Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9
Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
concurrently added errors; made the new error a full sentence per
current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
* ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
was due to style corrections in development
(4cb1f4d49cff999d0c853bc696ad7eea68888c35) which I merged with
my refactoring.
* ssl_prepare_server_key_exchange "For key exchanges involving the
server signing", first case, variable declarations: merged line
by line:
* dig_signed_len: added in async
* signature_len: removed in async
* hashlen: type changed to size_t in development
* hash: size changed to MBEDTLS_MD_MAX_SIZE in async
* ret: added in async
* ssl_prepare_server_key_exchange "For key exchanges involving the
server signing", first cae comment: the conflict was due to style
corrections in development (4cb1f4d49cff999d0c853bc696ad7eea68888c35)
which I merged with my comment changes made as part of refactoring
the function.
* ssl_prepare_server_key_exchange "Compute the hash to be signed" if
`md_alg != MBEDTLS_MD_NONE`: conflict between
ebd652fe2dfc2c82d774bfd334398279d9027492
"ssl_write_server_key_exchange: calculate hashlen explicitly" and
46f5a3e9b4d5db3cacfe2ba33480a27317c62d46 "Check return codes from
MD in ssl code". I took the code from commit
ca1d74290439ec9e2723a911657fd96aa320e219 made on top of development
which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
definitions for async support, and the introduction of idle().
* definitions before main: concurrent additions, kept both.
* main, just after `handshake:`: in the loop around
mbedtls_ssl_handshake(), merge the addition of support for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
with the addition of the idle() call.
* main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
* main, loop around mbedtls_ssl_read() in the datagram case:
take the code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
* main, loop around mbedtls_ssl_write() in the datagram case:
take the code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
diff --git a/ChangeLog b/ChangeLog
index ae8d86f..8155182 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,9 @@
ECDH primitive functions (mbedtls_ecdh_gen_public(),
mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
Nicholas Wilson (#348).
+ * In TLS servers, support offloading private key operations to an external
+ cryptoprocessor. Private key operations can be asynchronous to allow
+ non-blocking operation of the TLS server stack.
API Changes
* Add function mbedtls_net_poll to public API allowing to wait for a
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 9585e69..4aec9ac 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2473,6 +2473,17 @@
#define MBEDTLS_SHA512_C
/**
+ * \def MBEDTLS_SSL_ASYNC_PRIVATE_C
+ *
+ * Enable asynchronous external private key operations in SSL. This allows
+ * you to configure an SSL connection to call an external cryptographic
+ * module to perform private key operations instead of performing the
+ * operation inside the library.
+ *
+ */
+//#define MBEDTLS_SSL_ASYNC_PRIVATE_C
+
+/**
* \def MBEDTLS_SSL_CACHE_C
*
* Enable simple SSL cache implementation.
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index 8b4d3a8..698a5b6 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -89,7 +89,7 @@
* ECP 4 9 (Started from top)
* MD 5 5
* CIPHER 6 8
- * SSL 6 17 (Started from top)
+ * SSL 6 22 (Started from top)
* SSL 7 31
*
* Module dependent error code (5 bits 0x.00.-0x.F8.)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index bb9c02d..720c338 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -120,6 +120,7 @@
#define MBEDTLS_ERR_SSL_NON_FATAL -0x6680 /**< The alert message received indicates a non-fatal error. */
#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH -0x6600 /**< Couldn't set the hash for verifying CertificateVerify */
#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -0x6580 /**< Internal-only message signaling that further message-processing should be done */
+#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */
/*
* Various constants
@@ -536,6 +537,162 @@
*/
typedef int mbedtls_ssl_get_timer_t( void * ctx );
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief Callback type: start external signature operation
+ *
+ * Callback to start a signature operation using an
+ * external processor. The parameter \c cert contains
+ * the public key; it is up to the callback function to
+ * look up the associated private key or a handle to the
+ * private key.
+ *
+ * This function must start the signature operation.
+ * It is expected to be non-blocking, i.e. typically
+ * this function sends or enqueues a request and does
+ * not wait for the operation to complete.
+ *
+ * The parameters \c connection_ctx and \c cert are
+ * guaranteed to remain valid as long as the SSL
+ * configuration remains valid. On the other hand, this
+ * function must save the contents of \c hash, as the
+ * \c hash buffer is no longer valid when this function
+ * returns.
+ *
+ * \param connection_ctx Pointer to the connection context set in the
+ * SSL configuration
+ * \param p_operation_ctx On success, pointer to the operation context.
+ * This must be a non-null pointer. Success means
+ * that an operation was started, and the return
+ * status is 0 or \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
+ * This pointer will be passed to later calls to the
+ * resume or cancel function. If the callback fails,
+ * the value is ignored.
+ * \param cert Certificate containing the public key
+ * \param md_alg Hash algorithm
+ * \param hash Buffer containing the hash. This buffer is
+ * no longer valid when the function returns.
+ * \param hash_len Size of the \c hash buffer in bytes
+ *
+ * \return - 0 if the operation was started successfully and the SSL
+ * stack should call the resume callback immediately.
+ * - \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ * was started successfully and the SSL stack should return
+ * immediately without calling the resume callback yet.
+ * - \c MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ * processor does not support this key. The SSL stack will
+ * use the private key object instead.
+ * - Any other error indicates a fatal failure and is
+ * propagated up the call chain.
+ */
+typedef int mbedtls_ssl_async_sign_t( void *connection_ctx,
+ void **p_operation_ctx,
+ mbedtls_x509_crt *cert,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash,
+ size_t hash_len );
+
+/**
+ * \brief Callback type: start external decryption operation
+ *
+ * Callback to start a decryption operation using an
+ * external processor. The parameter \c cert contains
+ * the public key; it is up to the callback function to
+ * look up the associated private key or a handle to the
+ * private key.
+ *
+ * This function must start the decryption operation.
+ * It is expected to be non-blocking, i.e. typically
+ * this function sends or enqueues a request and does
+ * not wait for the operation to complete.
+ *
+ * The parameters \c connection_ctx and \c cert are
+ * guaranteed to remain valid as long as the SSL
+ * configuration remains valid. On the other hand, this
+ * function must save the contents of \c hash, as the
+ * \c hash buffer is no longer valid when this function
+ * returns.
+ *
+ * \param connection_ctx Pointer to the connection context set in the
+ * SSL configuration
+ * \param p_operation_ctx On success, pointer to the operation context.
+ * This must be a non-null pointer. Success means
+ * that an operation was started, and the return
+ * status is 0 or \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
+ * This pointer will be passed to later calls to the
+ * resume or cancel function. If the callback fails,
+ * the value is ignored.
+ * \param cert Certificate containing the public key
+ * \param input Buffer containing the input ciphertext. This buffer
+ * is no longer valid when the function returns.
+ * \param input_len Size of the \c input buffer in bytes
+ *
+ * \return - 0 if the operation was started successfully and the SSL
+ * stack should call the resume callback immediately.
+ * - \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ * was started successfully and the SSL stack should return
+ * immediately without calling the resume callback yet.
+ * - \c MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ * processor does not support this key. The SSL stack will
+ * use the private key object instead.
+ * - Any other error indicates a fatal failure and is
+ * propagated up the call chain.
+ */
+typedef int mbedtls_ssl_async_decrypt_t( void *connection_ctx,
+ void **p_operation_ctx,
+ mbedtls_x509_crt *cert,
+ const unsigned char *input,
+ size_t input_len );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief Callback type: resume external operation
+ *
+ * Callback to resume an external operation
+ * started by the \c mbedtls_ssl_async_sign_t callback.
+ *
+ * \param connection_ctx Pointer to the connection context set in the
+ * SSL configuration
+ * \param operation_ctx Pointer to the operation context created by
+ * the start function. If this callback returns
+ * any value other than
+ * \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it should
+ * free all resources associated with this context.
+ * \param output Buffer containing the output on success
+ * \param output_len On success, number of bytes written to \c output
+ * \param output_size Size of the \c output buffer in bytes
+ *
+ * \return - 0 if output of the operation is available in the
+ * \c output buffer.
+ * - \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ * is still in progress. Subsequent requests for progress
+ * on the SSL connection will call the resume callback
+ * again.
+ * - Any other error means that the operation is aborted.
+ * The SSL handshake is aborted.
+ */
+typedef int mbedtls_ssl_async_resume_t( void *connection_ctx,
+ void *operation_ctx,
+ unsigned char *output,
+ size_t *output_len,
+ size_t output_size );
+
+/**
+ * \brief Callback type: cancel external operation
+ *
+ * Callback to cancel an external operation
+ * started by the \c mbedtls_ssl_async_sign_t callback.
+ *
+ * \param connection_ctx Pointer to the connection context set in the
+ * SSL configuration
+ * \param operation_ctx Pointer to the operation context created by
+ * the start function. The callback should free
+ * all resources associated with this context.
+ */
+typedef void mbedtls_ssl_async_cancel_t( void *connection_ctx,
+ void *operation_ctx );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
/* Defined below */
typedef struct mbedtls_ssl_session mbedtls_ssl_session;
@@ -669,6 +826,16 @@
mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_ssl_async_sign_t *f_async_sign_start; /*!< start asynchronous signature operation */
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt_start; /*!< start asynchronous decryption operation */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+ mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */
+ mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */
+ void *p_async_connection_ctx; /*!< connection context for asynchronous operation callbacks */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
const int *sig_hashes; /*!< allowed signature hashes */
#endif
@@ -1315,6 +1482,40 @@
void *p_export_keys );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+/**
+ * \brief Configure asynchronous private key operation callbacks.
+ *
+ * \param conf SSL configuration context
+ * \param f_async_sign Callback to start a signature operation. See
+ * the description of \c mbedtls_ssl_async_sign_t
+ * for more information. This may be NULL if the
+ * external processor does no support any signature
+ * operation; in this case the private key object
+ * associated with the certificate will be used.
+ * \param f_async_decrypt Callback to start a decryption operation. See
+ * the description of \c mbedtls_ssl_async_decrypt_t
+ * for more information. This may be NULL if the
+ * external processor does no support any decryption
+ * operation; in this case the private key object
+ * associated with the certificate will be used.
+ * \param f_async_resume Callback to resume an asynchronous operation. See
+ * the description of \c mbedtls_ssl_async_resume_t
+ * for more information.
+ * \param f_async_cancel Callback to cancel an asynchronous operation. See
+ * the description of \c mbedtls_ssl_async_cancel_t
+ * for more information.
+ * \param connection_ctx Pointer to the connection context which will be
+ * passed to the callbacks
+ */
+void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_config *conf,
+ mbedtls_ssl_async_sign_t *f_async_sign,
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+ mbedtls_ssl_async_resume_t *f_async_resume,
+ mbedtls_ssl_async_cancel_t *f_async_cancel,
+ void *connection_ctx );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
/**
* \brief Callback type: generate a cookie
*
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index d4b1b19..6f36711 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -243,6 +243,10 @@
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ void *p_async_operation_ctx; /*!< asynchronous operation context */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
@@ -410,9 +414,11 @@
* \brief Free referenced items in an SSL handshake context and clear
* memory
*
+ * \param conf SSL configuration
* \param handshake SSL handshake context
*/
-void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake );
+void mbedtls_ssl_handshake_free( const mbedtls_ssl_config *conf,
+ mbedtls_ssl_handshake_params *handshake );
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
diff --git a/library/error.c b/library/error.c
index 96ab203..1d708fb 100644
--- a/library/error.c
+++ b/library/error.c
@@ -493,6 +493,8 @@
mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
+ mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 618c81b..fa858f8 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -715,7 +715,7 @@
MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
cur->cert );
- if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
+ if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
continue;
@@ -739,7 +739,7 @@
#if defined(MBEDTLS_ECDSA_C)
if( pk_alg == MBEDTLS_PK_ECDSA &&
- ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
+ ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
continue;
@@ -2834,54 +2834,49 @@
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
+ size_t *signature_len )
{
- int ret;
- size_t n = 0;
+ size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN
+ - ( ssl->out_msg + ssl->out_msglen + 2 ) );
+ int ret = ssl->conf->f_async_resume( ssl->conf->p_async_connection_ctx,
+ ssl->handshake->p_async_operation_ctx,
+ ssl->out_msg + ssl->out_msglen + 2,
+ signature_len, sig_max_len );
+ if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ {
+ ssl->handshake->p_async_operation_ctx = NULL;
+ }
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
+ return( ret );
+}
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE_C) */
+
+/* Prepare the ServerKeyExchange message, up to and including
+ calculating the signature if any, but excluding formatting the
+ signature and sending the message. */
+static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
+ size_t *signature_len )
+{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->transform_negotiate->ciphersuite_info;
-
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
- unsigned char *p = ssl->out_msg + 4;
- size_t len;
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
- unsigned char *dig_signed = p;
- size_t dig_signed_len = 0;
+ unsigned char *dig_signed = NULL;
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+ (void) ciphersuite_info; /* unused in some configurations */
+ (void) signature_len; /* unused in some configurations */
+
+ ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
/*
*
- * Part 1: Extract static ECDH parameters and abort
- * if ServerKeyExchange not needed.
- *
- */
-
- /* For suites involving ECDH, extract DH parameters
- * from certificate at this point. */
-#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
- if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
- {
- ssl_get_ecdh_params_from_cert( ssl );
- }
-#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
-
- /* Key exchanges not involving ephemeral keys don't use
- * ServerKeyExchange, so end here. */
-#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
- if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
- ssl->state++;
- return( 0 );
- }
-#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
-
- /*
- *
- * Part 2: Provide key exchange parameters for chosen ciphersuite.
+ * Part 1: Provide key exchange parameters for chosen ciphersuite.
*
*/
@@ -2891,18 +2886,21 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
{
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ int ret;
+ size_t len;
- ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
- p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng );
+ ret = mbedtls_ecjpake_write_round_two(
+ &ssl->handshake->ecjpake_ctx,
+ ssl->out_msg + ssl->out_msglen,
+ MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen, &len,
+ ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
return( ret );
}
- p += len;
- n += len;
+ ssl->out_msglen += len;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@@ -2916,10 +2914,8 @@
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
{
- *(p++) = 0x00;
- *(p++) = 0x00;
-
- n += 2;
+ ssl->out_msg[ssl->out_msglen++] = 0x00;
+ ssl->out_msg[ssl->out_msglen++] = 0x00;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
@@ -2930,6 +2926,9 @@
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
{
+ int ret;
+ size_t len;
+
if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
@@ -2953,21 +2952,21 @@
return( ret );
}
- if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
- (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
- p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ if( ( ret = mbedtls_dhm_make_params(
+ &ssl->handshake->dhm_ctx,
+ (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+ ssl->out_msg + ssl->out_msglen, &len,
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
return( ret );
}
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
- dig_signed = p;
- dig_signed_len = len;
+ dig_signed = ssl->out_msg + ssl->out_msglen;
#endif
- p += len;
- n += len;
+ ssl->out_msglen += len;
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
@@ -2992,6 +2991,8 @@
*/
const mbedtls_ecp_curve_info **curve = NULL;
const mbedtls_ecp_group_id *gid;
+ int ret;
+ size_t len;
/* Match our preference list against the offered curves */
for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
@@ -3015,21 +3016,21 @@
return( ret );
}
- if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
- p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
- ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ if( ( ret = mbedtls_ecdh_make_params(
+ &ssl->handshake->ecdh_ctx, &len,
+ ssl->out_msg + ssl->out_msglen,
+ MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen,
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
return( ret );
}
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
- dig_signed = p;
- dig_signed_len = len;
+ dig_signed = ssl->out_msg + ssl->out_msglen;
#endif
- p += len;
- n += len;
+ ssl->out_msglen += len;
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
}
@@ -3037,19 +3038,20 @@
/*
*
- * Part 3: For key exchanges involving the server signing the
+ * Part 2: For key exchanges involving the server signing the
* exchange parameters, compute and add the signature here.
*
*/
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
{
- size_t signature_len = 0;
+ size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
size_t hashlen = 0;
- unsigned char hash[64];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ int ret;
/*
- * 3.1: Choose hash algorithm:
+ * 2.1: Choose hash algorithm:
* A: For TLS 1.2, obey signature-hash-algorithm extension
* to choose appropriate hash.
* B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
@@ -3096,7 +3098,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
/*
- * 3.2: Compute the hash to be signed
+ * 2.2: Compute the hash to be signed
*/
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
@@ -3134,14 +3136,8 @@
MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
/*
- * 3.3: Compute and add the signature
+ * 2.3: Compute and add the signature
*/
- if( mbedtls_ssl_own_key( ssl ) == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
- return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
- }
-
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
@@ -3161,33 +3157,141 @@
*
*/
- *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
- *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
-
- n += 2;
+ ssl->out_msg[ssl->out_msglen++] =
+ mbedtls_ssl_hash_from_md_alg( md_alg );
+ ssl->out_msg[ssl->out_msglen++] =
+ mbedtls_ssl_sig_from_pk_alg( sig_alg );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
- p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( ssl->conf->f_async_sign_start != NULL )
+ {
+ ret = ssl->conf->f_async_sign_start(
+ ssl->conf->p_async_connection_ctx,
+ &ssl->handshake->p_async_operation_ctx,
+ mbedtls_ssl_own_cert( ssl ),
+ md_alg, hash, hashlen );
+ switch( ret )
+ {
+ case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+ /* act as if f_async_sign was null */
+ break;
+ case 0:
+ return( ssl_resume_server_key_exchange( ssl, signature_len ) );
+ case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+ default:
+ MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign", ret );
+ return( ret );
+ }
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
+ if( mbedtls_ssl_own_key( ssl ) == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ }
+
+ if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
+ md_alg, hash, hashlen,
+ ssl->out_msg + ssl->out_msglen + 2,
+ signature_len,
+ ssl->conf->f_rng,
+ ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
return( ret );
}
-
- *(p++) = (unsigned char)( signature_len >> 8 );
- *(p++) = (unsigned char)( signature_len );
- n += 2;
-
- MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
-
- n += signature_len;
}
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
- /* Done with actual work; add header and send. */
+ return( 0 );
+}
- ssl->out_msglen = 4 + n;
+/* Prepare the ServerKeyExchange message and send it. For ciphersuites
+ that do not include a ServerKeyExchange message, do nothing. Either
+ way, if successful, move on to the next step in the SSL state
+ machine */
+static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+ int ret;
+ size_t signature_len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
+#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+ /* Extract static ECDH parameters and abort if ServerKeyExchange
+ * is not needed. */
+ if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
+ {
+ /* For suites involving ECDH, extract DH parameters
+ * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
+ {
+ ssl_get_ecdh_params_from_cert( ssl );
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+ /* Key exchanges not involving ephemeral keys don't use
+ * ServerKeyExchange, so end here. */
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
+ ssl->state++;
+ return( 0 );
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ /* If we have already prepared the message and there is an ongoing
+ signature operation, resume signing. */
+ if( ssl->handshake->p_async_operation_ctx != NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
+ ret = ssl_resume_server_key_exchange( ssl, &signature_len );
+ }
+ else
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE_C) */
+ {
+ /* ServerKeyExchange is needed. Prepare the message. */
+ ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
+ }
+
+ if( ret != 0 )
+ {
+ if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
+ else
+ ssl->out_msglen = 0;
+ return( ret );
+ }
+
+ /* If there is a signature, write its length.
+ ssl_prepare_server_key_exchange already wrote the signature
+ itself at its proper place in the output buffer. */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+ if( signature_len != 0 )
+ {
+ ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
+ ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
+
+ MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
+ ssl->out_msg + ssl->out_msglen,
+ signature_len );
+
+ /* Skip over the already-written signature */
+ ssl->out_msglen += signature_len;
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+ /* Add header and send. */
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
@@ -3200,7 +3304,6 @@
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
-
return( 0 );
}
@@ -3275,28 +3378,50 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
- const unsigned char *p,
- const unsigned char *end,
- size_t pms_offset )
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
+ unsigned char *peer_pms,
+ size_t *peer_pmslen,
+ size_t peer_pmssize )
+{
+ int ret = ssl->conf->f_async_resume( ssl->conf->p_async_connection_ctx,
+ ssl->handshake->p_async_operation_ctx,
+ peer_pms, peer_pmslen, peer_pmssize );
+ if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ {
+ ssl->handshake->p_async_operation_ctx = NULL;
+ }
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
+ return( ret );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
+static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
+ const unsigned char *p,
+ const unsigned char *end,
+ unsigned char *peer_pms,
+ size_t *peer_pmslen,
+ size_t peer_pmssize )
{
int ret;
- size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
- unsigned char *pms = ssl->handshake->premaster + pms_offset;
- unsigned char ver[2];
- unsigned char fake_pms[48], peer_pms[48];
- unsigned char mask;
- size_t i, peer_pmslen;
- unsigned int diff;
+ mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
+ mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
+ size_t len = mbedtls_pk_get_len( public_key );
- if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ /* If we have already started decoding the message and there is an ongoing
+ decryption operation, resume signing. */
+ if( ssl->handshake->p_async_operation_ctx != NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
- return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
+ return( ssl_resume_decrypt_pms( ssl,
+ peer_pms, peer_pmslen, peer_pmssize ) );
}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
/*
- * Decrypt the premaster using own private RSA key
+ * Prepare to decrypt the premaster using own private RSA key
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
@@ -3317,26 +3442,95 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
}
- mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
- ssl->handshake->max_minor_ver,
- ssl->conf->transport, ver );
+ /*
+ * Decrypt the premaster secret
+ */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( ssl->conf->f_async_decrypt_start != NULL )
+ {
+ ret = ssl->conf->f_async_decrypt_start(
+ ssl->conf->p_async_connection_ctx,
+ &ssl->handshake->p_async_operation_ctx,
+ mbedtls_ssl_own_cert( ssl ),
+ p, len );
+ switch( ret )
+ {
+ case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+ /* act as if f_async_decrypt_start was null */
+ break;
+ case 0:
+ return( ssl_resume_decrypt_pms( ssl,
+ peer_pms,
+ peer_pmslen,
+ peer_pmssize ) );
+ case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+ default:
+ MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign", ret );
+ return( ret );
+ }
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
+ if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
+ {
+ /* */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
+ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ }
+
+ ret = mbedtls_pk_decrypt( private_key, p, len,
+ peer_pms, peer_pmslen, peer_pmssize,
+ ssl->conf->f_rng, ssl->conf->p_rng );
+ return( ret );
+}
+
+static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
+ const unsigned char *p,
+ const unsigned char *end,
+ size_t pms_offset )
+{
+ int ret;
+ unsigned char *pms = ssl->handshake->premaster + pms_offset;
+ unsigned char ver[2];
+ unsigned char fake_pms[48], peer_pms[48];
+ unsigned char mask;
+ size_t i, peer_pmslen;
+ unsigned int diff;
+
+ ret = ssl_decrypt_encrypted_pms( ssl, p, end,
+ peer_pms,
+ &peer_pmslen,
+ sizeof( peer_pms ) );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ return( ret );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
/*
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
* must not cause the connection to end immediately; instead, send a
* bad_record_mac later in the handshake.
- * Also, avoid data-dependant branches here to protect against
- * timing-based variants.
+ * To protect against timing-based variants of the attack, we must
+ * not have any branch that depends on whether the decryption was
+ * successful. In particular, always generate the fake premaster secret,
+ * regardless of whether it will ultimately influence the output or not.
*/
ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
if( ret != 0 )
+ {
+ /* It's ok to abort on an RNG failure, since this does not */
return( ret );
+ }
- ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
- peer_pms, &peer_pmslen,
- sizeof( peer_pms ),
- ssl->conf->f_rng, ssl->conf->p_rng );
+ mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
+ ssl->handshake->max_minor_ver,
+ ssl->conf->transport, ver );
+ /* Avoid data-dependent branches while checking for invalid
+ * padding, to protect against timing-based Bleichenbacher-type
+ * attacks. */
diff = (unsigned int) ret;
diff |= peer_pmslen ^ 48;
diff |= peer_pms[0] ^ ver[0];
@@ -3367,6 +3561,8 @@
#pragma warning( pop )
#endif
+ /* Set pms to either the true or the fake PMS, without
+ * data-dependent branches. */
for( i = 0; i < ssl->handshake->pmslen; i++ )
pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
@@ -3448,6 +3644,20 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C) && \
+ ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
+ if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
+ ( ssl->handshake->p_async_operation_ctx != NULL ) )
+ {
+ /* We've already read a record and there is an asynchronous
+ * operation in progress to decrypt it. So skip reading the
+ record. */
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
+ }
+ else
+#endif
if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
@@ -3560,6 +3770,19 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
{
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if ( ssl->handshake->p_async_operation_ctx != NULL )
+ {
+ /* There is an asynchronous operation in progress to
+ * decrypt the encrypted premaster secret, so skip
+ * directly to resuming this operation. */
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
+ /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
+ * won't actually use it, but maintain p anyway for robustness. */
+ p += ssl->conf->psk_identity_len + 2;
+ }
+ else
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 28c234a..8ad3494 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5201,7 +5201,7 @@
/*
* Free our handshake params
*/
- mbedtls_ssl_handshake_free( ssl->handshake );
+ mbedtls_ssl_handshake_free( ssl->conf, ssl->handshake );
mbedtls_free( ssl->handshake );
ssl->handshake = NULL;
@@ -5556,7 +5556,7 @@
if( ssl->session_negotiate )
mbedtls_ssl_session_free( ssl->session_negotiate );
if( ssl->handshake )
- mbedtls_ssl_handshake_free( ssl->handshake );
+ mbedtls_ssl_handshake_free( ssl->conf, ssl->handshake );
/*
* Either the pointers are now NULL or cleared properly and can be freed.
@@ -6478,6 +6478,23 @@
}
#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+void mbedtls_ssl_conf_async_private_cb(
+ mbedtls_ssl_config *conf,
+ mbedtls_ssl_async_sign_t *f_async_sign,
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+ mbedtls_ssl_async_resume_t *f_async_resume,
+ mbedtls_ssl_async_cancel_t *f_async_cancel,
+ void *connection_ctx )
+{
+ conf->f_async_sign_start = f_async_sign;
+ conf->f_async_decrypt_start = f_async_decrypt;
+ conf->f_async_resume = f_async_resume;
+ conf->f_async_cancel = f_async_cancel;
+ conf->p_async_connection_ctx = connection_ctx;
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
/*
* SSL get accessors
*/
@@ -7409,10 +7426,12 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
+void mbedtls_ssl_handshake_free( const mbedtls_ssl_config *conf,
+ mbedtls_ssl_handshake_params *handshake )
{
if( handshake == NULL )
return;
+ (void) conf; /*unused in some compile-time configurations*/
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
@@ -7476,6 +7495,15 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( conf->f_async_cancel != NULL &&
+ handshake->p_async_operation_ctx != NULL )
+ {
+ conf->f_async_cancel( conf->p_async_connection_ctx,
+ handshake->p_async_operation_ctx );
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_free( handshake->verify_cookie );
mbedtls_free( handshake->hs_msg );
@@ -7543,7 +7571,7 @@
if( ssl->handshake )
{
- mbedtls_ssl_handshake_free( ssl->handshake );
+ mbedtls_ssl_handshake_free( ssl->conf, ssl->handshake );
mbedtls_ssl_transform_free( ssl->transform_negotiate );
mbedtls_ssl_session_free( ssl->session_negotiate );
diff --git a/library/version_features.c b/library/version_features.c
index a452caf..c017c41 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -648,6 +648,9 @@
#if defined(MBEDTLS_SHA512_C)
"MBEDTLS_SHA512_C",
#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ "MBEDTLS_SSL_ASYNC_PRIVATE_C",
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
#if defined(MBEDTLS_SSL_CACHE_C)
"MBEDTLS_SSL_CACHE_C",
#endif /* MBEDTLS_SSL_CACHE_C */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 6bfb210..02f9633 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -109,6 +109,10 @@
#define DFL_KEY_FILE ""
#define DFL_CRT_FILE2 ""
#define DFL_KEY_FILE2 ""
+#define DFL_ASYNC_OPERATIONS "-"
+#define DFL_ASYNC_PRIVATE_DELAY1 ( -1 )
+#define DFL_ASYNC_PRIVATE_DELAY2 ( -1 )
+#define DFL_ASYNC_PRIVATE_ERROR ( 0 )
#define DFL_PSK ""
#define DFL_PSK_IDENTITY "Client_identity"
#define DFL_ECJPAKE_PW NULL
@@ -196,6 +200,18 @@
#define USAGE_IO ""
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+#define USAGE_SSL_ASYNC \
+ " async_operations=%%c... d=decrypt, s=sign (default: -=off)\n" \
+ " async_private_delay1=%%d Asynchronous delay for key_file or preloaded key\n" \
+ " async_private_delay2=%%d Asynchronous delay for key_file2\n" \
+ " default: -1 (not asynchronous)\n" \
+ " async_private_error=%%d Async callback error injection (default=0=none,\n" \
+ " 1=start, 2=cancel, 3=resume, 4=pk, negative=first time only)"
+#else
+#define USAGE_SSL_ASYNC ""
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
#define USAGE_PSK \
" psk=%%s default: \"\" (in hex, without 0x)\n" \
@@ -346,6 +362,7 @@
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \
" options: 1 (send ca list), 0 (don't send)\n" \
USAGE_IO \
+ USAGE_SSL_ASYNC \
USAGE_SNI \
"\n" \
USAGE_PSK \
@@ -410,6 +427,10 @@
const char *key_file; /* the file with the server key */
const char *crt_file2; /* the file with the 2nd server certificate */
const char *key_file2; /* the file with the 2nd server key */
+ const char *async_operations; /* supported SSL asynchronous operations */
+ int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */
+ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */
+ int async_private_error; /* inject error in async private callback */
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
char *psk_list; /* list of PSK id/key pairs for callback */
@@ -841,6 +862,189 @@
};
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+typedef struct
+{
+ mbedtls_x509_crt *cert;
+ mbedtls_pk_context *pk;
+ unsigned delay;
+} ssl_async_key_slot_t;
+
+typedef enum {
+ SSL_ASYNC_INJECT_ERROR_NONE = 0,
+ SSL_ASYNC_INJECT_ERROR_START,
+ SSL_ASYNC_INJECT_ERROR_CANCEL,
+ SSL_ASYNC_INJECT_ERROR_RESUME,
+ SSL_ASYNC_INJECT_ERROR_PK
+#define SSL_ASYNC_INJECT_ERROR_MAX SSL_ASYNC_INJECT_ERROR_PK
+} ssl_async_inject_error_t;
+
+typedef struct
+{
+ ssl_async_key_slot_t slots[2];
+ size_t slots_used;
+ ssl_async_inject_error_t inject_error;
+ int (*f_rng)(void *, unsigned char *, size_t);
+ void *p_rng;
+} ssl_async_key_context_t;
+
+void ssl_async_set_key( ssl_async_key_context_t *ctx,
+ mbedtls_x509_crt *cert,
+ mbedtls_pk_context *pk,
+ unsigned delay )
+{
+ ctx->slots[ctx->slots_used].cert = cert;
+ ctx->slots[ctx->slots_used].pk = pk;
+ ctx->slots[ctx->slots_used].delay = delay;
+ ++ctx->slots_used;
+}
+
+#define SSL_ASYNC_INPUT_MAX_SIZE 512
+typedef struct
+{
+ size_t slot;
+ mbedtls_md_type_t md_alg;
+ unsigned char input[SSL_ASYNC_INPUT_MAX_SIZE];
+ size_t input_len;
+ unsigned delay;
+} ssl_async_operation_context_t;
+
+static int ssl_async_start( void *connection_ctx_arg,
+ void **p_operation_ctx,
+ mbedtls_x509_crt *cert,
+ const char *op_name,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *input,
+ size_t input_len )
+{
+ ssl_async_key_context_t *key_ctx = connection_ctx_arg;
+ size_t slot;
+ ssl_async_operation_context_t *ctx = NULL;
+ {
+ char dn[100];
+ mbedtls_x509_dn_gets( dn, sizeof( dn ), &cert->subject );
+ mbedtls_printf( "Async %s callback: looking for DN=%s\n", op_name, dn );
+ }
+ for( slot = 0; slot < key_ctx->slots_used; slot++ )
+ {
+ if( key_ctx->slots[slot].cert == cert )
+ break;
+ }
+ if( slot == key_ctx->slots_used )
+ {
+ mbedtls_printf( "Async %s callback: no key matches this certificate.\n",
+ op_name );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH );
+ }
+ mbedtls_printf( "Async %s callback: using key slot %zd, delay=%u.\n",
+ op_name, slot, key_ctx->slots[slot].delay );
+ if( key_ctx->inject_error == SSL_ASYNC_INJECT_ERROR_START )
+ {
+ mbedtls_printf( "Async %s callback: injected error\n", op_name );
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+ }
+ if( input_len > SSL_ASYNC_INPUT_MAX_SIZE )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ ctx = mbedtls_calloc( 1, sizeof( *ctx ) );
+ if( ctx == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ ctx->slot = slot;
+ ctx->md_alg = md_alg;
+ memcpy( ctx->input, input, input_len );
+ ctx->input_len = input_len;
+ ctx->delay = key_ctx->slots[slot].delay;
+ *p_operation_ctx = ctx;
+ if( ctx->delay == 0 )
+ return( 0 );
+ else
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+}
+
+static int ssl_async_sign( void *connection_ctx_arg,
+ void **p_operation_ctx,
+ mbedtls_x509_crt *cert,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash,
+ size_t hash_len )
+{
+ return( ssl_async_start( connection_ctx_arg, p_operation_ctx, cert,
+ "sign", md_alg,
+ hash, hash_len ) );
+}
+
+static int ssl_async_decrypt( void *connection_ctx_arg,
+ void **p_operation_ctx,
+ mbedtls_x509_crt *cert,
+ const unsigned char *input,
+ size_t input_len )
+{
+ return( ssl_async_start( connection_ctx_arg, p_operation_ctx, cert,
+ "decrypt", MBEDTLS_MD_NONE,
+ input, input_len ) );
+}
+
+static int ssl_async_resume( void *connection_ctx_arg,
+ void *operation_ctx_arg,
+ unsigned char *output,
+ size_t *output_len,
+ size_t output_size )
+{
+ ssl_async_operation_context_t *ctx = operation_ctx_arg;
+ ssl_async_key_context_t *connection_ctx = connection_ctx_arg;
+ ssl_async_key_slot_t *key_slot = &connection_ctx->slots[ctx->slot];
+ int ret;
+ const char *op_name;
+ if( connection_ctx->inject_error == SSL_ASYNC_INJECT_ERROR_RESUME )
+ {
+ mbedtls_printf( "Async resume callback: injected error\n" );
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+ }
+ if( ctx->delay > 0 )
+ {
+ --ctx->delay;
+ mbedtls_printf( "Async resume (slot %zd): call %u more times.\n",
+ ctx->slot, ctx->delay );
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+ }
+ if( ctx->md_alg == MBEDTLS_MD_NONE )
+ {
+ op_name = "decrypt";
+ ret = mbedtls_pk_decrypt( key_slot->pk,
+ ctx->input, ctx->input_len,
+ output, output_len, output_size,
+ connection_ctx->f_rng, connection_ctx->p_rng );
+ }
+ else
+ {
+ op_name = "sign";
+ ret = mbedtls_pk_sign( key_slot->pk,
+ ctx->md_alg,
+ ctx->input, ctx->input_len,
+ output, output_len,
+ connection_ctx->f_rng, connection_ctx->p_rng );
+ }
+ if( connection_ctx->inject_error == SSL_ASYNC_INJECT_ERROR_PK )
+ {
+ mbedtls_printf( "Async resume callback: %s done but injected error\n",
+ op_name );
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+ }
+ mbedtls_printf( "Async resume (slot %zd): %s done, status=%d.\n",
+ ctx->slot, op_name, ret );
+ mbedtls_free( ctx );
+ return( ret );
+}
+
+static void ssl_async_cancel( void *connection_ctx_arg,
+ void *operation_ctx_arg )
+{
+ ssl_async_operation_context_t *ctx = operation_ctx_arg;
+ (void) connection_ctx_arg;
+ mbedtls_printf( "Async cancel callback.\n" );
+ mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
/*
* Wait for an event from the underlying transport or the timer
* (Used in event-driven IO mode).
@@ -929,7 +1133,10 @@
mbedtls_x509_crt srvcert2;
mbedtls_pk_context pkey2;
int key_cert_init = 0, key_cert_init2 = 0;
-#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ ssl_async_key_context_t ssl_async_keys;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
mbedtls_dhm_context dhm;
#endif
@@ -1032,6 +1239,10 @@
opt.key_file = DFL_KEY_FILE;
opt.crt_file2 = DFL_CRT_FILE2;
opt.key_file2 = DFL_KEY_FILE2;
+ opt.async_operations = DFL_ASYNC_OPERATIONS;
+ opt.async_private_delay1 = DFL_ASYNC_PRIVATE_DELAY1;
+ opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2;
+ opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR;
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.psk_list = DFL_PSK_LIST;
@@ -1124,6 +1335,25 @@
opt.key_file2 = q;
else if( strcmp( p, "dhm_file" ) == 0 )
opt.dhm_file = q;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ else if( strcmp( p, "async_operations" ) == 0 )
+ opt.async_operations = q;
+ else if( strcmp( p, "async_private_delay1" ) == 0 )
+ opt.async_private_delay1 = atoi( q );
+ else if( strcmp( p, "async_private_delay2" ) == 0 )
+ opt.async_private_delay2 = atoi( q );
+ else if( strcmp( p, "async_private_error" ) == 0 )
+ {
+ int n = atoi( q );
+ if( n < -SSL_ASYNC_INJECT_ERROR_MAX ||
+ n > SSL_ASYNC_INJECT_ERROR_MAX )
+ {
+ ret = 2;
+ goto usage;
+ }
+ opt.async_private_error = n;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
else if( strcmp( p, "psk" ) == 0 )
opt.psk = q;
else if( strcmp( p, "psk_identity" ) == 0 )
@@ -2018,18 +2248,72 @@
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
}
if( key_cert_init )
- if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
+ {
+ mbedtls_pk_context *pk = &pkey;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( opt.async_private_delay1 >= 0 )
+ {
+ ssl_async_set_key( &ssl_async_keys, &srvcert, pk,
+ opt.async_private_delay1 );
+ pk = NULL;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+ if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, pk ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
+ }
if( key_cert_init2 )
- if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, &pkey2 ) ) != 0 )
+ {
+ mbedtls_pk_context *pk = &pkey2;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( opt.async_private_delay2 >= 0 )
+ {
+ ssl_async_set_key( &ssl_async_keys, &srvcert2, pk,
+ opt.async_private_delay2 );
+ pk = NULL;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+ if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, pk ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
-#endif
+ }
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( opt.async_operations[0] != '-' )
+ {
+ mbedtls_ssl_async_sign_t *sign = NULL;
+ mbedtls_ssl_async_decrypt_t *decrypt = NULL;
+ const char *p;
+ for( p = opt.async_operations; *p; p++ )
+ {
+ switch( *p )
+ {
+ case 'd':
+ decrypt = ssl_async_decrypt;
+ break;
+ case 's':
+ sign = ssl_async_sign;
+ break;
+ }
+ }
+ ssl_async_keys.inject_error = ( opt.async_private_error < 0 ?
+ - opt.async_private_error :
+ opt.async_private_error );
+ ssl_async_keys.f_rng = mbedtls_ctr_drbg_random;
+ ssl_async_keys.p_rng = &ctr_drbg;
+ mbedtls_ssl_conf_async_private_cb( &conf,
+ sign,
+ decrypt,
+ ssl_async_resume,
+ ssl_async_cancel,
+ &ssl_async_keys );
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(SNI_OPTION)
if( opt.sni != NULL )
@@ -2205,8 +2489,18 @@
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
+ ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL )
+ {
+ mbedtls_printf( " cancelling on injected error\n" );
+ break;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
break;
/* For event-driven IO, wait for socket to become available */
@@ -2244,6 +2538,11 @@
}
#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+ if( opt.async_private_error < 0 )
+ /* Injected error only the first time round, to test reset */
+ ssl_async_keys.inject_error = SSL_ASYNC_INJECT_ERROR_NONE;
+#endif
goto reset;
}
else /* ret == 0 */
@@ -2325,7 +2624,8 @@
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
- ret == MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
+ ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
{
if( opt.event == 1 /* level triggered IO */ )
{
@@ -2425,7 +2725,7 @@
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
- while( 1 )
+ do
{
/* Without the call to `mbedtls_ssl_check_pending`, it might
* happen that the client sends application data in the same
@@ -2455,10 +2755,10 @@
* it can happen that the subsequent call to `mbedtls_ssl_read`
* returns `MBEDTLS_ERR_SSL_WANT_READ`, because the pending messages
* might be discarded (e.g. because they are retransmissions). */
- if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
- break;
}
+ while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
+ ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
if( ret <= 0 )
{
@@ -2494,7 +2794,8 @@
while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
goto reset;
@@ -2538,7 +2839,8 @@
}
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto reset;
@@ -2563,7 +2865,8 @@
ret = mbedtls_ssl_write( &ssl, buf, len );
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
break;
/* For event-driven IO, wait for socket to become available */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 497a261..0eda378 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -557,8 +557,8 @@
msg "test: main suites (full config)" # ~ 5s
make test
-msg "test: ssl-opt.sh default (full config)" # ~ 1s
-if_build_succeeded tests/ssl-opt.sh -f Default
+msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
+if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c4a10a2..ee34a6c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4067,6 +4067,289 @@
-c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
+# Tests of asynchronous private key support in SSL
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: sign, delay=0" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=0 async_private_delay2=0" \
+ "$P_CLI" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: sign, delay=1" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): call 0 more times." \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: decrypt, delay=0" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=0 async_private_delay2=0" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: decrypt, delay=1" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): call 0 more times." \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: decrypt RSA-PSK, delay=0" \
+ "$P_SRV psk=abc123 \
+ async_operations=d async_private_delay1=0 async_private_delay2=0" \
+ "$P_CLI psk=abc123 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: decrypt RSA-PSK, delay=1" \
+ "$P_SRV psk=abc123 \
+ async_operations=d async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI psk=abc123 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): call 0 more times." \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: sign callback not present" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI; [ \$? -eq 1 ] &&
+ $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -S "Async sign callback" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "The own private key or pre-shared key is not set, but needed" \
+ -s "Async resume (slot [0-9]): decrypt done, status=0" \
+ -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: decrypt callback not present" \
+ "$P_SRV debug_level=1 \
+ async_operations=s async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
+ [ \$? -eq 1 ] && $P_CLI" \
+ 0 \
+ -S "Async decrypt callback" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "got no RSA private key" \
+ -s "Async resume (slot [0-9]): sign done, status=0" \
+ -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 from slot 0
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: slot 0 used with key1" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: using key slot 0," \
+ -s "Async resume (slot 0): call 0 more times." \
+ -s "Async resume (slot 0): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 from slot 0
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: slot 0 used with key2" \
+ "$P_SRV \
+ async_operations=s async_private_delay2=1 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: using key slot 0," \
+ -s "Async resume (slot 0): call 0 more times." \
+ -s "Async resume (slot 0): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 from slot 1
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: slot 1 used" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1\
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: using key slot 1," \
+ -s "Async resume (slot 1): call 0 more times." \
+ -s "Async resume (slot 1): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: fall back to transparent key" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: no key matches this certificate."
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: error in start" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=1" \
+ "$P_CLI" \
+ 1 \
+ -s "Async sign callback: injected error" \
+ -S "Async resume" \
+ -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: cancel after start" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=2" \
+ "$P_CLI" \
+ 1 \
+ -s "Async sign callback: using key slot " \
+ -S "Async resume" \
+ -s "Async cancel"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: error in resume" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=3" \
+ "$P_CLI" \
+ 1 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume callback: injected error" \
+ -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: error in pk" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=4" \
+ "$P_CLI" \
+ 1 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume callback: sign done but injected error" \
+ -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: cancel after start then operate correctly" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=-2" \
+ "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+ 0 \
+ -s "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async resume" \
+ -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: error in resume then operate correctly" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=-3" \
+ "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+ 0 \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async resume" \
+ -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: cancel after start then fall back to transparent key" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_error=-2 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+ [ \$? -eq 1 ] &&
+ $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -S "Async resume" \
+ -s "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async sign callback: no key matches this certificate." \
+ -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test "SSL async private: error in resume then fall back to transparent key" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_error=-3 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+ [ \$? -eq 1 ] &&
+ $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async resume" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async sign callback: no key matches this certificate." \
+ -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: client-initiated; sign" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1" \
+ "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: server-initiated; sign" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1 renegotiate=1" \
+ "$P_CLI exchanges=2 renegotiation=1" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: client-initiated; decrypt" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1" \
+ "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
+ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: server-initiated; decrypt" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1 renegotiate=1" \
+ "$P_CLI exchanges=2 renegotiation=1 \
+ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
# Tests for DTLS HelloVerifyRequest
run_test "DTLS cookie: enabled" \