Merge pull request #8733 from ivq/gcm_ad_len_check
Add back restriction on AD length of GCM
diff --git a/BRANCHES.md b/BRANCHES.md
index c085b16..b71247f 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -106,6 +106,6 @@
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see
- <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6>.
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7>.
Users are urged to always use the latest version of a maintained branch.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ad05646..78599d9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -381,7 +381,7 @@
write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion
- VERSION 3.5.1)
+ VERSION 3.5.2)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
diff --git a/ChangeLog b/ChangeLog
index 28c45f7..28f2654 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,20 @@
Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS 3.5.2 branch released 2024-01-26
+
+Security
+ * Fix a timing side channel in private key RSA operations. This side channel
+ could be sufficient for an attacker to recover the plaintext. A local
+ attacker or a remote attacker who is close to the victim on the network
+ might have precise enough timing measurements to exploit this. It requires
+ the attacker to send a large number of messages for decryption. For
+ details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
+ by Hubert Kario, Red Hat.
+ * Fix a failure to validate input when writing x509 extensions lengths which
+ could result in an integer overflow, causing a zero-length buffer to be
+ allocated to hold the extension. The extension would then be copied into
+ the buffer, causing a heap buffer overflow.
+
= Mbed TLS 3.5.1 branch released 2023-11-06
Changes
diff --git a/ChangeLog.d/8726.txt b/ChangeLog.d/8726.txt
new file mode 100644
index 0000000..c1e5a40
--- /dev/null
+++ b/ChangeLog.d/8726.txt
@@ -0,0 +1,2 @@
+Features
+ * Add partial platform support for z/OS.
diff --git a/ChangeLog.d/iar-gcc-perf.txt b/ChangeLog.d/iar-gcc-perf.txt
new file mode 100644
index 0000000..fb0fbb1
--- /dev/null
+++ b/ChangeLog.d/iar-gcc-perf.txt
@@ -0,0 +1,2 @@
+Features
+ * Improve performance for gcc (versions older than 9.3.0) and IAR.
diff --git a/ChangeLog.d/linux-aarch64-hwcap.txt b/ChangeLog.d/linux-aarch64-hwcap.txt
new file mode 100644
index 0000000..23af878
--- /dev/null
+++ b/ChangeLog.d/linux-aarch64-hwcap.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
+ acceleration detection when the libc headers do not define the
+ corresponding constant. Reported by valord577.
diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md
new file mode 100644
index 0000000..e09d23c
--- /dev/null
+++ b/docs/architecture/psa-migration/psa-legacy-bridges.md
@@ -0,0 +1,344 @@
+Bridges between legacy and PSA crypto APIs
+==========================================
+
+## Introduction
+
+### Goal of this document
+
+This document explores the needs of applications that use both Mbed TLS legacy crypto interfaces and PSA crypto interfaces. Based on [requirements](#requirements), we [analyze gaps](#gap-analysis) and [API design](#api-design).
+
+This is a design document. The target audience is library maintainers. See the companion document [“Transitioning to the PSA API”](../../psa-transition.md) for a user focus on the same topic.
+
+### Keywords
+
+* [TODO] A part of the analysis that isn't finished.
+* [OPEN] Open question: a specific aspect of the design where there are several plausible decisions.
+* [ACTION] A finalized part of the design that will need to be carried out.
+
+### Context
+
+Mbed TLS 3.x supports two cryptographic APIs:
+
+* The legacy API `mbedtls_xxx` is inherited from PolarSSL.
+* The PSA API `psa_xxx` was introduced in Mbed TLS 2.17.
+
+Mbed TLS is gradually shifting from the legacy API to the PSA API. Mbed TLS 4.0 will be the first version where the PSA API is considered the main API, and large parts of the legacy API will be removed.
+
+In Mbed TLS 4.0, the cryptography will be provided by a separate project [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). For simplicity, in this document, we just refer to the whole as “Mbed TLS”.
+
+### Document history
+
+This document was originally written when preparing Mbed TLS 3.6. Mbed TLS 3.6 includes both PSA and legacy APIs covering largely overlapping ground. Many legacy APIs will be removed in Mbed TLS 4.0.
+
+## Requirements
+
+### Why mix APIs?
+
+There is functionality that is tied to one API and is not directly available in the other API:
+
+* Only PSA fully supports PSA accelerators and secure element integration.
+* Only PSA supports isolating cryptographic material in a secure service.
+* The legacy API has features that are not present (yet) in PSA, notably parsing and formatting asymmetric keys.
+
+The legacy API can partially leverage PSA features via `MBEDTLS_USE_PSA_CRYPTO`, but this has limited scope.
+
+In addition, many applications cannot be migrated in a single go. For large projects, it is impractical to rewrite a significant part of the code all at once. (For example, Mbed TLS itself will have taken more than 6 years to transition.) Projects that use one or more library in addition to Mbed TLS must follow the evolution of these libraries, each of which might have its own pace.
+
+### Where mixing happens
+
+Mbed TLS can be, and normally is, built with support for both APIs. Therefore no special effort is necessary to allow an application to use both APIs.
+
+Special effort is necessary to use both APIs as part of the implementation of the same feature. From an informal analysis of typical application requirements, we identify four parts of the use of cryptography which can be provided by different APIs:
+
+* Metadata manipulation: parsing and producing encrypted or signed files, finding mutually supported algorithms in a network protocol negotiation, etc.
+* Key management: parsing, generating, deriving and formatting cryptographic keys.
+* Data manipulation other than keys. In practice, most data formats within the scope of the legacy crypto APIs are trivial (ciphertexts, hashes, MACs, shared secrets). The one exception is ECDSA signatures.
+* Cryptographic operations: hash, sign, encrypt, etc.
+
+From this, we deduce the following requirements:
+
+* Convert between PSA and legacy metadata.
+* Creating a key with the legacy API and consuming it in the PSA API.
+* Creating a key with the PSA API and consuming it in the legacy API.
+* Manipulating data formats, other than keys, where the PSA API is lacking.
+
+### Scope limitations
+
+The goal of this document is to bridge the legacy API and the PSA API. The goal is not to provide a PSA way to do everything that is currently possible with the legacy API. The PSA API is less flexible in some regards, and extending it is out of scope in the present study.
+
+With respect to the legacy API, we do not consider functionality of low-level modules for individual algorithms. Our focus is on applications that use high-level legacy crypto modules (md, cipher, pk) and need to combine that with uses of the PSA APIs.
+
+## Gap analysis
+
+The document [“Transitioning to the PSA API”](../../psa-transition.md) enumerates the public header files in Mbed TLS 3.4 and the API elements (especially enums and functions) that they provide, listing PSA equivalents where they exist. There are gaps in two cases:
+
+* Where the PSA equivalents do not provide the same functionality. A typical example is parsing and formatting asymmetric keys.
+* To convert between data representations used by legacy APIs and data representations used by PSA APIs.
+
+Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap analysis on two topics: metadata and keys. This chapter explores the gaps in each family of cryptographic mechanisms.
+
+### Generic metadata gaps
+
+#### Need for error code conversion
+
+Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use.
+
+Mbed TLS needs these conversions because it has many functions that expose one API (legacy/API) but are implemented on top of the other API. Most applications would convert legacy and PSA error code to their own error codes, and converting between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` is not particularly helpful for that. Application code might need such conversion functions when implementing an X.509 or TLS callback (returning `MBEDTLS_ERR_xxx`) on top of PSA functions, but this is a very limited use case.
+
+Conclusion: no need for public error code conversion functions.
+
+### Hash gap analysis
+
+Hashes do not involve keys, and involves no nontrivial data format. Therefore the only gap is with metadata, namely specifying a hash algorithm.
+
+Hashes are often used as building blocks for other mechanisms (HMAC, signatures, key derivation, etc.). Therefore metadata about hashes is relevant not only when calculating hashes, but also when performing many other cryptographic operations.
+
+Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls_md_type_t`. Such functions exist in Mbed TLS 3.5 (`mbedtls_md_psa_alg_from_type`, `mbedtls_md_type_from_psa_alg`) but they are declared only in private headers.
+
+### MAC gap analysis
+
+[TODO]
+
+### Cipher and AEAD gap analysis
+
+[TODO]
+
+### Key derivation gap analysis
+
+[TODO]
+
+### Random generation gap analysis
+
+[TODO]
+
+### Asymmetric cryptography gap analysis
+
+#### Asymmetric cryptography metadata
+
+The legacy API only has generic support for two key types: RSA and ECC, via the pk module. ECC keys can also be further classified according to their curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module.
+
+An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module:
+
+* RSA: PKCS#1v1.5 signature, PSS signature, PKCS#1v1.5 encryption, OAEP encryption.
+* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement (via `mbedtls_pk_ec`).
+
+ECC keys are also involved in EC-JPAKE, but this happens internally: the EC-JPAKE interface only needs one piece of metadata, namely, to identify a curve.
+
+Since there is no algorithm that can be used with multiple types, and PSA keys have a policy that (for the most part) limits them to one algorithm, there does not seem to be a need to convert between legacy and PSA asymmetric key types on their own. The useful metadata conversions are:
+
+* Selecting an **elliptic curve**.
+
+ This means converting between an `mbedtls_ecp_group_id` and a pair of `{psa_ecc_family_t; size_t}`.
+
+ This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_from_psa`, which were introduced into the public API between Mbed TLS 3.5 and 3.6 ([#8664](https://github.com/Mbed-TLS/mbedtls/pull/8664)).
+
+* Selecting A **DHM group**.
+
+ PSA only supports predefined groups, whereas legacy only supports ad hoc groups. An existing application referring to `MBEDTLS_DHM_RFC7919_FFDHExxx` values would need to refer to `PSA_DH_FAMILY_RFC7919`; an existing application using arbitrary groups cannot migrate to PSA.
+
+* Simultaneously supporting **a key type and an algorithm**.
+
+ On the legacy side, this is an `mbedtls_pk_type_t` value and more. For ECDSA, the choice between randomized and deterministic is made at compile time. For RSA, the choice of encryption or signature algorithm is made either by configuring the underlying `mbedtls_rsa_context` or when calling the operation function.
+
+ On the PSA side, this is a `psa_key_type_t` value and an algorithm which is normally encoded as policy information in a `psa_key_attributes_t`. The algorithm is also needed in its own right when calling operation functions.
+
+#### Using a legacy key pair or public key with PSA
+
+There are several scenarios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to create a PSA key object (`psa_key_id_t`).
+
+Reasons for first creating a legacy key object, where it's impossible or impractical to directly create a PSA key:
+
+* A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an equivalent of the `mbedtls_pk_parse_xxx` functions.
+* The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generation does not (yet) allow choosing the public exponent.
+* The pk object may be created by a part of the application (or a third-party library) that hasn't been migrated to the PSA API yet.
+
+Reasons for needing a PSA key object:
+
+* Using the key with third-party interface that takes a PSA key identifier as input. (Mbed TLS itself has a few TLS functions that take PSA key identifiers, but as of Mbed TLS 3.5, it is always possible to use a legacy key instead.)
+* Benefiting from a PSA accelerator, or from PSA's world separation, even without `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority scenario: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.)
+
+Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_opaque`, but it is not fully satisfactory, for reasons that are detailed in “[API to create a PSA key from a PK context](#api-to-create-a-psa-key-from-a-pk-context)” below.
+
+#### Using a PSA key as a PK context
+
+There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 and TLS APIs or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents.
+
+There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it has several limitations:
+
+* It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in some scenarios, but not others. For example, it's ok for pkwrite, because we've upgraded the pkwrite code to handle `MBEDTLS_PK_OPAQUE`. That doesn't help users of third-party libraries that haven't yet been upgraded.
+* It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object.
+* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. This is not a priority concern, since we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA. However, this function is useful to use specific PSA keys in X.509/TLS regardless of whether X.509/TLS use the PSA API for all cryptographic operations, so this is a wart in the current API.
+
+It therefore appears that we need two ways to “convert” a PSA key to PK:
+
+* Wrapping, which is what `mbedtls_pk_setup_opaque` does. This works for any PSA key but is limited by the key's lifetime and creates a PK object with limited functionality.
+* Copying, which requires a new function. This requires an exportable key but creates a fully independent, fully functional PK object.
+
+Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable.
+
+After some discussion, have not identified anything we want to change in the behavior of `mbedtls_pk_setup_opaque`. We only want to generalize it to non-`MBEDTLS_USE_PSA_CRYPTO` and to document it better.
+
+#### Signature formats
+
+The pk module uses signature formats intended for X.509. The PSA module uses the simplest sensible signature format.
+
+* For RSA, the formats are the same.
+* For ECDSA, PSA uses a fixed-size concatenation of (r,s), whereas X.509 and pk use an ASN.1 DER encoding of the sequence (r,s).
+
+Gap: We need APIs to convert between these two formats. The conversion code already exists under the hood, but it's in pieces that can't be called directly.
+
+There is a design choice here: do we provide conversions functions for ECDSA specifically, or do we provide conversion functions that take an algorithm as argument and just happen to be a no-op with RSA? One factor is plausible extensions. These conversions functions will remain useful in Mbed TLS 4.x and perhaps beyond. We will at least add EdDSA support, and its signature encoding is the fixed-size concatenation (r,s) even in X.509. We may well also add support for some post-quantum signatures, and their concrete format is still uncertain.
+
+Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. Therefore we are not going to add a generic function at this stage.
+
+For ECDSA, there are two plausible APIs: follow the ASN.1/X.509 write/parse APIs, or present an ordinary input/output API. The ASN.1 APIs are the way they are to accommodate nested TLV structures. But ECDSA signatures do not appear nested in TLV structures in either TLS (there's just a signature field) or X.509 (the signature is inside a BITSTRING, not directly in a SEQUENCE). So there does not seem to be a need for an ASN.1-like API for the ASN.1 format, just the format conversion itself in a buffer that just contains the signature.
+
+#### Asymmetric cryptography TODO
+
+[TODO] Other gaps?
+
+## New APIs
+
+This section presents new APIs to implement based on the [gap analysis](#gap-analysis).
+
+### General notes
+
+Each action to implement a function entails:
+
+* Implement the library function.
+* Document it precisely, including error conditions.
+* Unit-test it.
+* Mention it where relevant in the PSA transition guide.
+
+### Hash APIs
+
+Based on the [gap analysis](#hash-gap-analysis):
+
+[ACTION] [#8340](https://github.com/Mbed-TLS/mbedtls/issues/8340) Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`.
+
+### MAC APIs
+
+[TODO]
+
+### Cipher and AEAD APIs
+
+[TODO]
+
+### Key derivation APIs
+
+[TODO]
+
+### Random generation APIs
+
+[TODO]
+
+### Asymmetric cryptography APIs
+
+#### Asymmetric cryptography metadata APIs
+
+Based on the [gap analysis](#asymmetric-cryptography-metadata):
+
+* No further work is needed about RSA specifically. The amount of metadata other than hashes is sufficiently small to be handled in ad hoc ways in applications, and hashes have [their own conversions](#hash-apis).
+* No further work is needed about ECC specifically. We have just added adequate functions.
+* No further work is needed about DHM specifically. There is no good way to translate the relevant information.
+* [OPEN] Is there a decent way to convert between `mbedtls_pk_type_t` plus extra information, and `psa_key_type_t` plus policy information? The two APIs are different in crucial ways, with different splits between key type, policy information and operation algorithm.
+ Thinking so far: there isn't really a nice way to present this conversion. For a specific key, `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_copy_from_psa` do the job.
+
+#### API to create a PSA key from a PK context
+
+Based on the [gap analysis](#using-a-legacy-key-pair-or-public-key-with-psa):
+
+Given an `mbedtls_pk_context`, we want a function that creates a PSA key with the same key material and algorithm. “Same key material” is straightforward, but “same algorithm” is not, because a PK context has incomplete algorithm information. For example, there is no way to distinguish between an RSA key that is intended for signature or for encryption. Between algorithms of the same nature, there is no way to distinguish a key intended for PKCS#1v1.5 and one intended for PKCS#1v2.1 (OAEP/PSS): this is indicated in the underlying RSA context, but the indication there is only a default that can be overridden by calling `mbedtls_pk_{sign,verify}_ext`. Also there is no way to distinguish between `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)` and `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`: in the legacy interface, this is only determined when actually doing a signature/verification operation. Therefore the function that creates the PSA key needs extra information to indicate which algorithm to put in the key's policy.
+
+When creating a PSA key, apart from the key material, the key is determined by attributes, which fall under three categories:
+
+* Type and size. These are directly related to the key material and can be deduced from it if the key material is in a structured format, which is the case with an `mbedtls_pk_context` input.
+* Policy. This includes the chosen algorithm, which as discussed above cannot be fully deduced from the `mbedtls_pk_context` object. Just choosing one algorithm is problematic because it doesn't allow implementation-specific extensions, such as Mbed TLS's enrollment algorithm. The intended usage flags cannot be deduced from the PK context either, but the conversion function could sensibly just enable all the relevant usage flags. Users who want a more restrictive usage can call `psa_copy_key` and `psa_destroy_key` to obtain a PSA key object with a more restrictive usage.
+* Persistence and location. This is completely orthogonal to the information from the `mbedtls_pk_context` object. It is convenient, but not necessary, for the conversion function to allow customizing these aspects. If it doesn't, users can call the conversion function and then call `psa_copy_key` and `psa_destroy_key` to move the key to its desired location.
+
+To allow the full flexibility around policies, and make the creation of a persistent key more convenient, the conversion function shall take a `const psa_key_attributes_t *` input, like all other functions that create a PSA key. In addition, there shall be a helper function to populate a `psa_key_attributes_t` with a sensible default. This lets the caller choose a more flexible, or just different usage policy, unlike the default-then-copy approach which only allows restricting the policy.
+
+This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not bake in the implementation-specific consideration that a PSA key has exactly two algorithms, and also allows the caller to benefit from default for the policy in more cases.
+
+[ACTION] [#8708](https://github.com/Mbed-TLS/mbedtls/issues/8708) Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`.
+
+```
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_flags_t usage,
+ psa_key_attributes_t *attributes);
+int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id);
+```
+
+* `mbedtls_pk_get_psa_attributes` does not change the id/lifetime fields of the attributes (which indicate a volatile key by default).
+ * [OPEN] Or should it reset them to 0? Resetting is more convenient for the case where the pk key is a `MBEDTLS_PK_OPAQUE`. But that's an uncommon use case. It's probably less surprising if this function leaves the lifetime-related alone, since its job is to set the type-related and policy-related attributes.
+* `mbedtls_pk_get_psa_attributes` sets the type and size based on what's in the pk context.
+ * The key type is a key pair if the context contains a private key and the indicated usage is a private-key usage. The key type is a public key if the context only contains a public key, in which case a private-key usage is an error.
+* `mbedtls_pk_get_psa_attributes` sets the usage flags based on the `usage` parameter. It extends the usage to other usage that is possible:
+ * `EXPORT` and `COPY` are always set.
+ * If `SIGN_{HASH,MESSAGE}` is set then so is `VERIFY_{HASH,MESSAGE}`.
+ * If `DECRYPT` is set then so is `ENCRYPT`.
+ * It is an error if `usage` has more than one flag set, or has a usage that is incompatible with the key type.
+* `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key object and on `usage`.
+ * For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_PKCS1V15_CRYPT` for an encrypt/decrypt usage.
+ * For an RSA key with the `MBEDTLS_RSA_PKCS_V21` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.)
+ * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDSA` with a sign/verify usage, the algorithm policy is `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. In either case, the hash policy is `PSA_ALG_ANY_HASH`.
+ * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDKEY_DH` with the usage `PSA_KEY_USAGE_DERIVE`, the algorithm is `PSA_ALG_ECDH`.
+ * For a `MBEDTLS_PK_OPAQUE`, this function reads the attributes of the existing PK key and copies them (without overriding the lifetime and key identifier in `attributes`), then applies a public-key restriction if needed.
+ * Public-key restriction: if `usage` is a public-key usage, change the type to the corresponding public-key type, and remove private-key usage flags from the usage flags read from the existing key.
+* `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key).
+ * The key type can be a public key even if the private key is available.
+* `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks.
+* `mbedtls_pk_import_into_psa` does not check that the policy in the attributes is sensible. That's on the user.
+
+#### API to copy a PSA key to a PK context
+
+Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
+
+[ACTION] [#8709](https://github.com/Mbed-TLS/mbedtls/issues/8709) Implement `mbedtls_pk_copy_from_psa` as described below.
+
+```
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk);
+```
+
+* `pk` must be initialized, but not set up.
+* It is an error if the key is neither a key pair nor a public key.
+* It is an error if the key is not exportable.
+* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse).
+* Once this function returns, the pk object is completely independent of the PSA key.
+* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`) if that is a matching operation type (sign/verify, encrypt/decrypt), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`).
+ * For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today.
+ * For an RSA key, the output key will allow both encrypt/decrypt and sign/verify regardless of the original key's policy. The original key's policy determines the output key's padding mode.
+ * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. Convey this in the documentation.
+
+#### API to create a PK object that wraps a PSA key
+
+Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
+
+[ACTION] [#8712](https://github.com/Mbed-TLS/mbedtls/issues/8712) Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`.
+
+[ACTION] [#8710](https://github.com/Mbed-TLS/mbedtls/issues/8710) Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly.
+
+[OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`?
+
+#### API to convert between signature formats
+
+Based on the [gap analysis](#signature-formats):
+
+[ACTION] [#7765](https://github.com/Mbed-TLS/mbedtls/issues/7765) Implement `mbedtls_ecdsa_raw_to_der` and `mbedtls_ecdsa_der_to_raw` as described below.
+
+```
+int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len,
+ unsigned char *der, size_t der_size, size_t *der_len,
+ size_t bits);
+int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t raw_size, size_t *raw_len,
+ size_t bits);
+```
+
+* These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`.
+* The input and output buffers can overlap.
+* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is not needed in the raw-to-DER direction, but [it can help catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971) and the information is readily available in practice.
+* Should these functions rely on the ASN.1 module? We experimented [calling ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8681), [reimplementing simpler ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8696), and [providing the functions from the ASN.1 module](https://github.com/Mbed-TLS/mbedtls/pull/8703). Providing the functions from the ASN.1 module [won on a compromise of code size and simplicity](https://github.com/Mbed-TLS/mbedtls/issues/7765#issuecomment-1893670015).
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index c391c59..17762d7 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -10,7 +10,7 @@
*/
/**
- * @mainpage Mbed TLS v3.5.1 API Documentation
+ * @mainpage Mbed TLS v3.5.2 API Documentation
*
* This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 89048f2..cbbb759 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
-PROJECT_NAME = "Mbed TLS v3.5.1"
+PROJECT_NAME = "Mbed TLS v3.5.2"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 7a70e25..2f336ba 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -26,16 +26,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 3
#define MBEDTLS_VERSION_MINOR 5
-#define MBEDTLS_VERSION_PATCH 1
+#define MBEDTLS_VERSION_PATCH 2
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x03050100
-#define MBEDTLS_VERSION_STRING "3.5.1"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.1"
+#define MBEDTLS_VERSION_NUMBER 0x03050200
+#define MBEDTLS_VERSION_STRING "3.5.2"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.2"
/* Macros for build-time platform detection */
@@ -83,6 +83,14 @@
#endif
#endif
+#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
+ && !defined(__llvm__) && !defined(__INTEL_COMPILER)
+/* Defined if the compiler really is gcc and not clang, etc */
+#define MBEDTLS_COMPILER_IS_GCC
+#define MBEDTLS_GCC_VERSION \
+ (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
+#endif
+
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1
#endif
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index e5e172f..9136375 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -684,6 +684,10 @@
* It is the generic wrapper for performing a PKCS#1 decryption
* operation.
*
+ * \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15,
+ * mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an
+ * inherently dangerous function (CWE-242).
+ *
* \note The output buffer length \c output_max_len should be
* as large as the size \p ctx->len of \p ctx->N (for example,
* 128 Bytes if RSA-1024 is used) to be able to hold an
@@ -720,6 +724,11 @@
* \brief This function performs a PKCS#1 v1.5 decryption
* operation (RSAES-PKCS1-v1_5-DECRYPT).
*
+ * \warning This is an inherently dangerous function (CWE-242). Unless
+ * it is used in a side channel free and safe way (eg.
+ * implementing the TLS protocol as per 7.4.7.1 of RFC 5246),
+ * the calling code is vulnerable.
+ *
* \note The output buffer length \c output_max_len should be
* as large as the size \p ctx->len of \p ctx->N, for example,
* 128 Bytes if RSA-1024 is used, to be able to hold an
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 3629526..b063360 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -90,8 +90,18 @@
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00
/** Not possible to read early data */
#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80
+/**
+ * Early data has been received as part of an on-going handshake.
+ * This error code can be returned only on server side if and only if early
+ * data has been enabled by means of the mbedtls_ssl_conf_early_data() API.
+ * This error code can then be returned by mbedtls_ssl_handshake(),
+ * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write() if
+ * early data has been received as part of the handshake sequence they
+ * triggered. To read the early data, call mbedtls_ssl_read_early_data().
+ */
+#define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C00
/** Not possible to write early data */
-#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C00
+#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C80
/* Error space gap */
/* Error space gap */
/* Error space gap */
@@ -1644,6 +1654,18 @@
*/
mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version);
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+ /**
+ * Status of the negotiation of the use of early data.
+ * See the documentation of mbedtls_ssl_get_early_data_status() for more
+ * information.
+ *
+ * Reset to #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT when the context is
+ * reset.
+ */
+ int MBEDTLS_PRIVATE(early_data_status);
+#endif
+
unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -1841,10 +1863,6 @@
* and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- int MBEDTLS_PRIVATE(early_data_status);
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
-
/** Callback to export key block and master secret */
mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
@@ -1993,7 +2011,7 @@
*/
void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode);
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
/**
* \brief Set the early data mode
* Default: disabled on server and client
@@ -2001,14 +2019,24 @@
* \param conf The SSL configuration to use.
* \param early_data_enabled can be:
*
- * MBEDTLS_SSL_EARLY_DATA_DISABLED: early data functionality is disabled
- * This is the default on client and server.
+ * MBEDTLS_SSL_EARLY_DATA_DISABLED:
+ * Early data functionality is disabled. This is the default on client and
+ * server.
*
- * MBEDTLS_SSL_EARLY_DATA_ENABLED: early data functionality is enabled and
- * may be negotiated in the handshake. Application using
- * early data functionality needs to be aware of the
- * lack of replay protection of the early data application
- * payloads.
+ * MBEDTLS_SSL_EARLY_DATA_ENABLED:
+ * Early data functionality is enabled and may be negotiated in the handshake.
+ * Application using early data functionality needs to be aware that the
+ * security properties for early data (also refered to as 0-RTT data) are
+ * weaker than those for other kinds of TLS data. See the documentation of
+ * mbedtls_ssl_write_early_data() and mbedtls_ssl_read_early_data() for more
+ * information.
+ * When early data functionality is enabled on server and only in that case,
+ * the call to one of the APIs that trigger or resume an handshake sequence,
+ * namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
+ * mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code
+ * MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have
+ * been received. To read the early data, call mbedtls_ssl_read_early_data()
+ * before calling the original function again.
*
* \warning This interface is experimental and may change without notice.
*
@@ -2048,7 +2076,7 @@
mbedtls_ssl_config *conf, uint32_t max_early_data_size);
#endif /* MBEDTLS_SSL_SRV_C */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */
+#endif /* MBEDTLS_SSL_EARLY_DATA */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
@@ -4733,6 +4761,13 @@
* \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
* and the client did not demonstrate reachability yet - in
* this case you must stop using the context (see below).
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4741,7 +4776,8 @@
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -4810,8 +4846,9 @@
*
* \warning If this function returns something other than \c 0,
* #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
- * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using
* the SSL context for reading or writing, and either free it
* or call \c mbedtls_ssl_session_reset() on it before
* re-using it for a new connection; the current connection
@@ -4879,6 +4916,13 @@
* \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
* side of a DTLS connection and the client is initiating a
* new connection using the same source port. See below.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4887,8 +4931,9 @@
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -4953,6 +4998,13 @@
* operation is in progress (see mbedtls_ecp_set_max_ops()) -
* in this case you must call this function again to complete
* the handshake when you're done attending other tasks.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4960,8 +5012,9 @@
* a non-negative value,
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
- * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -5029,48 +5082,46 @@
#if defined(MBEDTLS_SSL_SRV_C)
/**
- * \brief Read at most 'len' application data bytes while performing
- * the handshake (early data).
+ * \brief Read at most 'len' bytes of early data
*
- * \note This function behaves mainly as mbedtls_ssl_read(). The
- * specification of mbedtls_ssl_read() relevant to TLS 1.3
- * (thus not the parts specific to (D)TLS 1.2) applies to this
- * function and the present documentation is restricted to the
- * differences with mbedtls_ssl_read().
+ * \note This API is server specific.
*
- * \param ssl SSL context
+ * \warning Early data is defined in the TLS 1.3 specification, RFC 8446.
+ * IMPORTANT NOTE from section 2.3 of the specification:
+ *
+ * The security properties for 0-RTT data are weaker than
+ * those for other kinds of TLS data. Specifically:
+ * - This data is not forward secret, as it is encrypted
+ * solely under keys derived using the offered PSK.
+ * - There are no guarantees of non-replay between connections.
+ * Protection against replay for ordinary TLS 1.3 1-RTT data
+ * is provided via the server's Random value, but 0-RTT data
+ * does not depend on the ServerHello and therefore has
+ * weaker guarantees. This is especially relevant if the
+ * data is authenticated either with TLS client
+ * authentication or inside the application protocol. The
+ * same warnings apply to any use of the
+ * early_exporter_master_secret.
+ *
+ * \note This function is used in conjunction with
+ * mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
+ * mbedtls_ssl_read() and mbedtls_ssl_write() to read early
+ * data when these functions return
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA.
+ *
+ * \param ssl SSL context, it must have been initialized and set up.
* \param buf buffer that will hold the data
* \param len maximum number of bytes to read
*
- * \return One additional specific return value:
- * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA.
- *
- * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA is returned when it
- * is not possible to read early data for the SSL context
- * \p ssl.
- *
- * It may have been possible and it is not possible
- * anymore because the server received the End of Early Data
- * message or the maximum number of allowed early data for the
- * PSK in use has been reached.
- *
- * It may never have been possible and will never be possible
- * for the SSL context \p ssl because the use of early data
- * is disabled for that context or more generally the context
- * is not suitably configured to enable early data or the
- * client does not use early data or the first call to the
- * function was done while the handshake was already too
- * advanced to gather and accept early data.
- *
- * It is not possible to read early data for the SSL context
- * \p ssl but this does not preclude for using it with
- * mbedtls_ssl_write(), mbedtls_ssl_read() or
- * mbedtls_ssl_handshake().
- *
- * \note When a server wants to retrieve early data, it is expected
- * that this function starts the handshake for the SSL context
- * \p ssl. But this is not mandatory.
- *
+ * \return The (positive) number of bytes read if successful.
+ * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ * \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not
+ * possible to read early data for the SSL context \p ssl. Note
+ * that this function is intended to be called for an SSL
+ * context \p ssl only after a call to mbedtls_ssl_handshake(),
+ * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or
+ * mbedtls_ssl_write() for \p ssl that has returned
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA.
*/
int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
unsigned char *buf, size_t len);
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 90d98fd..f311acb 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1756,6 +1756,13 @@
0)
/** RSA PKCS#1 v1.5 encryption.
+ *
+ * \warning Calling psa_asymmetric_decrypt() with this algorithm as a
+ * parameter is considered an inherently dangerous function
+ * (CWE-242). Unless it is used in a side channel free and safe
+ * way (eg. implementing the TLS protocol as per 7.4.7.1 of
+ * RFC 5246), the calling code is vulnerable.
+ *
*/
#define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t) 0x07000200)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 5c297e0..b6ea73e 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -297,7 +297,7 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.1 SOVERSION 15)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.2 SOVERSION 15)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET ${everest_target})
@@ -309,11 +309,11 @@
endif()
add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.1 SOVERSION 6)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.2 SOVERSION 6)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.1 SOVERSION 20)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.2 SOVERSION 20)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/library/alignment.h b/library/alignment.h
index 9e1e044..248f29b 100644
--- a/library/alignment.h
+++ b/library/alignment.h
@@ -37,6 +37,52 @@
#define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS
#endif
+#if defined(__IAR_SYSTEMS_ICC__) && \
+ (defined(MBEDTLS_ARCH_IS_ARM64) || defined(MBEDTLS_ARCH_IS_ARM32) \
+ || defined(__ICCRX__) || defined(__ICCRL78__) || defined(__ICCRISCV__))
+#pragma language=save
+#pragma language=extended
+#define MBEDTLS_POP_IAR_LANGUAGE_PRAGMA
+/* IAR recommend this technique for accessing unaligned data in
+ * https://www.iar.com/knowledge/support/technical-notes/compiler/accessing-unaligned-data
+ * This results in a single load / store instruction (if unaligned access is supported).
+ * According to that document, this is only supported on certain architectures.
+ */
+ #define UINT_UNALIGNED
+typedef uint16_t __packed mbedtls_uint16_unaligned_t;
+typedef uint32_t __packed mbedtls_uint32_unaligned_t;
+typedef uint64_t __packed mbedtls_uint64_unaligned_t;
+#elif defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 40504) && \
+ ((MBEDTLS_GCC_VERSION < 90300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)))
+/*
+ * Old versions of gcc, depending on how the target is specified, may generate a branch to memcpy
+ * for calls like `memcpy(dest, src, 4)` rather than generating some LDR or LDRB instructions
+ * (similar for stores).
+ * Recent versions where unaligned access is not enabled also do this.
+ *
+ * For performance (and code size, in some cases), we want to avoid the branch and just generate
+ * some inline load/store instructions since the access is small and constant-size.
+ *
+ * The manual states:
+ * "The aligned attribute specifies a minimum alignment for the variable or structure field,
+ * measured in bytes."
+ * https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html
+ *
+ * Tested with several versions of GCC from 4.5.0 up to 9.3.0
+ * We don't enable for older than 4.5.0 as this has not been tested.
+ */
+ #define UINT_UNALIGNED
+typedef uint16_t __attribute__((__aligned__(1))) mbedtls_uint16_unaligned_t;
+typedef uint32_t __attribute__((__aligned__(1))) mbedtls_uint32_unaligned_t;
+typedef uint64_t __attribute__((__aligned__(1))) mbedtls_uint64_unaligned_t;
+ #endif
+
+/*
+ * We try to force mbedtls_(get|put)_unaligned_uintXX to be always inline, because this results
+ * in code that is both smaller and faster. IAR and gcc both benefit from this when optimising
+ * for size.
+ */
+
/**
* Read the unsigned 16 bits integer from the given address, which need not
* be aligned.
@@ -44,10 +90,20 @@
* \param p pointer to 2 bytes of data
* \return Data at the given address
*/
-inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
{
uint16_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ r = *p16;
+#else
memcpy(&r, p, sizeof(r));
+#endif
return r;
}
@@ -58,9 +114,19 @@
* \param p pointer to 2 bytes of data
* \param x data to write
*/
-inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ *p16 = x;
+#else
memcpy(p, &x, sizeof(x));
+#endif
}
/**
@@ -70,10 +136,20 @@
* \param p pointer to 4 bytes of data
* \return Data at the given address
*/
-inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
{
uint32_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ r = *p32;
+#else
memcpy(&r, p, sizeof(r));
+#endif
return r;
}
@@ -84,9 +160,19 @@
* \param p pointer to 4 bytes of data
* \param x data to write
*/
-inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ *p32 = x;
+#else
memcpy(p, &x, sizeof(x));
+#endif
}
/**
@@ -96,10 +182,20 @@
* \param p pointer to 8 bytes of data
* \return Data at the given address
*/
-inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
{
uint64_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ r = *p64;
+#else
memcpy(&r, p, sizeof(r));
+#endif
return r;
}
@@ -110,11 +206,25 @@
* \param p pointer to 8 bytes of data
* \param x data to write
*/
-inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ *p64 = x;
+#else
memcpy(p, &x, sizeof(x));
+#endif
}
+#if defined(MBEDTLS_POP_IAR_LANGUAGE_PRAGMA)
+#pragma language=restore
+#endif
+
/** Byte Reading Macros
*
* Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
diff --git a/library/common.h b/library/common.h
index e532777..3936ffd 100644
--- a/library/common.h
+++ b/library/common.h
@@ -27,15 +27,6 @@
#define MBEDTLS_HAVE_NEON_INTRINSICS
#endif
-
-#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
- && !defined(__llvm__) && !defined(__INTEL_COMPILER)
-/* Defined if the compiler really is gcc and not clang, etc */
-#define MBEDTLS_COMPILER_IS_GCC
-#define MBEDTLS_GCC_VERSION \
- (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
-#endif
-
/** Helper to define a function as static except when building invasive tests.
*
* If a function is only used inside its own source file and should be
@@ -167,6 +158,12 @@
return p == NULL ? NULL : p + n;
}
+/* Always inline mbedtls_xor() for similar reasons as mbedtls_xor_no_simd(). */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
/**
* Perform a fast block XOR operation, such that
* r[i] = a[i] ^ b[i] where 0 <= i < n
@@ -177,8 +174,19 @@
* \param a Pointer to input (buffer of at least \p n bytes)
* \param b Pointer to input (buffer of at least \p n bytes)
* \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
*/
-inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n)
+static inline void mbedtls_xor(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
{
size_t i = 0;
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
@@ -191,17 +199,36 @@
uint8x16_t x = veorq_u8(v1, v2);
vst1q_u8(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 16.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 16 == 0) {
+ return;
+ }
+#endif
#elif defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
/* This codepath probably only makes sense on architectures with 64-bit registers */
for (; (i + 8) <= n; i += 8) {
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
#endif
#endif
for (; i < n; i++) {
@@ -209,11 +236,18 @@
}
}
+/* Always inline mbedtls_xor_no_simd() as we see significant perf regressions when it does not get
+ * inlined (e.g., observed about 3x perf difference in gcm_mult_largetable with gcc 7 - 12) */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
/**
* Perform a fast block XOR operation, such that
* r[i] = a[i] ^ b[i] where 0 <= i < n
*
- * In some situations, this can perform better than mbedtls_xor (e.g., it's about 5%
+ * In some situations, this can perform better than mbedtls_xor() (e.g., it's about 5%
* better in AES-CBC).
*
* \param r Pointer to result (buffer of at least \p n bytes). \p r
@@ -222,6 +256,14 @@
* \param a Pointer to input (buffer of at least \p n bytes)
* \param b Pointer to input (buffer of at least \p n bytes)
* \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
*/
static inline void mbedtls_xor_no_simd(unsigned char *r,
const unsigned char *a,
@@ -236,11 +278,25 @@
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 8.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
#endif
#endif
for (; i < n; i++) {
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index de2e038..794ee03 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -5,7 +5,7 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#if defined(__linux__) && !defined(_GNU_SOURCE)
+#if defined(__linux__) || defined(__midipix__) && !defined(_GNU_SOURCE)
/* Ensure that syscall() is available even when compiling with -std=c99 */
#define _GNU_SOURCE
#endif
@@ -29,7 +29,7 @@
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__) && !defined(__midipix__)
+ !defined(__HAIKU__) && !defined(__midipix__) && !defined(__MVS__)
#error \
"Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in mbedtls_config.h"
#endif
diff --git a/library/platform_util.c b/library/platform_util.c
index 63643d2..eafb0aa 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -151,10 +151,10 @@
#include <time.h>
#if !defined(_WIN32) && (defined(unix) || \
defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
- defined(__MACH__)))
+ defined(__MACH__)) || defined__midipix__)
#include <unistd.h>
#endif /* !_WIN32 && (unix || __unix || __unix__ ||
- * (__APPLE__ && __MACH__)) */
+ * (__APPLE__ && __MACH__) || __midipix__) */
#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
(defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
@@ -217,35 +217,15 @@
void (*mbedtls_test_hook_test_fail)(const char *, int, const char *);
#endif /* MBEDTLS_TEST_HOOKS */
-/*
- * Provide external definitions of some inline functions so that the compiler
- * has the option to not inline them
- */
-extern inline void mbedtls_xor(unsigned char *r,
- const unsigned char *a,
- const unsigned char *b,
- size_t n);
-
-extern inline uint16_t mbedtls_get_unaligned_uint16(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x);
-
-extern inline uint32_t mbedtls_get_unaligned_uint32(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x);
-
-extern inline uint64_t mbedtls_get_unaligned_uint64(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x);
-
#if defined(MBEDTLS_HAVE_TIME) && !defined(MBEDTLS_PLATFORM_MS_TIME_ALT)
#include <time.h>
#if !defined(_WIN32) && \
(defined(unix) || defined(__unix) || defined(__unix__) || \
- (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__))
+ (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__) || defined(__midipix__))
#include <unistd.h>
-#endif /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__) */
+#endif \
+ /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__ || __midipix__) */
#if (defined(_POSIX_VERSION) && _POSIX_VERSION >= 199309L) || defined(__HAIKU__)
mbedtls_ms_time_t mbedtls_ms_time(void)
{
@@ -253,7 +233,7 @@
struct timespec tv;
mbedtls_ms_time_t current_ms;
-#if defined(__linux__) && defined(CLOCK_BOOTTIME)
+#if defined(__linux__) && defined(CLOCK_BOOTTIME) || defined(__midipix__)
ret = clock_gettime(CLOCK_BOOTTIME, &tv);
#else
ret = clock_gettime(CLOCK_MONOTONIC, &tv);
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 7b16724..dc376d7 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -20,6 +20,9 @@
#include "psa/crypto.h"
#include "psa/crypto_se_driver.h"
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
/**
* Tell if PSA is ready for this hash.
@@ -111,6 +114,49 @@
} key;
} psa_key_slot_t;
+#if defined(MBEDTLS_THREADING_C)
+
+/** Perform a mutex operation and return immediately upon failure.
+ *
+ * Returns PSA_ERROR_SERVICE_FAILURE if the operation fails
+ * and status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_RET(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ return PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ return status; \
+ } \
+ } while (0);
+
+/** Perform a mutex operation and goto exit on failure.
+ *
+ * Sets status to PSA_ERROR_SERVICE_FAILURE if status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * Label exit: exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_GOTO_EXIT(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ status = PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ goto exit; \
+ } \
+ } while (0);
+#endif
+
/* A mask of key attribute flags used only internally.
* Currently there aren't any. */
#define PSA_KA_MASK_INTERNAL_ONLY ( \
diff --git a/library/rsa.c b/library/rsa.c
index 2b9f85b..a90b83a 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -28,6 +28,7 @@
#if defined(MBEDTLS_RSA_C)
#include "mbedtls/rsa.h"
+#include "bignum_core.h"
#include "rsa_alt_helpers.h"
#include "rsa_internal.h"
#include "mbedtls/oid.h"
@@ -971,6 +972,45 @@
}
/*
+ * Unblind
+ * T = T * Vf mod N
+ */
+static int rsa_unblind(mbedtls_mpi *T, mbedtls_mpi *Vf, const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
+ const size_t nlimbs = N->n;
+ const size_t tlimbs = mbedtls_mpi_core_montmul_working_limbs(nlimbs);
+ mbedtls_mpi RR, M_T;
+
+ mbedtls_mpi_init(&RR);
+ mbedtls_mpi_init(&M_T);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&M_T, tlimbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs));
+
+ /* T = T * Vf mod N
+ * Reminder: montmul(A, B, N) = A * B * R^-1 mod N
+ * Usually both operands are multiplied by R mod N beforehand (by calling
+ * `to_mont_rep()` on them), yielding a result that's also * R mod N (aka
+ * "in the Montgomery domain"). Here we only multiply one operand by R mod
+ * N, so the result is directly what we want - no need to call
+ * `from_mont_rep()` on it. */
+ mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p);
+ mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p);
+
+cleanup:
+
+ mbedtls_mpi_free(&RR);
+ mbedtls_mpi_free(&M_T);
+
+ return ret;
+}
+
+/*
* Exponent blinding supposed to prevent side-channel attacks using multiple
* traces of measurements to recover the RSA key. The more collisions are there,
* the more bits of the key can be recovered. See [3].
@@ -1017,23 +1057,14 @@
/* Temporaries holding the blinded exponents for
* the mod p resp. mod q computation (if used). */
mbedtls_mpi DP_blind, DQ_blind;
-
- /* Pointers to actual exponents to be used - either the unblinded
- * or the blinded ones, depending on the presence of a PRNG. */
- mbedtls_mpi *DP = &ctx->DP;
- mbedtls_mpi *DQ = &ctx->DQ;
#else
/* Temporary holding the blinded exponent (if used). */
mbedtls_mpi D_blind;
-
- /* Pointer to actual exponent to be used - either the unblinded
- * or the blinded one, depending on the presence of a PRNG. */
- mbedtls_mpi *D = &ctx->D;
#endif /* MBEDTLS_RSA_NO_CRT */
/* Temporaries holding the initial input and the double
* checked result; should be the same in the end. */
- mbedtls_mpi I, C;
+ mbedtls_mpi input_blinded, check_result_blinded;
if (f_rng == NULL) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
@@ -1068,8 +1099,8 @@
mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
#endif
- mbedtls_mpi_init(&I);
- mbedtls_mpi_init(&C);
+ mbedtls_mpi_init(&input_blinded);
+ mbedtls_mpi_init(&check_result_blinded);
/* End of MPI initialization */
@@ -1079,8 +1110,6 @@
goto cleanup;
}
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
-
/*
* Blinding
* T = T * Vi mod N
@@ -1089,6 +1118,8 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&input_blinded, &T));
+
/*
* Exponent blinding
*/
@@ -1104,8 +1135,6 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
-
- D = &D_blind;
#else
/*
* DP_blind = ( P - 1 ) * R + DP
@@ -1116,8 +1145,6 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
&ctx->DP));
- DP = &DP_blind;
-
/*
* DQ_blind = ( Q - 1 ) * R + DQ
*/
@@ -1126,12 +1153,10 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
&ctx->DQ));
-
- DQ = &DQ_blind;
#endif /* MBEDTLS_RSA_NO_CRT */
#if defined(MBEDTLS_RSA_NO_CRT)
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &D_blind, &ctx->N, &ctx->RN));
#else
/*
* Faster decryption using the CRT
@@ -1140,8 +1165,8 @@
* TQ = input ^ dQ mod Q
*/
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, &DP_blind, &ctx->P, &ctx->RP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, &DQ_blind, &ctx->Q, &ctx->RQ));
/*
* T = (TP - TQ) * (Q^-1 mod P) mod P
@@ -1157,20 +1182,19 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
#endif /* MBEDTLS_RSA_NO_CRT */
+ /* Verify the result to prevent glitching attacks. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E,
+ &ctx->N, &ctx->RN));
+ if (mbedtls_mpi_cmp_mpi(&check_result_blinded, &input_blinded) != 0) {
+ ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ goto cleanup;
+ }
+
/*
* Unblind
* T = T * Vf mod N
*/
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
-
- /* Verify the result to prevent glitching attacks. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
- &ctx->N, &ctx->RN));
- if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {
- ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
- goto cleanup;
- }
+ MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
olen = ctx->len;
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
@@ -1199,8 +1223,8 @@
mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
#endif
- mbedtls_mpi_free(&C);
- mbedtls_mpi_free(&I);
+ mbedtls_mpi_free(&check_result_blinded);
+ mbedtls_mpi_free(&input_blinded);
if (ret != 0 && ret >= -0x007f) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
diff --git a/library/sha512.c b/library/sha512.c
index 6011254..6dcea8d 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -102,6 +102,14 @@
# if defined(__linux__)
/* Our preferred method of detection is getauxval() */
# include <sys/auxv.h>
+# if !defined(HWCAP_SHA512)
+/* The same header that declares getauxval() should provide the HWCAP_xxx
+ * constants to analyze its return value. However, the libc may be too
+ * old to have the constant that we need. So if it's missing, assume that
+ * the value is the same one used by the Linux kernel ABI.
+ */
+# define HWCAP_SHA512 (1 << 21)
+# endif
# endif
/* Use SIGILL on Unix, and fall back to it on Linux */
# include <signal.h>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 96afe76..c9632f9 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -650,6 +650,10 @@
/* Flag indicating if a CertificateRequest message has been sent
* to the client or not. */
uint8_t certificate_request_sent;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ /* Flag indicating if the server has accepted early data or not. */
+ uint8_t early_data_accepted;
+#endif
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
@@ -2130,12 +2134,6 @@
unsigned char *buf,
const unsigned char *end,
size_t *out_len);
-
-#if defined(MBEDTLS_SSL_SRV_C)
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED \
- MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT
-#endif /* MBEDTLS_SSL_SRV_C */
-
#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 6579c96..20501c9 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5648,12 +5648,53 @@
}
/*
+ * brief Read at most 'len' application data bytes from the input
+ * buffer.
+ *
+ * param ssl SSL context:
+ * - First byte of application data not read yet in the input
+ * buffer located at address `in_offt`.
+ * - The number of bytes of data not read yet is `in_msglen`.
+ * param buf buffer that will hold the data
+ * param len maximum number of bytes to read
+ *
+ * note The function updates the fields `in_offt` and `in_msglen`
+ * according to the number of bytes read.
+ *
+ * return The number of bytes read.
+ */
+static int ssl_read_application_data(
+ mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
+{
+ size_t n = (len < ssl->in_msglen) ? len : ssl->in_msglen;
+
+ if (len != 0) {
+ memcpy(buf, ssl->in_offt, n);
+ ssl->in_msglen -= n;
+ }
+
+ /* Zeroising the plaintext buffer to erase unused application data
+ from the memory. */
+ mbedtls_platform_zeroize(ssl->in_offt, n);
+
+ if (ssl->in_msglen == 0) {
+ /* all bytes consumed */
+ ssl->in_offt = NULL;
+ ssl->keep_current_message = 0;
+ } else {
+ /* more data available */
+ ssl->in_offt += n;
+ }
+
+ return (int) n;
+}
+
+/*
* Receive application data decrypted from the SSL layer
*/
int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
if (ssl == NULL || ssl->conf == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -5817,32 +5858,34 @@
#endif /* MBEDTLS_SSL_PROTO_DTLS */
}
- n = (len < ssl->in_msglen)
- ? len : ssl->in_msglen;
-
- if (len != 0) {
- memcpy(buf, ssl->in_offt, n);
- ssl->in_msglen -= n;
- }
-
- /* Zeroising the plaintext buffer to erase unused application data
- from the memory. */
- mbedtls_platform_zeroize(ssl->in_offt, n);
-
- if (ssl->in_msglen == 0) {
- /* all bytes consumed */
- ssl->in_offt = NULL;
- ssl->keep_current_message = 0;
- } else {
- /* more data available */
- ssl->in_offt += n;
- }
+ ret = ssl_read_application_data(ssl, buf, len);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= read"));
- return (int) n;
+ return ret;
}
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ if (ssl == NULL || (ssl->conf == NULL)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /*
+ * The server may receive early data only while waiting for the End of
+ * Early Data handshake message.
+ */
+ if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) ||
+ (ssl->in_offt == NULL)) {
+ return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA;
+ }
+
+ return ssl_read_application_data(ssl, buf, len);
+}
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA */
+
/*
* Send application data to be encrypted by the SSL layer, taking care of max
* fragment length and buffer size.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0bc18f1..c952add 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1098,6 +1098,10 @@
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
+#endif
+
/* Initialize structures */
mbedtls_ssl_session_init(ssl->session_negotiate);
ssl_handshake_params_init(ssl->handshake);
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index a3d33a3..76f0f18 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1236,10 +1236,6 @@
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
-#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
- mbedtls_ssl_handshake_set_state(
- ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
-#endif
MBEDTLS_SSL_DEBUG_MSG(
1, ("Set hs psk for early data when writing the first psk"));
@@ -1294,6 +1290,15 @@
return ret;
}
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
+#else
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early data keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+#endif
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
return 0;
@@ -3067,19 +3072,19 @@
}
break;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
if (ret == 0) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
-#if defined(MBEDTLS_SSL_EARLY_DATA)
MBEDTLS_SSL_DEBUG_MSG(
1, ("Switch to early data keys for outbound traffic"));
mbedtls_ssl_set_outbound_transform(
ssl, ssl->handshake->transform_earlydata);
-#endif
}
break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 904bb5b..8bd70ef 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1780,7 +1780,8 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
-static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl)
+static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl,
+ int hrr_required)
{
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@@ -1788,17 +1789,19 @@
MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: no early data extension received."));
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED;
- return;
+ return 0;
}
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
-
if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) {
MBEDTLS_SSL_DEBUG_MSG(
1,
("EarlyData: rejected, feature disabled in server configuration."));
- return;
+ return 0;
+ }
+
+ if (hrr_required) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, HRR required."));
+ return 0;
}
if (!handshake->resume) {
@@ -1807,7 +1810,7 @@
resumption. */
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, not a session resumption."));
- return;
+ return 0;
}
/* RFC 8446 4.2.10
@@ -1830,7 +1833,7 @@
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected key in "
"`pre_shared_key` is not the first one."));
- return;
+ return 0;
}
if (handshake->ciphersuite_info->id !=
@@ -1838,7 +1841,7 @@
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected ciphersuite is not the one "
"of the selected pre-shared key."));
- return;
+ return 0;
}
@@ -1847,18 +1850,18 @@
1,
("EarlyData: rejected, early_data not allowed in ticket "
"permission bits."));
- return;
+ return 0;
}
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
-
+ return 1;
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
/* Update the handshake state machine */
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
+static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl,
+ int hrr_required)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1882,10 +1885,10 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- /* There is enough information, update early data state. */
- ssl_tls13_update_early_data_status(ssl);
+ ssl->handshake->early_data_accepted =
+ ssl_tls13_is_early_data_accepted(ssl, hrr_required);
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
+ if (ssl->handshake->early_data_accepted) {
ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(
@@ -1893,6 +1896,8 @@
return ret;
}
}
+#else
+ ((void) hrr_required);
#endif /* MBEDTLS_SSL_EARLY_DATA */
return 0;
@@ -1947,7 +1952,9 @@
return 0;
}
- MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));
+ MBEDTLS_SSL_PROC_CHK(
+ ssl_tls13_postprocess_client_hello(ssl, parse_client_hello_ret ==
+ SSL_CLIENT_HELLO_HRR_REQUIRED));
if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
@@ -2530,7 +2537,7 @@
#endif /* MBEDTLS_SSL_ALPN */
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
+ if (ssl->handshake->early_data_accepted) {
ret = mbedtls_ssl_tls13_write_early_data_ext(
ssl, 0, p, end, &output_len);
if (ret != 0) {
@@ -2857,7 +2864,7 @@
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
+ if (ssl->handshake->early_data_accepted) {
/* See RFC 8446 section A.2 for more information */
MBEDTLS_SSL_DEBUG_MSG(
1, ("Switch to early keys for inbound traffic. "
@@ -2911,6 +2918,17 @@
if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data"));
+ /* RFC 8446 section 4.6.1
+ *
+ * A server receiving more than max_early_data_size bytes of 0-RTT data
+ * SHOULD terminate the connection with an "unexpected_message" alert.
+ *
+ * TODO: Add received data size check here.
+ */
+ if (ssl->in_offt == NULL) {
+ /* Set the reading pointer */
+ ssl->in_offt = ssl->in_msg;
+ }
return SSL_GOT_EARLY_DATA;
}
@@ -2936,37 +2954,6 @@
return 0;
}
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_process_early_application_data(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- /*
- * Output early data
- *
- * For the time being, we print received data via debug message.
- *
- * TODO: Remove it when `mbedtls_ssl_read_early_data` is ready.
- */
- ssl->in_msg[ssl->in_msglen] = 0;
- MBEDTLS_SSL_DEBUG_MSG(3, ("\n%s", ssl->in_msg));
-
- /* RFC 8446 section 4.6.1
- *
- * A server receiving more than max_early_data_size bytes of 0-RTT data
- * SHOULD terminate the connection with an "unexpected_message" alert.
- *
- * TODO: Add received data size check here.
- */
-
- return 0;
-}
-
/*
* RFC 8446 section A.2
*
@@ -3037,7 +3024,8 @@
ssl_tls13_prepare_for_handshake_second_flight(ssl);
} else if (ret == SSL_GOT_EARLY_DATA) {
- MBEDTLS_SSL_PROC_CHK(ssl_tls13_process_early_application_data(ssl));
+ ret = MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA;
+ goto cleanup;
} else {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 0cb1562..165cee2 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -13,14 +13,13 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
- defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
- defined(MBEDTLS_MD_CAN_SHA1)
+ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@@ -33,9 +32,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
- !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_SHA1_C)
+ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
@@ -60,12 +58,14 @@
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
+ unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context server_fd;
unsigned char *p, *end;
unsigned char buf[2048];
- unsigned char hash[32];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ mbedtls_mpi N, E;
const char *pers = "dh_client";
mbedtls_entropy_context entropy;
@@ -78,6 +78,8 @@
mbedtls_dhm_init(&dhm);
mbedtls_aes_init(&aes);
mbedtls_ctr_drbg_init(&ctr_drbg);
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&E);
/*
* 1. Setup the RNG
@@ -106,16 +108,13 @@
}
mbedtls_rsa_init(&rsa);
-
- if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 ||
- (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) {
+ if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
+ (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
+ (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
-
- rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3;
-
fclose(f);
/*
@@ -182,18 +181,24 @@
p += 2;
- if ((n = (size_t) (end - p)) != rsa.MBEDTLS_PRIVATE(len)) {
+ if ((n = (size_t) (end - p)) != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n");
goto exit;
}
- if ((ret = mbedtls_sha1(buf, (int) (p - 2 - buf), hash)) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret);
+ mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
+ if (mdlen == 0) {
+ mbedtls_printf(" failed\n ! Invalid digest type\n\n");
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256,
- 32, hash, p)) != 0) {
+ mdlen, hash, p)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret);
goto exit;
}
@@ -273,6 +278,8 @@
mbedtls_dhm_free(&dhm);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index adddbf2..91bac0e 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -13,14 +13,13 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
- defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
- defined(MBEDTLS_MD_CAN_SHA1)
+ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@@ -33,9 +32,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
- !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_SHA1_C)
+ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
@@ -53,11 +51,12 @@
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
+ unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[2048];
- unsigned char hash[32];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
unsigned char buf2[2];
const char *pers = "dh_server";
@@ -186,21 +185,30 @@
/*
* 5. Sign the parameters and send them
*/
- if ((ret = mbedtls_sha1(buf, n, hash)) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret);
+
+ mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
+ if (mdlen == 0) {
+ mbedtls_printf(" failed\n ! Invalid digest type\n\n");
goto exit;
}
- buf[n] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len) >> 8);
- buf[n + 1] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len));
+ if ((ret = mbedtls_sha256(buf, n, hash, 0)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
+ goto exit;
+ }
- if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, NULL, NULL, MBEDTLS_MD_SHA256,
- 32, hash, buf + n + 2)) != 0) {
+ const size_t rsa_key_len = mbedtls_rsa_get_len(&rsa);
+ buf[n] = (unsigned char) (rsa_key_len >> 8);
+ buf[n + 1] = (unsigned char) (rsa_key_len);
+
+ if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg,
+ MBEDTLS_MD_SHA256, mdlen,
+ hash, buf + n + 2)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret);
goto exit;
}
- buflen = n + 2 + rsa.MBEDTLS_PRIVATE(len);
+ buflen = n + 2 + rsa_key_len;
buf2[0] = (unsigned char) (buflen >> 8);
buf2[1] = (unsigned char) (buflen);
diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c
index 76bfddf..a84af50 100644
--- a/programs/pkey/rsa_decrypt.c
+++ b/programs/pkey/rsa_decrypt.c
@@ -133,7 +133,7 @@
fclose(f);
- if (i != rsa.MBEDTLS_PRIVATE(len)) {
+ if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c
index 4bbb54e..6538f8a 100644
--- a/programs/pkey/rsa_encrypt.c
+++ b/programs/pkey/rsa_encrypt.c
@@ -126,7 +126,7 @@
goto exit;
}
- for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) {
+ for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index 9d8ebe3..e14953b 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -131,7 +131,7 @@
goto exit;
}
- for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) {
+ for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index e7d72fd..4a9af77 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -37,11 +37,14 @@
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
+ mbedtls_mpi N, E;
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
mbedtls_rsa_init(&rsa);
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&E);
if (argc != 2) {
mbedtls_printf("usage: rsa_verify <filename>\n");
@@ -62,15 +65,13 @@
goto exit;
}
- if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 ||
- (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) {
+ if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
+ (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
+ (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
-
- rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3;
-
fclose(f);
/*
@@ -91,7 +92,7 @@
fclose(f);
- if (i != rsa.MBEDTLS_PRIVATE(len)) {
+ if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
@@ -124,6 +125,8 @@
exit:
mbedtls_rsa_free(&rsa);
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 598d38c..48b2282 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1612,6 +1612,7 @@
#if defined(MBEDTLS_SSL_EARLY_DATA)
int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED;
#endif
+
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf));
#if defined(MBEDTLS_MEMORY_DEBUG)
@@ -3450,6 +3451,19 @@
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) {
+ memset(buf, 0, opt.buffer_size);
+ ret = mbedtls_ssl_read_early_data(&ssl, buf, opt.buffer_size);
+ if (ret > 0) {
+ buf[ret] = '\0';
+ mbedtls_printf(" %d early data bytes read\n\n%s\n",
+ ret, (char *) buf);
+ }
+ continue;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL) {
diff --git a/tests/data_files/tls13_early_data.txt b/tests/data_files/tls13_early_data.txt
index 0c84b07..95811fd 100644
--- a/tests/data_files/tls13_early_data.txt
+++ b/tests/data_files/tls13_early_data.txt
@@ -1,3 +1,4 @@
EarlyData context: line 0 lf
EarlyData context: line 1 lf
+EarlyData context: line 2 lf
EarlyData context: If it appears, that means early_data received.
diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
index 8de9c4d..a73e06f 100644
--- a/tests/include/test/macros.h
+++ b/tests/include/test/macros.h
@@ -125,8 +125,8 @@
do { \
TEST_ASSERT((pointer) == NULL); \
if ((item_count) != 0) { \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
TEST_ASSERT((pointer) != NULL); \
} \
} while (0)
@@ -155,8 +155,8 @@
#define TEST_CALLOC_NONNULL(pointer, item_count) \
do { \
TEST_ASSERT((pointer) == NULL); \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
if (((pointer) == NULL) && ((item_count) == 0)) { \
(pointer) = mbedtls_calloc(1, 1); \
} \
@@ -175,8 +175,8 @@
do { \
TEST_ASSERT((pointer) == NULL); \
if ((item_count) != 0) { \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
TEST_ASSUME((pointer) != NULL); \
} \
} while (0)
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index d03c624..1f41966 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -589,6 +589,16 @@
int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args);
#endif /* MBEDTLS_TEST_HOOKS */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+int mbedtls_test_ticket_write(
+ void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *ticket_lifetime);
+
+int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len);
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
#define ECJPAKE_TEST_PWD "bla"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index c1682e3..b6894de 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -506,4 +506,7 @@
-s "Sent max_early_data_size=$EARLY_DATA_INPUT_LEN" \
-s "ClientHello: early_data(42) extension exists." \
-s "EncryptedExtensions: early_data(42) extension exists." \
- -s "$( tail -1 $EARLY_DATA_INPUT )"
+ -s "$( head -1 $EARLY_DATA_INPUT )" \
+ -s "$( tail -1 $EARLY_DATA_INPUT )" \
+ -s "200 early data bytes read" \
+ -s "106 early data bytes read"
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 44930d2..315a66b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -821,6 +821,14 @@
fi
}
+clang_version() {
+ if command -v clang > /dev/null ; then
+ clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#'
+ else
+ echo 0 # report version 0 for "no clang"
+ fi
+}
+
################################################################
#### Helpers for components using libtestdriver1
################################################################
@@ -4692,14 +4700,8 @@
}
support_test_aesni_m32_clang() {
- support_test_aesni_m32 && if command -v clang > /dev/null ; then
- # clang >= 4 is required to build with target attributes
- clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')"
- [[ "${clang_ver}" -ge 4 ]]
- else
- # clang not available
- false
- fi
+ # clang >= 4 is required to build with target attributes
+ support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]]
}
component_test_aesni_m32_clang() {
@@ -4750,9 +4752,8 @@
}
support_build_aes_armce() {
- # clang >= 4 is required to build with AES extensions
- ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')"
- [ "${ver}" -ge 11 ]
+ # clang >= 11 is required to build with AES extensions
+ [[ $(clang_version) -ge 11 ]]
}
component_build_aes_armce () {
@@ -4807,15 +4808,8 @@
}
support_build_sha_armce() {
- if command -v clang > /dev/null ; then
- # clang >= 4 is required to build with SHA extensions
- clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')"
-
- [[ "${clang_ver}" -ge 4 ]]
- else
- # clang not available
- false
- fi
+ # clang >= 4 is required to build with SHA extensions
+ [[ $(clang_version) -ge 4 ]]
}
component_build_sha_armce () {
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 2368a76..980c192 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -841,6 +841,23 @@
}
#endif
+#if defined(MBEDTLS_DEBUG_C)
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_SERVER &&
+ options->srv_log_fun != NULL) {
+ mbedtls_ssl_conf_dbg(&(ep->conf), options->srv_log_fun,
+ options->srv_log_obj);
+ }
+#endif
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_CLIENT &&
+ options->cli_log_fun != NULL) {
+ mbedtls_ssl_conf_dbg(&(ep->conf), options->cli_log_fun,
+ options->cli_log_obj);
+ }
+#endif
+#endif /* MBEDTLS_DEBUG_C */
+
ret = mbedtls_test_ssl_endpoint_certificate_init(ep, options->pk_alg,
options->opaque_alg,
options->opaque_alg2,
@@ -1977,6 +1994,12 @@
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+#if defined(MBEDTLS_DEBUG_C)
+ if (options->cli_log_fun || options->srv_log_fun) {
+ mbedtls_debug_set_threshold(4);
+ }
+#endif
+
/* Client side */
if (options->dtls != 0) {
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client,
@@ -2000,14 +2023,6 @@
set_ciphersuite(&client.conf, options->cipher, forced_ciphersuite);
}
-#if defined(MBEDTLS_DEBUG_C)
- if (options->cli_log_fun) {
- mbedtls_debug_set_threshold(4);
- mbedtls_ssl_conf_dbg(&client.conf, options->cli_log_fun,
- options->cli_log_obj);
- }
-#endif
-
/* Server side */
if (options->dtls != 0) {
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server,
@@ -2072,14 +2087,6 @@
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
-#if defined(MBEDTLS_DEBUG_C)
- if (options->srv_log_fun) {
- mbedtls_debug_set_threshold(4);
- mbedtls_ssl_conf_dbg(&server.conf, options->srv_log_fun,
- options->srv_log_obj);
- }
-#endif
-
TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket),
&(server.socket),
BUFFSIZE) == 0);
@@ -2419,4 +2426,40 @@
return 0;
}
#endif /* MBEDTLS_TEST_HOOKS */
+
+/*
+ * Functions for tests based on tickets. Implementations of the
+ * write/parse ticket interfaces as defined by mbedtls_ssl_ticket_write/parse_t.
+ * Basically same implementations as in ticket.c without the encryption. That
+ * way we can tweak easily tickets characteristics to simulate misbehaving
+ * peers.
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+int mbedtls_test_ticket_write(
+ void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *lifetime)
+{
+ int ret;
+ ((void) p_ticket);
+
+ if ((ret = mbedtls_ssl_session_save(session, start, end - start,
+ tlen)) != 0) {
+ return ret;
+ }
+
+ /* Maximum ticket lifetime as defined in RFC 8446 */
+ *lifetime = 7 * 24 * 3600;
+
+ return 0;
+}
+
+int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len)
+{
+ ((void) p_ticket);
+
+ return mbedtls_ssl_session_load(session, buf, len);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index de998e3..c06c0a7 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3270,3 +3270,9 @@
Test Elliptic curves' info parsing
elliptic_curve_get_properties
+
+TLS 1.3 resume session with ticket
+tls13_resume_session_with_ticket
+
+TLS 1.3 early data
+tls13_early_data
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 8a03d1b..2d1a757 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -12,6 +12,48 @@
#define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 }
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \
+ defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+/*
+ * The implementation of the function should be based on
+ * mbedtls_ssl_write_early_data() eventually. The current version aims at
+ * removing the dependency on mbedtls_ssl_write_early_data() for the
+ * development and testing of reading early data.
+ */
+static int write_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
+
+ TEST_ASSERT(ret > 0);
+ TEST_ASSERT(len <= (size_t) ret);
+
+ ret = mbedtls_ssl_flush_output(ssl);
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(ssl->out_left, 0);
+
+ ssl->out_msglen = len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ if (len > 0) {
+ memcpy(ssl->out_msg, buf, len);
+ }
+
+ ret = mbedtls_ssl_write_record(ssl, 1);
+ TEST_EQUAL(ret, 0);
+
+ ret = len;
+
+exit:
+ return ret;
+}
+#endif
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -3519,3 +3561,215 @@
MD_OR_USE_PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_resume_session_with_ticket()
+{
+ int ret = -1;
+ unsigned char buf[64];
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+
+ /*
+ * Test set-up
+ */
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL,
+ NULL);
+ TEST_EQUAL(ret, 0);
+
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL,
+ NULL);
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Run initial handshake: ephemeral key exchange mode, certificate with
+ * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature
+ * algorithm. Then, get the ticket sent by the server at the end of its
+ * handshake sequence.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+ do {
+ ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
+ } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
+
+ /*
+ * Save client session and reset the SSL context of the two endpoints.
+ */
+ ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Set saved session on client side and handshake using the ticket
+ * included in that session.
+ */
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not
+ * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks
+ * below.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0);
+
+ TEST_EQUAL(server_ep.ssl.handshake->resume, 1);
+ TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1);
+ TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_early_data()
+{
+ int ret = -1;
+ unsigned char buf[64];
+ const char *early_data = "This is early data.";
+ size_t early_data_len = strlen(early_data);
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+
+ /*
+ * Test set-up
+ */
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL,
+ NULL);
+ TEST_EQUAL(ret, 0);
+ mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
+
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL,
+ NULL);
+ TEST_EQUAL(ret, 0);
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+ mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Run initial handshake: ephemeral key exchange mode, certificate with
+ * SECP256R1 key, CA certificate with SECP384R1 key, ECDSA signature
+ * algorithm. Then, get the ticket sent by the server at the end of its
+ * handshake sequence.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+ do {
+ ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
+ } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
+
+ /*
+ * Save client session and reset the SSL context of the two endpoints.
+ */
+ ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Set saved session on client side and start handshake using the ticket
+ * included in that session.
+ */
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_HELLO), 0);
+
+ TEST_ASSERT(client_ep.ssl.early_data_status !=
+ MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
+
+ ret = write_early_data(&(client_ep.ssl), (unsigned char *) early_data,
+ early_data_len);
+ TEST_EQUAL(ret, early_data_len);
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_CLIENT_FINISHED), MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+
+ TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1);
+ TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), buf, sizeof(buf)),
+ early_data_len);
+ TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len);
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index faa3166..6290331 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compile time library version
-check_compiletime_version:"3.5.1"
+check_compiletime_version:"3.5.2"
Check runtime library version
-check_runtime_version:"3.5.1"
+check_runtime_version:"3.5.2"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0