Merge pull request #8688 from jwinzig-at-hilscher/development
Fix bug in mbedtls_x509_set_extension
diff --git a/ChangeLog.d/8060.txt b/ChangeLog.d/8060.txt
deleted file mode 100644
index a5fd93c..0000000
--- a/ChangeLog.d/8060.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * The CCM and GCM modules no longer depend on MBEDTLS_CIPHER_C. People who
- use CCM and GCM but don't need the Cipher API can now disable
- MBEDTLS_CIPHER_C in order to save code size.
diff --git a/ChangeLog.d/8357.txt b/ChangeLog.d/8357.txt
deleted file mode 100644
index 9cae396..0000000
--- a/ChangeLog.d/8357.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Features
- * It is now possible to have AEADs support (CCM, GCM and ChaChaPoly) without
- MBEDTLS_CIPHER_C. This holds both for the builtin suport (MBEDTLS_CCM_C,
- MBEDTLS_GCM_C and MBEDTLS_CHACHAPOLY_C) as well as the PSA one
- (PSA_WANT_ALG_CCM, PSA_WANT_ALG_GCM, PSA_WANT_ALG_CHACHA20_POLY1305).
- On the PSA side this means that it is possible to enable
- MBEDTLS_PSA_CRYPTO_C without MBEDTLS_CIPHER_C if none of the
- non-authenticated ciphers is enabled.
diff --git a/ChangeLog.d/8358.txt b/ChangeLog.d/8358.txt
deleted file mode 100644
index 70b795a..0000000
--- a/ChangeLog.d/8358.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Features
- * If a cipher or AEAD mechanism has a PSA driver, you can now build the
- library without the corresponding built-in implementation. See
- docs/driver-only-builds.md for full details and current limitations.
- * It is possible to disable MBEDTLS_CIPHER_C in some circumstances, please
- see docs/driver-only-builds.md for full details and current limitations.
- * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
- disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
- MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
diff --git a/ChangeLog.d/driver-only-cipher.txt b/ChangeLog.d/driver-only-cipher.txt
new file mode 100644
index 0000000..331b2f9
--- /dev/null
+++ b/ChangeLog.d/driver-only-cipher.txt
@@ -0,0 +1,11 @@
+Features
+ * If a cipher or AEAD mechanism has a PSA driver, you can now build the
+ library without the corresponding built-in implementation. Generally
+ speaking that requires both the key type and algorithm to be accelerated
+ or they'll both be built in. However, for CCM and GCM the built-in
+ implementation is able to take advantage of a driver that only
+ accelerates the key type (that is, the block cipher primitive). See
+ docs/driver-only-builds.md for full details and current limitations.
+ * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
+ disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
+ MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
diff --git a/ChangeLog.d/no-cipher.txt b/ChangeLog.d/no-cipher.txt
new file mode 100644
index 0000000..87f2f6d
--- /dev/null
+++ b/ChangeLog.d/no-cipher.txt
@@ -0,0 +1,9 @@
+Features
+ * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
+ size by disabling it in more circumstances. In particular, the CCM and
+ GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
+ MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
+ unauthenticated (non-AEAD) ciphers are disabled, or if they're all
+ fully provided by drivers. See docs/driver-only-builds.md for full
+ details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
+ decryption still unconditionally depend on MBEDTLS_CIPHER_C.
diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 430b0ca..eda65a3 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -494,7 +494,7 @@
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
-As a starting point, return 1 if PSA crypto has been initialized. This will be refined later (to return 1 if the [accelerator subsystem](https://github.com/Mbed-TLS/mbedtls/issues/6007) has been initialized).
+As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
@@ -514,7 +514,7 @@
#### Error code conversion
-After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code.
+After calling a PSA function, MD light calls `mbedtls_md_error_from_psa` to convert its status code.
### Support all legacy algorithms in PSA
@@ -566,14 +566,15 @@
* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
-### Internal "block cipher" abstraction (Cipher light)
+### Internal "block cipher" abstraction (previously known as "Cipher light")
#### Definition
-The new module is automatically enabled in `build_info.h` by modules that need
-it, namely: CCM, GCM, only when `CIPHER_C` is not available. Note: CCM and GCM
-currently depend on the full `CIPHER_C` (enforced by `check_config.h`); this
-hard dependency would be replaced by the above auto-enablement.
+The new module is automatically enabled in `config_adjust_legacy_crypto.h` by modules that need
+it (namely: CCM, GCM) only when `CIPHER_C` is not available, or the new module
+is needed for PSA dispatch (see next section). Note: CCM and GCM currently
+depend on the full `CIPHER_C` (enforced by `check_config.h`); this hard
+dependency would be replaced by the above auto-enablement.
The following API functions are offered:
```
@@ -593,6 +594,23 @@
an `mbedtls_cipher_id_t` in the `setup()` function, because that's how they're
identifed by callers (GCM/CCM).
-#### Cipher light dual dispatch
+#### Block cipher dual dispatch
-This is likely to come in the future, but has not been defined yet.
+Support for dual dispatch in the new internal module `block_cipher` is extremely similar to that in MD light.
+
+A block cipher context contains either a legacy module's context (AES, ARIA, Camellia) or a PSA key identifier; it has a field indicating which one is in use. All fields are private.
+
+The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
+
+Support is determined at runtime using the new internal function
+```
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);
+```
+
+The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA. As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
+
+Each function in the module needs to know whether to dispatch via PSA or legacy. All functions consult the context's `engine` field, except `setup()` which will set it according to the key type and the return value of `psa_can_do_cipher()` as discussed above.
+
+Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress.
+
+After calling a PSA function, `block_cipher` functions call `mbedtls_cipher_error_from_psa` to convert its status code.
diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md
index f085471..f59420e 100644
--- a/docs/driver-only-builds.md
+++ b/docs/driver-only-builds.md
@@ -16,6 +16,7 @@
In order to have some mechanism provided only by a driver, you'll want
the following compile-time configuration options enabled:
+
- `MBEDTLS_PSA_CRYPTO_C` (enabled by default) - this enables PSA Crypto.
- `MBEDTLS_USE_PSA_CRYPTO` (disabled by default) - this makes PK, X.509 and
TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS
@@ -28,6 +29,7 @@
TLS](proposed/psa-conditional-inclusion-c.md) for details.
In addition, for each mechanism you want provided only by your driver:
+
- Define the corresponding `PSA_WANT` macro in `psa/crypto_config.h` - this
means the algorithm will be available in the PSA Crypto API.
- Define the corresponding `MBEDTLS_PSA_ACCEL` in your build. This could be
@@ -52,9 +54,12 @@
------------------
For now, only the following (families of) mechanisms are supported:
+
- hashes: SHA-3, SHA-2, SHA-1, MD5, etc.
- elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types.
- finite-field Diffie-Hellman: FFDH algorithm, DH key types.
+- RSA: PKCS#1 v1.5 and v2.1 signature and encryption algorithms, RSA key types
+ (for now, only crypto, no X.509 or TLS support).
- AEADs:
- GCM and CCM with AES, ARIA and Camellia key types
- ChachaPoly with ChaCha20 Key type
@@ -71,15 +76,13 @@
in the "Limitations" sub-sections of the sections dedicated to each family
below.
-Currently (mid-2023) we don't have plans to extend this to RSA. If
-you're interested in driver-only support for RSA, please let us know.
-
Hashes
------
It is possible to have all hash operations provided only by a driver.
More precisely:
+
- you can enable `PSA_WANT_ALG_SHA_256` without `MBEDTLS_SHA256_C`, provided
you have `MBEDTLS_PSA_ACCEL_ALG_SHA_256` enabled;
- and similarly for all supported hash algorithms: `MD5`, `RIPEMD160`,
@@ -98,6 +101,7 @@
If you want to check at compile-time whether a certain hash algorithm is
available in the present build of Mbed TLS, regardless of whether it's
provided by a driver or built-in, you should use the following macros:
+
- for code that uses only the PSA Crypto API: `PSA_WANT_ALG_xxx` from
`psa/crypto.h`;
- for code that uses non-PSA crypto APIs: `MBEDTLS_MD_CAN_xxx` from
@@ -107,10 +111,12 @@
---------------------------------
It is possible to have most ECC operations provided only by a driver:
+
- the ECDH, ECDSA and EC J-PAKE algorithms;
- key import, export, and random generation.
More precisely, if:
+
- you have driver support for ECC public and using private keys (that is,
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY` and
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC` are enabled), and
@@ -119,6 +125,7 @@
`MBEDTLS_PSA_ACCEL_ECC_xxx` macros is enabled as well);
then you can:
+
- enable `PSA_WANT_ALG_ECDH` without `MBEDTLS_ECDH_C`, provided
`MBEDTLS_PSA_ACCEL_ALG_ECDH` is enabled
- enable `PSA_WANT_ALG_ECDSA` without `MBEDTLS_ECDSA_C`, provided
@@ -127,6 +134,7 @@
`MBEDTLS_PSA_ACCEL_ALG_JPAKE` is enabled.
In addition, if:
+
- none of `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C`, `MBEDTLS_ECJPAKE_C` are enabled
(see conditions above), and
- you have driver support for all enabled ECC key pair operations - that is,
@@ -138,9 +146,11 @@
still be included in the build, see limitations sub-section below.
In addition, if:
-- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below), and
-- support for RSA key types and algorithms is fully disabled, and
-- support for DH key types and the FFDH algorithm is either disabled, or
+
+- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below),
+- and support for RSA key types and algorithms is either fully disabled or
+ fully provided by a driver,
+- and support for DH key types and the FFDH algorithm is either disabled or
fully provided by a driver,
then you can also disable `MBEDTLS_BIGNUM_C`.
@@ -148,6 +158,7 @@
In such builds, all crypto operations via the PSA Crypto API will work as
usual, as well as the PK, X.509 and TLS modules if `MBEDTLS_USE_PSA_CRYPTO` is
enabled, with the following exceptions:
+
- direct calls to APIs from the disabled modules are not possible;
- PK, X.509 and TLS will not support restartable ECC operations (see
limitation sub-section below).
@@ -155,6 +166,7 @@
If you want to check at compile-time whether a certain curve is available in
the present build of Mbed TLS, regardless of whether ECC is provided by a
driver or built-in, you should use the following macros:
+
- for code that uses only the PSA Crypto API: `PSA_WANT_ECC_xxx` from
`psa/crypto.h`;
- for code that may also use non-PSA crypto APIs: `MBEDTLS_ECP_HAVE_xxx` from
@@ -170,6 +182,7 @@
A limited subset of `ecp.c` will still be automatically re-enabled if any of
the following is enabled:
+
- `MBEDTLS_PK_PARSE_EC_COMPRESSED` - support for parsing ECC keys where the
public part is in compressed format;
- `MBEDTLS_PK_PARSE_EC_EXTENDED` - support for parsing ECC keys where the
@@ -243,12 +256,37 @@
`[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and
removing builtin support (i.e. `MBEDTLS_DHM_C`).
+RSA
+---
+
+It is possible for all RSA operations to be provided only by a driver.
+
+More precisely, if:
+
+- all the RSA algorithms that are enabled (`PSA_WANT_ALG_RSA_*`) are also
+ accelerated (`MBEDTLS_PSA_ACCEL_ALG_RSA_*`),
+- and all the RSA key types that are enabled (`PSA_WANT_KEY_TYPE_RSA_*`) are
+ also accelerated (`MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_*`),
+
+then you can disable `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15` and
+`MBEDTLS_PKCS1_V21`, and RSA will still work in PSA Crypto.
+
+### Limitations on RSA acceleration
+
+Unlike other mechanisms, for now in configurations with driver-only RSA, only
+PSA Crypto works. In particular, PK, X.509 and TLS will _not_ work with
+driver-only RSA even if `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+
+Currently (early 2024) we don't have plans to extend this support. If you're
+interested in wider driver-only support for RSA, please let us know.
+
Ciphers (unauthenticated and AEAD)
----------------------------------
It is possible to have all ciphers and AEAD operations provided only by a
driver. More precisely, for each desired combination of key type and
algorithm/mode you can:
+
- Enable desired PSA key type(s):
- `PSA_WANT_KEY_TYPE_AES`,
- `PSA_WANT_KEY_TYPE_ARIA`,
@@ -305,6 +343,7 @@
Some legacy modules can't take advantage of PSA drivers yet, and will either
need to be disabled, or have reduced features when the built-in implementations
of some ciphers are removed:
+
- `MBEDTLS_NIST_KW_C` needs built-in AES: it must be disabled when
`MBEDTLS_AES_C` is disabled.
- `MBEDTLS_CMAC_C` needs built-in AES/DES: it must be disabled when
@@ -329,6 +368,7 @@
Note that the relationship between legacy (i.e. `MBEDTLS_xxx_C`) and PSA
(i.e. `PSA_WANT_xxx`) symbols is not always 1:1. For example:
+
- ECB mode is always enabled in the legacy configuration for each key type that
allows it (AES, ARIA, Camellia, DES), whereas it must be explicitly enabled
in PSA with `PSA_WANT_ALG_ECB_NO_PADDING`.
@@ -349,9 +389,12 @@
ECB mode (`PSA_WANT_ALG_ECB_NO_PADDING` + `MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING`)
together with desired key type(s) (`PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` +
`MBEDTLS_PSA_ACCEL_KEY_TYPE_[AES|ARIA|CAMELLIA]`).
+
In such configurations it is possible to:
+
- Use CCM and GCM via the PSA Crypto APIs.
-- Use CCM and GCM via legacy functions (`mbedtls_[ccm|gcm]_xxx()`).
+- Use CCM and GCM via legacy functions `mbedtls_[ccm|gcm]_xxx()` (but not the
+ legacy functions `mbedtls_cipher_xxx()`).
- Disable legacy key types (`MBEDTLS_[AES|ARIA|CAMELLIA]_C`) if there is no
other dependency requiring them.
@@ -362,6 +405,7 @@
The legacy CTR-DRBG module (enabled by `MBEDTLS_CTR_DRBG_C`) can also benefit
from PSA acceleration if both of the following conditions are met:
+
- The legacy AES module (`MBEDTLS_AES_C`) is not enabled and
- AES is supported on the PSA side together with ECB mode, i.e.
`PSA_WANT_KEY_TYPE_AES` + `PSA_WANT_ALG_ECB_NO_PADDING`.
@@ -370,6 +414,7 @@
It is possible to save code size by disabling MBEDTLS_CIPHER_C when all of the
following conditions are met:
+
- The application is not using the `mbedtls_cipher_` API.
- In PSA, all unauthenticated (that is, non-AEAD) ciphers are either disabled or
fully accelerated (that is, all compatible key types are accelerated too).
@@ -379,6 +424,7 @@
a driver.)
In such a build, everything will work as usual except for the following:
+
- Encryption/decryption functions from the PKCS5 and PKCS12 module will not be
available (only key derivation functions).
- Parsing of PKCS5- or PKCS12-encrypted keys in PK parse will fail.
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index c6b7f8e..696266c 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -22,6 +22,20 @@
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
+/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
+ * in PSA. */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && \
+ (defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG))
+#define MBEDTLS_CIPHER_C
+#endif
+
/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
* This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
*/
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 94e21e2..6a5828c 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -2579,6 +2579,8 @@
* library/ssl_ciphersuites.c
* library/ssl_msg.c
* library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled)
+ * Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled
+ * (see the documentation of that option for details).
*
* Uncomment to enable generic cipher wrappers.
*/
@@ -3168,7 +3170,9 @@
* Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
* or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,
* or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
- *
+ * Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher
+ * is enabled in PSA (unless it's fully accelerated, see
+ * docs/driver-only-builds.md about that).
*/
#define MBEDTLS_PSA_CRYPTO_C
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 043988f..3192e2a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1188,6 +1188,11 @@
unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+/*!< RecordSizeLimit received from the peer */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ uint16_t MBEDTLS_PRIVATE(record_size_limit);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
unsigned char MBEDTLS_PRIVATE(exported);
/** TLS version negotiated in the session. Used if and when renegotiating
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 5e33f6b..8d30bf0 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -594,19 +594,23 @@
* They are defined in _Standards for Efficient Cryptography_,
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
+ *
+ * \note For secp224k1, the bit-size is 225 (size of a private value).
+ *
+ * \note Mbed TLS only supports secp192k1 and secp256k1.
*/
#define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17)
/** SEC random curves over prime fields.
*
* This family comprises the following curves:
- * secp192k1, secp224r1, secp256r1, secp384r1, secp521r1.
+ * secp192r1, secp224r1, secp256r1, secp384r1, secp521r1.
* They are defined in _Standards for Efficient Cryptography_,
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
*/
#define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12)
-/* SECP160R2 (SEC2 v1, obsolete) */
+/* SECP160R2 (SEC2 v1, obsolete, not supported in Mbed TLS) */
#define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b)
/** SEC Koblitz curves over binary fields.
@@ -616,6 +620,8 @@
* They are defined in _Standards for Efficient Cryptography_,
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
+ *
+ * \note Mbed TLS does not support any curve in this family.
*/
#define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27)
@@ -626,6 +632,8 @@
* They are defined in _Standards for Efficient Cryptography_,
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
+ *
+ * \note Mbed TLS does not support any curve in this family.
*/
#define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22)
@@ -636,6 +644,8 @@
* It is defined in _Standards for Efficient Cryptography_,
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
+ *
+ * \note Mbed TLS does not support any curve in this family.
*/
#define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b)
@@ -645,6 +655,9 @@
* brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1,
* brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
* It is defined in RFC 5639.
+ *
+ * \note Mbed TLS only supports the 256-bit, 384-bit and 512-bit curves
+ * in this family.
*/
#define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30)
@@ -673,6 +686,8 @@
* - 448-bit: Edwards448, the twisted Edwards curve birationally equivalent
* to Curve448.
* Hamburg, _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
+ *
+ * \note Mbed TLS does not support Edwards curves yet.
*/
#define PSA_ECC_FAMILY_TWISTED_EDWARDS ((psa_ecc_family_t) 0x42)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index b9801a0..a8afd42 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -439,6 +439,19 @@
size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+/**
+ * \brief Get the size limit in bytes for the protected outgoing records
+ * as defined in RFC 8449
+ *
+ * \param ssl SSL context
+ *
+ * \return The size limit in bytes for the protected outgoing
+ * records as defined in RFC 8449.
+ */
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e1fb128..f92e40a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2455,6 +2455,7 @@
* uint8 ticket_flags;
* opaque resumption_key<0..255>;
* uint32 max_early_data_size;
+ * uint16 record_size_limit;
* select ( endpoint ) {
* case client: ClientOnlyData;
* case server: uint64 ticket_creation_time;
@@ -2490,6 +2491,9 @@
#if defined(MBEDTLS_SSL_EARLY_DATA)
needed += 4; /* max_early_data_size */
#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ needed += 2; /* record_size_limit */
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#if defined(MBEDTLS_HAVE_TIME)
needed += 8; /* ticket_creation_time or ticket_reception_time */
@@ -2534,6 +2538,10 @@
MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
p += 4;
#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
+ p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
@@ -2610,6 +2618,13 @@
session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
@@ -3372,6 +3387,31 @@
}
}
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+ const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+ size_t record_size_limit = max_len;
+
+ if (ssl->session != NULL &&
+ ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+ ssl->session->record_size_limit < max_len) {
+ record_size_limit = ssl->session->record_size_limit;
+ }
+
+ // TODO: this is currently untested
+ /* During a handshake, use the value being negotiated */
+ if (ssl->session_negotiate != NULL &&
+ ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+ ssl->session_negotiate->record_size_limit < max_len) {
+ record_size_limit = ssl->session_negotiate->record_size_limit;
+ }
+
+ return record_size_limit;
+}
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
{
@@ -3458,6 +3498,7 @@
size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+ !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
!defined(MBEDTLS_SSL_PROTO_DTLS)
(void) ssl;
#endif
@@ -3470,6 +3511,30 @@
}
#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
+
+ if (max_len > record_size_limit) {
+ max_len = record_size_limit;
+ }
+#endif
+
+ if (ssl->transform_out != NULL &&
+ ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ /* RFC 8449, section 4:
+ *
+ * This value [record_size_limit] is the length of the plaintext
+ * of a protected record.
+ * The value includes the content type and padding added in TLS 1.3
+ * (that is, the complete length of TLSInnerPlaintext).
+ *
+ * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+ * and subtract 1 (for the content type that will be added later)
+ */
+ max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+ }
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
@@ -3492,7 +3557,8 @@
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
- !defined(MBEDTLS_SSL_PROTO_DTLS)
+ !defined(MBEDTLS_SSL_PROTO_DTLS) && \
+ !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
((void) ssl);
#endif
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index ae11364..342ec52 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2113,12 +2113,11 @@
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, p + extension_data_len);
-
- /* TODO: Return unconditionally here until we handle the record
- * size limit correctly. Once handled correctly, only return in
- * case of errors. */
- return ret;
-
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+ return ret;
+ }
break;
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
@@ -2132,6 +2131,17 @@
p += extension_data_len;
}
+ if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
+ (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ (
+ "Record size limit extension cannot be used with max fragment length extension"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
handshake->received_extensions);
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index fe2a2eb..ecfaf8a 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1731,7 +1731,7 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
- /* RFC 8449, section 4
+ /* RFC 8449, section 4:
*
* Endpoints MUST NOT send a "record_size_limit" extension with a value
* smaller than 64. An endpoint MUST treat receipt of a smaller value
@@ -1744,14 +1744,11 @@
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
- MBEDTLS_SSL_DEBUG_MSG(
- 2, ("record_size_limit extension is still in development. Aborting handshake."));
+ ssl->session_negotiate->record_size_limit = record_size_limit;
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
- MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
- return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ return 0;
}
+
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index fe7a674..a7c266b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1699,14 +1699,11 @@
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, extension_data_end);
-
- /*
- * TODO: Return unconditionally here until we handle the record
- * size limit correctly.
- * Once handled correctly, only return in case of errors.
- */
- return ret;
-
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+ return ret;
+ }
break;
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index e6ebd8e..598d38c 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3521,7 +3521,7 @@
mbedtls_printf(" [ Record expansion is unknown ]\n");
}
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) || defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
mbedtls_printf(" [ Maximum incoming record payload length is %u ]\n",
(unsigned int) mbedtls_ssl_get_max_in_record_payload(&ssl));
mbedtls_printf(" [ Maximum outgoing record payload length is %u ]\n",
diff --git a/scripts/mbedtls_dev/asymmetric_key_data.py b/scripts/mbedtls_dev/asymmetric_key_data.py
index ef3e3a0..8ca6758 100644
--- a/scripts/mbedtls_dev/asymmetric_key_data.py
+++ b/scripts/mbedtls_dev/asymmetric_key_data.py
@@ -41,13 +41,15 @@
'ECC(PSA_ECC_FAMILY_SECP_K1)': {
192: ("297ac1722ccac7589ecb240dc719842538ca974beb79f228",
"0426b7bb38da649ac2138fc050c6548b32553dab68afebc36105d325b75538c12323cb0764789ecb992671beb2b6bef2f5"),
- 224: ("0024122bf020fa113f6c0ac978dfbd41f749257a9468febdbe0dc9f7e8",
+ 225: ("0024122bf020fa113f6c0ac978dfbd41f749257a9468febdbe0dc9f7e8",
"042cc7335f4b76042bed44ef45959a62aa215f7a5ff0c8111b8c44ed654ee71c1918326ad485b2d599fe2a6eab096ee26d977334d2bac6d61d"),
256: ("7fa06fa02d0e911b9a47fdc17d2d962ca01e2f31d60c6212d0ed7e3bba23a7b9",
"045c39154579efd667adc73a81015a797d2c8682cdfbd3c3553c4a185d481cdc50e42a0e1cbc3ca29a32a645e927f54beaed14c9dbbf8279d725f5495ca924b24d"),
},
'ECC(PSA_ECC_FAMILY_SECP_R1)': {
- 225: ("872f203b3ad35b7f2ecc803c3a0e1e0b1ed61cc1afe71b189cd4c995",
+ 192: ("d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190",
+ "04e35fcbee11cec3154f80a1a61df7d7612de4f2fd70c5608d0ee3a4a1a5719471adb33966dd9b035fdb774feeba94b04c"),
+ 224: ("872f203b3ad35b7f2ecc803c3a0e1e0b1ed61cc1afe71b189cd4c995",
"046f00eadaa949fee3e9e1c7fa1247eecec86a0dce46418b9bd3117b981d4bd0ae7a990de912f9d060d6cb531a42d22e394ac29e81804bf160"),
256: ("49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee",
"047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45"),
diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py
index 285d6c6..ebfd55c 100644
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@@ -131,8 +131,8 @@
'PSA_DH_FAMILY_RFC7919': (2048, 3072, 4096, 6144, 8192),
} # type: Dict[str, Tuple[int, ...]]
ECC_KEY_SIZES = {
- 'PSA_ECC_FAMILY_SECP_K1': (192, 224, 256),
- 'PSA_ECC_FAMILY_SECP_R1': (225, 256, 384, 521),
+ 'PSA_ECC_FAMILY_SECP_K1': (192, 225, 256),
+ 'PSA_ECC_FAMILY_SECP_R1': (224, 256, 384, 521),
'PSA_ECC_FAMILY_SECP_R2': (160,),
'PSA_ECC_FAMILY_SECT_K1': (163, 233, 239, 283, 409, 571),
'PSA_ECC_FAMILY_SECT_R1': (163, 233, 283, 409, 571),
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 8f899c0..f1b9cc2 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1540,7 +1540,7 @@
make test
}
-component_test_full_no_cipher () {
+component_test_full_no_cipher_no_psa_crypto () {
msg "build: full no CIPHER no PSA_CRYPTO_C"
scripts/config.py full
scripts/config.py unset MBEDTLS_CIPHER_C
@@ -1565,8 +1565,8 @@
}
# This is a common configurator and test function that is used in:
-# - component_test_full_no_cipher_with_crypto
-# - component_test_full_no_cipher_with_crypto_config
+# - component_test_full_no_cipher_with_psa_crypto
+# - component_test_full_no_cipher_with_psa_crypto_config
# It accepts 2 input parameters:
# - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG
# - $2: a text string which describes the test component
@@ -1614,11 +1614,11 @@
make test
}
-component_test_full_no_cipher_with_crypto() {
+component_test_full_no_cipher_with_psa_crypto() {
common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG"
}
-component_test_full_no_cipher_with_crypto_config() {
+component_test_full_no_cipher_with_psa_crypto_config() {
common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER"
}
@@ -3741,9 +3741,9 @@
}
# This is a common configuration function used in:
-# - component_test_psa_crypto_config_accel_cipher_aead
-# - component_test_psa_crypto_config_reference_cipher_aead
-common_psa_crypto_config_accel_cipher_aead() {
+# - component_test_psa_crypto_config_accel_cipher_aead_cmac
+# - component_test_psa_crypto_config_reference_cipher_aead_cmac
+common_psa_crypto_config_accel_cipher_aead_cmac() {
# Start from the full config
helper_libtestdriver1_adjust_config "full"
@@ -3751,12 +3751,12 @@
}
# The 2 following test components, i.e.
-# - component_test_psa_crypto_config_accel_cipher_aead
-# - component_test_psa_crypto_config_reference_cipher_aead
+# - component_test_psa_crypto_config_accel_cipher_aead_cmac
+# - component_test_psa_crypto_config_reference_cipher_aead_cmac
# are meant to be used together in analyze_outcomes.py script in order to test
# driver's coverage for ciphers and AEADs.
-component_test_psa_crypto_config_accel_cipher_aead () {
- msg "build: full config with accelerated cipher and AEAD"
+component_test_psa_crypto_config_accel_cipher_aead_cmac () {
+ msg "build: full config with accelerated cipher inc. AEAD and CMAC"
loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
@@ -3766,7 +3766,7 @@
# Configure
# ---------
- common_psa_crypto_config_accel_cipher_aead
+ common_psa_crypto_config_accel_cipher_aead_cmac
# Disable the things that are being accelerated
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
@@ -3810,29 +3810,29 @@
# Run the tests
# -------------
- msg "test: full config with accelerated cipher and AEAD"
+ msg "test: full config with accelerated cipher inc. AEAD and CMAC"
make test
- msg "ssl-opt: full config with accelerated cipher and AEAD"
+ msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC"
tests/ssl-opt.sh
- msg "compat.sh: full config with accelerated cipher and AEAD"
+ msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC"
tests/compat.sh -V NO -p mbedTLS
}
-component_test_psa_crypto_config_reference_cipher_aead () {
- msg "build: full config with non-accelerated cipher and AEAD"
- common_psa_crypto_config_accel_cipher_aead
+component_test_psa_crypto_config_reference_cipher_aead_cmac () {
+ msg "build: full config with non-accelerated cipher inc. AEAD and CMAC"
+ common_psa_crypto_config_accel_cipher_aead_cmac
make
- msg "test: full config with non-accelerated cipher and AEAD"
+ msg "test: full config with non-accelerated cipher inc. AEAD and CMAC"
make test
- msg "ssl-opt: full config with non-accelerated cipher and AEAD"
+ msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC"
tests/ssl-opt.sh
- msg "compat.sh: full config with non-accelerated cipher and AEAD"
+ msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC"
tests/compat.sh -V NO -p mbedTLS
}
@@ -5815,11 +5815,8 @@
msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
cd tests; ./test_suite_ssl; cd ..
- msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)"
- # Both the server and the client will currently abort the handshake when they encounter the
- # record size limit extension. There is no way to prevent gnutls-cli from sending the extension
- # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension.
- tests/ssl-opt.sh -f "Record Size Limit"
+ msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension enabled)"
+ tests/ssl-opt.sh
}
component_build_mingw () {
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 3b11ca2..a867971 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -240,16 +240,16 @@
}
}
},
- 'analyze_driver_vs_reference_cipher_aead': {
+ 'analyze_driver_vs_reference_cipher_aead_cmac': {
'test_function': do_analyze_driver_vs_reference,
'args': {
- 'component_ref': 'test_psa_crypto_config_reference_cipher_aead',
- 'component_driver': 'test_psa_crypto_config_accel_cipher_aead',
+ 'component_ref': 'test_psa_crypto_config_reference_cipher_aead_cmac',
+ 'component_driver': 'test_psa_crypto_config_accel_cipher_aead_cmac',
# Modules replaced by drivers.
'ignored_suites': [
# low-level (block/stream) cipher modules
'aes', 'aria', 'camellia', 'des', 'chacha20',
- # AEAD modes
+ # AEAD modes and CMAC
'ccm', 'chachapoly', 'cmac', 'gcm',
# The Cipher abstraction layer
'cipher',
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index d02d305..3d8937d 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -1776,6 +1776,10 @@
}
#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ session->record_size_limit = 2048;
+#endif
+
return 0;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4762285..92b3e17 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4481,7 +4481,7 @@
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length: enabled, default" \
- "$P_SRV debug_level=3" \
+ "$P_SRV debug_level=3 force_version=tls12" \
"$P_CLI debug_level=3" \
0 \
-c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
@@ -4496,7 +4496,7 @@
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length: enabled, default, larger message" \
- "$P_SRV debug_level=3" \
+ "$P_SRV debug_level=3 force_version=tls12" \
"$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
0 \
-c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
@@ -4534,7 +4534,7 @@
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length: disabled, larger message" \
- "$P_SRV debug_level=3" \
+ "$P_SRV debug_level=3 force_version=tls12" \
"$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
0 \
-C "Maximum incoming record payload length is 16384" \
@@ -4548,7 +4548,7 @@
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length, DTLS: disabled, larger message" \
- "$P_SRV debug_level=3 dtls=1" \
+ "$P_SRV debug_level=3 dtls=1 force_version=tls12" \
"$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
1 \
-C "Maximum incoming record payload length is 16384" \
@@ -4837,34 +4837,177 @@
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test "Record Size Limit: TLS 1.3: Server-side parsing, debug output and fatal alert" \
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
"$P_SRV debug_level=3 force_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
- 1 \
- -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
- -c "Sending extension Record Size Limit/28 (2 bytes)" \
- -s "ClientHello: record_size_limit(28) extension received."\
- -s "found record_size_limit extension" \
+ 0 \
-s "RecordSizeLimit: 16385 Bytes" \
- -c "Received alert \[110]: An unsupported extension was sent"
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 16383" \
+ -s "bytes written in 1 fragments"
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
requires_gnutls_next_disable_tls13_compat
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test "Record Size Limit: TLS 1.3: Client-side parsing, debug output and fatal alert" \
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
"$P_CLI debug_level=4 force_version=tls13" \
0 \
-s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'"
# The P_CLI can not yet send the Record Size Limit extension. Thus, the G_NEXT_SRV does not send
# a response in its EncryptedExtensions record.
-# -s "Parsing extension 'Record Size Limit/28 (2 bytes)" \
-# -s "Sending extension Record Size Limit/28 (2 bytes)" \
-# -c "EncryptedExtensions: record_size_limit(28) extension received."\
-# -c "found record_size_limit extension" \
-# -c "RecordSizeLimit: 16385 Bytes" \
-# -s "Received alert \[110]: An unsupported extension was sent"
+# -c "RecordSizeLimit: 16385 Bytes"
+
+# In the following (9) tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
+# maximum record size using "https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-size".
+# There is currently a lower limit of 512, caused by this function not respecting the
+# "%ALLOW_SMALL_RECORDS" priority string and not using the more recent function
+# https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-recv-size.
+# There is currently an upper limit of 4096, caused by the cli arg parser:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/src/cli-args.def#L395.
+# Thus, these tests are currently limit to that value range.
+# Moreover, the value sent in the extension is expected to be larger by one compared
+# to the value passed on the cli:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
+
+# Currently test certificates being used do not fit in 513 record size limit
+# so for 513 record size limit tests we use preshared key to avoid sending
+# the certificate.
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+ psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+ response_size=256" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+ 0 \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "256 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+ psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+ response_size=768" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+ 0 \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "768 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+ psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+ response_size=1280" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+ 0 \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "1280 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "512 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "1536 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "2560 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "2048 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "6144 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "10240 bytes written in 3 fragments"
# Tests for renegotiation
@@ -8263,7 +8406,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "mbedtls_ssl_get_bytes_avail: extra data (max)" \
- "$P_SRV buffer_size=100" \
+ "$P_SRV buffer_size=100 force_version=tls12" \
"$P_CLI request_size=$MAX_CONTENT_LEN" \
0 \
-s "Read from client: $MAX_CONTENT_LEN bytes read (100 + $((MAX_CONTENT_LEN - 100)))"
@@ -8452,20 +8595,20 @@
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large client packet TLS 1.3 AEAD" \
"$P_SRV" \
- "$P_CLI request_size=16384 \
+ "$P_CLI request_size=16383 \
force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
+ -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
+ -s "Read from client: 16383 bytes read"
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large client packet TLS 1.3 AEAD shorter tag" \
"$P_SRV" \
- "$P_CLI request_size=16384 \
+ "$P_CLI request_size=16383 \
force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
+ -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
+ -s "Read from client: 16383 bytes read"
# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
run_test "Large server packet TLS 1.2 BlockCipher" \
@@ -8508,17 +8651,17 @@
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large server packet TLS 1.3 AEAD" \
- "$P_SRV response_size=16384" \
+ "$P_SRV response_size=16383" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
- -c "Read from server: 16384 bytes read"
+ -c "Read from server: 16383 bytes read"
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large server packet TLS 1.3 AEAD shorter tag" \
- "$P_SRV response_size=16384" \
+ "$P_SRV response_size=16383" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
- -c "Read from server: 16384 bytes read"
+ -c "Read from server: 16383 bytes read"
# Tests for restartable ECC
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 05571a1..8a03d1b 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -2096,6 +2096,10 @@
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ TEST_ASSERT(original.record_size_limit == restored.record_size_limit);
+#endif
+
exit:
mbedtls_ssl_session_free(&original);
mbedtls_ssl_session_free(&restored);