780,20 @@
0 \
-s "Read from client: 1 bytes read"
+run_test "Small client packet TLS 1.3 AEAD" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=1 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -s "Read from client: 1 bytes read"
+
+run_test "Small client packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=1 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -s "Read from client: 1 bytes read"
+
# Tests for small client packets in DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
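Review bot: The two new "Small client packet TLS 1.3 AEAD" tests carry no `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3` guard, while the neighbouring blocks gate on `MBEDTLS_SSL_PROTO_TLS1_2` and `MBEDTLS_SSL_PROTO_DTLS`. Unless `run_test` derives requirements from `force_version=tls13` and `force_ciphersuite=TLS1-3-AES-128-CCM-SHA256` automatically, these tests will fail rather than skip in a build without TLS 1.3 or without CCM; add the guard (and a `requires_ciphersuite_enabled` check if the script does not do that for you). The same applies to the server-packet and large-packet TLS 1.3 variants in the next three hunks.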
@@ -7412,6 +7844,18 @@
0 \
-c "Read from server: 1 bytes read"
+run_test "Small server packet TLS 1.3 AEAD" \
+ "$P_SRV response_size=1 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -c "Read from server: 1 bytes read"
+
+run_test "Small server packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV response_size=1 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -c "Read from server: 1 bytes read"
+
# Tests for small server packets in DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
@@ -7476,6 +7920,22 @@
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
+run_test "Large client packet TLS 1.3 AEAD" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=16384 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
+
+run_test "Large client packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV force_version=tls13" \
+ "$P_CLI request_size=16384 \
+ force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
+
# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
run_test "Large server packet TLS 1.2 BlockCipher" \
"$P_SRV response_size=16384 force_version=tls12" \
@@ -7515,6 +7975,18 @@
0 \
-c "Read from server: 16384 bytes read"
+run_test "Large server packet TLS 1.3 AEAD" \
+ "$P_SRV response_size=16384 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
+ 0 \
+ -c "Read from server: 16384 bytes read"
+
+run_test "Large server packet TLS 1.3 AEAD shorter tag" \
+ "$P_SRV response_size=16384 force_version=tls13" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
+ 0 \
+ -c "Read from server: 16384 bytes read"
+
# Tests for restartable ECC
# Force the use of a curve that supports restartable ECC (secp256r1).
@@ -10517,6 +10989,36 @@
-c "HTTP/1.0 200 OK" \
-c "Application Layer Protocol is h2"
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_ALPN
+run_test "TLS 1.3: server alpn - openssl" \
+ "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 alpn=h2" \
+ "$O_NEXT_CLI -msg -tls1_3 -no_middlebox -alpn h2" \
+ 0 \
+ -s "found alpn extension" \
+ -s "server side, adding alpn extension" \
+ -s "Protocol is TLSv1.3" \
+ -s "HTTP/1.0 200 OK" \
+ -s "Application Layer Protocol is h2"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_ALPN
+run_test "TLS 1.3: server alpn - gnutls" \
+ "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 alpn=h2" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V --alpn h2" \
+ 0 \
+ -s "found alpn extension" \
+ -s "server side, adding alpn extension" \
+ -s "Protocol is TLSv1.3" \
+ -s "HTTP/1.0 200 OK" \
+ -s "Application Layer Protocol is h2"
+
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
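Review bot: The "TLS 1.3: server alpn - gnutls" test puts `%DISABLE_TLS13_COMPAT_MODE` in the GnuTLS priority string but is gated only on `requires_gnutls_tls1_3`; everywhere else in this patch that flag is paired with `requires_gnutls_next_disable_tls13_compat`. Add the same guard here so the test skips rather than fails on a GnuTLS build that does not know the flag (the openssl variant, which uses `-no_middlebox`, is already covered by `requires_openssl_tls1_3`).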
@@ -11444,6 +11946,35 @@
done
unset TEST_SUITE_NAME
+# Test 1.3 compatibility mode
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->m both peers do not support middlebox compatibility" \
+ "$P_SRV debug_level=4 force_version=tls13 tickets=0" \
+ "$P_CLI debug_level=4" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3" \
+ -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
+ -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->m both with middlebox compat support" \
+ "$P_SRV debug_level=4 force_version=tls13 tickets=0" \
+ "$P_CLI debug_level=4" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
+ -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
@@ -11451,10 +11982,11 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3 m->O both peers do not support middlebox compatibility" \
"$O_NEXT_SRV -msg -tls1_3 -no_middlebox -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI debug_level=3" \
+ "$P_CLI debug_level=4" \
0 \
-c "Protocol is TLSv1.3" \
- -c "HTTP/1.0 200 ok"
+ -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
+ -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
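Review bot: Replacing `-c "HTTP/1.0 200 ok"` with the two `-C` ChangeCipherSpec checks removes the only positive application-data assertion from "TLS 1.3 m->O both peers do not support middlebox compatibility": the test now passes as long as the client reports TLSv1.3 and neither debug line appears, even if the GET/response exchange fails afterwards. Keep a positive check next to the negative ones, e.g. `-c "HTTP/1.0 200 [Oo][Kk]"` as the signature-algorithm-order tests later in this patch use. The same applies to the m->G counterpart two hunks below, where `-c "HTTP/1.0 200 OK"` is dropped the same way.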
@@ -11463,10 +11995,22 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3 m->O server with middlebox compat support, not client" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI debug_level=3" \
+ "$P_CLI debug_level=4" \
1 \
-c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->O both with middlebox compat support" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI debug_level=4" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
@@ -11476,10 +12020,11 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3 m->G both peers do not support middlebox compatibility" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert" \
- "$P_CLI debug_level=3" \
+ "$P_CLI debug_level=4" \
0 \
-c "Protocol is TLSv1.3" \
- -c "HTTP/1.0 200 OK"
+ -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
+ -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
@@ -11489,10 +12034,524 @@
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3 m->G server with middlebox compat support, not client" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
- "$P_CLI debug_level=3" \
+ "$P_CLI debug_level=4" \
1 \
-c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->G both with middlebox compat support" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
+ "$P_CLI debug_level=4" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 O->m both peers do not support middlebox compatibility" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$O_NEXT_CLI -msg -debug -no_middlebox" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
+ -C "14 03 03 00 01"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 O->m server with middlebox compat support, not client" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$O_NEXT_CLI -msg -debug -no_middlebox" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 O->m both with middlebox compat support" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$O_NEXT_CLI -msg -debug" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
+ -c "14 03 03 00 01"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 G->m both peers do not support middlebox compatibility" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
+ -C "SSL 3.3 ChangeCipherSpec packet received"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 G->m server with middlebox compat support, not client" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
+ -c "SSL 3.3 ChangeCipherSpec packet received" \
+ -c "discarding change cipher spec in TLS1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 G->m both with middlebox compat support" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
+ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
+ -c "SSL 3.3 ChangeCipherSpec packet received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->m HRR both peers do not support middlebox compatibility" \
+ "$P_SRV debug_level=4 force_version=tls13 curves=secp384r1 tickets=0" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \
+ -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+ -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->m HRR both with middlebox compat support" \
+ "$P_SRV debug_level=4 force_version=tls13 curves=secp384r1 tickets=0" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+ -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->O HRR both peers do not support middlebox compatibility" \
+ "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -no_middlebox -num_tickets 0 -no_cache" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "received HelloRetryRequest message" \
+ -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
+ -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->O HRR server with middlebox compat support, not client" \
+ "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -num_tickets 0 -no_cache" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 1 \
+ -c "received HelloRetryRequest message" \
+ -c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->O HRR both with middlebox compat support" \
+ "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->G HRR both peers do not support middlebox compatibility" \
+ "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "received HelloRetryRequest message" \
+ -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
+ -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->G HRR server with middlebox compat support, not client" \
+ "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 1 \
+ -c "received HelloRetryRequest message" \
+ -c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3 m->G HRR both with middlebox compat support" \
+ "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
+ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 O->m HRR both peers do not support middlebox compatibility" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \
+ "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+ -C "14 03 03 00 01"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 O->m HRR server with middlebox compat support, not client" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \
+ "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 O->m HRR both with middlebox compat support" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \
+ "$O_NEXT_CLI -msg -debug -groups P-256:P-384" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+ -c "14 03 03 00 01"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 G->m HRR both peers do not support middlebox compatibility" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+ -C "SSL 3.3 ChangeCipherSpec packet received"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 G->m HRR server with middlebox compat support, not client" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \
+ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+ -c "SSL 3.3 ChangeCipherSpec packet received" \
+ -c "discarding change cipher spec in TLS1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 G->m HRR both with middlebox compat support" \
+ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \
+ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
+ -c "SSL 3.3 ChangeCipherSpec packet received"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check signature algorithm order, m->O" \
+ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key
+ -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
+ -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
+ "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check signature algorithm order, m->G" \
+ "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key
+ -d 4
+ --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
+ "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check signature algorithm order, m->m" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required
+ crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
+ crt_file=data_files/server5.crt key_file=data_files/server5.key
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
+ "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Check signature algorithm order, O->m" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required
+ crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
+ crt_file=data_files/server5.crt key_file=data_files/server5.key
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
+ "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \
+ -cert data_files/server2-sha256.crt -key data_files/server2.key \
+ -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
+ 0 \
+ -c "TLSv1.3" \
+ -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Check signature algorithm order, G->m" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required
+ crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
+ crt_file=data_files/server5.crt key_file=data_files/server5.key
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
+ "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \
+ --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \
+ --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384" \
+ 0 \
+ -c "Negotiated version: 3.4" \
+ -c "HTTP/1.0 200 [Oo][Kk]" \
+ -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required
+ crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
+ crt_file=data_files/server5.crt key_file=data_files/server5.key
+ sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
+ "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \
+ --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \
+ --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \
+ 1 \
+ -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required
+ crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
+ crt_file=data_files/server5.crt key_file=data_files/server5.key
+ sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256" \
+ "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \
+ -cert data_files/server2-sha256.crt -key data_files/server2.key \
+ -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \
+ 1 \
+ -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required
+ crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
+ crt_file=data_files/server5.crt key_file=data_files/server5.key
+ sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
+ "$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512" \
+ 1 \
+ -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
+ -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Check server no suitable certificate, G->m" \
+ "$P_SRV debug_level=4 force_version=tls13
+ crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
+ "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \
+ --priority=NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-ECDSA-SECP256R1-SHA256" \
+ 1 \
+ -s "ssl_tls13_pick_key_cert:no suitable certificate found"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3: Check server no suitable certificate, O->m" \
+ "$P_SRV debug_level=4 force_version=tls13
+ crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
+ "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \
+ -sigalgs ecdsa_secp521r1_sha512:ecdsa_secp256r1_sha256" \
+ 1 \
+ -s "ssl_tls13_pick_key_cert:no suitable certificate found"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check server no suitable certificate, m->m" \
+ "$P_SRV debug_level=4 force_version=tls13
+ crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
+ "$P_CLI allow_sha1=0 debug_level=4 \
+ sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256" \
+ 1 \
+ -s "ssl_tls13_pick_key_cert:no suitable certificate found"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check client no signature algorithm, m->O" \
+ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key
+ -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
+ -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \
+ "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ 1 \
+ -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check client no signature algorithm, m->G" \
+ "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key
+ -d 4
+ --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
+ "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ 1 \
+ -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.3: Check client no signature algorithm, m->m" \
+ "$P_SRV debug_level=4 force_version=tls13 auth_mode=required
+ crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
+ crt_file=data_files/server5.crt key_file=data_files/server5.key
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \
+ "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ 1 \
+ -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
+
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG
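Review bot: The three "Check server no suitable signature algorithm" cases (G->m, O->m, m->m) lock in a two-stage failure that deserves either a fix or a comment: the server's own `sig_algs` is `rsa_pkcs1_sha512,ecdsa_secp256r1_sha256`, yet the tests expect `ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512` before `select_sig_alg_for_certificate_verify:no suitable signature algorithm found`. That means certificate selection is driven by the peer's list alone while CertificateVerify selection intersects it with the local list, so the server commits to the RSA certificate and only then discovers it is not allowed to sign with anything the client accepts. Filtering in `ssl_tls13_pick_key_cert` by the local `sig_algs` as well would turn this into the earlier and clearer `no suitable certificate found` failure that the next group of tests already exercises; if the current split is intentional, a one-line comment above these cases saying so would stop the next reader from filing it as a bug. Two smaller points: the "Check signature algorithm order" cases rely on `rsa_pkcs1_sha512` being skipped even though it is listed first (RFC 8446 does not allow RSASSA-PKCS1-v1_5 in TLS 1.3 CertificateVerify), which is the whole point of the test and should be stated in a comment; and `allow_sha1=0` appears only on the `$P_CLI` lines at L11080 and L11123 while the otherwise identical clients in the neighbouring cases omit it, so either drop it or apply it uniformly. The server-side cases are named "no suitable signature algorithm" and the client-side ones "no signature algorithm"; using the same wording for both makes the failing group easier to find in CI logs.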
diff --git a/tests/suites/test_suite_asn1write.data b/tests/suites/test_suite_asn1write.data
index f844d48..725cbc2 100644
--- a/tests/suites/test_suite_asn1write.data
+++ b/tests/suites/test_suite_asn1write.data
@@ -91,8 +91,11 @@
ASN.1 Write enum 2147483647
mbedtls_asn1_write_enum:0x7fffffff:"0A047fffffff"
-#ASN.1 Write mpi 0
-#mbedtls_asn1_write_mpi:"00":"020100"
+ASN.1 Write mpi 0 (null)
+mbedtls_asn1_write_mpi:"":"020100"
+
+ASN.1 Write mpi 0 (1 limb)
+mbedtls_asn1_write_mpi:"00":"020100"
ASN.1 Write mpi 1
mbedtls_asn1_write_mpi:"01":"020101"
@@ -100,11 +103,17 @@
ASN.1 Write mpi 0x7f
mbedtls_asn1_write_mpi:"7f":"02017f"
-#ASN.1 Write mpi 0x80
-#mbedtls_asn1_write_mpi:"7f":"02020080"
+ASN.1 Write mpi 0x7f with leading 0 limb
+mbedtls_asn1_write_mpi:"00000000000000007f":"02017f"
-#ASN.1 Write mpi 0xff
-#mbedtls_asn1_write_mpi:"7f":"020200ff"
+ASN.1 Write mpi 0x80
+mbedtls_asn1_write_mpi:"80":"02020080"
+
+ASN.1 Write mpi 0x80 with leading 0 limb
+mbedtls_asn1_write_mpi:"000000000000000080":"02020080"
+
+ASN.1 Write mpi 0xff
+mbedtls_asn1_write_mpi:"ff":"020200ff"
ASN.1 Write mpi 0x100
mbedtls_asn1_write_mpi:"0100":"02020100"
@@ -112,17 +121,17 @@
ASN.1 Write mpi, 127*8-1 bits
mbedtls_asn1_write_mpi:"7f7b16e05c1537de7c41cef1a0985d6a3ced98aec28e091874cbad6b5e40a5c956258f18861c28bed8ba808259339ee34b2e509c4080149474d5d5b86093f90c475a6443fc87e1a293d4151be625d652f1c32a00a018bba10c8a2ae5b2b0ee4be64e053dce9d07ec7919526c9dfcf2ec9fc3db485caa8e5a68a2cd0a427de8":"027f7f7b16e05c1537de7c41cef1a0985d6a3ced98aec28e091874cbad6b5e40a5c956258f18861c28bed8ba808259339ee34b2e509c4080149474d5d5b86093f90c475a6443fc87e1a293d4151be625d652f1c32a00a018bba10c8a2ae5b2b0ee4be64e053dce9d07ec7919526c9dfcf2ec9fc3db485caa8e5a68a2cd0a427de8"
-#ASN.1 Write mpi, 127*8 bits
-#mbedtls_asn1_write_mpi:"e77b16e05c1537de7c41cef1a0985d6a3ced98aec28e091874cbad6b5e40a5c956258f18861c28bed8ba808259339ee34b2e509c4080149474d5d5b86093f90c475a6443fc87e1a293d4151be625d652f1c32a00a018bba10c8a2ae5b2b0ee4be64e053dce9d07ec7919526c9dfcf2ec9fc3db485caa8e5a68a2cd0a427de8":"028180e77b16e05c1537de7c41cef1a0985d6a3ced98aec28e091874cbad6b5e40a5c956258f18861c28bed8ba808259339ee34b2e509c4080149474d5d5b86093f90c475a6443fc87e1a293d4151be625d652f1c32a00a018bba10c8a2ae5b2b0ee4be64e053dce9d07ec7919526c9dfcf2ec9fc3db485caa8e5a68a2cd0a427de8"
+ASN.1 Write mpi, 127*8 bits
+mbedtls_asn1_write_mpi:"e77b16e05c1537de7c41cef1a0985d6a3ced98aec28e091874cbad6b5e40a5c956258f18861c28bed8ba808259339ee34b2e509c4080149474d5d5b86093f90c475a6443fc87e1a293d4151be625d652f1c32a00a018bba10c8a2ae5b2b0ee4be64e053dce9d07ec7919526c9dfcf2ec9fc3db485caa8e5a68a2cd0a427de8":"02818000e77b16e05c1537de7c41cef1a0985d6a3ced98aec28e091874cbad6b5e40a5c956258f18861c28bed8ba808259339ee34b2e509c4080149474d5d5b86093f90c475a6443fc87e1a293d4151be625d652f1c32a00a018bba10c8a2ae5b2b0ee4be64e053dce9d07ec7919526c9dfcf2ec9fc3db485caa8e5a68a2cd0a427de8"
ASN.1 Write mpi, 127*8+1 bits
-mbedtls_asn1_write_mpi:"108446d68934cc1af23c4cd909884d4bd737a1890e12f5ef8bf3d807d72feffa63c0bf2633345f8b8418d144617c871a7a0277ac0150eed4b3db7f9dff21114cd0d7f282400f03c931cb00c367550e374a1ed3762a1801ca714cfc8d5aac69707ca81e0661400ed0014d97cba48f94d835dd681fc3053c51958afbf7583cf49c":"028180108446d68934cc1af23c4cd909884d4bd737a1890e12f5ef8bf3d807d72feffa63c0bf2633345f8b8418d144617c871a7a0277ac0150eed4b3db7f9dff21114cd0d7f282400f03c931cb00c367550e374a1ed3762a1801ca714cfc8d5aac69707ca81e0661400ed0014d97cba48f94d835dd681fc3053c51958afbf7583cf49c"
+mbedtls_asn1_write_mpi:"018446d68934cc1af23c4cd909884d4bd737a1890e12f5ef8bf3d807d72feffa63c0bf2633345f8b8418d144617c871a7a0277ac0150eed4b3db7f9dff21114cd0d7f282400f03c931cb00c367550e374a1ed3762a1801ca714cfc8d5aac69707ca81e0661400ed0014d97cba48f94d835dd681fc3053c51958afbf7583cf49c":"028180018446d68934cc1af23c4cd909884d4bd737a1890e12f5ef8bf3d807d72feffa63c0bf2633345f8b8418d144617c871a7a0277ac0150eed4b3db7f9dff21114cd0d7f282400f03c931cb00c367550e374a1ed3762a1801ca714cfc8d5aac69707ca81e0661400ed0014d97cba48f94d835dd681fc3053c51958afbf7583cf49c"
ASN.1 Write mpi, 255*8-1 bits
mbedtls_asn1_write_mpi:"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":"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"
-#ASN.1 Write mpi, 255*8 bits
-#mbedtls_asn1_write_mpi:"fbd1913fcfb652896209ad3e62f5d04a8dfc71eb1698543c52200bd7bbf3c11dd9ff57c299a2f4da172b3d5bd7e29affddf8859be7d50a45537a0df15b17af603d18803fd17134847cba78d83e64bf9fee58364d6124add0541da7bad331cd35fb48186a74bc502ddb967602401c0db02b19e5d38f09e8618fa7f6a1a3f738629baffdc63d9d70d396007d943fd64ae696e5b7e88f2c6d6ec322b461dbddd36efa91d990343b66419cf4832a22dc9ad13021185a1bf007989a50ba3bfd1152b8db899482d3ed498d1b9fae243a3cdae9530d8b29fdb684f70cdc0c9b8527265312603b405e67d59d4b1d654ddc3b7fd5515acb32440dc80903c8474a2c136c":"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"
+ASN.1 Write mpi, 255*8 bits
+mbedtls_asn1_write_mpi:"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":"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"
ASN.1 Write mpi, 256*8-1 bits
mbedtls_asn1_write_mpi:"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":"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"
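Review bot: The re-enabled vectors are now internally consistent, which the commented-out originals were not: the old "127*8 bits" expectation `028180e77b...` had a 128-byte length prefix over 127 bytes of content and no leading `00`, so it encoded a negative INTEGER, while the new `02818000e77b...` carries the `00` pad that the set top bit of `0xe7` requires. Likewise the old "127*8+1 bits" input began with `0x10` (127*8+5 bits) and did not match its title; the new `01...` input does. Since these titles are the only documentation of what each case targets, consider a short comment above the block stating that the `+1`/`-1` bit variants are there to hit both sides of the "pad byte needed" and "length moves from short to long form" boundaries.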
@@ -191,7 +200,7 @@
mbedtls_asn1_write_string:MBEDTLS_ASN1_OID:"41":"060141"
ASN.1 Write AlgorithmIdentifier, null parameters
-mbedtls_asn1_write_algorithm_identifier:"4f4944":8:"300d06034f4944"
+mbedtls_asn1_write_algorithm_identifier:"4f4944":0:"300706034f49440500"
ASN.1 Write AlgorithmIdentifier, parameters (8 bytes)
mbedtls_asn1_write_algorithm_identifier:"4f4944":8:"300d06034f4944"
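Review bot: Good catch on the "null parameters" case: the old line passed `8` and expected `300d06034f4944`, which is byte-for-byte the "parameters (8 bytes)" case directly below it, so the NULL path was never tested. The new expectation `300706034f49440500` is right: SEQUENCE length 7 = OID (2+3) + NULL (`05 00`). It would be worth adding the mirror case with `par_len` = 2 as well, so the suite shows that a caller who writes its own `05 00` parameters is not given a second NULL by the writer.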
diff --git a/tests/suites/test_suite_asn1write.function b/tests/suites/test_suite_asn1write.function
index 8d5579d..4ed8644 100644
--- a/tests/suites/test_suite_asn1write.function
+++ b/tests/suites/test_suite_asn1write.function
@@ -16,6 +16,8 @@
int generic_write_start_step( generic_write_data_t *data )
{
mbedtls_test_set_step( data->size );
+ mbedtls_free( data->output );
+ data->output = NULL;
ASSERT_ALLOC( data->output, data->size == 0 ? 1 : data->size );
data->end = data->output + data->size;
data->p = data->end;
@@ -45,8 +47,6 @@
ok = 1;
exit:
- mbedtls_free( data->output );
- data->output = NULL;
return( ok );
}
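Review bot: Moving the free from `generic_write_finish_step()` to the top of `generic_write_start_step()` is what lets the new parse-back code read `data.output` after the step, but it also means the last iteration's buffer is only released by the caller. The `mpi`, `algorithm_identifier` and `bitstring` functions visibly `mbedtls_free( data.output )` at `exit`; please double-check that the `null`, `bool`, `int`, `enum` and string cases, whose `exit:` labels are cut off in this diff, do the same, otherwise every one of them now leaks on the final step. A comment on `generic_write_start_step()` stating the new ownership rule ("frees the previous step's buffer; the caller frees the last one") would make this contract explicit.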
@@ -63,13 +63,14 @@
generic_write_data_t data = { NULL, NULL, NULL, NULL, 0 };
int ret;
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
ret = mbedtls_asn1_write_null( &data.p, data.start );
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+ /* There's no parsing function for NULL. */
}
exit:
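Review bot: Changing the loop bound from `<` to `<=` adds the `data.size == expected->len + 1` step, i.e. a buffer one byte larger than the encoding, which is the case that catches a writer that assumes the buffer is exactly sized rather than writing backwards from `end`. That is a useful addition, but since the same one-character change is repeated in every test function, a one-line comment on this first loop explaining what the extra step checks would save the next reviewer from treating it as an off-by-one.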
@@ -83,13 +84,21 @@
generic_write_data_t data = { NULL, NULL, NULL, NULL, 0 };
int ret;
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
ret = mbedtls_asn1_write_bool( &data.p, data.start, val );
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ if( ret >= 0 )
+ {
+ int read = 0xdeadbeef;
+ TEST_EQUAL( mbedtls_asn1_get_bool( &data.p, data.end, &read ), 0 );
+ TEST_EQUAL( val, read );
+ }
+#endif /* MBEDTLS_ASN1_PARSE_C */
}
exit:
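Review bot: `int read = 0xdeadbeef;` relies on implementation-defined conversion of an out-of-range unsigned constant to `int`; it compiles, but an in-range sentinel such as `-1` (or a `(int)` cast) avoids `-Wconversion`/`-Wsign-conversion` noise in the stricter all.sh builds, and the same pattern is repeated in the `int` and `enum` cases below. Separately, the parse-back checks the decoded value but not that the whole encoding was consumed: adding `TEST_ASSERT( data.p == data.end );` after `mbedtls_asn1_get_bool()` (and in the other parse-back blocks) would also catch a writer that emits a correct element followed by stray bytes, which a value comparison alone cannot see.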
@@ -103,13 +112,21 @@
generic_write_data_t data = { NULL, NULL, NULL, NULL, 0 };
int ret;
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
ret = mbedtls_asn1_write_int( &data.p, data.start, val );
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ if( ret >= 0 )
+ {
+ int read = 0xdeadbeef;
+ TEST_EQUAL( mbedtls_asn1_get_int( &data.p, data.end, &read ), 0 );
+ TEST_EQUAL( val, read );
+ }
+#endif /* MBEDTLS_ASN1_PARSE_C */
}
exit:
@@ -124,13 +141,21 @@
generic_write_data_t data = { NULL, NULL, NULL, NULL, 0 };
int ret;
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
ret = mbedtls_asn1_write_enum( &data.p, data.start, val );
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ if( ret >= 0 )
+ {
+ int read = 0xdeadbeef;
+ TEST_EQUAL( mbedtls_asn1_get_enum( &data.p, data.end, &read ), 0 );
+ TEST_EQUAL( val, read );
+ }
+#endif /* MBEDTLS_ASN1_PARSE_C */
}
exit:
@@ -142,25 +167,35 @@
void mbedtls_asn1_write_mpi( data_t *val, data_t *expected )
{
generic_write_data_t data = { NULL, NULL, NULL, NULL, 0 };
- mbedtls_mpi mpi;
+ mbedtls_mpi mpi, read;
int ret;
mbedtls_mpi_init( &mpi );
+ mbedtls_mpi_init( &read );
TEST_ASSERT( mbedtls_mpi_read_binary( &mpi, val->x, val->len ) == 0 );
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
ret = mbedtls_asn1_write_mpi( &data.p, data.start, &mpi );
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ if( ret >= 0 )
+ {
+ TEST_EQUAL( mbedtls_asn1_get_mpi( &data.p, data.end, &read ), 0 );
+ TEST_EQUAL( 0, mbedtls_mpi_cmp_mpi( &mpi, &read ) );
+ }
+#endif /* MBEDTLS_ASN1_PARSE_C */
+ /* Skip some intermediate lengths, they're boring. */
if( expected->len > 10 && data.size == 8 )
data.size = expected->len - 2;
}
exit:
mbedtls_mpi_free( &mpi );
+ mbedtls_mpi_free( &read );
mbedtls_free( data.output );
}
/* END_CASE */
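Review bot: `mbedtls_mpi_cmp_mpi()` compares values only, so the round-trip passes for the new "0 (null)" and "leading 0 limb" vectors regardless of how the parsed MPI represents zero or its sign. Given that the `ecp_check_order` test added in this same PR checks `.s` explicitly because of #5810, it would be consistent to add `TEST_EQUAL( read.s, 1 );` here, since an INTEGER parsed from DER can never be negative in this suite and a sign of `0` or `-1` on zero is exactly the malformed state that test guards against. The `read` MPI is reused across iterations without being re-zeroed; that is fine because `mbedtls_asn1_get_mpi()` overwrites it completely, but a short comment saying so would pre-empt the question.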
@@ -171,7 +206,7 @@
generic_write_data_t data = { NULL, NULL, NULL, NULL, 0 };
int ret;
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
@@ -208,6 +243,8 @@
}
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+ /* There's no parsing function for octet or character strings. */
+ /* Skip some intermediate lengths, they're boring. */
if( expected->len > 10 && data.size == 8 )
data.size = expected->len - 2;
}
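Review bot: The comment "There's no parsing function for octet or character strings" undersells the parser: `mbedtls_asn1_get_tag( &p, end, &len, tag )` accepts any tag and returns the content length, so a parse-back of the string cases is possible with `TEST_EQUAL( mbedtls_asn1_get_tag( &data.p, data.end, &len, tag ), 0 );` followed by `ASSERT_COMPARE( data.p, len, str->x, str->len )`. That would give the string writers the same round-trip coverage the INTEGER, BOOLEAN and BIT STRING writers now get, and it is the path that `asn1write` users most often rely on for SubjectAltName and PrintableString fields.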
@@ -224,8 +261,11 @@
{
generic_write_data_t data = { NULL, NULL, NULL, NULL, 0 };
int ret;
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ unsigned char *buf_complete = NULL;
+#endif /* MBEDTLS_ASN1_PARSE_C */
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
@@ -240,10 +280,69 @@
ret -= par_len;
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ /* Only do a parse-back test if the parameters aren't too large for
+ * a small-heap environment. The boundary is somewhat arbitrary. */
+ if( ret >= 0 && par_len <= 1234 )
+ {
+ mbedtls_asn1_buf alg = {0, 0, NULL};
+ mbedtls_asn1_buf params = {0, 0, NULL};
+ /* The writing function doesn't write the parameters unless
+ * they're null: it only takes their length as input. But the
+ * parsing function requires the parameters to be present.
+ * Thus make up parameters. */
+ size_t data_len = data.end - data.p;
+ size_t len_complete = data_len + par_len;
+ unsigned char expected_params_tag;
+ size_t expected_params_len;
+ ASSERT_ALLOC( buf_complete, len_complete );
+ unsigned char *end_complete = buf_complete + len_complete;
+ memcpy( buf_complete, data.p, data_len );
+ if( par_len == 0 )
+ {
+ /* mbedtls_asn1_write_algorithm_identifier() wrote a NULL */
+ expected_params_tag = 0x05;
+ expected_params_len = 0;
+ }
+ else if( par_len >= 2 && par_len < 2 + 128 )
+ {
+ /* Write an OCTET STRING with a short length encoding */
+ expected_params_tag = buf_complete[data_len] = 0x04;
+ expected_params_len = par_len - 2;
+ buf_complete[data_len + 1] = (unsigned char) expected_params_len;
+ }
+ else if( par_len >= 4 + 128 && par_len < 3 + 256 * 256 )
+ {
+ /* Write an OCTET STRING with a two-byte length encoding */
+ expected_params_tag = buf_complete[data_len] = 0x04;
+ expected_params_len = par_len - 4;
+ buf_complete[data_len + 1] = 0x82;
+ buf_complete[data_len + 2] = (unsigned char) ( expected_params_len >> 8 );
+ buf_complete[data_len + 3] = (unsigned char) ( expected_params_len );
+ }
+ else
+ {
+ TEST_ASSERT( ! "Bad test data: invalid length of ASN.1 element" );
+ }
+ unsigned char *p = buf_complete;
+ TEST_EQUAL( mbedtls_asn1_get_alg( &p, end_complete,
+ &alg, ¶ms ), 0 );
+ TEST_EQUAL( alg.tag, MBEDTLS_ASN1_OID );
+ ASSERT_COMPARE( alg.p, alg.len, oid->x, oid->len );
+ TEST_EQUAL( params.tag, expected_params_tag );
+ TEST_EQUAL( params.len, expected_params_len );
+ mbedtls_free( buf_complete );
+ buf_complete = NULL;
+ }
+#endif /* MBEDTLS_ASN1_PARSE_C */
}
exit:
mbedtls_free( data.output );
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ mbedtls_free( buf_complete );
+#endif /* MBEDTLS_ASN1_PARSE_C */
}
/* END_CASE */
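Review bot: The synthetic-parameter branches at L11424 and L11431 leave a gap and an off-by-one that the `TEST_ASSERT( ! "Bad test data" )` fallback will turn into a confusing failure if someone adds a vector: short form covers `par_len` 2..129, but the two-byte form starts at `4 + 128`, so a 128-byte OCTET STRING (`par_len` 131, encoded `04 81 80 ...`) and `par_len` 1 and 130 all land in the error branch, and lengths 132..258 are emitted with `0x82` even though DER requires the one-byte `0x81` long form there (whether `mbedtls_asn1_get_alg()` accepts the non-minimal form is not something this test should depend on). Adding an `else if( par_len >= 3 + 128 && par_len < 3 + 256 )` branch that writes `0x81` and its length byte, and changing the upper bound of the two-byte branch to `4 + 256 * 256`, would make the helper match the encoding rules it claims to implement. The `par_len <= 1234` guard hides all of this today since the visible vectors only use 0 and 8, so at minimum the comment should say which lengths the helper supports.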
@@ -308,18 +407,63 @@
const unsigned char *buf, size_t bits ) =
( is_named ? mbedtls_asn1_write_named_bitstring :
mbedtls_asn1_write_bitstring );
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ unsigned char *masked_bitstring = NULL;
+#endif /* MBEDTLS_ASN1_PARSE_C */
- for( data.size = 0; data.size < expected->len + 1; data.size++ )
+ /* The API expects `bitstring->x` to contain `bits` bits. */
+ size_t byte_length = ( bits + 7 ) / 8;
+ TEST_ASSERT( bitstring->len >= byte_length );
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ ASSERT_ALLOC( masked_bitstring, byte_length );
+ if( byte_length != 0 )
+ {
+ memcpy( masked_bitstring, bitstring->x, byte_length );
+ if( bits % 8 != 0 )
+ masked_bitstring[byte_length - 1] &= ~( 0xff >> ( bits % 8 ) );
+ }
+ size_t value_bits = bits;
+ if( is_named )
+ {
+ /* In a named bit string, all trailing 0 bits are removed. */
+ while( byte_length > 0 && masked_bitstring[byte_length - 1] == 0 )
+ --byte_length;
+ value_bits = 8 * byte_length;
+ if( byte_length > 0 )
+ {
+ unsigned char last_byte = masked_bitstring[byte_length - 1];
+ for( unsigned b = 1; b < 0xff && ( last_byte & b ) == 0; b <<= 1 )
+ --value_bits;
+ }
+ }
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+ for( data.size = 0; data.size <= expected->len + 1; data.size++ )
{
if( ! generic_write_start_step( &data ) )
goto exit;
ret = ( *func )( &data.p, data.start, bitstring->x, bits );
if( ! generic_write_finish_step( &data, expected, ret ) )
goto exit;
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ if( ret >= 0 )
+ {
+ mbedtls_asn1_bitstring read = {0, 0, NULL};
+ TEST_EQUAL( mbedtls_asn1_get_bitstring( &data.p, data.end,
+ &read ), 0 );
+ ASSERT_COMPARE( read.p, read.len,
+ masked_bitstring, byte_length );
+ TEST_EQUAL( read.unused_bits, 8 * byte_length - value_bits );
+ }
+#endif /* MBEDTLS_ASN1_PARSE_C */
}
exit:
mbedtls_free( data.output );
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ mbedtls_free( masked_bitstring );
+#endif /* MBEDTLS_ASN1_PARSE_C */
}
/* END_CASE */
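Review bot: The expected value for the named-bit-string round trip is computed inside the test (mask the unused bits at L11481, strip trailing zero bytes at L11487, then count trailing zero bits at L11493), so the parse-back proves that writer and test agree, not that either is right; the expected hex in the `.data` file remains the only independent oracle. Since that logic is the new code here, please make sure the data file has the cases that hit its edges: an all-zero named input, where `byte_length` trims to 0 and the test expects `read.len == 0` with `unused_bits == 0`, and a named input whose `bits % 8 != 0` and whose last byte has set bits only in the masked region, so that the trimming runs after the masking rather than before. A comment on `value_bits` saying it is "the index of the highest set bit plus one, in bit-string order" would also help, because `8 * byte_length - value_bits` at L11514 is only obviously the unused-bits count once that is stated.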
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 2eb8c2d..4ea4d3b 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -890,3 +890,56 @@
ECP export key parameters #2 (invalid group)
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
ecp_export:MBEDTLS_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:1
+
+ECP check order for SECP192R1
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831"
+
+ECP check order for SECP224R1
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP224R1:"FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D"
+
+ECP check order for SECP256R1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP256R1:"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"
+
+ECP check order for SECP384R1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP384R1:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"
+
+ECP check order for SECP521R1
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP521R1:"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409"
+
+ECP check order for BP256R1
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_BP256R1:"A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7"
+
+ECP check order for BP384R1
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_BP384R1:"8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565"
+
+ECP check order for BP512R1
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_BP512R1:"AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069"
+
+ECP check order for CURVE25519
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_CURVE25519:"1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"
+
+ECP check order for SECP192K1
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP192K1:"fffffffffffffffffffffffe26f2fc170f69466a74defd8d"
+
+ECP check order for SECP224K1
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP224K1:"10000000000000000000000000001dce8d2ec6184caf0a971769fb1f7"
+
+ECP check order for SECP256K1
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_SECP256K1:"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"
+
+ECP check order for CURVE448
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_check_order:MBEDTLS_ECP_DP_CURVE448:"3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"
+
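Review bot: The new order vectors mix upper-case hex (NIST and Brainpool curves) with lower-case (Koblitz, Curve25519, Curve448); the suite reads either, but one case throughout would match the rest of the file, and the trailing `+` blank line adds an empty line at end of file. More importantly, since the point of `ecp_check_order` is to compare the library's `N` against an external reference, each block (or a comment above the group) should name where the value comes from (SEC 2 for the secp curves, RFC 5639 for Brainpool, RFC 7748 for Curve25519 and Curve448), otherwise a future reader cannot tell a vector copied from a standard apart from one copied out of `ecp_curves.c`.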
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index c3e6b05..1b77f1d 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -1063,3 +1063,27 @@
mbedtls_ecp_point_free( &export_Q );
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void ecp_check_order( int id, char * expected_order_hex )
+{
+ mbedtls_ecp_group grp;
+ mbedtls_mpi expected_n;
+
+ mbedtls_ecp_group_init( &grp );
+ mbedtls_mpi_init( &expected_n );
+
+ TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+ TEST_ASSERT( mbedtls_test_read_mpi( &expected_n, 16, expected_order_hex ) == 0);
+
+ // check sign bits are well-formed (i.e. 1 or -1) - see #5810
+ TEST_ASSERT( grp.N.s == -1 || grp.N.s == 1);
+ TEST_ASSERT( expected_n.s == -1 || expected_n.s == 1);
+
+ TEST_ASSERT( mbedtls_mpi_cmp_mpi( &grp.N, &expected_n ) == 0 );
+
+exit:
+ mbedtls_ecp_group_free( &grp );
+ mbedtls_mpi_free( &expected_n );
+}
+/* END_CASE */
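Review bot: `TEST_ASSERT( grp.N.s == -1 || grp.N.s == 1 );` is looser than it needs to be: a group order is always positive, so `TEST_EQUAL( grp.N.s, 1 );` pins down the exact state #5810 is about and gives a more specific failure than waiting for `mbedtls_mpi_cmp_mpi()` to disagree; the same check on `expected_n` only tests the test helper and can be dropped. Style nits for consistency with the rest of the suite: `// check sign bits ...` should be a `/* ... */` comment, and `== 0);` at L11605, L11608 and L11609 is missing the space before `)` that the surrounding code uses.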
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 02a11c8..056310a 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -67,12 +67,18 @@
Test mpi_read_write_string #9 (Empty MPI hex -> dec)
mpi_read_write_string:16:"":10:"0":4:0:0
+Test mpi_read_write_string #9 (Empty MPI hex -> base 2)
+mpi_read_write_string:16:"":2:"0":4:0:0
+
Test mpi_read_write_string #8 (Empty MPI dec -> hex)
mpi_read_write_string:10:"":16:"":4:0:0
Test mpi_read_write_string #9 (Empty MPI dec -> dec)
mpi_read_write_string:10:"":10:"0":4:0:0
+Test mpi_read_write_string #9 (Empty MPI dec -> base 2)
+mpi_read_write_string:16:"":2:"0":4:0:0
+
Test mpi_write_string #10 (Negative hex with odd number of digits)
mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
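Review bot: The case titled "Empty MPI dec -> base 2" at L11633 passes input radix `16`, so it is a verbatim copy of the "hex -> base 2" case at L11626 rather than the decimal variant its name promises; it should read `mpi_read_write_string:10:"":2:"0":4:0:0`. While touching these lines, the "#9" label is now used by four cases and "#8" by one in between; renumbering or dropping the numbers would make failures easier to locate.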
@@ -1216,9 +1222,15 @@
Test mbedtls_mpi_mod_int: 0 (null) % 1
mbedtls_mpi_mod_int:16:"":1:0:0
+Test mbedtls_mpi_mod_int: 0 (null) % 2
+mbedtls_mpi_mod_int:16:"":2:0:0
+
Test mbedtls_mpi_mod_int: 0 (null) % -1
mbedtls_mpi_mod_int:16:"":-1:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+Test mbedtls_mpi_mod_int: 0 (null) % -2
+mbedtls_mpi_mod_int:16:"":-2:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
Base test mbedtls_mpi_exp_mod #1
mbedtls_mpi_exp_mod:10:"23":10:"13":10:"29":10:"24":0
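Review bot: The `% 2` and `% -2` cases for a zero-limb MPI look like regression tests for a specific bug rather than a natural extension of the `% 1` / `% -1` pair, since an even divisor is the only reason to single out 2. A one-line comment in the data file explaining why 2 is interesting (which code path in `mbedtls_mpi_mod_int()` it reaches with an MPI that has no limbs) would keep the next person from "tidying" them away, and a `% 3` case would show whether the general path also copes with the null representation or whether only the small-divisor shortcuts do.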
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 7250753..1182c00 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -5135,6 +5135,281 @@
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_1
derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"":0:1:0
+# HKDF-Extract tests: out - output, k - secret provided as key, b - secret provided as bytes
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 32+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 22+10 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f":"9c3122ec844ad7c2b3e5":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 0+32 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 1+31 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"07":"7709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 31+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 1+30 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"07":"7709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #2, out 32+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #3, out 32+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #4, out 20+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #5, out 20+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"8adae09a2a307059478d309b26c4115a224cfaf6":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #6, out 20+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #7, out 20+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"2adccada18779e7c2077ad2eb19d3f3e731385dd":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, k derive key
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"":0:1:1
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 32+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 22+10 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f":"9c3122ec844ad7c2b3e5":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 0+32 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 1+31 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"07":"7709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 31+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3":"":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 1+30 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"07":"7709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #2, out 32+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244":"":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #3, out 32+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04":"":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #4, out 20+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":"":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #5, out 20+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"8adae09a2a307059478d309b26c4115a224cfaf6":"":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #6, out 20+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01":"":0:0:0
+
+PSA key derivation: HKDF-Extract SHA-1, RFC5869 #7, out 20+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"2adccada18779e7c2077ad2eb19d3f3e731385dd":"":0:0:0
+
+PSA key derivation: HKDF-Extract info before secret
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"":0:1:0
+
+PSA key derivation: HKDF-Extract info after secret
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:"":32:"":"":0:1:0
+
+PSA key derivation: HKDF-Extract input other secret
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"":0:1:0
+
+PSA key derivation: HKDF-Extract input label
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_LABEL:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"":0:1:0
+
+PSA key derivation: HKDF-Extract input password
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_PASSWORD:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"":0:1:0
+
+PSA key derivation: HKDF-Extract input seed
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"0123456789":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"":0:1:0
+
+PSA key derivation: HKDF-Extract input cost
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"0123456789":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, b derive key
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"":0:0:1
+
+PSA key derivation: HKDF-Extract SHA-256, RFC5869 #1, out 32+1 (over capacity)
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"00":0:1:0
+
+PSA key derivation: HKDF-Extract SHA-256, no salt
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ERROR_BAD_STATE:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":32:"":"":0:0:0
+
+# HKDF-Expand tests: out - output, k - secret provided as key, b - secret provided as bytes
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 42+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 32+10 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf":"34007208d5b887185865":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 0+42 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 1+41 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 41+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 1+40 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #2, out 82+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":82:"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #3, out 42+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #4, out 42+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #5, out 82+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"8adae09a2a307059478d309b26c4115a224cfaf6":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":82:"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #6, out 42+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #7, out 42+0 k
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"2adccada18779e7c2077ad2eb19d3f3e731385dd":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 42+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 32+10 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf":"34007208d5b887185865":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 0+42 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 1+41 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 41+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":"":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 1+40 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #2, out 82+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":82:"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87":"":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #3, out 42+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8":"":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #4, out 42+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896":"":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #5, out 82+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"8adae09a2a307059478d309b26c4115a224cfaf6":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":82:"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4":"":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #6, out 42+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918":"":0:0:0
+
+PSA key derivation: HKDF-Expand SHA-1, RFC5869 #7, out 42+0 b
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"2adccada18779e7c2077ad2eb19d3f3e731385dd":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"":0:0:0
+
+# HKDF-Expand tests: Invalid test cases
+PSA key derivation: HKDF-Expand input other secret
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"":0:1:0
+
+PSA key derivation: HKDF-Expand input salt
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"":0:1:0
+
+PSA key derivation: HKDF-Expand input label
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_LABEL:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"":0:1:0
+
+PSA key derivation: HKDF-Expand input password
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_PASSWORD:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"":0:1:0
+
+PSA key derivation: HKDF-Expand input seed
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"0123456789":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"":0:1:0
+
+PSA key derivation: HKDF-Expand input cost
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"0123456789":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-256, RFC5869 #1, out 42+1 (over capacity)
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"00":0:1:0
+
+PSA key derivation: HKDF-Expand Invalid secret length
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e500":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"":"":0:0:0
+
+PSA key derivation: HKDF-Expand, Info before secret
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"":0:0:0
+
# Test vectors taken from https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
PSA key derivation: TLS 1.2 PRF SHA-256, output 100+0
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
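Review bot: The negative cases are each run through only one input path: the HKDF-Extract rejections from `HKDF-Extract info before secret` down to `HKDF-Extract input cost` and all of the `HKDF-Expand input ...` cases use the key flag (`0:1:0`), while `HKDF-Extract SHA-256, no salt`, `HKDF-Expand Invalid secret length` and `HKDF-Expand, Info before secret` are bytes-only (`0:0:0`). Since the companion `.function` change handles the two paths in separate `switch( key_input_type )` branches, each invalid-input case should exist in both a `k` and a `b` variant, as the positive RFC 5869 cases already do. Related data nit: `HKDF-Expand, Info before secret` expects `PSA_ERROR_BAD_STATE` on its very first input yet still lists the full 42-byte RFC output; the test exits at the first non-success step, so that string is never compared and should be `""` like the other negative cases. Style: the Extract block has no `# ... Invalid test cases` header to match the one placed before `HKDF-Expand input other secret`, the title `HKDF-Expand, Info before secret` carries a comma the other titles do not, and the `# HKDF-Extract tests:` comment is glued to the preceding HKDF case with no blank line.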
@@ -5470,6 +5745,14 @@
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_1
derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_1):"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"":0:1:0
+PSA key derivation: HKDF-Expand SHA-256, request maximum capacity
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256):"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"":0:1:0
+
+PSA key derivation: HKDF-Expand SHA-1, request maximum capacity
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_output:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SECRET:"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_1):"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896":"":0:1:0
+
PSA key derivation: HKDF SHA-256, request too much capacity
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_set_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_256):255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT
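Review bot: Both `request maximum capacity` cases mirror the HKDF case directly above and, like it, read back only the 42-byte RFC 5869 vector, so they show that `255 * PSA_HASH_LENGTH(alg)` is accepted as a capacity but not that output can actually run to the 255th block; if the intent is to exercise the block counter reaching 255, a case reading the full capacity is needed (no published vector of that length exists, so it could only check that the calls succeed and the total length is right). Style: `PSA key derivation: HKDF-Expand SHA-256, request maximum capacity` is inserted with no blank line after the preceding `derive_output:` line, unlike every other case in the file.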
@@ -5478,6 +5761,22 @@
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_1
derive_set_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_1):255 * PSA_HASH_LENGTH(PSA_ALG_SHA_1) + 1:PSA_ERROR_INVALID_ARGUMENT
+PSA key derivation: HKDF-Extract SHA-256, request too much capacity
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_set_capacity:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: HKDF-Extract SHA-1, request too much capacity
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_1
+derive_set_capacity:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_1):PSA_HASH_LENGTH(PSA_ALG_SHA_1) + 1:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: HKDF-Expand SHA-256, request too much capacity
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_set_capacity:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: HKDF-Expand SHA-1, request too much capacity
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
+derive_set_capacity:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):255 * PSA_HASH_LENGTH(PSA_ALG_SHA_1) + 1:PSA_ERROR_INVALID_ARGUMENT
+
PSA key derivation: over capacity 42: output 42+1
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"ff":0:1:0
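Review bot: the boundary for HKDF-Extract is only pinned from the failing side here (PSA_HASH_LENGTH(alg) + 1 is rejected); there is no positive line checking that a capacity of exactly PSA_HASH_LENGTH(alg) is accepted for PSA_ALG_HKDF_EXTRACT, whereas HKDF-Expand gets both the "request maximum capacity" and the "request too much capacity" lines. Adding "PSA key derivation: HKDF-Extract SHA-256, request maximum capacity" with derive_set_capacity:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS (and the SHA-1 twin) would close that gap.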
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 0bfabb1..7d368cf 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -7005,9 +7005,13 @@
switch( key_input_type )
{
case 0: // input bytes
- PSA_ASSERT( psa_key_derivation_input_bytes(
+ TEST_EQUAL( psa_key_derivation_input_bytes(
&operation, steps[i],
- inputs[i]->x, inputs[i]->len ) );
+ inputs[i]->x, inputs[i]->len ),
+ statuses[i] );
+
+ if( statuses[i] != PSA_SUCCESS )
+ goto exit;
break;
case 1: // input key
psa_set_key_usage_flags( &attributes1, PSA_KEY_USAGE_DERIVE );
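Review bot: the new `if( statuses[i] != PSA_SUCCESS ) goto exit;` in case 0 means a data line whose input step is expected to fail ends the test at that step, so every later field on that line (requested capacity, expected outputs, the output-key status) is never checked. A one-line comment at the `if` saying so would stop readers from assuming those fields are still validated, and the data lines that use a non-success status should keep the trailing fields obviously inert. Please also confirm that the exit label aborts the operation (psa_key_derivation_abort), since this is now a routinely taken path rather than an assertion failure.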
@@ -7087,9 +7091,12 @@
goto exit;
break;
default:
- PSA_ASSERT( psa_key_derivation_input_bytes(
+ TEST_EQUAL( psa_key_derivation_input_bytes(
&operation, steps[i],
- inputs[i]->x, inputs[i]->len ) );
+ inputs[i]->x, inputs[i]->len ), statuses[i] );
+
+ if( statuses[i] != PSA_SUCCESS )
+ goto exit;
break;
}
}
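Review bot: this is the same TEST_EQUAL / goto exit pattern as in case 0 above; the only difference is that here the `statuses[i]` argument is placed on the same line as the closing parenthesis, while case 0 puts it on its own line. Either wrap both the same way, or let case 0 fall through to default so the status check exists once.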
@@ -7111,7 +7118,7 @@
psa_set_key_usage_flags( &attributes4, PSA_KEY_USAGE_EXPORT );
psa_set_key_algorithm( &attributes4, alg );
psa_set_key_type( &attributes4, PSA_KEY_TYPE_DERIVE );
- psa_set_key_bits( &attributes4, 48 );
+ psa_set_key_bits( &attributes4, PSA_BYTES_TO_BITS( requested_capacity ) );
TEST_EQUAL( psa_key_derivation_output_key( &attributes4, &operation,
&derived_key ), expected_status );
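Review bot: replacing the fixed 48 bits with PSA_BYTES_TO_BITS( requested_capacity ) changes what this call exercises: previously every data line derived a 6-byte key, now the derived key is as large as the whole requested capacity, which for the new maximum-capacity lines is 255 * hash length bytes. Two things to confirm and state in a comment: that the operation still has that much capacity left when this call is reached (the output_bytes steps earlier in the function consume from the same capacity, so a full-capacity key only works if the operation was set up again or the earlier steps requested nothing), and that a PSA_KEY_TYPE_DERIVE key of that size is within the implementation's maximum key size, otherwise expected_status will be hiding a size error rather than testing derivation.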
diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data
index 83763c5..bf5f04e 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.data
+++ b/tests/suites/test_suite_psa_crypto_metadata.data
@@ -270,6 +270,22 @@
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_384
key_derivation_algorithm:PSA_ALG_HKDF( PSA_ALG_SHA_384 ):ALG_IS_HKDF
+Key derivation: HKDF-Extract using SHA-256
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+key_derivation_algorithm:PSA_ALG_HKDF_EXTRACT( PSA_ALG_SHA_256 ):ALG_IS_HKDF_EXTRACT
+
+Key derivation: HKDF-Extract using SHA-384
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_384
+key_derivation_algorithm:PSA_ALG_HKDF_EXTRACT( PSA_ALG_SHA_384 ):ALG_IS_HKDF_EXTRACT
+
+Key derivation: HKDF-Expand using SHA-256
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+key_derivation_algorithm:PSA_ALG_HKDF_EXPAND( PSA_ALG_SHA_256 ):ALG_IS_HKDF_EXPAND
+
+Key derivation: HKDF-Expand using SHA-384
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_384
+key_derivation_algorithm:PSA_ALG_HKDF_EXPAND( PSA_ALG_SHA_384 ):ALG_IS_HKDF_EXPAND
+
Key derivation: TLS 1.2 PRF using SHA-256
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
key_derivation_algorithm:PSA_ALG_TLS12_PRF( PSA_ALG_SHA_256 ):ALG_IS_TLS12_PRF
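Review bot: the flag sets for the four new entries list only ALG_IS_HKDF_EXTRACT or ALG_IS_HKDF_EXPAND and deliberately omit ALG_IS_HKDF, so these lines also pin down that PSA_ALG_IS_HKDF() is false for the Extract and Expand variants. That is the intended API behaviour but it reads like an oversight next to the PSA_ALG_HKDF entries above; a short comment above the block ("Extract/Expand are not classified as plain HKDF") would make the intent explicit.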
diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function
index 092780c..643a92f 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.function
+++ b/tests/suites/test_suite_psa_crypto_metadata.function
@@ -37,14 +37,16 @@
#define ALG_IS_HASH_AND_SIGN ( 1u << 18 )
#define ALG_IS_RSA_OAEP ( 1u << 19 )
#define ALG_IS_HKDF ( 1u << 20 )
-#define ALG_IS_FFDH ( 1u << 21 )
-#define ALG_IS_ECDH ( 1u << 22 )
-#define ALG_IS_WILDCARD ( 1u << 23 )
-#define ALG_IS_RAW_KEY_AGREEMENT ( 1u << 24 )
-#define ALG_IS_AEAD_ON_BLOCK_CIPHER ( 1u << 25 )
-#define ALG_IS_TLS12_PRF ( 1u << 26 )
-#define ALG_IS_TLS12_PSK_TO_MS ( 1u << 27 )
-#define ALG_FLAG_MASK_PLUS_ONE ( 1u << 28 ) /* must be last! */
+#define ALG_IS_HKDF_EXTRACT ( 1u << 21 )
+#define ALG_IS_HKDF_EXPAND ( 1u << 22 )
+#define ALG_IS_FFDH ( 1u << 23 )
+#define ALG_IS_ECDH ( 1u << 24 )
+#define ALG_IS_WILDCARD ( 1u << 25 )
+#define ALG_IS_RAW_KEY_AGREEMENT ( 1u << 26 )
+#define ALG_IS_AEAD_ON_BLOCK_CIPHER ( 1u << 27 )
+#define ALG_IS_TLS12_PRF ( 1u << 28 )
+#define ALG_IS_TLS12_PSK_TO_MS ( 1u << 29 )
+#define ALG_FLAG_MASK_PLUS_ONE ( 1u << 30 ) /* must be last! */
/* Flags for key type classification macros. There is a flag for every
* key type classification macro PSA_KEY_TYPE_IS_xxx except for some that
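Review bot: inserting the two HKDF flags at bits 21 and 22 renumbers every flag after them, which is harmless because the values only live inside this test binary, but it does move ALG_FLAG_MASK_PLUS_ONE to 1u << 30, leaving a single spare bit before the mask no longer fits in a 32-bit unsigned. Worth a comment on the "must be last!" line noting the remaining headroom, or switching the flags to a wider type now while the list is being touched.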
@@ -140,6 +142,8 @@
TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HASH_AND_SIGN, alg, flags );
TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RSA_OAEP, alg, flags );
TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HKDF, alg, flags );
+ TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HKDF_EXTRACT, alg, flags );
+ TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HKDF_EXPAND, alg, flags );
TEST_CLASSIFICATION_MACRO( 1, ALG_IS_WILDCARD, alg, flags );
TEST_CLASSIFICATION_MACRO( 1, ALG_IS_ECDH, alg, flags );
TEST_CLASSIFICATION_MACRO( 1, ALG_IS_FFDH, alg, flags );
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.data b/tests/suites/test_suite_psa_crypto_persistent_key.data
index b250634..6d208e9 100644
--- a/tests/suites/test_suite_psa_crypto_persistent_key.data
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.data
@@ -1,3 +1,8 @@
+# Note that if you need to make a change that affects how keys are
+# stored, this may indicate that the key store is changing in a
+# backward-incompatible way! Think carefully about backward compatibility
+# before changing how test data is constructed or validated.
+
Format for storage: RSA private key
format_storage_data_check:"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":"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":PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ALG_CATEGORY_SIGN
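Review bot: this copy of the backward-compatibility note says "how keys are stored" while the identical notes added to the two .function files say "how files are stored"; pick one wording so the three copies stay greppable as one note. The advice itself is right for this file, since the format_storage_data_check lines below are exactly the fixtures that would change on a storage format break.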
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function
index bd9b9c9..08db34a 100644
--- a/tests/suites/test_suite_psa_crypto_persistent_key.function
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.function
@@ -5,6 +5,11 @@
* on the the storage format. On the other hand, these tests treat the storage
* subsystem as a black box, and in particular have no reliance on the
* internals of the ITS implementation.
+ *
+ * Note that if you need to make a change that affects how files are
+ * stored, this may indicate that the key store is changing in a
+ * backward-incompatible way! Think carefully about backward compatibility
+ * before changing how test data is constructed or validated.
*/
#include <stdint.h>
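Review bot: while this comment block is being edited, the context line just above the insertion reads "on the the storage format"; drop the duplicated "the".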
diff --git a/tests/suites/test_suite_psa_its.function b/tests/suites/test_suite_psa_its.function
index e16c050..12878b5 100644
--- a/tests/suites/test_suite_psa_its.function
+++ b/tests/suites/test_suite_psa_its.function
@@ -3,6 +3,11 @@
/* This test file is specific to the ITS implementation in PSA Crypto
* on top of stdio. It expects to know what the stdio name of a file is
* based on its keystore name.
+ *
+ * Note that if you need to make a change that affects how files are
+ * stored, this may indicate that the key store is changing in a
+ * backward-incompatible way! Think carefully about backward compatibility
+ * before changing how test data is constructed or validated.
*/
#include "../library/psa_crypto_its.h"
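Review bot: this is the third verbatim copy of the same five-line backward-compatibility warning (persistent_key.data, persistent_key.function and here). Keeping the full text in one place, for example the .data file that holds the fixtures, and a one-line pointer in the other two would avoid the copies drifting apart, as the keys/files wording already has.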
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 5192342..19a1ae6 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -246,7 +246,7 @@
handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2
Handshake, tls1_3
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2
handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3
Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
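Review bot: adding !MBEDTLS_SSL_PROTO_TLS1_2 to the dependency means "Handshake, tls1_3" is skipped in every build that enables both protocol versions, which is the common configuration, so the TLS 1.3 handshake_version case would only run in TLS 1.3-only builds. If the reason is that handshake_version negotiates TLS 1.2 when both are enabled, that belongs in a comment here, and a separate case expecting the actually negotiated version in dual-version builds would keep coverage.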
@@ -317,6 +317,146 @@
depends_on:MBEDTLS_SSL_PROTO_TLS1_2
handshake_version:0:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_TLS1_2
+Handshake, select RSA-WITH-AES-256-CBC-SHA256, non-opaque
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+
+Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:0:MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+
+Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque, bad alg
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque, bad usage
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, non-opaque
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+
+Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:0:MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+
+Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, bad alg
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, bad usage
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, no psk
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+
+Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+
+Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+
+Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+
+Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+
+Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+
+Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+
+Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+
+Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+
+Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+
+Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+
+Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+
+Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+
+Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+
+Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
+Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage
+depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
+
Sending app data via TLS, MFL=512 without fragmentation
depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_512:400:512:1:1
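Review bot: the six "select DHE-RSA-WITH-AES-256-GCM-SHA384" lines depend on MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED, but the ciphersuite under test is finite-field DHE, so the guard should be MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED (with MBEDTLS_DHM_C), otherwise the cases run in builds where the suite is unavailable and are skipped in builds where it is; this looks like a copy of the ECDHE-RSA block's depends_on. Separately, the "bad alg" variants for the signing suites use PSA_ALG_RSA_PKCS1V15_CRYPT or PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH) while "invalid alg" uses a PKCS#1 v1.5 signature with the wrong hash; a short comment distinguishing "wrong algorithm family" from "right family, wrong hash" would make the naming easier to follow.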
@@ -2792,83 +2932,6 @@
depends_on:PSA_WANT_ALG_SHA_256
ssl_tls13_key_evolution:PSA_ALG_SHA_256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d"
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #1 Extract
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_extract:PSA_ALG_SHA_256:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #2 Extract
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_extract:PSA_ALG_SHA_256:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #3 Extract
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_extract:PSA_ALG_SHA_256:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #4 Extract
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_extract:PSA_ALG_SHA_1:"0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #5 Extract
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_extract:PSA_ALG_SHA_1:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"8adae09a2a307059478d309b26c4115a224cfaf6"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #6 Extract
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_extract:PSA_ALG_SHA_1:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #7 Extract
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_extract:PSA_ALG_SHA_1:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"2adccada18779e7c2077ad2eb19d3f3e731385dd"
-
-SSL TLS 1.3 Key schedule: HKDF extract fails with wrong hash alg
-psa_hkdf_extract_ret:0:PSA_ERROR_INVALID_ARGUMENT
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #1 Expand
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_expand:PSA_ALG_SHA_256:"f0f1f2f3f4f5f6f7f8f9":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #2 Expand
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_expand:PSA_ALG_SHA_256:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244":"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #3 Expand
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_expand:PSA_ALG_SHA_256:"":"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04":"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #4 Expand
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_expand:PSA_ALG_SHA_1:"f0f1f2f3f4f5f6f7f8f9":"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #5 Expand
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_expand:PSA_ALG_SHA_1:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"8adae09a2a307059478d309b26c4115a224cfaf6":"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #6 Expand
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_expand:PSA_ALG_SHA_1:"":"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01":"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918"
-
-SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #7 Expand
-depends_on:PSA_WANT_ALG_SHA_1
-psa_hkdf_expand:PSA_ALG_SHA_1:"":"2adccada18779e7c2077ad2eb19d3f3e731385dd":"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48"
-
-SSL TLS 1.3 Key schedule: HKDF expand fails with NULL okm
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_expand_ret:PSA_ALG_SHA_256:32:0:PSA_ERROR_INVALID_ARGUMENT
-
-SSL TLS 1.3 Key schedule: HKDF expand fails with invalid alg
-psa_hkdf_expand_ret:0:32:32:PSA_ERROR_INVALID_ARGUMENT
-
-SSL TLS 1.3 Key schedule: HKDF expand fails with prk_len < hash_len
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_expand_ret:PSA_ALG_SHA_256:16:32:PSA_ERROR_INVALID_ARGUMENT
-
-SSL TLS 1.3 Key schedule: HKDF expand fails with okm_len / hash_len > 255
-psa_hkdf_expand_ret:PSA_ALG_SHA_256:32:8192:PSA_ERROR_INVALID_ARGUMENT
-
-SSL TLS 1.3 Key schedule: HKDF expand fails with key import
-depends_on:PSA_WANT_ALG_SHA_256
-psa_hkdf_expand_ret:PSA_ALG_SHA_256:32:32:PSA_ERROR_INSUFFICIENT_MEMORY
-
SSL TLS 1.3 Key schedule: HKDF Expand Label #1
# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/)
# Server handshake traffic secret -> Server traffic key
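Review bot: removing the psa_hkdf_extract / psa_hkdf_expand cases drops several error-path checks along with the RFC 5869 vectors: HKDF extract with a wrong hash algorithm, expand with a NULL okm buffer, expand with prk_len < hash_len, and expand failing on key import. The okm_len / hash_len > 255 case is covered by the new "request too much capacity" lines in test_suite_psa_crypto.data, and test vectors 1 and 4 reappear as the HKDF-Expand maximum-capacity lines there, but the prk_len < hash_len and wrong-hash cases have no visible equivalent; either add PSA_ALG_HKDF_EXPAND / PSA_ALG_HKDF_EXTRACT lines for them or state in the commit message why they are no longer reachable.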
@@ -3363,3 +3426,27 @@
Raw key agreement: bad server key
raw_key_agreement_fail:1
+
+Force a bad session id length
+force_bad_session_id_len
+
+Cookie parsing: nominal run
+cookie_parsing:"16fefd0000000000000000002F010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d00200000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_SSL_INTERNAL_ERROR
+
+Cookie parsing: cookie_len overflow
+cookie_parsing:"16fefd000000000000000000ea010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727db97b7373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737db963":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: non-zero fragment offset
+cookie_parsing:"16fefd00000000000000000032010000de000072000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d01730143":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: sid_len overflow
+cookie_parsing:"16fefd00000000000000000032010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727dFF730143":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: record too short
+cookie_parsing:"16fefd0000000000000000002f010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727dFF":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+Cookie parsing: one byte overread
+cookie_parsing:"16fefd0000000000000000002F010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d0001":MBEDTLS_ERR_SSL_DECODE_ERROR
+
+TLS 1.3 srv Certificate msg - wrong vector lengths
+tls13_server_certificate_msg_invalid_vector_len
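Review bot: the "Cookie parsing: nominal run" entry expects MBEDTLS_ERR_SSL_INTERNAL_ERROR, which is surprising for a case labelled nominal. Since the `cookie_parsing` test function never calls `mbedtls_ssl_conf_dtls_cookies`, a well-formed record presumably gets through the parsing and only fails at the missing cookie callbacks. Either rename the case (for example "well-formed record, no cookie callbacks") or add a comment line explaining why INTERNAL_ERROR is the expected outcome, so that a later change in the callback handling is not mistaken for a parsing regression.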
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 8d683ad..9a031b6 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -9,6 +9,10 @@
#include <ssl_tls13_invasive.h>
#include "test/certs.h"
+#if defined(MBEDTLS_SSL_CACHE_C)
+#include "mbedtls/ssl_cache.h"
+#endif
+
#include <psa/crypto.h>
#include <constant_time_internal.h>
@@ -60,7 +64,12 @@
mbedtls_ssl_protocol_version server_min_version;
mbedtls_ssl_protocol_version server_max_version;
mbedtls_ssl_protocol_version expected_negotiated_version;
+ int expected_handshake_result;
+ int expected_ciphersuite;
int pk_alg;
+ int opaque_alg;
+ int opaque_alg2;
+ int opaque_usage;
data_t *psk_str;
int dtls;
int srv_auth_mode;
@@ -77,34 +86,76 @@
void (*srv_log_fun)(void *, int, const char *, int, const char *);
void (*cli_log_fun)(void *, int, const char *, int, const char *);
int resize_buffers;
+#if defined(MBEDTLS_SSL_CACHE_C)
+ mbedtls_ssl_cache_context *cache;
+#endif
} handshake_test_options;
void init_handshake_options( handshake_test_options *opts )
{
- opts->cipher = "";
- opts->client_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
- opts->client_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
- opts->server_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
- opts->server_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
- opts->expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
- opts->pk_alg = MBEDTLS_PK_RSA;
- opts->psk_str = NULL;
- opts->dtls = 0;
- opts->srv_auth_mode = MBEDTLS_SSL_VERIFY_NONE;
- opts->serialize = 0;
- opts->mfl = MBEDTLS_SSL_MAX_FRAG_LEN_NONE;
- opts->cli_msg_len = 100;
- opts->srv_msg_len = 100;
- opts->expected_cli_fragments = 1;
- opts->expected_srv_fragments = 1;
- opts->renegotiate = 0;
- opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
- opts->srv_log_obj = NULL;
- opts->srv_log_obj = NULL;
- opts->srv_log_fun = NULL;
- opts->cli_log_fun = NULL;
- opts->resize_buffers = 1;
+ opts->cipher = "";
+ opts->client_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
+ opts->client_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
+ opts->server_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
+ opts->server_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
+ opts->expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ opts->expected_handshake_result = 0;
+ opts->expected_ciphersuite = 0;
+ opts->pk_alg = MBEDTLS_PK_RSA;
+ opts->opaque_alg = 0;
+ opts->opaque_alg2 = 0;
+ opts->opaque_usage = 0;
+ opts->psk_str = NULL;
+ opts->dtls = 0;
+ opts->srv_auth_mode = MBEDTLS_SSL_VERIFY_NONE;
+ opts->serialize = 0;
+ opts->mfl = MBEDTLS_SSL_MAX_FRAG_LEN_NONE;
+ opts->cli_msg_len = 100;
+ opts->srv_msg_len = 100;
+ opts->expected_cli_fragments = 1;
+ opts->expected_srv_fragments = 1;
+ opts->renegotiate = 0;
+ opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
+ opts->srv_log_obj = NULL;
+ opts->srv_log_obj = NULL;
+ opts->srv_log_fun = NULL;
+ opts->cli_log_fun = NULL;
+ opts->resize_buffers = 1;
+#if defined(MBEDTLS_SSL_CACHE_C)
+ opts->cache = NULL;
+ ASSERT_ALLOC( opts->cache, sizeof( mbedtls_ssl_cache_context ) );
+ mbedtls_ssl_cache_init( opts->cache );
+exit:
+ return;
+#endif
}
+
+void free_handshake_options( handshake_test_options *opts )
+{
+#if defined(MBEDTLS_SSL_CACHE_C)
+ mbedtls_ssl_cache_free( opts->cache );
+ mbedtls_free( opts->cache );
+#else
+ (void) opts;
+#endif
+}
+
+#if defined(MBEDTLS_TEST_HOOKS)
+static void set_chk_buf_ptr_args(
+ mbedtls_ssl_chk_buf_ptr_args *args,
+ unsigned char *cur, unsigned char *end, size_t need )
+{
+ args->cur = cur;
+ args->end = end;
+ args->need = need;
+}
+
+static void reset_chk_buf_ptr_args( mbedtls_ssl_chk_buf_ptr_args *args )
+{
+ memset( args, 0, sizeof( *args ) );
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
/*
* Buffer structure for custom I/O callbacks.
*/
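Review bot: every caller of `init_handshake_options` must now be paired with `free_handshake_options`, because under MBEDTLS_SSL_CACHE_C the initialiser allocates a cache context (`ASSERT_ALLOC( opts->cache, sizeof( mbedtls_ssl_cache_context ) )`); any test case that did not get the new `exit: free_handshake_options( &options );` tail leaks that allocation. Separately, `opts->srv_log_obj = NULL;` appears twice in a row (the removed block had the same duplication); the second assignment is presumably meant for the client log object that goes with `cli_log_fun`, so this reindent is a good moment to fix it. The `exit:` label living inside the `#if defined(MBEDTLS_SSL_CACHE_C)` block is correct as long as ASSERT_ALLOC is the only `goto exit` in the function; a one-line comment saying so would stop someone from adding an assertion outside the `#if`.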
@@ -759,11 +810,16 @@
*
* \retval 0 on success, otherwise error code.
*/
-int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg )
+int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg,
+ int opaque_alg, int opaque_alg2,
+ int opaque_usage )
{
int i = 0;
int ret = -1;
mbedtls_endpoint_certificate *cert;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT;
+#endif
if( ep == NULL )
{
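Review bot: the three new parameters `opaque_alg`, `opaque_alg2` and `opaque_usage` of `mbedtls_endpoint_certificate_init` are not described in the doc comment, which in the hunk still ends at `\retval 0 on success` with no `\param` entries for them. Please add them, stating in particular that `opaque_alg == 0` means "do not wrap the key as an opaque PSA key", which is how the body treats it.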
@@ -846,6 +902,19 @@
}
}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( opaque_alg != 0 )
+ {
+ TEST_EQUAL( mbedtls_pk_wrap_as_opaque( &( cert->pkey ), &key_slot,
+ opaque_alg, opaque_usage,
+ opaque_alg2 ), 0 );
+ }
+#else
+ (void) opaque_alg;
+ (void) opaque_alg2;
+ (void) opaque_usage;
+#endif
+
mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL );
ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ),
@@ -866,6 +935,10 @@
{
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( opaque_alg != 0 )
+ psa_destroy_key( key_slot );
+#endif
mbedtls_pk_free( &( cert->pkey ) );
}
@@ -886,8 +959,8 @@
*
* \retval 0 on success, otherwise error code.
*/
-
-int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type, int pk_alg,
+int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type,
+ handshake_test_options *options,
mbedtls_test_message_socket_context *dtls_context,
mbedtls_test_message_queue *input_queue,
mbedtls_test_message_queue *output_queue,
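Review bot: the doc comment for `mbedtls_endpoint_init` needs updating for the `options` parameter that replaces `pk_alg`; the hunk leaves the comment block untouched, and the function now reads several fields from it (`pk_alg`, `opaque_alg`, `opaque_alg2`, `opaque_usage`, `cache`), which the `\param` description should list so callers know which fields matter at endpoint creation.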
@@ -969,6 +1042,15 @@
mbedtls_ssl_conf_authmode( &( ep->conf ), MBEDTLS_SSL_VERIFY_REQUIRED );
+#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SRV_C)
+ if( endpoint_type == MBEDTLS_SSL_IS_SERVER && options->cache != NULL )
+ {
+ mbedtls_ssl_conf_session_cache( &( ep->conf ), options->cache,
+ mbedtls_ssl_cache_get,
+ mbedtls_ssl_cache_set );
+ }
+#endif
+
ret = mbedtls_ssl_setup( &( ep->ssl ), &( ep->conf ) );
TEST_ASSERT( ret == 0 );
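Review bot: this silently changes every existing server-side handshake test under MBEDTLS_SSL_CACHE_C. `init_handshake_options` always allocates a cache, so `options->cache != NULL` holds for any endpoint built from default options and a session cache is now configured where there was none before. If that is intended, it deserves a sentence in the PR description; if not, default `opts->cache` to NULL and let only the test that needs a cache (`force_bad_session_id_len`) allocate one.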
@@ -977,7 +1059,10 @@
mbedtls_ssl_conf_dtls_cookies( &( ep->conf ), NULL, NULL, NULL );
#endif
- ret = mbedtls_endpoint_certificate_init( ep, pk_alg );
+ ret = mbedtls_endpoint_certificate_init( ep, options->pk_alg,
+ options->opaque_alg,
+ options->opaque_alg2,
+ options->opaque_usage );
TEST_ASSERT( ret == 0 );
TEST_EQUAL( mbedtls_ssl_conf_get_user_data_n( &ep->conf ), user_data_n );
@@ -997,6 +1082,14 @@
mbedtls_endpoint_certificate *cert = &( ep->cert );
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( mbedtls_pk_get_type( &( cert->pkey ) ) == MBEDTLS_PK_OPAQUE )
+ {
+ mbedtls_svc_key_id_t *key_slot = cert->pkey.pk_ctx;
+
+ psa_destroy_key( *key_slot );
+ }
+#endif
mbedtls_pk_free( &( cert->pkey ) );
}
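Review bot: `mbedtls_svc_key_id_t *key_slot = cert->pkey.pk_ctx;` assumes the opaque PK context holds nothing but the key id. That matches how the opaque wrapper allocates its context today, but it is an internal layout, not part of the pk API; a short comment stating the assumption, or destroying the key via the `key_slot` returned by `mbedtls_pk_wrap_as_opaque` stored in the endpoint structure instead, would keep this from breaking silently if the opaque context ever grows.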
@@ -1910,7 +2003,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
-void perform_handshake( handshake_test_options* options )
+void perform_handshake( handshake_test_options *options )
{
/* forced_ciphersuite needs to last until the end of the handshake */
int forced_ciphersuite[2];
@@ -1929,7 +2022,7 @@
#if defined(MBEDTLS_SSL_RENEGOTIATION)
int ret = -1;
#endif
- int expected_handshake_result = 0;
+ int expected_handshake_result = options->expected_handshake_result;
USE_PSA_INIT( );
@@ -1942,7 +2035,7 @@
if( options->dtls != 0 )
{
TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
- options->pk_alg, &client_context,
+ options, &client_context,
&client_queue,
&server_queue, NULL ) == 0 );
#if defined(MBEDTLS_TIMING_C)
@@ -1954,7 +2047,7 @@
else
{
TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
- options->pk_alg, NULL, NULL,
+ options, NULL, NULL,
NULL, NULL ) == 0 );
}
@@ -1988,7 +2081,7 @@
if( options->dtls != 0 )
{
TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
- options->pk_alg, &server_context,
+ options, &server_context,
&server_queue,
&client_queue, NULL ) == 0 );
#if defined(MBEDTLS_TIMING_C)
@@ -2000,8 +2093,8 @@
else
{
TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
- options->pk_alg, NULL, NULL,
- NULL, NULL ) == 0 );
+ options, NULL, NULL, NULL,
+ NULL ) == 0 );
}
mbedtls_ssl_conf_authmode( &server.conf, options->srv_auth_mode );
@@ -2101,17 +2194,11 @@
TEST_ASSERT( mbedtls_ssl_is_handshake_over( &client.ssl ) == 1 );
/* Make sure server state is moved to HANDSHAKE_OVER also. */
- TEST_ASSERT( mbedtls_move_handshake_to_state( &(server.ssl),
- &(client.ssl),
- MBEDTLS_SSL_HANDSHAKE_OVER )
- == expected_handshake_result );
- if( expected_handshake_result != 0 )
- {
- goto exit;
- }
+ TEST_EQUAL( mbedtls_move_handshake_to_state( &(server.ssl),
+ &(client.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER ), 0 );
TEST_ASSERT( mbedtls_ssl_is_handshake_over( &server.ssl ) == 1 );
-
/* Check that both sides have negotiated the expected version. */
mbedtls_test_set_step( 0 );
if( ! check_ssl_version( options->expected_negotiated_version,
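Review bot: with the `goto exit` on a non-zero `expected_handshake_result` removed here, the server-side move to MBEDTLS_SSL_HANDSHAKE_OVER is now unconditionally required to return 0. Nothing in this hunk skips that check when a failing handshake is expected, so the earlier point where `expected_handshake_result` is consumed (not shown) must leave the function before reaching this line; please confirm that path, otherwise the new `handshake_ciphersuite_select` cases that expect a failure will trip this `TEST_EQUAL`.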
@@ -2123,6 +2210,12 @@
&server.ssl ) )
goto exit;
+ if( options->expected_ciphersuite != 0 )
+ {
+ TEST_EQUAL( server.ssl.session->ciphersuite,
+ options->expected_ciphersuite );
+ }
+
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
@@ -2307,6 +2400,119 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_TEST_HOOKS)
+/*
+ * Tweak vector lengths in a TLS 1.3 Certificate message
+ *
+ * \param[in] buf Buffer containing the Certificate message to tweak
+ * \param[in]]out] end End of the buffer to parse
+ * \param tweak Tweak identifier (from 1 to the number of tweaks).
+ * \param[out] expected_result Error code expected from the parsing function
+ * \param[out] args Arguments of the MBEDTLS_SSL_CHK_BUF_READ_PTR call that
+ * is expected to fail. All zeroes if no
+ * MBEDTLS_SSL_CHK_BUF_READ_PTR failure is expected.
+ */
+int tweak_tls13_certificate_msg_vector_len(
+ unsigned char *buf, unsigned char **end, int tweak,
+ int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args )
+{
+/*
+ * The definition of the tweaks assume that the certificate list contains only
+ * one certificate.
+ */
+
+/*
+ * struct {
+ * opaque cert_data<1..2^24-1>;
+ * Extension extensions<0..2^16-1>;
+ * } CertificateEntry;
+ *
+ * struct {
+ * opaque certificate_request_context<0..2^8-1>;
+ * CertificateEntry certificate_list<0..2^24-1>;
+ * } Certificate;
+ */
+ unsigned char *p_certificate_request_context_len = buf;
+ size_t certificate_request_context_len = buf[0];
+
+ unsigned char *p_certificate_list_len = buf + 1 + certificate_request_context_len;
+ unsigned char *certificate_list = p_certificate_list_len + 3;
+ size_t certificate_list_len = MBEDTLS_GET_UINT24_BE( p_certificate_list_len, 0 );
+
+ unsigned char *p_cert_data_len = certificate_list;
+ unsigned char *cert_data = p_cert_data_len + 3;
+ size_t cert_data_len = MBEDTLS_GET_UINT24_BE( p_cert_data_len, 0 );
+
+ unsigned char *p_extensions_len = cert_data + cert_data_len;
+ unsigned char *extensions = p_extensions_len + 2;
+ size_t extensions_len = MBEDTLS_GET_UINT16_BE( p_extensions_len, 0 );
+
+ *expected_result = MBEDTLS_ERR_SSL_DECODE_ERROR;
+
+ switch( tweak )
+ {
+ case 1:
+ /* Failure when checking if the certificate request context length and
+ * certificate list length can be read
+ */
+ *end = buf + 3;
+ set_chk_buf_ptr_args( args, buf, *end, 4 );
+ break;
+
+ case 2:
+ /* Invalid certificate request context length.
+ */
+ *p_certificate_request_context_len =
+ certificate_request_context_len + 1;
+ reset_chk_buf_ptr_args( args );
+ break;
+
+ case 3:
+ /* Failure when checking if certificate_list data can be read. */
+ MBEDTLS_PUT_UINT24_BE( certificate_list_len + 1,
+ p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, certificate_list, *end,
+ certificate_list_len + 1 );
+ break;
+
+ case 4:
+ /* Failure when checking if the cert_data length can be read. */
+ MBEDTLS_PUT_UINT24_BE( 2, p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, p_cert_data_len, certificate_list + 2, 3 );
+ break;
+
+ case 5:
+ /* Failure when checking if cert_data data can be read. */
+ MBEDTLS_PUT_UINT24_BE( certificate_list_len - 3 + 1,
+ p_cert_data_len, 0 );
+ set_chk_buf_ptr_args( args, cert_data,
+ certificate_list + certificate_list_len,
+ certificate_list_len - 3 + 1 );
+ break;
+
+ case 6:
+ /* Failure when checking if the extensions length can be read. */
+ MBEDTLS_PUT_UINT24_BE( certificate_list_len - extensions_len - 1,
+ p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, p_extensions_len,
+ certificate_list + certificate_list_len - extensions_len - 1, 2 );
+ break;
+
+ case 7:
+ /* Failure when checking if extensions data can be read. */
+ MBEDTLS_PUT_UINT16_BE( extensions_len + 1, p_extensions_len, 0 );
+
+ set_chk_buf_ptr_args( args, extensions,
+ certificate_list + certificate_list_len, extensions_len + 1 );
+ break;
+
+ default:
+ return( -1 );
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_TEST_HOOKS */
/* END_HEADER */
/* BEGIN_DEPENDENCIES
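Review bot: `\param[in]]out] end` in the doc comment of `tweak_tls13_certificate_msg_vector_len` is malformed and should be `\param[in,out] end`; also "The definition of the tweaks assume" should read "assumes". On the logic: the length fields are read from `buf` (`buf[0]`, the two 24-bit lengths, the 16-bit extensions length) without being checked against `*end`. That is fine for a message the test just produced itself, but a one-line comment saying the input is trusted and well-formed would save the next reader from looking for the missing bounds check.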
@@ -3964,157 +4170,6 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
-void psa_hkdf_extract( int alg,
- data_t *ikm,
- data_t *salt,
- data_t *prk )
-{
- unsigned char *output_prk = NULL;
- size_t output_prk_size, output_prk_len;
-
- PSA_INIT( );
-
- output_prk_size = PSA_HASH_LENGTH( alg );
- ASSERT_ALLOC( output_prk, output_prk_size );
-
- PSA_ASSERT( mbedtls_psa_hkdf_extract( alg, salt->x, salt->len,
- ikm->x, ikm->len,
- output_prk, output_prk_size,
- &output_prk_len ) );
-
- ASSERT_COMPARE( output_prk, output_prk_len, prk->x, prk->len );
-
-exit:
- mbedtls_free( output_prk );
-
- PSA_DONE( );
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
-void psa_hkdf_extract_ret( int alg, int ret )
-{
- int output_ret;
- unsigned char *salt = NULL;
- unsigned char *ikm = NULL;
- unsigned char *prk = NULL;
- size_t salt_len, ikm_len, prk_len;
-
- PSA_INIT( );
-
- ASSERT_ALLOC( prk, PSA_MAC_MAX_SIZE);
- salt_len = 0;
- ikm_len = 0;
- prk_len = 0;
-
- output_ret = mbedtls_psa_hkdf_extract( alg, salt, salt_len,
- ikm, ikm_len,
- prk, PSA_MAC_MAX_SIZE, &prk_len );
- TEST_ASSERT( output_ret == ret );
- TEST_ASSERT( prk_len == 0 );
-
-exit:
- mbedtls_free( prk );
-
- PSA_DONE( );
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
-void psa_hkdf_expand( int alg,
- data_t *info,
- data_t *prk,
- data_t *okm )
-{
- enum { OKM_LEN = 1024 };
- unsigned char *output_okm = NULL;
-
- PSA_INIT( );
-
- ASSERT_ALLOC( output_okm, OKM_LEN );
- TEST_ASSERT( prk->len == PSA_HASH_LENGTH( alg ) );
- TEST_ASSERT( okm->len < OKM_LEN );
-
- PSA_ASSERT( mbedtls_psa_hkdf_expand( alg, prk->x, prk->len,
- info->x, info->len,
- output_okm, OKM_LEN ) );
-
- ASSERT_COMPARE( output_okm, okm->len, okm->x, okm->len );
-
-exit:
- mbedtls_free( output_okm );
-
- PSA_DONE( );
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
-void psa_hkdf_expand_ret( int alg, int prk_len, int okm_len, int ret )
-{
- int output_ret;
- unsigned char *info = NULL;
- unsigned char *prk = NULL;
- unsigned char *okm = NULL;
- size_t info_len;
- size_t i;
- mbedtls_svc_key_id_t *keys = NULL;
-
- PSA_INIT( );
-
- info_len = 0;
-
- if( prk_len > 0 )
- ASSERT_ALLOC( prk, prk_len );
-
- if( okm_len > 0 )
- ASSERT_ALLOC( okm, okm_len );
-
- if( ret == PSA_ERROR_INSUFFICIENT_MEMORY )
- {
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-
- /* Reserve all key slot to make the key import fail. */
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
- psa_set_key_algorithm( &attributes, alg );
- psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
-
- ASSERT_ALLOC( keys, MBEDTLS_PSA_KEY_SLOT_COUNT );
-
- for( i = 0; i < MBEDTLS_PSA_KEY_SLOT_COUNT; i++ )
- {
- /* Do not use the 0 value because it will be passed to
- mbedtls_psa_hkdf_expand */
- prk[0] = i + 1;
- keys[i] = MBEDTLS_SVC_KEY_ID_INIT;
- psa_import_key( &attributes, prk, prk_len, &keys[i] );
- }
-
- /* reset prk buffer */
- prk[0] = 0;
- }
-
- output_ret = mbedtls_psa_hkdf_expand( alg, prk, prk_len,
- info, info_len,
- okm, okm_len );
- TEST_ASSERT( output_ret == ret );
-
-exit:
- mbedtls_free( prk );
- mbedtls_free( okm );
-
- if( ret == PSA_ERROR_INSUFFICIENT_MEMORY )
- {
- for( i = 0; i < MBEDTLS_PSA_KEY_SLOT_COUNT; i++ )
- psa_destroy_key( keys[i] );
-
- mbedtls_free( keys );
- }
-
- PSA_DONE( );
-}
-/* END_CASE */
-
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_hkdf_expand_label( int hash_alg,
data_t *secret,
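Review bot: removing `psa_hkdf_extract`, `psa_hkdf_extract_ret`, `psa_hkdf_expand` and `psa_hkdf_expand_ret` together with their .data entries (deleted in the test_suite_ssl.data hunk above) leaves `mbedtls_psa_hkdf_extract` / `mbedtls_psa_hkdf_expand` without direct unit tests in this suite, including the error-path cases those entries covered (invalid hash algorithm, prk_len < hash_len, okm_len / hash_len > 255, key import failure). Unless the functions themselves go away in the same change, please point in the PR description to where that coverage now lives, or keep at least the `_ret` cases.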
@@ -4864,20 +4919,24 @@
enum { BUFFSIZE = 1024 };
mbedtls_endpoint ep;
int ret = -1;
+ handshake_test_options options;
+ init_handshake_options( &options );
+ options.pk_alg = MBEDTLS_PK_RSA;
- ret = mbedtls_endpoint_init( NULL, endpoint_type, MBEDTLS_PK_RSA,
+ ret = mbedtls_endpoint_init( NULL, endpoint_type, &options,
NULL, NULL, NULL, NULL );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
- ret = mbedtls_endpoint_certificate_init( NULL, MBEDTLS_PK_RSA );
+ ret = mbedtls_endpoint_certificate_init( NULL, options.pk_alg, 0, 0, 0 );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
- ret = mbedtls_endpoint_init( &ep, endpoint_type, MBEDTLS_PK_RSA,
+ ret = mbedtls_endpoint_init( &ep, endpoint_type, &options,
NULL, NULL, NULL, NULL );
TEST_ASSERT( ret == 0 );
exit:
mbedtls_endpoint_free( &ep, NULL );
+ free_handshake_options( &options );
}
/* END_CASE */
@@ -4887,17 +4946,21 @@
enum { BUFFSIZE = 1024 };
mbedtls_endpoint base_ep, second_ep;
int ret = -1;
+ handshake_test_options options;
+ init_handshake_options( &options );
+ options.pk_alg = MBEDTLS_PK_RSA;
USE_PSA_INIT( );
- ret = mbedtls_endpoint_init( &base_ep, endpoint_type, MBEDTLS_PK_RSA,
+ ret = mbedtls_endpoint_init( &base_ep, endpoint_type, &options,
NULL, NULL, NULL, NULL );
TEST_ASSERT( ret == 0 );
ret = mbedtls_endpoint_init( &second_ep,
( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ?
MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
- MBEDTLS_PK_RSA, NULL, NULL, NULL, NULL );
+ &options, NULL, NULL, NULL, NULL );
+
TEST_ASSERT( ret == 0 );
ret = mbedtls_mock_socket_connect( &(base_ep.socket),
@@ -4924,6 +4987,7 @@
}
exit:
+ free_handshake_options( &options );
mbedtls_endpoint_free( &base_ep, NULL );
mbedtls_endpoint_free( &second_ep, NULL );
USE_PSA_DONE( );
@@ -4949,6 +5013,9 @@
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
+
+exit:
+ free_handshake_options( &options );
}
/* END_CASE */
@@ -4967,6 +5034,9 @@
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
+
+exit:
+ free_handshake_options( &options );
}
/* END_CASE */
@@ -4980,7 +5050,34 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+void handshake_ciphersuite_select( char* cipher, int pk_alg, data_t *psk_str,
+ int psa_alg, int psa_alg2, int psa_usage,
+ int expected_handshake_result,
+ int expected_ciphersuite )
+{
+ handshake_test_options options;
+ init_handshake_options( &options );
+
+ options.cipher = cipher;
+ options.psk_str = psk_str;
+ options.pk_alg = pk_alg;
+ options.opaque_alg = psa_alg;
+ options.opaque_alg2 = psa_alg2;
+ options.opaque_usage = psa_usage;
+ options.expected_handshake_result = expected_handshake_result;
+ options.expected_ciphersuite = expected_ciphersuite;
+ perform_handshake( &options );
+
+ /* The goto below is used to avoid an "unused label" warning.*/
+ goto exit;
+
+exit:
+ free_handshake_options( &options );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments, int dtls )
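Review bot: `char* cipher` in the new `handshake_ciphersuite_select` signature uses the pointer style that this same PR corrects in `perform_handshake( handshake_test_options *options )`; make it `char *cipher`. Dropping `MBEDTLS_RSA_C` and `MBEDTLS_ECP_DP_SECP384R1_ENABLED` from the `depends_on` line is right now that `pk_alg` is a parameter, but it means every .data entry for this case has to carry the key-type and curve dependency itself; worth a pass over the .data additions to confirm.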
@@ -4994,14 +5091,21 @@
options.expected_cli_fragments = expected_cli_fragments;
options.expected_srv_fragments = expected_srv_fragments;
options.dtls = dtls;
+#if ! defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#endif
perform_handshake( &options );
+
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
+
+exit:
+ free_handshake_options( &options );
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments )
@@ -5036,6 +5140,8 @@
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
+exit:
+ free_handshake_options( &options );
}
/* END_CASE */
@@ -5072,6 +5178,9 @@
{
TEST_ASSERT( cli_pattern.counter >= 1 );
}
+
+exit:
+ free_handshake_options( &options );
}
/* END_CASE */
@@ -5086,8 +5195,11 @@
options.dtls = 1;
perform_handshake( &options );
+
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
+exit:
+ free_handshake_options( &options );
}
/* END_CASE */
@@ -5107,8 +5219,11 @@
options.resize_buffers = 1;
perform_handshake( &options );
+
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
+exit:
+ free_handshake_options( &options );
}
/* END_CASE */
@@ -5524,6 +5639,99 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+void force_bad_session_id_len( )
+{
+ enum { BUFFSIZE = 1024 };
+ handshake_test_options options;
+ mbedtls_endpoint client, server;
+ log_pattern srv_pattern, cli_pattern;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ srv_pattern.pattern = cli_pattern.pattern = "cache did not store session";
+ srv_pattern.counter = 0;
+ init_handshake_options( &options );
+
+ options.srv_log_obj = &srv_pattern;
+ options.srv_log_fun = log_analyzer;
+
+ USE_PSA_INIT( );
+
+ mbedtls_message_socket_init( &server_context );
+ mbedtls_message_socket_init( &client_context );
+
+ TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
+ &options, NULL, NULL,
+ NULL, NULL ) == 0 );
+
+ TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
+ &options, NULL, NULL, NULL,
+ NULL ) == 0 );
+
+ mbedtls_debug_set_threshold( 1 );
+ mbedtls_ssl_conf_dbg( &server.conf, options.srv_log_fun,
+ options.srv_log_obj );
+
+ TEST_ASSERT( mbedtls_mock_socket_connect( &(client.socket),
+ &(server.socket),
+ BUFFSIZE ) == 0 );
+
+ TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl),
+ &(server.ssl),
+ MBEDTLS_SSL_HANDSHAKE_WRAPUP )
+ == 0 );
+ /* Force a bad session_id_len that will be read by the server in
+ * mbedtls_ssl_cache_set. */
+ server.ssl.session_negotiate->id_len = 33;
+ if( options.cli_msg_len != 0 || options.srv_msg_len != 0 )
+ {
+ /* Start data exchanging test */
+ TEST_ASSERT( mbedtls_exchange_data( &(client.ssl), options.cli_msg_len,
+ options.expected_cli_fragments,
+ &(server.ssl), options.srv_msg_len,
+ options.expected_srv_fragments )
+ == 0 );
+ }
+
+ /* Make sure that the cache did not store the session */
+ TEST_EQUAL( srv_pattern.counter, 1 );
+exit:
+ mbedtls_endpoint_free( &client, NULL );
+ mbedtls_endpoint_free( &server, NULL );
+ free_handshake_options( &options );
+ mbedtls_debug_set_threshold( 0 );
+ USE_PSA_DONE( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_TEST_HOOKS */
+void cookie_parsing( data_t *cookie, int exp_ret )
+{
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ size_t len;
+
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_config_init( &conf );
+ TEST_EQUAL( mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_SSL_TRANSPORT_DATAGRAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ),
+ 0 );
+
+ TEST_EQUAL( mbedtls_ssl_setup( &ssl, &conf ), 0 );
+ TEST_EQUAL( mbedtls_ssl_check_dtls_clihlo_cookie( &ssl, ssl.cli_id,
+ ssl.cli_id_len,
+ cookie->x, cookie->len,
+ ssl.out_buf,
+ MBEDTLS_SSL_OUT_CONTENT_LEN,
+ &len ),
+ exp_ret );
+
+ mbedtls_ssl_free( &ssl );
+ mbedtls_ssl_config_free( &conf );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */
void timing_final_delay_accessor( )
{
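Review bot: `cookie_parsing` has no `exit:` label, so when either `TEST_EQUAL` fails control jumps past `mbedtls_ssl_free` and `mbedtls_ssl_config_free` and both contexts leak; put the two free calls under an `exit:` label as the other cases in this file do. In `force_bad_session_id_len`, `cli_pattern`, `client_context` and `server_context` are set up but never used (`cli_pattern.pattern` is assigned, its `counter` is not, and both endpoints are created with NULL contexts), so they can go; the `if( options.cli_msg_len != 0 || options.srv_msg_len != 0 )` guard is always true with the defaults from `init_handshake_options` (100 and 100), so the data exchange can be unconditional; and `id_len = 33` would read better with a comment that it is one past the 32-byte session id buffer.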
@@ -5623,21 +5831,25 @@
mbedtls_endpoint client, server;
mbedtls_psa_stats_t stats;
size_t free_slots_before = -1;
+ handshake_test_options options;
uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
USE_PSA_INIT( );
+ init_handshake_options( &options );
+ options.pk_alg = MBEDTLS_PK_ECDSA;
+
/* Client side, force SECP256R1 to make one key bitflip fail
* the raw key agreement. Flipping the first byte makes the
* required 0x04 identifier invalid. */
TEST_EQUAL( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_PK_ECDSA, NULL, NULL,
+ &options, NULL, NULL,
NULL, iana_tls_group_list ), 0 );
/* Server side */
TEST_EQUAL( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
- MBEDTLS_PK_ECDSA, NULL, NULL,
+ &options, NULL, NULL,
NULL, NULL ), 0 );
TEST_EQUAL( mbedtls_mock_socket_connect( &(client.socket),
@@ -5676,7 +5888,100 @@
exit:
mbedtls_endpoint_free( &client, NULL );
mbedtls_endpoint_free( &server, NULL );
+ free_handshake_options( &options );
USE_PSA_DONE( );
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+void tls13_server_certificate_msg_invalid_vector_len( )
+{
+ int ret = -1;
+ mbedtls_endpoint client_ep, server_ep;
+ unsigned char *buf, *end;
+ size_t buf_len;
+ int step = 0;
+ int expected_result;
+ mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args;
+ handshake_test_options client_options;
+ handshake_test_options server_options;
+
+ /*
+ * Test set-up
+ */
+ USE_PSA_INIT( );
+
+ init_handshake_options( &client_options );
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_endpoint_init( &client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL, NULL );
+ TEST_EQUAL( ret, 0 );
+
+ init_handshake_options( &server_options );
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_endpoint_init( &server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL, NULL );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_mock_socket_connect( &(client_ep.socket),
+ &(server_ep.socket), 1024 );
+ TEST_EQUAL( ret, 0 );
+
+ while( 1 )
+ {
+ mbedtls_test_set_step( ++step );
+
+ ret = mbedtls_move_handshake_to_state( &(server_ep.ssl),
+ &(client_ep.ssl),
+ MBEDTLS_SSL_CERTIFICATE_VERIFY );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_ssl_flush_output( &(server_ep.ssl) );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_move_handshake_to_state( &(client_ep.ssl),
+ &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_CERTIFICATE );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_ssl_tls13_fetch_handshake_msg( &(client_ep.ssl),
+ MBEDTLS_SSL_HS_CERTIFICATE,
+ &buf, &buf_len );
+ TEST_EQUAL( ret, 0 );
+
+ end = buf + buf_len;
+
+ /*
+ * Tweak server Certificate message and parse it.
+ */
+
+ ret = tweak_tls13_certificate_msg_vector_len(
+ buf, &end, step, &expected_result, &expected_chk_buf_ptr_args );
+
+ if( ret != 0 )
+ break;
+
+ ret = mbedtls_ssl_tls13_parse_certificate( &(client_ep.ssl), buf, end );
+ TEST_EQUAL( ret, expected_result );
+
+ TEST_ASSERT( mbedtls_ssl_cmp_chk_buf_ptr_fail_args(
+ &expected_chk_buf_ptr_args ) == 0 );
+
+ mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
+
+ ret = mbedtls_ssl_session_reset( &(client_ep.ssl) );
+ TEST_EQUAL( ret, 0 );
+
+ ret = mbedtls_ssl_session_reset( &(server_ep.ssl) );
+ TEST_EQUAL( ret, 0 );
+ }
+
+exit:
+ mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
+ mbedtls_endpoint_free( &client_ep, NULL );
+ mbedtls_endpoint_free( &server_ep, NULL );
+ free_handshake_options( &client_options );
+ free_handshake_options( &server_options );
+ USE_PSA_DONE( );
+}
+/* END_CASE */
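Review bot: the `while( 1 )` loop in `tls13_server_certificate_msg_invalid_vector_len` terminates only because `tweak_tls13_certificate_msg_vector_len` returns -1 for an unknown `step`, so if a future tweak returns -1 for an internal reason the remaining steps are skipped and the test still passes. Prefer a shared constant for the number of tweaks and `for( step = 1; step <= TWEAK_COUNT; step++ )` with `TEST_EQUAL( ret, 0 )` on the tweak call, so every step is known to have run.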
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index da12382..f131029 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compile time library version
-check_compiletime_version:"3.1.0"
+check_compiletime_version:"3.2.1"
Check runtime library version
-check_runtime_version:"3.1.0"
+check_runtime_version:"3.2.1"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
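Review bot: the bump to "3.2.1" in both `check_compiletime_version` and `check_runtime_version` has to match the MBEDTLS_VERSION_* macros in include/mbedtls/build_info.h; that header is not part of the excerpt, so please confirm it is updated in the same change or the suite fails at the next run.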
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index d04b7d8..eb9e9aa 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -294,6 +294,10 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n"
+X509 CSR Information RSA with SHA-256, containing commas
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTS_X509_INFO
+mbedtls_x509_csr_info:"data_files/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+
X509 CSR Information EC with SHA1
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n"
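Review bot: `MBEDTS_X509_INFO` in the new `depends_on` line is misspelled (missing `L`) and also does not follow the `!MBEDTLS_X509_REMOVE_INFO` form used by the neighbouring CSR info cases. As written the dependency can never be satisfied, so the "containing commas" CSR case is always skipped and the comma-escaping output it is meant to cover goes untested; change it to `!MBEDTLS_X509_REMOVE_INFO`.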
@@ -375,6 +379,42 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
mbedtls_x509_dn_gets:"data_files/server2.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA"
+X509 Get Distinguished Name #5
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+mbedtls_x509_dn_gets:"data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\, Commas, CN=PolarSSL Server 1"
+
+X509 Get Modified DN #1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"Modified":"C=NL, O=Modified, CN=PolarSSL Server 1":0
+
+X509 Get Modified DN #2 Name exactly 255 bytes
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345":"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345, CN=PolarSSL Server 1":0
+
+X509 Get Modified DN #3 Name exceeds 255 bytes
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
+
+X509 Get Modified DN #4 Name exactly 255 bytes, with comma requiring escaping
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"1234567890,1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
+
+X509 Get Modified DN #5 Name exactly 255 bytes, ending with comma requiring escaping
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234,":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
+
+X509 Get Next DN #1 No Multivalue RDNs
+mbedtls_x509_dn_get_next:"C=NL, O=PolarSSL, CN=PolarSSL Server 1":0:"C O CN":3:"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
+
+X509 Get Next DN #2 Initial Multivalue RDN
+mbedtls_x509_dn_get_next:"C=NL, O=PolarSSL, CN=PolarSSL Server 1":0x01:"C CN":2:"C=NL + O=PolarSSL, CN=PolarSSL Server 1"
+
+X509 Get Next DN #3 Single Multivalue RDN
+mbedtls_x509_dn_get_next:"C=NL, O=PolarSSL, CN=PolarSSL Server 1":0x03:"C":1:"C=NL + O=PolarSSL + CN=PolarSSL Server 1"
+
+X509 Get Next DN #4 Consecutive Multivalue RDNs
+mbedtls_x509_dn_get_next:"C=NL, O=PolarSSL, title=Example, CN=PolarSSL Server 1":0x05:"C title":2:"C=NL + O=PolarSSL, title=Example + CN=PolarSSL Server 1"
+
X509 Time Expired #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA1_C
mbedtls_x509_time_is_past:"data_files/server1.crt":"valid_from":1
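Review bot: The descriptions of "Modified DN #4" and "#5" say "Name exactly 255 bytes" yet expect `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL`, while "#2" is also exactly 255 bytes and succeeds; the difference is that the comma is rendered as `\,`, so the escaped value is 256 bytes. Say so in the description (e.g. "255 bytes, comma escaping pushes it past the limit") to make the intent clear to the next reader. A complementary success case, a value of 254 bytes containing one comma that still fits after escaping, would also pin down the boundary from the passing side rather than only from the failing side.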
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 1d06fe3..3bb68d9 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -758,6 +758,37 @@
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
+void mbedtls_x509_dn_gets_subject_replace( char * crt_file, char * new_subject_ou, char * result_str, int ret )
+{
+ mbedtls_x509_crt crt;
+ char buf[2000];
+ int res = 0;
+
+ mbedtls_x509_crt_init( &crt );
+ memset( buf, 0, 2000 );
+
+ TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
+ crt.subject.next->val.p = (unsigned char *) new_subject_ou;
+ crt.subject.next->val.len = strlen( new_subject_ou );
+
+ res = mbedtls_x509_dn_gets( buf, 2000, &crt.subject );
+
+ if ( ret != 0 )
+ {
+ TEST_ASSERT( res == ret );
+ }
+ else
+ {
+ TEST_ASSERT( res != -1 );
+ TEST_ASSERT( res != -2 );
+ TEST_ASSERT( strcmp( buf, result_str ) == 0 );
+ }
+exit:
+ mbedtls_x509_crt_free( &crt );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
void mbedtls_x509_dn_gets( char * crt_file, char * entity, char * result_str )
{
mbedtls_x509_crt crt;
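Review bot: The success branch of `mbedtls_x509_dn_gets_subject_replace` only checks `res != -1` and `res != -2`, which does not catch other negative error codes or a truncated result; replace the two magic-number asserts with `TEST_EQUAL( res, (int) strlen( result_str ) )` (or at least `TEST_LE_S( 0, res )`) before the `strcmp`. Two smaller points: the parameter is named `new_subject_ou`, but the value it overwrites is the second RDN, which for `server1.crt` is `O` (the data file expects `O=Modified`), so a neutral name such as `new_value` would avoid confusion; and `crt.subject.next` is dereferenced without a `TEST_ASSERT( crt.subject.next != NULL )`, which would turn a certificate with a single-RDN subject into a crash rather than a failed assertion.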
@@ -785,6 +816,77 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
+void mbedtls_x509_dn_get_next( char * name_str, int next_merged, char * expected_oids, int exp_count, char * exp_dn_gets )
+{
+ int ret = 0, i;
+ size_t len = 0, out_size;
+ mbedtls_asn1_named_data *names = NULL;
+ mbedtls_x509_name parsed, *parsed_cur, *parsed_prv;
+ // Size of buf is maximum required for test cases
+ unsigned char buf[80], *out = NULL, *c;
+ const char *short_name;
+
+ memset( &parsed, 0, sizeof( parsed ) );
+ memset( buf, 0, sizeof( buf ) );
+ c = buf + sizeof( buf );
+ // Additional size required for trailing space
+ out_size = strlen( expected_oids ) + 2;
+ ASSERT_ALLOC( out, out_size );
+
+ TEST_EQUAL( mbedtls_x509_string_to_names( &names, name_str ), 0 );
+
+ ret = mbedtls_x509_write_names( &c, buf, names );
+ TEST_LE_S( 0, ret );
+
+ TEST_EQUAL( mbedtls_asn1_get_tag( &c, buf + sizeof( buf ), &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ), 0 );
+ TEST_EQUAL( mbedtls_x509_get_name( &c, buf + sizeof( buf ), &parsed ), 0 );
+
+ // Iterate over names and set next_merged nodes
+ parsed_cur = &parsed;
+ for( ; next_merged != 0 && parsed_cur != NULL; next_merged = next_merged >> 1 )
+ {
+ parsed_cur->next_merged = next_merged & 0x01;
+ parsed_cur = parsed_cur->next;
+ }
+
+ // Iterate over RDN nodes and print OID of first element to buffer
+ parsed_cur = &parsed;
+ len = 0;
+ for( i = 0; parsed_cur != NULL; i++ )
+ {
+ TEST_EQUAL( mbedtls_oid_get_attr_short_name( &parsed_cur->oid,
+ &short_name ), 0 );
+ len += mbedtls_snprintf( (char*) out + len, out_size - len, "%s ", short_name );
+ parsed_cur = mbedtls_x509_dn_get_next( parsed_cur );
+ }
+ out[len-1] = 0;
+
+ TEST_EQUAL( exp_count, i );
+ TEST_EQUAL( strcmp( (char *) out, expected_oids ), 0 );
+ mbedtls_free( out );
+ out = NULL;
+
+ out_size = strlen( exp_dn_gets ) + 1;
+ ASSERT_ALLOC( out, out_size );
+
+ TEST_LE_S( 0, mbedtls_x509_dn_gets( (char *) out, out_size, &parsed ) );
+ TEST_EQUAL( strcmp( (char *) out, exp_dn_gets ), 0 );
+exit:
+ mbedtls_free( out );
+ mbedtls_asn1_free_named_data_list( &names );
+
+ parsed_cur = parsed.next;
+ while( parsed_cur != 0 )
+ {
+ parsed_prv = parsed_cur;
+ parsed_cur = parsed_cur->next;
+ mbedtls_free( parsed_prv );
+ }
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_x509_time_is_past( char * crt_file, char * entity, int result )
{
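Review bot: The OID-collecting loop in `mbedtls_x509_dn_get_next` is unsafe on the very mismatch it is meant to detect: `len += mbedtls_snprintf( (char*) out + len, out_size - len, "%s ", short_name )` adds the would-be length even when the output was truncated, so if the parsed chain yields more short names than `expected_oids` anticipates, `out + len` walks past the buffer, `out_size - len` wraps as an unsigned value and `out[len-1] = 0` writes out of bounds instead of failing cleanly. Add `TEST_ASSERT( len < out_size )` after each `mbedtls_snprintf`, or size `out` from a fixed upper bound rather than from the expected string, and guard `out[len-1]` against `len == 0`. The `unsigned char buf[80]` commented as "maximum required for test cases" is also brittle: the next test case with a slightly longer name will fail inside `mbedtls_x509_write_names` with an unrelated-looking buffer error, so give it a comfortable margin (e.g. 256 bytes).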
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 8d9a11a..91fdd86 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -139,7 +139,7 @@
x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:0:0:1:-1:"":2:0:"data_files/test-ca2.crt"
X509 String to Names #1
-mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
+mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark\, Inc., OU=PolarSSL":0
X509 String to Names #2
mbedtls_x509_string_to_names:"C=NL, O=Offspark, Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_UNKNOWN_OID
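Review bot: Changing the expected string from `O=Offspark, Inc.` to `O=Offspark\, Inc.` means the rendered DN now escapes commas inside attribute values, which is a user-visible change in the text produced for certificate and CSR information and can break callers that compare or parse that string; it should be recorded in a ChangeLog entry. A round-trip case, feeding the escaped output back into `mbedtls_x509_string_to_names` and checking it parses to the same three RDNs, would also confirm that the writer and the parser now agree on the escaping rule rather than only that the writer emits a backslash.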