Merge pull request #5545 from xffbai/tls13-write-enc-ext
TLS1.3: add writing encrypted extensions on server side.
diff --git a/.travis.yml b/.travis.yml
index 82e7d30..7b72515 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -54,7 +54,7 @@
env:
global:
- SEED=1
- - secure: "FrI5d2s+ckckC17T66c8jm2jV6i2DkBPU5nyWzwbedjmEBeocREfQLd/x8yKpPzLDz7ghOvr+/GQvsPPn0dVkGlNzm3Q+hGHc/ujnASuUtGrcuMM+0ALnJ3k4rFr9xEvjJeWb4SmhJO5UCAZYvTItW4k7+bj9L+R6lt3TzQbXzg="
+ - secure: "JECCru6HASpKZ0OLfHh8f/KXhKkdrCwjquZghd/qbA4ksxsWImjR7KEPERcaPndXEilzhDbKwuFvJiQX2duVgTGoq745YGhLZIjzo1i8tySkceCVd48P8WceYGz+F/bmY7r+m6fFNuxDSoGGSVeA4Lnjvmm8PFUP45YodDV9no4="
install:
- $PYTHON scripts/min_requirements.py
diff --git a/ChangeLog.d/doc-x509-profile-pk.txt b/ChangeLog.d/doc-x509-profile-pk.txt
new file mode 100644
index 0000000..35625fe
--- /dev/null
+++ b/ChangeLog.d/doc-x509-profile-pk.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
+ documentation stated that the `allowed_pks` field applies to signatures
+ only, but in fact it does apply to the public key type of the end entity
+ certificate, too. Fixes #1992.
diff --git a/ChangeLog.d/fix-undefined-memcpy-mbedtls_asn1_named_data.txt b/ChangeLog.d/fix-undefined-memcpy-mbedtls_asn1_named_data.txt
new file mode 100644
index 0000000..b30f7fa
--- /dev/null
+++ b/ChangeLog.d/fix-undefined-memcpy-mbedtls_asn1_named_data.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
+ not NULL and val_len is zero.
diff --git a/ChangeLog.d/psa_crypto_config_file.txt b/ChangeLog.d/psa_crypto_config_file.txt
new file mode 100644
index 0000000..d42651d
--- /dev/null
+++ b/ChangeLog.d/psa_crypto_config_file.txt
@@ -0,0 +1,6 @@
+Features
+ * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
+ feature requirements in the file named by the new macro
+ MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
+ Furthermore you may name an additional file to include after the main
+ file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
diff --git a/ChangeLog.d/psk_to_ms_mixed_psk.txt b/ChangeLog.d/psk_to_ms_mixed_psk.txt
new file mode 100644
index 0000000..b189661
--- /dev/null
+++ b/ChangeLog.d/psk_to_ms_mixed_psk.txt
@@ -0,0 +1,4 @@
+Features
+ * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
+ mixed-psk. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
+ holding the other secret.
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index f917133..7718f85 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -31,9 +31,17 @@
#define MBEDTLS_CONFIG_PSA_H
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
+#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+#else
#include "psa/crypto_config.h"
+#endif
#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
+#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE)
+#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -260,7 +268,6 @@
#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \
(defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \
(defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \
- (defined(PSA_WANT_ALG_XTS) && !defined(MBEDTLS_PSA_ACCEL_ALG_XTS)) || \
defined(PSA_WANT_ALG_ECB_NO_PADDING) || \
(defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
!defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \
@@ -382,14 +389,6 @@
#endif
#endif /* PSA_WANT_ALG_OFB */
-#if defined(PSA_WANT_ALG_XTS)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_XTS) || \
- defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
-#define MBEDTLS_PSA_BUILTIN_ALG_XTS 1
-#define MBEDTLS_CIPHER_MODE_XTS
-#endif
-#endif /* PSA_WANT_ALG_XTS */
-
#if defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
!defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)
#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
@@ -726,11 +725,6 @@
#define PSA_WANT_ALG_OFB 1
#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-#define MBEDTLS_PSA_BUILTIN_ALG_XTS 1
-#define PSA_WANT_ALG_XTS 1
-#endif
-
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_256
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 72a1e10..2d32f67 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1775,8 +1775,19 @@
* This setting allows support for cryptographic mechanisms through the PSA
* API to be configured separately from support through the mbedtls API.
*
- * Uncomment this to enable use of PSA Crypto configuration settings which
- * can be found in include/psa/crypto_config.h.
+ * When this option is disabled, the PSA API exposes the cryptographic
+ * mechanisms that can be implemented on top of the `mbedtls_xxx` API
+ * configured with `MBEDTLS_XXX` symbols.
+ *
+ * When this option is enabled, the PSA API exposes the cryptographic
+ * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
+ * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
+ * automatically enabled if required (i.e. if no PSA driver provides the
+ * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
+ * in mbedtls_config.h.
+ *
+ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * an alternative header to include instead of include/psa/crypto_config.h.
*
* This feature is still experimental and is not ready for production since
* it is not completed.
@@ -3144,6 +3155,88 @@
/** \} name SECTION: mbed TLS modules */
/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ *
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
+ * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+/**
* \name SECTION: Module configuration options
*
* This section allows for the setting of module specific sizes and
@@ -3152,11 +3245,15 @@
*
* Our advice is to enable options and change their values here
* only if you have a good reason and know the consequences.
- *
- * Please check the respective header file for documentation on these
- * parameters (to prevent duplicate documentation).
* \{
*/
+/* The Doxygen documentation here is used when a user comments out a
+ * setting and runs doxygen themselves. On the other hand, when we typeset
+ * the full documentation including disabled settings, the documentation
+ * in specific modules' header files is used if present. When editing this
+ * file, make sure that each option is documented in exactly one place,
+ * plus optionally a same-line Doxygen comment here if there is a Doxygen
+ * comment in the specific module. */
/* MPI / BIGNUM options */
//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */
@@ -3439,4 +3536,4 @@
*/
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
-/** \} name SECTION: Customisation configuration options */
+/** \} name SECTION: Module configuration options */
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index dc808e8..5225c57 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -922,28 +922,24 @@
* \warning This is a temporary utility function for tests. It might
* change or be removed at any time without notice.
*
- * \note ECDSA & RSA keys are supported.
- * For both key types, signing with the specified hash
- * is the only allowed use of that key with PK API.
- * The RSA key supports RSA-PSS signing with the specified
- * hash with the PK EXT API.
- * In addition, the ECDSA key is also allowed for ECDH key
- * agreement derivation operation using the PSA API.
- *
* \param pk Input: the EC or RSA key to import to a PSA key.
* Output: a PK context wrapping that PSA key.
* \param key Output: a PSA key identifier.
* It's the caller's responsibility to call
* psa_destroy_key() on that key identifier after calling
* mbedtls_pk_free() on the PK context.
- * \param hash_alg The hash algorithm to allow for use with that key.
+ * \param alg The algorithm to allow for use with that key.
+ * \param usage The usage to allow for use with that key.
+ * \param alg2 The secondary algorithm to allow for use with that key.
*
* \return \c 0 if successful.
* \return An Mbed TLS error code otherwise.
*/
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
mbedtls_svc_key_id_t *key,
- psa_algorithm_t hash_alg );
+ psa_algorithm_t alg,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg2 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#ifdef __cplusplus
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 51883dc..51ce257 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -190,7 +190,9 @@
typedef struct mbedtls_x509_crt_profile
{
uint32_t allowed_mds; /**< MDs for signatures */
- uint32_t allowed_pks; /**< PK algs for signatures */
+ uint32_t allowed_pks; /**< PK algs for public keys;
+ * this applies to all certificates
+ * in the provided chain. */
uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */
}
diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h
index d3cf33a..35f3a8b 100644
--- a/include/psa/crypto_builtin_primitives.h
+++ b/include/psa/crypto_builtin_primitives.h
@@ -94,7 +94,6 @@
defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_XTS) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index d290971..46cf126 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -87,7 +87,9 @@
#define PSA_WANT_ALG_STREAM_CIPHER 1
#define PSA_WANT_ALG_TLS12_PRF 1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
-#define PSA_WANT_ALG_XTS 1
+/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
+ * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+//#define PSA_WANT_ALG_XTS 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
diff --git a/library/asn1write.c b/library/asn1write.c
index dc61854..2110052 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -472,7 +472,7 @@
cur->val.len = val_len;
}
- if( val != NULL )
+ if( val != NULL && val_len != 0 )
memcpy( cur->val.p, val, val_len );
return( cur );
diff --git a/library/pk.c b/library/pk.c
index bba2ef7..42ff432 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -720,12 +720,16 @@
*/
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
mbedtls_svc_key_id_t *key,
- psa_algorithm_t hash_alg )
+ psa_algorithm_t alg,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg2 )
{
#if !defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_RSA_C)
((void) pk);
((void) key);
- ((void) hash_alg);
+ ((void) alg);
+ ((void) usage);
+ ((void) alg2);
#else
#if defined(MBEDTLS_ECP_C)
if( mbedtls_pk_get_type( pk ) == MBEDTLS_PK_ECKEY )
@@ -752,10 +756,10 @@
/* prepare the key attributes */
psa_set_key_type( &attributes, key_type );
psa_set_key_bits( &attributes, bits );
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH |
- PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm( &attributes, PSA_ALG_ECDSA( hash_alg ) );
- psa_set_key_enrollment_algorithm( &attributes, PSA_ALG_ECDH );
+ psa_set_key_usage_flags( &attributes, usage );
+ psa_set_key_algorithm( &attributes, alg );
+ if( alg2 != PSA_ALG_NONE )
+ psa_set_key_enrollment_algorithm( &attributes, alg2 );
/* import private key into PSA */
status = psa_import_key( &attributes, d, d_len, key );
@@ -786,11 +790,10 @@
/* prepare the key attributes */
psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR );
psa_set_key_bits( &attributes, mbedtls_pk_get_bitlen( pk ) );
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH );
- psa_set_key_algorithm( &attributes,
- PSA_ALG_RSA_PKCS1V15_SIGN( hash_alg ) );
- psa_set_key_enrollment_algorithm( &attributes,
- PSA_ALG_RSA_PSS( hash_alg ) );
+ psa_set_key_usage_flags( &attributes, usage );
+ psa_set_key_algorithm( &attributes, alg );
+ if( alg2 != PSA_ALG_NONE )
+ psa_set_key_enrollment_algorithm( &attributes, alg2 );
/* import private key into PSA */
status = psa_import_key( &attributes,
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 141c40a..e8acc23 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -173,6 +173,12 @@
#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
#endif
+/* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+ defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
+#endif
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
@@ -2222,6 +2228,28 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+/**
+ * \brief TLS record protection modes
+ */
+typedef enum {
+ MBEDTLS_SSL_MODE_STREAM = 0,
+ MBEDTLS_SSL_MODE_CBC,
+ MBEDTLS_SSL_MODE_CBC_ETM,
+ MBEDTLS_SSL_MODE_AEAD
+} mbedtls_ssl_mode_t;
+
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
+ const mbedtls_ssl_transform *transform );
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
+ int encrypt_then_mac,
+ const mbedtls_ssl_ciphersuite_t *suite );
+#else
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
+ const mbedtls_ssl_ciphersuite_t *suite );
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+
#if defined(MBEDTLS_ECDH_C)
int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index c55c60f..083c8d2 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -523,9 +523,7 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
- mbedtls_cipher_mode_t mode;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ mbedtls_ssl_mode_t ssl_mode;
int auth_done = 0;
unsigned char * data;
unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
@@ -566,15 +564,13 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
+ ssl_mode = mbedtls_ssl_get_mode_from_transform( transform );
+
data = rec->buf + rec->data_offset;
post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
data, rec->data_len );
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
- mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET
@@ -654,17 +650,8 @@
* Add MAC before if needed
*/
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ||
- ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING
-#else
- if( mode == MBEDTLS_MODE_STREAM ||
- ( mode == MBEDTLS_MODE_CBC
-#endif
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
-#endif
- ) )
+ if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC )
{
if( post_avail < transform->maclen )
{
@@ -748,11 +735,7 @@
* Encrypt
*/
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER )
-#else
- if( mode == MBEDTLS_MODE_STREAM )
-#endif
+ if( ssl_mode == MBEDTLS_SSL_MODE_STREAM )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
"including %d bytes of padding",
@@ -767,13 +750,7 @@
#if defined(MBEDTLS_GCM_C) || \
defined(MBEDTLS_CCM_C) || \
defined(MBEDTLS_CHACHAPOLY_C)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ( PSA_ALG_IS_AEAD( transform->psa_alg ) )
-#else
- if( mode == MBEDTLS_MODE_GCM ||
- mode == MBEDTLS_MODE_CCM ||
- mode == MBEDTLS_MODE_CHACHAPOLY )
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
{
unsigned char iv[12];
unsigned char *dynamic_iv;
@@ -891,11 +868,8 @@
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING )
-#else
- if( mode == MBEDTLS_MODE_CBC )
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if( ssl_mode == MBEDTLS_SSL_MODE_CBC ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t padlen, i;
@@ -1139,14 +1113,9 @@
mbedtls_record *rec )
{
size_t olen;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_ssl_mode_t ssl_mode;
int ret;
-#else
- mbedtls_cipher_mode_t mode;
- int ret;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
int auth_done = 0;
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
size_t padlen = 0, correct = 1;
@@ -1171,9 +1140,7 @@
}
data = rec->buf + rec->data_offset;
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
- mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ ssl_mode = mbedtls_ssl_get_mode_from_transform( transform );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
/*
@@ -1187,11 +1154,7 @@
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER )
-#else
- if( mode == MBEDTLS_MODE_STREAM )
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if( ssl_mode == MBEDTLS_SSL_MODE_STREAM )
{
/* The only supported stream cipher is "NULL",
* so there's nothing to do here.*/
@@ -1201,13 +1164,7 @@
#if defined(MBEDTLS_GCM_C) || \
defined(MBEDTLS_CCM_C) || \
defined(MBEDTLS_CHACHAPOLY_C)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ( PSA_ALG_IS_AEAD( transform->psa_alg ) )
-#else
- if( mode == MBEDTLS_MODE_GCM ||
- mode == MBEDTLS_MODE_CCM ||
- mode == MBEDTLS_MODE_CHACHAPOLY )
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
{
unsigned char iv[12];
unsigned char *dynamic_iv;
@@ -1333,11 +1290,8 @@
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING )
-#else
- if( mode == MBEDTLS_MODE_CBC )
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if( ssl_mode == MBEDTLS_SSL_MODE_CBC ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
{
size_t minlen = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -1391,7 +1345,7 @@
* Authenticate before decrypt if enabled
*/
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+ if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 7f65849..1c05001 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -216,19 +216,23 @@
uint32_t lifetime )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_cipher_info_t *cipher_info;
+ size_t key_bits;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t alg;
psa_key_type_t key_type;
- size_t key_bits;
-#endif
+#else
+ const mbedtls_cipher_info_t *cipher_info;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
- ctx->f_rng = f_rng;
- ctx->p_rng = p_rng;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( mbedtls_ssl_cipher_to_psa( cipher, TICKET_AUTH_TAG_BYTES,
+ &alg, &key_type, &key_bits ) != PSA_SUCCESS )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- ctx->ticket_lifetime = lifetime;
-
+ if( PSA_ALG_IS_AEAD( alg ) == 0 )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+#else
cipher_info = mbedtls_cipher_info_from_type( cipher );
if( mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_GCM &&
@@ -238,14 +242,18 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
- if( mbedtls_cipher_info_get_key_bitlen( cipher_info ) > 8 * MAX_KEY_BYTES )
+ key_bits = mbedtls_cipher_info_get_key_bitlen( cipher_info );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if( key_bits > 8 * MAX_KEY_BYTES )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ ctx->f_rng = f_rng;
+ ctx->p_rng = p_rng;
+
+ ctx->ticket_lifetime = lifetime;
+
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( mbedtls_ssl_cipher_to_psa( cipher_info->type, TICKET_AUTH_TAG_BYTES,
- &alg, &key_type, &key_bits ) != PSA_SUCCESS )
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
ctx->keys[0].alg = alg;
ctx->keys[0].key_type = key_type;
ctx->keys[0].key_bits = key_bits;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7804cb7..250bae9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -383,11 +383,9 @@
static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
int ciphersuite,
const unsigned char master[48],
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
- defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
int encrypt_then_mac,
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
- MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
ssl_tls_prf_t tls_prf,
const unsigned char randbytes[64],
mbedtls_ssl_protocol_version tls_version,
@@ -1716,6 +1714,109 @@
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
+ psa_algorithm_t alg )
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ if( alg == PSA_ALG_CBC_NO_PADDING )
+ return( MBEDTLS_SSL_MODE_CBC );
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+ if( PSA_ALG_IS_AEAD( alg ) )
+ return( MBEDTLS_SSL_MODE_AEAD );
+ return( MBEDTLS_SSL_MODE_STREAM );
+}
+
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
+ mbedtls_cipher_mode_t mode )
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ if( mode == MBEDTLS_MODE_CBC )
+ return( MBEDTLS_SSL_MODE_CBC );
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+
+#if defined(MBEDTLS_GCM_C) || \
+ defined(MBEDTLS_CCM_C) || \
+ defined(MBEDTLS_CHACHAPOLY_C)
+ if( mode == MBEDTLS_MODE_GCM ||
+ mode == MBEDTLS_MODE_CCM ||
+ mode == MBEDTLS_MODE_CHACHAPOLY )
+ return( MBEDTLS_SSL_MODE_AEAD );
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+
+ return( MBEDTLS_SSL_MODE_STREAM );
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
+ mbedtls_ssl_mode_t base_mode,
+ int encrypt_then_mac )
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
+ base_mode == MBEDTLS_SSL_MODE_CBC )
+ {
+ return( MBEDTLS_SSL_MODE_CBC_ETM );
+ }
+#else
+ (void) encrypt_then_mac;
+#endif
+ return( base_mode );
+}
+
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
+ const mbedtls_ssl_transform *transform )
+{
+ mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->psa_alg
+#else
+ mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc )
+#endif
+ );
+
+ int encrypt_then_mac = 0;
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ encrypt_then_mac = transform->encrypt_then_mac;
+#endif
+ return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) );
+}
+
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ int encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ const mbedtls_ssl_ciphersuite_t *suite )
+{
+ mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+ psa_algorithm_t alg;
+ psa_key_type_t type;
+ size_t size;
+ status = mbedtls_ssl_cipher_to_psa( suite->cipher, 0, &alg, &type, &size );
+ if( status == PSA_SUCCESS )
+ base_mode = mbedtls_ssl_get_base_mode( alg );
+#else
+ const mbedtls_cipher_info_t *cipher =
+ mbedtls_cipher_info_from_type( suite->cipher );
+ if( cipher != NULL )
+ {
+ base_mode =
+ mbedtls_ssl_get_base_mode(
+ mbedtls_cipher_info_get_mode( cipher ) );
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ int encrypt_then_mac = 0;
+#endif
+ return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) );
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
size_t taglen,
psa_algorithm_t *alg,
@@ -3615,11 +3716,9 @@
ret = ssl_tls12_populate_transform( ssl->transform,
ssl->session->ciphersuite,
ssl->session->master,
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
- defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
ssl->session->encrypt_then_mac,
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
- MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
p, /* currently pointing to randbytes */
MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
@@ -4715,6 +4814,8 @@
psa_algorithm_t alg,
const unsigned char* seed, size_t seed_length,
const unsigned char* label, size_t label_length,
+ const unsigned char* other_secret,
+ size_t other_secret_length,
size_t capacity )
{
psa_status_t status;
@@ -4731,6 +4832,15 @@
if( status != PSA_SUCCESS )
return( status );
+ if ( other_secret != NULL )
+ {
+ status = psa_key_derivation_input_bytes( derivation,
+ PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
+ other_secret, other_secret_length );
+ if( status != PSA_SUCCESS )
+ return( status );
+ }
+
if( mbedtls_svc_key_id_is_null( key ) )
{
status = psa_key_derivation_input_bytes(
@@ -4804,6 +4914,7 @@
random, rlen,
(unsigned char const *) label,
(size_t) strlen( label ),
+ NULL, 0,
dlen );
if( status != PSA_SUCCESS )
{
@@ -4989,8 +5100,10 @@
return( 0 );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
- defined(MBEDTLS_USE_PSA_CRYPTO)
+
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED )
static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
{
if( ssl->conf->f_psk != NULL )
@@ -5009,7 +5122,7 @@
return( 0 );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
- MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+ MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
/*
* Compute master secret if needed
@@ -5045,15 +5158,15 @@
* is used. */
char const *lbl = "master secret";
- /* The salt for the KDF used for key expansion.
+ /* The seed for the KDF used for key expansion.
* - If the Extended Master Secret extension is not used,
* this is ClientHello.Random + ServerHello.Random
* (see Sect. 8.1 in RFC 5246).
* - If the Extended Master Secret extension is used,
* this is the transcript of the handshake so far.
* (see Sect. 4 in RFC 7627). */
- unsigned char const *salt = handshake->randbytes;
- size_t salt_len = 64;
+ unsigned char const *seed = handshake->randbytes;
+ size_t seed_len = 64;
#if !defined(MBEDTLS_DEBUG_C) && \
!defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
@@ -5073,17 +5186,17 @@
if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
{
lbl = "extended master secret";
- salt = session_hash;
- handshake->calc_verify( ssl, session_hash, &salt_len );
+ seed = session_hash;
+ handshake->calc_verify( ssl, session_hash, &seed_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "session hash for extended master secret",
- session_hash, salt_len );
+ session_hash, seed_len );
}
-#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
- if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_psk( handshake->ciphersuite_info ) == 1 &&
ssl_use_opaque_psk( ssl ) == 1 )
{
/* Perform PSK-to-MS expansion in a single step. */
@@ -5103,10 +5216,34 @@
else
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
+ size_t other_secret_len = 0;
+ unsigned char* other_secret = NULL;
+
+ switch( handshake->ciphersuite_info->key_exchange )
+ {
+ /* Provide other secret.
+ * Other secret is stored in premaster, where first 2 bytes hold the
+ * length of the other key.
+ */
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ /* For RSA-PSK other key length is always 48 bytes. */
+ other_secret_len = 48;
+ other_secret = handshake->premaster + 2;
+ break;
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
+ other_secret = handshake->premaster + 2;
+ break;
+ default:
+ break;
+ }
+
status = setup_psa_key_derivation( &derivation, psk, alg,
- salt, salt_len,
+ seed, seed_len,
(unsigned char const *) lbl,
(size_t) strlen( lbl ),
+ other_secret, other_secret_len,
master_secret_len );
if( status != PSA_SUCCESS )
{
@@ -5131,7 +5268,7 @@
#endif
{
ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
- lbl, salt, salt_len,
+ lbl, seed, seed_len,
master,
master_secret_len );
if( ret != 0 )
@@ -5193,11 +5330,9 @@
ret = ssl_tls12_populate_transform( ssl->transform_negotiate,
ssl->session_negotiate->ciphersuite,
ssl->session_negotiate->master,
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
- defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
ssl->session_negotiate->encrypt_then_mac,
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
- MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
ssl->tls_version,
@@ -5344,21 +5479,27 @@
unsigned char *end = p + sizeof( ssl->handshake->premaster );
const unsigned char *psk = NULL;
size_t psk_len = 0;
+ int psk_ret = mbedtls_ssl_get_psk( ssl, &psk, &psk_len );
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
(void) key_ex;
#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
- if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
- == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
+ if( psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
{
/*
* This should never happen because the existence of a PSK is always
- * checked before calling this function
+ * checked before calling this function.
+ *
+ * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
+ * the shared secret without PSK.
*/
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ if ( key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
}
/*
@@ -5419,6 +5560,14 @@
p += 2 + len;
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
+
+ /* For opaque PSK fill premaster with the the shared secret without PSK. */
+ if( psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "skip PMS generation for opaque DHE-PSK" ) );
+ return( 0 );
+ }
}
else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
@@ -6789,11 +6938,9 @@
static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
int ciphersuite,
const unsigned char master[48],
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
- defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
int encrypt_then_mac,
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
- MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
ssl_tls_prf_t tls_prf,
const unsigned char randbytes[64],
mbedtls_ssl_protocol_version tls_version,
@@ -6810,8 +6957,9 @@
size_t iv_copy_len;
size_t keylen;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
- const mbedtls_cipher_info_t *cipher_info;
+ mbedtls_ssl_mode_t ssl_mode;
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ const mbedtls_cipher_info_t *cipher_info;
const mbedtls_md_info_t *md_info;
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
@@ -6836,10 +6984,9 @@
/*
* Some data just needs copying into the structure
*/
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
- defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
transform->encrypt_then_mac = encrypt_then_mac;
-#endif
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
transform->tls_version = tls_version;
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
@@ -6866,6 +7013,28 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
+ ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ ciphersuite_info );
+
+ if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
+ transform->taglen =
+ ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( ( status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher,
+ transform->taglen,
+ &alg,
+ &key_type,
+ &key_bits ) ) != PSA_SUCCESS )
+ {
+ ret = psa_ssl_status_to_mbedtls( status );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret );
+ goto end;
+ }
+#else
cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
if( cipher_info == NULL )
{
@@ -6873,6 +7042,7 @@
ciphersuite_info->cipher ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mac_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
@@ -6932,21 +7102,21 @@
* Determine the appropriate key, IV and MAC length.
*/
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ keylen = PSA_BITS_TO_BYTES(key_bits);
+#else
keylen = mbedtls_cipher_info_get_key_bitlen( cipher_info ) / 8;
+#endif
#if defined(MBEDTLS_GCM_C) || \
defined(MBEDTLS_CCM_C) || \
defined(MBEDTLS_CHACHAPOLY_C)
- if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_GCM ||
- mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CCM ||
- mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY )
+ if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
{
size_t explicit_ivlen;
transform->maclen = 0;
mac_key_len = 0;
- transform->taglen =
- ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
/* All modes haves 96-bit IVs, but the length of the static parts vary
* with mode and version:
@@ -6957,7 +7127,11 @@
* sequence number).
*/
transform->ivlen = 12;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( key_type == PSA_KEY_TYPE_CHACHA20 )
+#else
if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
transform->fixed_ivlen = 12;
else
transform->fixed_ivlen = 4;
@@ -6969,10 +7143,17 @@
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ||
- mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
+ if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type );
+#else
+ size_t block_size = cipher_info->block_size;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Get MAC length */
mac_key_len = PSA_HASH_LENGTH(mac_alg);
#else
@@ -6990,10 +7171,14 @@
transform->maclen = mac_key_len;
/* IV length */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->ivlen = PSA_CIPHER_IV_LENGTH( key_type, alg );
+#else
transform->ivlen = cipher_info->iv_size;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Minimum length */
- if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM )
+ if( ssl_mode == MBEDTLS_SSL_MODE_STREAM )
transform->minlen = transform->maclen;
else
{
@@ -7004,17 +7189,17 @@
* 2. IV
*/
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+ if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
{
transform->minlen = transform->maclen
- + cipher_info->block_size;
+ + block_size;
}
else
#endif
{
transform->minlen = transform->maclen
- + cipher_info->block_size
- - transform->maclen % cipher_info->block_size;
+ + block_size
+ - transform->maclen % block_size;
}
if( tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
@@ -7096,17 +7281,6 @@
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( ( status = mbedtls_ssl_cipher_to_psa( cipher_info->type,
- transform->taglen,
- &alg,
- &key_type,
- &key_bits ) ) != PSA_SUCCESS )
- {
- ret = psa_ssl_status_to_mbedtls( status );
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret );
- goto end;
- }
-
transform->psa_alg = alg;
if ( alg != MBEDTLS_SSL_NULL_CIPHER )
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index dcc7dfb..d286764 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -73,7 +73,9 @@
return( 0 );
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ) || \
+ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) )
static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf )
{
if( conf->psk_identity == NULL ||
@@ -87,7 +89,9 @@
return( 0 );
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+ ( MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ) */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
@@ -2959,10 +2963,6 @@
* ciphersuites we offered, so this should never happen. */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- /* Opaque PSKs are currently only supported for PSK-only suites. */
- if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-
/* uint16 to store content length */
const size_t content_len_size = 2;
@@ -3068,30 +3068,40 @@
MBEDTLS_PUT_UINT16_BE( zlen, pms, 0 );
pms += zlen_size + zlen;
- const unsigned char *psk = NULL;
- size_t psk_len = 0;
+ /* In case of opaque psk skip writting psk to pms.
+ * Opaque key will be handled later. */
+ if( ssl_conf_has_static_raw_psk( ssl->conf ) == 1 )
+ {
+ const unsigned char *psk = NULL;
+ size_t psk_len = 0;
- if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
- == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
- /*
- * This should never happen because the existence of a PSK is always
- * checked before calling this function
- */
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
+ == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
+ /*
+ * This should never happen because the existence of a PSK is always
+ * checked before calling this function
+ */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- /* opaque psk<0..2^16-1>; */
- if( (size_t)( pms_end - pms ) < ( 2 + psk_len ) )
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ /* opaque psk<0..2^16-1>; */
+ if( (size_t)( pms_end - pms ) < ( 2 + psk_len ) )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- /* Write the PSK length as uint16 */
- MBEDTLS_PUT_UINT16_BE( psk_len, pms, 0 );
- pms += 2;
+ /* Write the PSK length as uint16 */
+ MBEDTLS_PUT_UINT16_BE( psk_len, pms, 0 );
+ pms += 2;
- /* Write the PSK itself */
- memcpy( pms, psk, psk_len );
- pms += psk_len;
+ /* Write the PSK itself */
+ memcpy( pms, psk, psk_len );
+ pms += psk_len;
- ssl->handshake->pmslen = pms - ssl->handshake->premaster;
+ ssl->handshake->pmslen = pms - ssl->handshake->premaster;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "skip PMS generation for opaque ECDHE-PSK" ) );
+ }
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
@@ -3138,12 +3148,6 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Opaque PSKs are currently only supported for PSK-only suites. */
- if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
&content_len, 2 ) ) != 0 )
return( ret );
@@ -3153,12 +3157,6 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Opaque PSKs are currently only supported for PSK-only suites. */
- if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
/*
* ClientDiffieHellmanPublic public (DHM send G^X mod P)
*/
@@ -3224,6 +3222,13 @@
( "skip PMS generation for opaque PSK" ) );
}
else
+ if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK &&
+ ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "skip PMS generation for opaque RSA-PSK" ) );
+ }
+ else
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 6fd916f..a60b5ad 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -171,7 +171,10 @@
return( 0 );
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ) || \
+ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
{
if( ssl->conf->f_psk != NULL )
@@ -190,7 +193,10 @@
return( 0 );
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+ ( MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
@@ -1973,20 +1979,13 @@
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
size_t *olen )
{
unsigned char *p = buf;
const mbedtls_ssl_ciphersuite_t *suite = NULL;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_type_t key_type;
- psa_algorithm_t alg;
- size_t key_bits;
-#else
- const mbedtls_cipher_info_t *cipher = NULL;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* RFC 7366: "If a server receives an encrypt-then-MAC request extension
@@ -1994,18 +1993,19 @@
* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
* encrypt-then-MAC response extension back to the client."
*/
- if( ( suite = mbedtls_ssl_ciphersuite_from_id(
- ssl->session_negotiate->ciphersuite ) ) == NULL ||
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- ( mbedtls_ssl_cipher_to_psa( suite->cipher, 0, &alg,
- &key_type, &key_bits ) != PSA_SUCCESS ) ||
- alg != PSA_ALG_CBC_NO_PADDING )
-#else
- ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
- cipher->mode != MBEDTLS_MODE_CBC )
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- {
+ suite = mbedtls_ssl_ciphersuite_from_id(
+ ssl->session_negotiate->ciphersuite );
+ if( suite == NULL )
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
+ else
+ {
+ mbedtls_ssl_mode_t ssl_mode =
+ mbedtls_ssl_get_mode_from_ciphersuite(
+ ssl->session_negotiate->encrypt_then_mac,
+ suite );
+
+ if( ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM )
+ ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
}
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
@@ -2024,7 +2024,7 @@
*olen = 4;
}
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
@@ -2593,7 +2593,7 @@
ext_len += olen;
#endif
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
@@ -4047,18 +4047,19 @@
return( ret );
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Opaque PSKs are currently only supported for PSK-only. */
- if( ssl_use_opaque_psk( ssl ) == 1 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif
-
if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
return( ret );
}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ /* For opaque PSKs, we perform the PSK-to-MS derivation automatically
+ * and skip the intermediate PMS. */
+ if( ssl_use_opaque_psk( ssl ) == 1 )
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque RSA-PSK" ) );
+ else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
ciphersuite_info->key_exchange ) ) != 0 )
{
@@ -4082,12 +4083,6 @@
return( ret );
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Opaque PSKs are currently only supported for PSK-only. */
- if( ssl_use_opaque_psk( ssl ) == 1 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif
-
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
@@ -4111,10 +4106,6 @@
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
uint8_t ecpoint_len;
- /* Opaque PSKs are currently only supported for PSK-only. */
- if( ssl_use_opaque_psk( ssl ) == 1 )
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
@@ -4187,28 +4178,38 @@
const unsigned char *psk = NULL;
size_t psk_len = 0;
- if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
- == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
- /*
- * This should never happen because the existence of a PSK is always
- * checked before calling this function
- */
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ /* In case of opaque psk skip writting psk to pms.
+ * Opaque key will be handled later. */
+ if( ssl_use_opaque_psk( ssl ) == 0 )
+ {
+ if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
+ == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
+ /*
+ * This should never happen because the existence of a PSK is always
+ * checked before calling this function
+ */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- /* opaque psk<0..2^16-1>; */
- if( (size_t)( psm_end - psm ) < ( 2 + psk_len ) )
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ /* opaque psk<0..2^16-1>; */
+ if( (size_t)( psm_end - psm ) < ( 2 + psk_len ) )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- /* Write the PSK length as uint16 */
- MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 );
- psm += 2;
+ /* Write the PSK length as uint16 */
+ MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 );
+ psm += 2;
- /* Write the PSK itself */
- memcpy( psm, psk, psk_len );
- psm += psk_len;
+ /* Write the PSK itself */
+ memcpy( psm, psk, psk_len );
+ psm += psk_len;
- ssl->handshake->pmslen = psm - ssl->handshake->premaster;
-#else
+ ssl->handshake->pmslen = psm - ssl->handshake->premaster;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "skip PMS generation for opaque ECDHE-PSK" ) );
+ }
+#else /* MBEDTLS_USE_PSA_CRYPTO */
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index cd60986..f741d99 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1406,17 +1406,6 @@
#if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( opt.psk_opaque != 0 )
{
- /* Ensure that the chosen ciphersuite is PSK-only; we must know
- * the ciphersuite in advance to set the correct policy for the
- * PSK key slot. This limitation might go away in the future. */
- if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK ||
- opt.min_version != MBEDTLS_SSL_VERSION_TLS1_2 )
- {
- mbedtls_printf( "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n" );
- ret = 2;
- goto usage;
- }
-
/* Determine KDF algorithm the opaque PSK will be used in. */
#if defined(MBEDTLS_SHA384_C)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
@@ -1709,8 +1698,22 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.key_opaque != 0 )
{
- if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot,
- PSA_ALG_ANY_HASH ) ) != 0 )
+ psa_algorithm_t psa_alg, psa_alg2;
+
+ if( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY )
+ {
+ psa_alg = PSA_ALG_ECDSA( PSA_ALG_ANY_HASH );
+ psa_alg2 = PSA_ALG_NONE;
+ }
+ else
+ {
+ psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_ANY_HASH );
+ psa_alg2 = PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH );
+ }
+
+ if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot, psa_alg,
+ PSA_KEY_USAGE_SIGN_HASH,
+ psa_alg2 ) ) != 0 )
{
mbedtls_printf( " failed\n ! "
"mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index a91af0e..d728b95 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2207,17 +2207,6 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
{
- /* Ensure that the chosen ciphersuite is PSK-only; we must know
- * the ciphersuite in advance to set the correct policy for the
- * PSK key slot. This limitation might go away in the future. */
- if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK ||
- opt.min_version != MBEDTLS_SSL_VERSION_TLS1_2 )
- {
- mbedtls_printf( "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n" );
- ret = 2;
- goto usage;
- }
-
/* Determine KDF algorithm the opaque PSK will be used in. */
#if defined(MBEDTLS_SHA384_C)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
@@ -2575,11 +2564,29 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.key_opaque != 0 )
{
+ psa_algorithm_t psa_alg, psa_alg2;
+ psa_key_usage_t psa_usage;
+
if ( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY ||
mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_RSA )
{
+ if( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY )
+ {
+ psa_alg = PSA_ALG_ECDSA( PSA_ALG_ANY_HASH );
+ psa_alg2 = PSA_ALG_ECDH;
+ psa_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
+ }
+ else
+ {
+ psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_ANY_HASH );
+ psa_alg2 = PSA_ALG_NONE;
+ psa_usage = PSA_KEY_USAGE_SIGN_HASH;
+ }
+
if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot,
- PSA_ALG_ANY_HASH ) ) != 0 )
+ psa_alg,
+ psa_usage,
+ psa_alg2 ) ) != 0 )
{
mbedtls_printf( " failed\n ! "
"mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret );
@@ -2590,8 +2597,23 @@
if ( mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_ECKEY ||
mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_RSA )
{
+ if( mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_ECKEY )
+ {
+ psa_alg = PSA_ALG_ECDSA( PSA_ALG_ANY_HASH );
+ psa_alg2 = PSA_ALG_ECDH;
+ psa_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
+ }
+ else
+ {
+ psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_ANY_HASH );
+ psa_alg2 = PSA_ALG_NONE;
+ psa_usage = PSA_KEY_USAGE_SIGN_HASH;
+ }
+
if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot2,
- PSA_ALG_ANY_HASH ) ) != 0 )
+ psa_alg,
+ psa_usage,
+ psa_alg2 ) ) != 0 )
{
mbedtls_printf( " failed\n ! "
"mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret );
diff --git a/scripts/config.py b/scripts/config.py
index c373936..c09212b 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -161,8 +161,16 @@
return section.endswith('support') or section.endswith('modules')
def realfull_adapter(_name, active, section):
- """Activate all symbols found in the system and feature sections."""
- if not is_full_section(section):
+ """Activate all symbols found in the global and boolean feature sections.
+
+ This is intended for building the documentation, including the
+ documentation of settings that are activated by defining an optional
+ preprocessor macro.
+
+ Do not activate definitions in the section containing symbols that are
+ supposed to be defined and documented in their own module.
+ """
+ if section == 'Module configuration options':
return active
return True
diff --git a/scripts/generate_ssl_debug_helpers.py b/scripts/generate_ssl_debug_helpers.py
index a722c19..42e4fc8 100755
--- a/scripts/generate_ssl_debug_helpers.py
+++ b/scripts/generate_ssl_debug_helpers.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
-"""Generate library/ssl_debug_helps_generated.c
+"""Generate library/ssl_debug_helpers_generated.c
The code generated by this module includes debug helper functions that can not be
implemented by fixed codes.
@@ -224,7 +224,7 @@
if( in > ( sizeof( in_to_str )/sizeof( in_to_str[0]) - 1 ) ||
in_to_str[ in ] == NULL )
{{
- return "UNKOWN_VAULE";
+ return "UNKNOWN_VALUE";
}}
return in_to_str[ in ];
}}
@@ -296,9 +296,9 @@
/* Automatically generated by generate_ssl_debug_helpers.py. DO NOT EDIT. */
/**
- * \file ssl_debug_helpers_generated.c
+ * \\file ssl_debug_helpers_generated.c
*
- * \brief Automatically generated helper functions for debugging
+ * \\brief Automatically generated helper functions for debugging
*/
/*
* Copyright The Mbed TLS Contributors
diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py
index 1bd011f..592fc0a 100644
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@@ -20,11 +20,34 @@
import enum
import re
-from typing import Dict, Iterable, Optional, Pattern, Tuple
+from typing import FrozenSet, Iterable, List, Optional, Tuple
from mbedtls_dev.asymmetric_key_data import ASYMMETRIC_KEY_DATA
+def short_expression(original: str, level: int = 0) -> str:
+ """Abbreviate the expression, keeping it human-readable.
+
+ If `level` is 0, just remove parts that are implicit from context,
+ such as a leading ``PSA_KEY_TYPE_``.
+ For larger values of `level`, also abbreviate some names in an
+ unambiguous, but ad hoc way.
+ """
+ short = original
+ short = re.sub(r'\bPSA_(?:ALG|ECC_FAMILY|KEY_[A-Z]+)_', r'', short)
+ short = re.sub(r' +', r'', short)
+ if level >= 1:
+ short = re.sub(r'PUBLIC_KEY\b', r'PUB', short)
+ short = re.sub(r'KEY_PAIR\b', r'PAIR', short)
+ short = re.sub(r'\bBRAINPOOL_P', r'BP', short)
+ short = re.sub(r'\bMONTGOMERY\b', r'MGM', short)
+ short = re.sub(r'AEAD_WITH_SHORTENED_TAG\b', r'AEAD_SHORT', short)
+ short = re.sub(r'\bDETERMINISTIC_', r'DET_', short)
+ short = re.sub(r'\bKEY_AGREEMENT\b', r'KA', short)
+ short = re.sub(r'_PSK_TO_MS\b', r'_PSK2MS', short)
+ return short
+
+
BLOCK_CIPHERS = frozenset(['AES', 'ARIA', 'CAMELLIA', 'DES'])
BLOCK_MAC_MODES = frozenset(['CBC_MAC', 'CMAC'])
BLOCK_CIPHER_MODES = frozenset([
@@ -104,6 +127,13 @@
`self.name`.
"""
+ def short_expression(self, level: int = 0) -> str:
+ """Abbreviate the expression, keeping it human-readable.
+
+ See `crypto_knowledge.short_expression`.
+ """
+ return short_expression(self.expression, level=level)
+
def is_public(self) -> bool:
"""Whether the key type is for public keys."""
return self.name.endswith('_PUBLIC_KEY')
@@ -178,35 +208,31 @@
return b''.join([self.DATA_BLOCK] * (length // len(self.DATA_BLOCK)) +
[self.DATA_BLOCK[:length % len(self.DATA_BLOCK)]])
- KEY_TYPE_FOR_SIGNATURE = {
- 'PSA_KEY_USAGE_SIGN_HASH': re.compile('.*KEY_PAIR'),
- 'PSA_KEY_USAGE_VERIFY_HASH': re.compile('.*KEY.*')
- } #type: Dict[str, Pattern]
- """Use a regexp to determine key types for which signature is possible
- when using the actual usage flag.
- """
- def is_valid_for_signature(self, usage: str) -> bool:
- """Determine if the key type is compatible with the specified
- signitute type.
-
- """
- # This is just temporaly solution for the implicit usage flags.
- return re.match(self.KEY_TYPE_FOR_SIGNATURE[usage], self.name) is not None
-
def can_do(self, alg: 'Algorithm') -> bool:
"""Whether this key type can be used for operations with the given algorithm.
This function does not currently handle key derivation or PAKE.
"""
- #pylint: disable=too-many-return-statements
+ #pylint: disable=too-many-branches,too-many-return-statements
if alg.is_wildcard:
return False
+ if alg.is_invalid_truncation():
+ return False
if self.head == 'HMAC' and alg.head == 'HMAC':
return True
+ if self.head == 'DES':
+ # 64-bit block ciphers only allow a reduced set of modes.
+ return alg.head in [
+ 'CBC_NO_PADDING', 'CBC_PKCS7',
+ 'ECB_NO_PADDING',
+ ]
if self.head in BLOCK_CIPHERS and \
alg.head in frozenset.union(BLOCK_MAC_MODES,
BLOCK_CIPHER_MODES,
BLOCK_AEAD_MODES):
+ if alg.head in ['CMAC', 'OFB'] and \
+ self.head in ['ARIA', 'CAMELLIA']:
+ return False # not implemented in Mbed TLS
return True
if self.head == 'CHACHA20' and alg.head == 'CHACHA20_POLY1305':
return True
@@ -215,6 +241,13 @@
return True
if self.head == 'RSA' and alg.head.startswith('RSA_'):
return True
+ if alg.category == AlgorithmCategory.KEY_AGREEMENT and \
+ self.is_public():
+ # The PSA API does not use public key objects in key agreement
+ # operations: it imports the public key as a formatted byte string.
+ # So a public key object with a key agreement algorithm is not
+ # a valid combination.
+ return False
if self.head == 'ECC':
assert self.params is not None
eccc = EllipticCurveCategory.from_family(self.params[0])
@@ -391,11 +424,113 @@
# Assume kdf_alg is either a valid KDF or 0.
return not re.match(r'(?:0[Xx])?0+\s*\Z', kdf_alg)
+
+ def short_expression(self, level: int = 0) -> str:
+ """Abbreviate the expression, keeping it human-readable.
+
+ See `crypto_knowledge.short_expression`.
+ """
+ return short_expression(self.expression, level=level)
+
+ HASH_LENGTH = {
+ 'PSA_ALG_MD5': 16,
+ 'PSA_ALG_SHA_1': 20,
+ }
+ HASH_LENGTH_BITS_RE = re.compile(r'([0-9]+)\Z')
+ @classmethod
+ def hash_length(cls, alg: str) -> int:
+ """The length of the given hash algorithm, in bytes."""
+ if alg in cls.HASH_LENGTH:
+ return cls.HASH_LENGTH[alg]
+ m = cls.HASH_LENGTH_BITS_RE.search(alg)
+ if m:
+ return int(m.group(1)) // 8
+ raise ValueError('Unknown hash length for ' + alg)
+
+ PERMITTED_TAG_LENGTHS = {
+ 'PSA_ALG_CCM': frozenset([4, 6, 8, 10, 12, 14, 16]),
+ 'PSA_ALG_CHACHA20_POLY1305': frozenset([16]),
+ 'PSA_ALG_GCM': frozenset([4, 8, 12, 13, 14, 15, 16]),
+ }
+ MAC_LENGTH = {
+ 'PSA_ALG_CBC_MAC': 16, # actually the block cipher length
+ 'PSA_ALG_CMAC': 16, # actually the block cipher length
+ }
+ HMAC_RE = re.compile(r'PSA_ALG_HMAC\((.*)\)\Z')
+ @classmethod
+ def permitted_truncations(cls, base: str) -> FrozenSet[int]:
+ """Permitted output lengths for the given MAC or AEAD base algorithm.
+
+ For a MAC algorithm, this is the set of truncation lengths that
+ Mbed TLS supports.
+ For an AEAD algorithm, this is the set of truncation lengths that
+ are permitted by the algorithm specification.
+ """
+ if base in cls.PERMITTED_TAG_LENGTHS:
+ return cls.PERMITTED_TAG_LENGTHS[base]
+ max_length = cls.MAC_LENGTH.get(base, None)
+ if max_length is None:
+ m = cls.HMAC_RE.match(base)
+ if m:
+ max_length = cls.hash_length(m.group(1))
+ if max_length is None:
+ raise ValueError('Unknown permitted lengths for ' + base)
+ return frozenset(range(4, max_length + 1))
+
+ TRUNCATED_ALG_RE = re.compile(
+ r'(?P<face>PSA_ALG_(?:AEAD_WITH_SHORTENED_TAG|TRUNCATED_MAC))'
+ r'\((?P<base>.*),'
+ r'(?P<length>0[Xx][0-9A-Fa-f]+|[1-9][0-9]*|0[0-7]*)[LUlu]*\)\Z')
+ def is_invalid_truncation(self) -> bool:
+ """False for a MAC or AEAD algorithm truncated to an invalid length.
+
+ True for a MAC or AEAD algorithm truncated to a valid length or to
+ a length that cannot be determined. True for anything other than
+ a truncated MAC or AEAD.
+ """
+ m = self.TRUNCATED_ALG_RE.match(self.expression)
+ if m:
+ base = m.group('base')
+ to_length = int(m.group('length'), 0)
+ permitted_lengths = self.permitted_truncations(base)
+ if to_length not in permitted_lengths:
+ return True
+ return False
+
def can_do(self, category: AlgorithmCategory) -> bool:
- """Whether this algorithm fits the specified operation category."""
+ """Whether this algorithm can perform operations in the given category.
+ """
if category == self.category:
return True
if category == AlgorithmCategory.KEY_DERIVATION and \
self.is_key_agreement_with_derivation():
return True
return False
+
+ def usage_flags(self, public: bool = False) -> List[str]:
+ """The list of usage flags describing operations that can perform this algorithm.
+
+ If public is true, only return public-key operations, not private-key operations.
+ """
+ if self.category == AlgorithmCategory.HASH:
+ flags = []
+ elif self.category == AlgorithmCategory.MAC:
+ flags = ['SIGN_HASH', 'SIGN_MESSAGE',
+ 'VERIFY_HASH', 'VERIFY_MESSAGE']
+ elif self.category == AlgorithmCategory.CIPHER or \
+ self.category == AlgorithmCategory.AEAD:
+ flags = ['DECRYPT', 'ENCRYPT']
+ elif self.category == AlgorithmCategory.SIGN:
+ flags = ['VERIFY_HASH', 'VERIFY_MESSAGE']
+ if not public:
+ flags += ['SIGN_HASH', 'SIGN_MESSAGE']
+ elif self.category == AlgorithmCategory.ASYMMETRIC_ENCRYPTION:
+ flags = ['ENCRYPT']
+ if not public:
+ flags += ['DECRYPT']
+ elif self.category == AlgorithmCategory.KEY_DERIVATION or \
+ self.category == AlgorithmCategory.KEY_AGREEMENT:
+ flags = ['DERIVE']
+ else:
+ raise AlgorithmNotRecognized(self.expression)
+ return ['PSA_KEY_USAGE_' + flag for flag in flags]
diff --git a/scripts/mbedtls_dev/macro_collector.py b/scripts/mbedtls_dev/macro_collector.py
index 987779d..3cad2a3 100644
--- a/scripts/mbedtls_dev/macro_collector.py
+++ b/scripts/mbedtls_dev/macro_collector.py
@@ -186,7 +186,7 @@
for value in argument_lists[i][1:]:
arguments[i] = value
yield self._format_arguments(name, arguments)
- arguments[i] = argument_lists[0][0]
+ arguments[i] = argument_lists[i][0]
except BaseException as e:
raise Exception('distribute_arguments({})'.format(name)) from e
@@ -400,10 +400,26 @@
'other_algorithm': [],
'lifetime': [self.lifetimes],
} #type: Dict[str, List[Set[str]]]
- self.arguments_for['mac_length'] += ['1', '63']
- self.arguments_for['min_mac_length'] += ['1', '63']
- self.arguments_for['tag_length'] += ['1', '63']
- self.arguments_for['min_tag_length'] += ['1', '63']
+ mac_lengths = [str(n) for n in [
+ 1, # minimum expressible
+ 4, # minimum allowed by policy
+ 13, # an odd size in a plausible range
+ 14, # an even non-power-of-two size in a plausible range
+ 16, # same as full size for at least one algorithm
+ 63, # maximum expressible
+ ]]
+ self.arguments_for['mac_length'] += mac_lengths
+ self.arguments_for['min_mac_length'] += mac_lengths
+ aead_lengths = [str(n) for n in [
+ 1, # minimum expressible
+ 4, # minimum allowed by policy
+ 13, # an odd size in a plausible range
+ 14, # an even non-power-of-two size in a plausible range
+ 16, # same as full size for at least one algorithm
+ 63, # maximum expressible
+ ]]
+ self.arguments_for['tag_length'] += aead_lengths
+ self.arguments_for['min_tag_length'] += aead_lengths
def add_numerical_values(self) -> None:
"""Add numerical values that are not supported to the known identifiers."""
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 8528a4f..1e5cd65 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -866,6 +866,12 @@
fi
tests/scripts/check_test_cases.py $opt
unset opt
+
+ # Check that no tests are explicitely disabled when USE_PSA_CRYPTO is set
+ # as a matter of policy to ensure there is no missed testing
+ msg "Check: explicitely disabled test with USE_PSA_CRYPTO" # < 1s
+ not grep -n 'depends_on:.*!MBEDTLS_USE_PSA_CRYPTO' tests/suites/*.function tests/suites/*.data
+ not grep -n '^ *requires_config_disabled.*MBEDTLS_USE_PSA_CRYPTO' tests/ssl-opt.sh tests/opt-testcases/*.sh
}
component_check_doxygen_warnings () {
@@ -2532,13 +2538,42 @@
component_build_mbedtls_config_file () {
msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
- # Use the full config so as to catch a maximum of places where
- # the check of MBEDTLS_CONFIG_FILE might be missing.
- scripts/config.py full
- sed 's!"check_config.h"!"mbedtls/check_config.h"!' <"$CONFIG_H" >full_config.h
+ scripts/config.py -w full_config.h full
echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
- rm -f full_config.h
+ # Make sure this feature is enabled. We'll disable it in the next phase.
+ programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
+ make clean
+
+ msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE"
+ # In the user config, disable one feature (for simplicity, pick a feature
+ # that nothing else depends on).
+ echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
+ make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'"
+ not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
+
+ rm -f user_config.h full_config.h
+}
+
+component_build_psa_config_file () {
+ msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ cp "$CRYPTO_CONFIG_H" psa_test_config.h
+ echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H"
+ make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'"
+ # Make sure this feature is enabled. We'll disable it in the next phase.
+ programs/test/query_compile_time_config MBEDTLS_CMAC_C
+ make clean
+
+ msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
+ # In the user config, disable one feature, which will reflect on the
+ # mbedtls configuration so we can query it with query_compile_time_config.
+ echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
+ scripts/config.py unset MBEDTLS_CMAC_C
+ make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
+ not programs/test/query_compile_time_config MBEDTLS_CMAC_C
+
+ rm -f psa_test_config.h psa_user_config.h
}
component_test_m32_o0 () {
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
index ca94d7d..492810b 100755
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@@ -145,7 +145,7 @@
"""
hack_dependencies_not_implemented(dependencies)
tc = test_case.TestCase()
- short_key_type = re.sub(r'PSA_(KEY_TYPE|ECC_FAMILY)_', r'', key_type)
+ short_key_type = crypto_knowledge.short_expression(key_type)
adverb = 'not' if dependencies else 'never'
if param_descr:
adverb = param_descr + ' ' + adverb
@@ -206,7 +206,7 @@
continue
# For public key we expect that key generation fails with
# INVALID_ARGUMENT. It is handled by KeyGenerate class.
- if not kt.name.endswith('_PUBLIC_KEY'):
+ if not kt.is_public():
yield test_case_for_key_type_not_supported(
'generate', kt.expression, bits,
finish_family_dependencies(generate_dependencies, bits),
@@ -243,7 +243,7 @@
"""
hack_dependencies_not_implemented(dependencies)
tc = test_case.TestCase()
- short_key_type = re.sub(r'PSA_(KEY_TYPE|ECC_FAMILY)_', r'', key_type)
+ short_key_type = crypto_knowledge.short_expression(key_type)
tc.set_description('PSA {} {}-bit'
.format(short_key_type, bits))
tc.set_dependencies(dependencies)
@@ -335,7 +335,7 @@
"""Construct a failure test case for a one-key or keyless operation."""
#pylint: disable=too-many-arguments,too-many-locals
tc = test_case.TestCase()
- pretty_alg = re.sub(r'PSA_ALG_', r'', alg.expression)
+ pretty_alg = alg.short_expression()
if reason == self.Reason.NOT_SUPPORTED:
short_deps = [re.sub(r'PSA_WANT_ALG_', r'', dep)
for dep in not_deps]
@@ -344,7 +344,7 @@
pretty_reason = reason.name.lower()
if kt:
key_type = kt.expression
- pretty_type = re.sub(r'PSA_KEY_TYPE_', r'', key_type)
+ pretty_type = kt.short_expression()
else:
key_type = ''
pretty_type = ''
@@ -456,7 +456,7 @@
def __init__(
self,
- usage: str,
+ usage: Iterable[str],
without_implicit_usage: Optional[bool] = False,
**kwargs
) -> None:
@@ -465,13 +465,16 @@
* `usage` : The usage flags used for the key.
* `without_implicit_usage`: Flag to defide to apply the usage extension
"""
- super().__init__(usage=usage, **kwargs)
-
+ usage_flags = set(usage)
if not without_implicit_usage:
- for flag, implicit in self.IMPLICIT_USAGE_FLAGS.items():
- if self.usage.value() & psa_storage.Expr(flag).value() and \
- self.usage.value() & psa_storage.Expr(implicit).value() == 0:
- self.usage = psa_storage.Expr(self.usage.string + ' | ' + implicit)
+ for flag in sorted(usage_flags):
+ if flag in self.IMPLICIT_USAGE_FLAGS:
+ usage_flags.add(self.IMPLICIT_USAGE_FLAGS[flag])
+ if usage_flags:
+ usage_expression = ' | '.join(sorted(usage_flags))
+ else:
+ usage_expression = '0'
+ super().__init__(usage=usage_expression, **kwargs)
class StorageTestData(StorageKey):
"""Representation of test case data for storage format testing."""
@@ -479,7 +482,7 @@
def __init__(
self,
description: str,
- expected_usage: Optional[str] = None,
+ expected_usage: Optional[List[str]] = None,
**kwargs
) -> None:
"""Prepare to generate test data
@@ -491,7 +494,12 @@
"""
super().__init__(**kwargs)
self.description = description #type: str
- self.expected_usage = expected_usage if expected_usage else self.usage.string #type: str
+ if expected_usage is None:
+ self.expected_usage = self.usage #type: psa_storage.Expr
+ elif expected_usage:
+ self.expected_usage = psa_storage.Expr(' | '.join(expected_usage))
+ else:
+ self.expected_usage = psa_storage.Expr(0)
class StorageFormat:
"""Storage format stability test cases."""
@@ -510,6 +518,47 @@
self.version = version #type: int
self.forward = forward #type: bool
+ RSA_OAEP_RE = re.compile(r'PSA_ALG_RSA_OAEP\((.*)\)\Z')
+ BRAINPOOL_RE = re.compile(r'PSA_KEY_TYPE_\w+\(PSA_ECC_FAMILY_BRAINPOOL_\w+\)\Z')
+ @classmethod
+ def exercise_key_with_algorithm(
+ cls,
+ key_type: psa_storage.Expr, bits: int,
+ alg: psa_storage.Expr
+ ) -> bool:
+ """Whether to the given key with the given algorithm.
+
+ Normally only the type and algorithm matter for compatibility, and
+ this is handled in crypto_knowledge.KeyType.can_do(). This function
+ exists to detect exceptional cases. Exceptional cases detected here
+ are not tested in OpFail and should therefore have manually written
+ test cases.
+ """
+ # Some test keys have the RAW_DATA type and attributes that don't
+ # necessarily make sense. We do this to validate numerical
+ # encodings of the attributes.
+ # Raw data keys have no useful exercise anyway so there is no
+ # loss of test coverage.
+ if key_type.string == 'PSA_KEY_TYPE_RAW_DATA':
+ return False
+ # OAEP requires room for two hashes plus wrapping
+ m = cls.RSA_OAEP_RE.match(alg.string)
+ if m:
+ hash_alg = m.group(1)
+ hash_length = crypto_knowledge.Algorithm.hash_length(hash_alg)
+ key_length = (bits + 7) // 8
+ # Leave enough room for at least one byte of plaintext
+ return key_length > 2 * hash_length + 2
+ # There's nothing wrong with ECC keys on Brainpool curves,
+ # but operations with them are very slow. So we only exercise them
+ # with a single algorithm, not with all possible hashes. We do
+ # exercise other curves with all algorithms so test coverage is
+ # perfectly adequate like this.
+ m = cls.BRAINPOOL_RE.match(key_type.string)
+ if m and alg.string != 'PSA_ALG_ECDSA_ANY':
+ return False
+ return True
+
def make_test_case(self, key: StorageTestData) -> test_case.TestCase:
"""Construct a storage format test case for the given key.
@@ -521,10 +570,10 @@
"""
verb = 'save' if self.forward else 'read'
tc = test_case.TestCase()
- tc.set_description('PSA storage {}: {}'.format(verb, key.description))
+ tc.set_description(verb + ' ' + key.description)
dependencies = automatic_dependencies(
key.lifetime.string, key.type.string,
- key.expected_usage, key.alg.string, key.alg2.string,
+ key.alg.string, key.alg2.string,
)
dependencies = finish_family_dependencies(dependencies, key.bits)
tc.set_dependencies(dependencies)
@@ -533,19 +582,15 @@
extra_arguments = []
else:
flags = []
- # Some test keys have the RAW_DATA type and attributes that don't
- # necessarily make sense. We do this to validate numerical
- # encodings of the attributes.
- # Raw data keys have no useful exercise anyway so there is no
- # loss of test coverage.
- if key.type.string != 'PSA_KEY_TYPE_RAW_DATA':
+ if self.exercise_key_with_algorithm(key.type, key.bits, key.alg):
flags.append('TEST_FLAG_EXERCISE')
if 'READ_ONLY' in key.lifetime.string:
flags.append('TEST_FLAG_READ_ONLY')
extra_arguments = [' | '.join(flags) if flags else '0']
tc.set_arguments([key.lifetime.string,
key.type.string, str(key.bits),
- key.expected_usage, key.alg.string, key.alg2.string,
+ key.expected_usage.string,
+ key.alg.string, key.alg2.string,
'"' + key.material.hex() + '"',
'"' + key.hex() + '"',
*extra_arguments])
@@ -559,12 +604,12 @@
short = lifetime
short = re.sub(r'PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION',
r'', short)
- short = re.sub(r'PSA_KEY_[A-Z]+_', r'', short)
+ short = crypto_knowledge.short_expression(short)
description = 'lifetime: ' + short
key = StorageTestData(version=self.version,
id=1, lifetime=lifetime,
type='PSA_KEY_TYPE_RAW_DATA', bits=8,
- usage='PSA_KEY_USAGE_EXPORT', alg=0, alg2=0,
+ usage=['PSA_KEY_USAGE_EXPORT'], alg=0, alg2=0,
material=b'L',
description=description)
return key
@@ -590,19 +635,21 @@
test_implicit_usage: Optional[bool] = True
) -> StorageTestData:
"""Construct a test key for the given key usage."""
- usage = ' | '.join(usage_flags) if usage_flags else '0'
- if short is None:
- short = re.sub(r'\bPSA_KEY_USAGE_', r'', usage)
extra_desc = ' without implication' if test_implicit_usage else ''
- description = 'usage' + extra_desc + ': ' + short
+ description = 'usage' + extra_desc + ': '
key1 = StorageTestData(version=self.version,
id=1, lifetime=0x00000001,
type='PSA_KEY_TYPE_RAW_DATA', bits=8,
- expected_usage=usage,
+ expected_usage=usage_flags,
without_implicit_usage=not test_implicit_usage,
- usage=usage, alg=0, alg2=0,
+ usage=usage_flags, alg=0, alg2=0,
material=b'K',
description=description)
+ if short is None:
+ usage_expr = key1.expected_usage.string
+ key1.description += crypto_knowledge.short_expression(usage_expr)
+ else:
+ key1.description += short
return key1
def generate_keys_for_usage_flags(self, **kwargs) -> Iterator[StorageTestData]:
@@ -623,49 +670,70 @@
yield from self.generate_keys_for_usage_flags()
yield from self.generate_key_for_all_usage_flags()
+ def key_for_type_and_alg(
+ self,
+ kt: crypto_knowledge.KeyType,
+ bits: int,
+ alg: Optional[crypto_knowledge.Algorithm] = None,
+ ) -> StorageTestData:
+ """Construct a test key of the given type.
+
+ If alg is not None, this key allows it.
+ """
+ usage_flags = ['PSA_KEY_USAGE_EXPORT']
+ alg1 = 0 #type: psa_storage.Exprable
+ alg2 = 0
+ if alg is not None:
+ alg1 = alg.expression
+ usage_flags += alg.usage_flags(public=kt.is_public())
+ key_material = kt.key_material(bits)
+ description = 'type: {} {}-bit'.format(kt.short_expression(1), bits)
+ if alg is not None:
+ description += ', ' + alg.short_expression(1)
+ key = StorageTestData(version=self.version,
+ id=1, lifetime=0x00000001,
+ type=kt.expression, bits=bits,
+ usage=usage_flags, alg=alg1, alg2=alg2,
+ material=key_material,
+ description=description)
+ return key
+
def keys_for_type(
self,
key_type: str,
- params: Optional[Iterable[str]] = None
+ all_algorithms: List[crypto_knowledge.Algorithm],
) -> Iterator[StorageTestData]:
- """Generate test keys for the given key type.
-
- For key types that depend on a parameter (e.g. elliptic curve family),
- `param` is the parameter to pass to the constructor. Only a single
- parameter is supported.
- """
- kt = crypto_knowledge.KeyType(key_type, params)
+ """Generate test keys for the given key type."""
+ kt = crypto_knowledge.KeyType(key_type)
for bits in kt.sizes_to_test():
- usage_flags = 'PSA_KEY_USAGE_EXPORT'
- alg = 0
- alg2 = 0
- key_material = kt.key_material(bits)
- short_expression = re.sub(r'\bPSA_(?:KEY_TYPE|ECC_FAMILY)_',
- r'',
- kt.expression)
- description = 'type: {} {}-bit'.format(short_expression, bits)
- key = StorageTestData(version=self.version,
- id=1, lifetime=0x00000001,
- type=kt.expression, bits=bits,
- usage=usage_flags, alg=alg, alg2=alg2,
- material=key_material,
- description=description)
- yield key
+ # Test a non-exercisable key, as well as exercisable keys for
+ # each compatible algorithm.
+ # To do: test reading a key from storage with an incompatible
+ # or unsupported algorithm.
+ yield self.key_for_type_and_alg(kt, bits)
+ compatible_algorithms = [alg for alg in all_algorithms
+ if kt.can_do(alg)]
+ for alg in compatible_algorithms:
+ yield self.key_for_type_and_alg(kt, bits, alg)
def all_keys_for_types(self) -> Iterator[StorageTestData]:
"""Generate test keys covering key types and their representations."""
key_types = sorted(self.constructors.key_types)
+ all_algorithms = [crypto_knowledge.Algorithm(alg)
+ for alg in self.constructors.generate_expressions(
+ sorted(self.constructors.algorithms)
+ )]
for key_type in self.constructors.generate_expressions(key_types):
- yield from self.keys_for_type(key_type)
+ yield from self.keys_for_type(key_type, all_algorithms)
def keys_for_algorithm(self, alg: str) -> Iterator[StorageTestData]:
- """Generate test keys for the specified algorithm."""
- # For now, we don't have information on the compatibility of key
- # types and algorithms. So we just test the encoding of algorithms,
- # and not that operations can be performed with them.
- descr = re.sub(r'PSA_ALG_', r'', alg)
- descr = re.sub(r',', r', ', re.sub(r' +', r'', descr))
- usage = 'PSA_KEY_USAGE_EXPORT'
+ """Generate test keys for the encoding of the specified algorithm."""
+ # These test cases only validate the encoding of algorithms, not
+ # whether the key read from storage is suitable for an operation.
+ # `keys_for_types` generate read tests with an algorithm and a
+ # compatible key.
+ descr = crypto_knowledge.short_expression(alg, 1)
+ usage = ['PSA_KEY_USAGE_EXPORT']
key1 = StorageTestData(version=self.version,
id=1, lifetime=0x00000001,
type='PSA_KEY_TYPE_RAW_DATA', bits=8,
@@ -738,17 +806,14 @@
"""
bits = key_type.sizes_to_test()[0]
implicit_usage = StorageKey.IMPLICIT_USAGE_FLAGS[implyer_usage]
- usage_flags = 'PSA_KEY_USAGE_EXPORT'
- material_usage_flags = usage_flags + ' | ' + implyer_usage
- expected_usage_flags = material_usage_flags + ' | ' + implicit_usage
+ usage_flags = ['PSA_KEY_USAGE_EXPORT']
+ material_usage_flags = usage_flags + [implyer_usage]
+ expected_usage_flags = material_usage_flags + [implicit_usage]
alg2 = 0
key_material = key_type.key_material(bits)
- usage_expression = re.sub(r'PSA_KEY_USAGE_', r'', implyer_usage)
- alg_expression = re.sub(r'PSA_ALG_', r'', alg)
- alg_expression = re.sub(r',', r', ', re.sub(r' +', r'', alg_expression))
- key_type_expression = re.sub(r'\bPSA_(?:KEY_TYPE|ECC_FAMILY)_',
- r'',
- key_type.expression)
+ usage_expression = crypto_knowledge.short_expression(implyer_usage, 1)
+ alg_expression = crypto_knowledge.short_expression(alg, 1)
+ key_type_expression = key_type.short_expression(1)
description = 'implied by {}: {} {} {}-bit'.format(
usage_expression, alg_expression, key_type_expression, bits)
key = StorageTestData(version=self.version,
@@ -822,8 +887,10 @@
for key_type in sorted(alg_with_keys[alg]):
# The key types must be filtered to fit the specific usage flag.
kt = crypto_knowledge.KeyType(key_type)
- if kt.is_valid_for_signature(usage):
- yield self.keys_for_implicit_usage(usage, alg, kt)
+ if kt.is_public() and '_SIGN_' in usage:
+ # Can't sign with a public key
+ continue
+ yield self.keys_for_implicit_usage(usage, alg, kt)
def generate_all_keys(self) -> Iterator[StorageTestData]:
yield from super().generate_all_keys()
diff --git a/tests/scripts/test_psa_constant_names.py b/tests/scripts/test_psa_constant_names.py
index 07c8ab2..e43a0ba 100755
--- a/tests/scripts/test_psa_constant_names.py
+++ b/tests/scripts/test_psa_constant_names.py
@@ -77,6 +77,22 @@
"""
return re.sub(NORMALIZE_STRIP_RE, '', expr)
+ALG_TRUNCATED_TO_SELF_RE = \
+ re.compile(r'PSA_ALG_AEAD_WITH_SHORTENED_TAG\('
+ r'PSA_ALG_(?:CCM|CHACHA20_POLY1305|GCM)'
+ r', *16\)\Z')
+
+def is_simplifiable(expr: str) -> bool:
+ """Determine whether an expression is simplifiable.
+
+ Simplifiable expressions can't be output in their input form, since
+ the output will be the simple form. Therefore they must be excluded
+ from testing.
+ """
+ if ALG_TRUNCATED_TO_SELF_RE.match(expr):
+ return True
+ return False
+
def collect_values(inputs: InputsForTest,
type_word: str,
include_path: Optional[str] = None,
@@ -87,7 +103,9 @@
value is a string representation of its integer value.
"""
names = inputs.get_names(type_word)
- expressions = sorted(inputs.generate_expressions(names))
+ expressions = sorted(expr
+ for expr in inputs.generate_expressions(names)
+ if not is_simplifiable(expr))
values = run_c(type_word, expressions,
include_path=include_path, keep_c=keep_c)
return expressions, values
diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c
index 71a1b78..9576afd 100644
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@@ -164,20 +164,29 @@
psa_algorithm_t alg )
{
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
- unsigned char iv[16] = {0};
- size_t iv_length = sizeof( iv );
+ unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = {0};
+ size_t iv_length;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
const unsigned char plaintext[16] = "Hello, world...";
unsigned char ciphertext[32] = "(wabblewebblewibblewobblewubble)";
size_t ciphertext_length = sizeof( ciphertext );
unsigned char decrypted[sizeof( ciphertext )];
size_t part_length;
+ PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
+ key_type = psa_get_key_type( &attributes );
+ iv_length = PSA_CIPHER_IV_LENGTH( key_type, alg );
+
if( usage & PSA_KEY_USAGE_ENCRYPT )
{
PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
- PSA_ASSERT( psa_cipher_generate_iv( &operation,
- iv, sizeof( iv ),
- &iv_length ) );
+ if( iv_length != 0 )
+ {
+ PSA_ASSERT( psa_cipher_generate_iv( &operation,
+ iv, sizeof( iv ),
+ &iv_length ) );
+ }
PSA_ASSERT( psa_cipher_update( &operation,
plaintext, sizeof( plaintext ),
ciphertext, sizeof( ciphertext ),
@@ -195,18 +204,14 @@
int maybe_invalid_padding = 0;
if( ! ( usage & PSA_KEY_USAGE_ENCRYPT ) )
{
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
- /* This should be PSA_CIPHER_GET_IV_SIZE but the API doesn't
- * have this macro yet. */
- iv_length = PSA_BLOCK_CIPHER_BLOCK_LENGTH(
- psa_get_key_type( &attributes ) );
maybe_invalid_padding = ! PSA_ALG_IS_STREAM_CIPHER( alg );
- psa_reset_key_attributes( &attributes );
}
PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) );
- PSA_ASSERT( psa_cipher_set_iv( &operation,
- iv, iv_length ) );
+ if( iv_length != 0 )
+ {
+ PSA_ASSERT( psa_cipher_set_iv( &operation,
+ iv, iv_length ) );
+ }
PSA_ASSERT( psa_cipher_update( &operation,
ciphertext, ciphertext_length,
decrypted, sizeof( decrypted ),
@@ -229,6 +234,7 @@
exit:
psa_cipher_abort( &operation );
+ psa_reset_key_attributes( &attributes );
return( 0 );
}
@@ -236,8 +242,10 @@
psa_key_usage_t usage,
psa_algorithm_t alg )
{
- unsigned char nonce[16] = {0};
- size_t nonce_length = sizeof( nonce );
+ unsigned char nonce[PSA_AEAD_NONCE_MAX_SIZE] = {0};
+ size_t nonce_length;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
unsigned char plaintext[16] = "Hello, world...";
unsigned char ciphertext[48] = "(wabblewebblewibblewobblewubble)";
size_t ciphertext_length = sizeof( ciphertext );
@@ -249,19 +257,9 @@
alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, PSA_ALG_AEAD_GET_TAG_LENGTH( alg ) );
}
- /* Default IV length for AES-GCM is 12 bytes */
- if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ==
- PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ) )
- {
- nonce_length = 12;
- }
-
- /* IV length for CCM needs to be between 7 and 13 bytes */
- if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ==
- PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ) )
- {
- nonce_length = 12;
- }
+ PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
+ key_type = psa_get_key_type( &attributes );
+ nonce_length = PSA_AEAD_NONCE_LENGTH( key_type, alg );
if( usage & PSA_KEY_USAGE_ENCRYPT )
{
@@ -291,9 +289,21 @@
return( 1 );
exit:
+ psa_reset_key_attributes( &attributes );
return( 0 );
}
+static int can_sign_or_verify_message( psa_key_usage_t usage,
+ psa_algorithm_t alg )
+{
+ /* Sign-the-unspecified-hash algorithms can only be used with
+ * {sign,verify}_hash, not with {sign,verify}_message. */
+ if( alg == PSA_ALG_ECDSA_ANY || alg == PSA_ALG_RSA_PKCS1V15_SIGN_RAW )
+ return( 0 );
+ return( usage & ( PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_VERIFY_MESSAGE ) );
+}
+
static int exercise_signature_key( mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
psa_algorithm_t alg )
@@ -344,7 +354,7 @@
}
}
- if( usage & ( PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE ) )
+ if( can_sign_or_verify_message( usage, alg ) )
{
unsigned char message[256] = "Hello, world...";
unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = {0};
@@ -613,15 +623,39 @@
psa_algorithm_t alg )
{
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ unsigned char input[1];
unsigned char output[1];
int ok = 0;
+ psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg );
if( usage & PSA_KEY_USAGE_DERIVE )
{
/* We need two keys to exercise key agreement. Exercise the
* private key against its own public key. */
PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
+ if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
+ PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
+ {
+ PSA_ASSERT( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_SEED,
+ input, sizeof( input ) ) );
+ }
+
PSA_ASSERT( mbedtls_test_psa_key_agreement_with_self( &operation, key ) );
+
+ if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
+ PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
+ {
+ PSA_ASSERT( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_LABEL,
+ input, sizeof( input ) ) );
+ }
+ else if( PSA_ALG_IS_HKDF( kdf_alg ) )
+ {
+ PSA_ASSERT( psa_key_derivation_input_bytes(
+ &operation, PSA_KEY_DERIVATION_INPUT_INFO,
+ input, sizeof( input ) ) );
+ }
PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
output,
sizeof( output ) ) );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 0a61c19..07ad1b3 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -6454,6 +6454,186 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque rsa-psk on client, no callback" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque RSA-PSK"\
+ -S "skip PMS generation for opaque RSA-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque RSA-PSK"\
+ -S "skip PMS generation for opaque RSA-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque RSA-PSK"\
+ -S "skip PMS generation for opaque RSA-PSK"\
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque RSA-PSK"\
+ -S "skip PMS generation for opaque RSA-PSK"\
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque ECDHE-PSK"\
+ -S "skip PMS generation for opaque ECDHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque ECDHE-PSK"\
+ -S "skip PMS generation for opaque ECDHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque ECDHE-PSK"\
+ -S "skip PMS generation for opaque ECDHE-PSK"\
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque ECDHE-PSK"\
+ -S "skip PMS generation for opaque ECDHE-PSK"\
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque dhe-psk on client, no callback" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque DHE-PSK"\
+ -S "skip PMS generation for opaque DHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque DHE-PSK"\
+ -S "skip PMS generation for opaque DHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque DHE-PSK"\
+ -S "skip PMS generation for opaque DHE-PSK"\
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 psk_opaque=1" \
+ 0 \
+ -c "skip PMS generation for opaque DHE-PSK"\
+ -S "skip PMS generation for opaque DHE-PSK"\
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -6516,6 +6696,192 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123" \
+ 0 \
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123" \
+ 0 \
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \
+ "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123 extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \
+ "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123" \
+ 0 \
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123" \
+ 0 \
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS" \
+ "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123 extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
+ "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123" \
+ 0 \
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123" \
+ 0 \
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS" \
+ "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=foo psk=abc123 extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
+ "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=foo psk=abc123 extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -6578,6 +6944,192 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback" \
+ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=def psk=beef" \
+ 0 \
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=def psk=beef" \
+ 0 \
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS" \
+ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=abc psk=dead extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS, SHA384" \
+ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=abc psk=dead extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque RSA-PSK"\
+ -s "skip PMS generation for opaque RSA-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback" \
+ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=def psk=beef" \
+ 0 \
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=def psk=beef" \
+ 0 \
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS" \
+ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=abc psk=dead extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS, SHA384" \
+ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=abc psk=dead extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque ECDHE-PSK"\
+ -s "skip PMS generation for opaque ECDHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback" \
+ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=def psk=beef" \
+ 0 \
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, SHA-384" \
+ "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=def psk=beef" \
+ 0 \
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -C "session hash for extended master secret"\
+ -S "session hash for extended master secret"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS" \
+ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
+ psk_identity=abc psk=dead extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS, SHA384" \
+ "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
+ force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
+ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
+ psk_identity=abc psk=dead extended_ms=1" \
+ 0 \
+ -c "session hash for extended master secret"\
+ -s "session hash for extended master secret"\
+ -C "skip PMS generation for opaque DHE-PSK"\
+ -s "skip PMS generation for opaque DHE-PSK"\
+ -S "SSL - The handshake negotiation failed" \
+ -S "SSL - Unknown identity received" \
+ -S "SSL - Verification of the message MAC failed"
+
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -9975,7 +10527,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_ALPN
-requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "TLS 1.3: alpn - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -alpn h2" \
"$P_CLI debug_level=3 alpn=h2" \
@@ -10011,7 +10562,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_ALPN
-requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "TLS 1.3: alpn - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert --alpn=h2" \
"$P_CLI debug_level=3 alpn=h2" \
@@ -10411,6 +10961,279 @@
-c "signature algorithm not in received or offered list." \
-C "unkown pk type"
+# Test using an opaque private key for client authentication
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \
+ "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
+ "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \
+ key_file=data_files/cli2.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
+ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \
+ key_file=data_files/ecdsa_secp256r1.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
+ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \
+ key_file=data_files/ecdsa_secp256r1.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
+ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \
+ key_file=data_files/ecdsa_secp384r1.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
+ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \
+ key_file=data_files/ecdsa_secp384r1.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
+ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \
+ key_file=data_files/ecdsa_secp521r1.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
+ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
+ key_file=data_files/ecdsa_secp521r1.key key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
+ "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \
+ key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
+ "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
+ "$P_CLI debug_level=4 force_version=tls13 crt_file=data_files/cert_sha256.crt \
+ key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
+ "$P_CLI debug_level=3 force_version=tls13 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
+ "$P_CLI debug_level=4 force_version=tls13 crt_file=data_files/cert_sha256.crt \
+ key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
+ "$P_CLI debug_level=3 force_version=tls13 crt_file=data_files/server2-sha256.crt \
+ key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
+ 0 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \
+ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
+ -sigalgs ecdsa_secp256r1_sha256" \
+ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
+ key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
+ 1 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "signature algorithm not in received or offered list." \
+ -C "unkown pk type"
+
+requires_gnutls_tls1_3
+requires_gnutls_next_no_ticket
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \
+ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \
+ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
+ key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
+ 1 \
+ -c "got a certificate request" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
+ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
+ -c "signature algorithm not in received or offered list." \
+ -C "unkown pk type"
+
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
diff --git a/tests/suites/test_suite_asn1write.data b/tests/suites/test_suite_asn1write.data
index 7f5f536..f844d48 100644
--- a/tests/suites/test_suite_asn1write.data
+++ b/tests/suites/test_suite_asn1write.data
@@ -374,10 +374,13 @@
store_named_data_val_found:4:9
Store named data: new, val_len=0
-store_named_data_val_new:0
+store_named_data_val_new:0:1
+
+Stored named data: new, val_len=0, val=NULL
+store_named_data_val_new:0:0
Store named data: new, val_len=4
-store_named_data_val_new:4
+store_named_data_val_new:4:1
Store named data: new, val_len=4, val=NULL
-store_named_data_val_new:-4
+store_named_data_val_new:4:0
diff --git a/tests/suites/test_suite_asn1write.function b/tests/suites/test_suite_asn1write.function
index 103a024..8d5579d 100644
--- a/tests/suites/test_suite_asn1write.function
+++ b/tests/suites/test_suite_asn1write.function
@@ -431,7 +431,7 @@
/* END_CASE */
/* BEGIN_CASE */
-void store_named_data_val_new( int new_len )
+void store_named_data_val_new( int new_len, int set_new_val )
{
mbedtls_asn1_named_data *head = NULL;
mbedtls_asn1_named_data *found = NULL;
@@ -439,10 +439,8 @@
size_t oid_len = strlen( (const char *) oid );
const unsigned char *new_val = (unsigned char *) "new value";
- if( new_len <= 0 )
+ if( set_new_val == 0 )
new_val = NULL;
- if( new_len < 0 )
- new_len = - new_len;
found = mbedtls_asn1_store_named_data( &head,
(const char *) oid, oid_len,
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index 306cfd7..a0844ea 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -185,12 +185,8 @@
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C
pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:128:0
-Verify ext RSA #5 using PSA (PKCS1 v2.1, wrong salt_len)
-depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:MBEDTLS_USE_PSA_CRYPTO
-pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_VERIFY_FAILED
-
Verify ext RSA #5 (PKCS1 v2.1, wrong salt_len)
-depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:!MBEDTLS_USE_PSA_CRYPTO
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C
pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_INVALID_PADDING
Verify ext RSA #6 (PKCS1 v2.1, MGF1 alg != MSG hash alg)
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 8fd5367..32c2644 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -487,6 +487,7 @@
mbedtls_pk_rsassa_pss_options pss_opts;
void *options;
size_t hash_len;
+ int ret;
USE_PSA_INIT( );
mbedtls_pk_init( &pk );
@@ -526,9 +527,29 @@
pss_opts.expected_salt_len = salt_len;
}
- TEST_ASSERT( mbedtls_pk_verify_ext( pk_type, options, &pk,
- digest, hash_result, hash_len,
- result_str->x, sig_len ) == result );
+ ret = mbedtls_pk_verify_ext( pk_type, options, &pk,
+ digest, hash_result, hash_len,
+ result_str->x, sig_len );
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( result == MBEDTLS_ERR_RSA_INVALID_PADDING )
+ {
+ /* Mbed TLS distinguishes "invalid padding" from "valid padding but
+ * the rest of the signature is invalid". This has little use in
+ * practice and PSA doesn't report this distinction.
+ * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated
+ * to MBEDTLS_ERR_RSA_VERIFY_FAILED.
+ * However, currently `mbedtls_pk_verify_ext()` may use either the
+ * PSA or the Mbed TLS API, depending on the PSS options used.
+ * So, it may return either INVALID_PADDING or INVALID_SIGNATURE.
+ */
+ TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ }
+ else
+#endif
+ {
+ TEST_EQUAL( ret, result );
+ }
exit:
mbedtls_pk_free( &pk );
@@ -1059,6 +1080,7 @@
unsigned char pkey_legacy[200];
unsigned char pkey_psa[200];
unsigned char *pkey_legacy_start, *pkey_psa_start;
+ psa_algorithm_t alg_psa;
size_t sig_len, klen_legacy, klen_psa;
int ret;
mbedtls_svc_key_id_t key_id;
@@ -1086,6 +1108,7 @@
TEST_ASSERT( mbedtls_rsa_gen_key( mbedtls_pk_rsa( pk ),
mbedtls_test_rnd_std_rand, NULL,
parameter_arg, 3 ) == 0 );
+ alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 );
}
else
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
@@ -1101,6 +1124,7 @@
TEST_ASSERT( mbedtls_ecp_gen_key( grpid,
(mbedtls_ecp_keypair*) pk.pk_ctx,
mbedtls_test_rnd_std_rand, NULL ) == 0 );
+ alg_psa = PSA_ALG_ECDSA( PSA_ALG_SHA_256 );
}
else
#endif /* MBEDTLS_ECDSA_C */
@@ -1118,8 +1142,9 @@
pkey_legacy_start = pkey_legacy + sizeof( pkey_legacy ) - klen_legacy;
/* Turn PK context into an opaque one. */
- TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &pk, &key_id,
- PSA_ALG_SHA_256 ) == 0 );
+ TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &pk, &key_id, alg_psa,
+ PSA_KEY_USAGE_SIGN_HASH,
+ PSA_ALG_NONE ) == 0 );
PSA_ASSERT( psa_get_key_attributes( key_id, &attributes ) );
TEST_EQUAL( psa_get_key_type( &attributes ), expected_type );
@@ -1220,6 +1245,7 @@
unsigned char *pkey_start;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg );
+ psa_algorithm_t psa_alg;
size_t hash_len = PSA_HASH_LENGTH( psa_md_alg );
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
void const *options = NULL;
@@ -1245,8 +1271,17 @@
/* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
pkey_start = pkey + sizeof( pkey ) - pkey_len;
+ if( key_pk_type == MBEDTLS_PK_RSA )
+ psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN( psa_md_alg );
+ else if( key_pk_type == MBEDTLS_PK_RSASSA_PSS )
+ psa_alg = PSA_ALG_RSA_PSS( psa_md_alg );
+ else
+ TEST_ASSUME( ! "PK key type not supported in this configuration" );
+
/* Turn PK context into an opaque one. */
- TEST_EQUAL( mbedtls_pk_wrap_as_opaque( &pk, &key_id, psa_md_alg ), 0 );
+ TEST_EQUAL( mbedtls_pk_wrap_as_opaque( &pk, &key_id, psa_alg,
+ PSA_KEY_USAGE_SIGN_HASH,
+ PSA_ALG_NONE ), 0 );
memset( hash, 0x2a, sizeof( hash ) );
memset( sig, 0, sizeof( sig ) );
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 5939b39..14343aa 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -2109,23 +2109,23 @@
PSA symmetric encrypt: AES-ECB, 0 bytes, good
depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
-cipher_encrypt_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":""
+cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":""
PSA symmetric encrypt: AES-ECB, 16 bytes, good
depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
-cipher_encrypt_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a":"3ad77bb40d7a3660a89ecaf32466ef97"
+cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a":"3ad77bb40d7a3660a89ecaf32466ef97"
PSA symmetric encrypt: AES-ECB, 32 bytes, good
depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
-cipher_encrypt_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a3ad77bb40d7a3660a89ecaf32466ef97":"3ad77bb40d7a3660a89ecaf32466ef972249a2638c6f1c755a84f9681a9f08c1"
+cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a3ad77bb40d7a3660a89ecaf32466ef97":"3ad77bb40d7a3660a89ecaf32466ef972249a2638c6f1c755a84f9681a9f08c1"
PSA symmetric encrypt: 2-key 3DES-ECB, 8 bytes, good
depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES
-cipher_encrypt_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce":"c78e2b38139610e3":"5d0652429c5b0ac7"
+cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce":"c78e2b38139610e3":"5d0652429c5b0ac7"
PSA symmetric encrypt: 3-key 3DES-ECB, 8 bytes, good
depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES
-cipher_encrypt_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"c78e2b38139610e3":"817ca7d69b80d86a"
+cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"c78e2b38139610e3":"817ca7d69b80d86a"
PSA symmetric encrypt validation: AES-CBC-nopad, 16 bytes, good
depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index ea0d5c4..6cd6bee 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -3304,72 +3304,117 @@
/* END_CASE */
/* BEGIN_CASE */
-void cipher_encrypt_alg_without_iv( int alg_arg,
- int key_type_arg,
- data_t *key_data,
- data_t *input,
- data_t *expected_output )
+void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data,
+ data_t *plaintext, data_t *ciphertext )
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_type_t key_type = key_type_arg;
psa_algorithm_t alg = alg_arg;
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
uint8_t iv[1] = { 0x5a };
- size_t iv_length;
unsigned char *output = NULL;
size_t output_buffer_size = 0;
- size_t output_length = 0;
+ size_t output_length, length;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
PSA_ASSERT( psa_crypto_init( ) );
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
+ /* Validate size macros */
+ TEST_ASSERT( ciphertext->len <=
+ PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, plaintext->len ) );
+ TEST_ASSERT( PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, plaintext->len ) <=
+ PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( plaintext->len ) );
+ TEST_ASSERT( plaintext->len <=
+ PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, ciphertext->len ) );
+ TEST_ASSERT( PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, ciphertext->len ) <=
+ PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( ciphertext->len ) );
+
+
+ /* Set up key and output buffer */
+ psa_set_key_usage_flags( &attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, key_type );
-
- output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len );
- ASSERT_ALLOC( output, output_buffer_size );
-
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&key ) );
+ output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg,
+ plaintext->len );
+ ASSERT_ALLOC( output, output_buffer_size );
+ /* set_iv() is not allowed */
PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ),
PSA_ERROR_BAD_STATE );
- PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
- TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ),
- &iv_length ),
+ PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) );
+ TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ),
PSA_ERROR_BAD_STATE );
- /* Encrypt, one-shot */
- PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output,
- output_buffer_size, &output_length ) );
- TEST_ASSERT( output_length <=
- PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ) );
- TEST_ASSERT( output_length <=
- PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) );
+ /* generate_iv() is not allowed */
+ PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
+ TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ),
+ &length ),
+ PSA_ERROR_BAD_STATE );
+ PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) );
+ TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ),
+ &length ),
+ PSA_ERROR_BAD_STATE );
- ASSERT_COMPARE( expected_output->x, expected_output->len,
+ /* Multipart encryption */
+ PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
+ output_length = 0;
+ length = ~0;
+ PSA_ASSERT( psa_cipher_update( &operation,
+ plaintext->x, plaintext->len,
+ output, output_buffer_size,
+ &length ) );
+ TEST_ASSERT( length <= output_buffer_size );
+ output_length += length;
+ PSA_ASSERT( psa_cipher_finish( &operation,
+ output + output_length,
+ output_buffer_size - output_length,
+ &length ) );
+ output_length += length;
+ ASSERT_COMPARE( ciphertext->x, ciphertext->len,
output, output_length );
- /* Encrypt, multi-part */
- PSA_ASSERT( psa_cipher_abort( &operation ) );
- PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
-
- PSA_ASSERT( psa_cipher_update( &operation, input->x, input->len,
+ /* Multipart encryption */
+ PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) );
+ output_length = 0;
+ length = ~0;
+ PSA_ASSERT( psa_cipher_update( &operation,
+ ciphertext->x, ciphertext->len,
output, output_buffer_size,
- &output_length) );
- TEST_ASSERT( output_length <=
- PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ) );
- TEST_ASSERT( output_length <=
- PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) );
+ &length ) );
+ TEST_ASSERT( length <= output_buffer_size );
+ output_length += length;
+ PSA_ASSERT( psa_cipher_finish( &operation,
+ output + output_length,
+ output_buffer_size - output_length,
+ &length ) );
+ output_length += length;
+ ASSERT_COMPARE( plaintext->x, plaintext->len,
+ output, output_length );
- ASSERT_COMPARE( expected_output->x, expected_output->len,
+ /* One-shot encryption */
+ output_length = ~0;
+ PSA_ASSERT( psa_cipher_encrypt( key, alg, plaintext->x, plaintext->len,
+ output, output_buffer_size,
+ &output_length ) );
+ ASSERT_COMPARE( ciphertext->x, ciphertext->len,
+ output, output_length );
+
+ /* One-shot decryption */
+ output_length = ~0;
+ PSA_ASSERT( psa_cipher_decrypt( key, alg, ciphertext->x, ciphertext->len,
+ output, output_buffer_size,
+ &output_length ) );
+ ASSERT_COMPARE( plaintext->x, plaintext->len,
output, output_length );
exit:
PSA_ASSERT( psa_cipher_abort( &operation ) );
mbedtls_free( output );
+ psa_cipher_abort( &operation );
psa_destroy_key( key );
PSA_DONE( );
}
diff --git a/tests/suites/test_suite_psa_crypto_storage_format.function b/tests/suites/test_suite_psa_crypto_storage_format.function
index b90ef6e..c52dae1 100644
--- a/tests/suites/test_suite_psa_crypto_storage_format.function
+++ b/tests/suites/test_suite_psa_crypto_storage_format.function
@@ -60,6 +60,155 @@
return( 0 );
}
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+static int is_accelerated_rsa( psa_algorithm_t alg )
+{
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN)
+ if ( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
+ return( 1 );
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
+ if( PSA_ALG_IS_RSA_PSS( alg ) )
+ return( 1 );
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
+ if( PSA_ALG_IS_RSA_OAEP( alg ) )
+ return( 1 );
+#endif
+ (void) alg;
+ return( 0 );
+}
+
+/* Whether the algorithm is implemented as a builtin, i.e. not accelerated,
+ * and calls mbedtls_md() functions that require the hash algorithm to
+ * also be built-in. */
+static int is_builtin_calling_md( psa_algorithm_t alg )
+{
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+ if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
+ return( 1 );
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ if( PSA_ALG_IS_RSA_PSS( alg ) )
+ return( 1 );
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ if( PSA_ALG_IS_RSA_OAEP( alg ) )
+ return( 1 );
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ if( PSA_ALG_IS_DETERMINISTIC_ECDSA( alg ) )
+ return( 1 );
+#endif
+ (void) alg;
+ return( 0 );
+}
+
+static int has_builtin_hash( psa_algorithm_t alg )
+{
+#if !defined(MBEDTLS_MD5_C)
+ if( alg == PSA_ALG_MD5 )
+ return( 0 );
+#endif
+#if !defined(MBEDTLS_RIPEMD160_C)
+ if( alg == PSA_ALG_RIPEMD160 )
+ return( 0 );
+#endif
+#if !defined(MBEDTLS_SHA1_C)
+ if( alg == PSA_ALG_SHA_1 )
+ return( 0 );
+#endif
+#if !defined(MBEDTLS_SHA224_C)
+ if( alg == PSA_ALG_SHA_224 )
+ return( 0 );
+#endif
+#if !defined(MBEDTLS_SHA256_C)
+ if( alg == PSA_ALG_SHA_256 )
+ return( 0 );
+#endif
+#if !defined(MBEDTLS_SHA384_C)
+ if( alg == PSA_ALG_SHA_384 )
+ return( 0 );
+#endif
+#if !defined(MBEDTLS_SHA512_C)
+ if( alg == PSA_ALG_SHA_512 )
+ return( 0 );
+#endif
+ (void) alg;
+ return( 1 );
+}
+#endif
+
+/* Mbed TLS doesn't support certain combinations of key type and algorithm
+ * in certain configurations. */
+static int can_exercise( const psa_key_attributes_t *attributes )
+{
+ psa_key_type_t key_type = psa_get_key_type( attributes );
+ psa_algorithm_t alg = psa_get_key_algorithm( attributes );
+ psa_algorithm_t hash_alg =
+ PSA_ALG_IS_HASH_AND_SIGN( alg ) ? PSA_ALG_SIGN_GET_HASH( alg ) :
+ PSA_ALG_IS_RSA_OAEP( alg ) ? PSA_ALG_RSA_OAEP_GET_HASH( alg ) :
+ PSA_ALG_NONE;
+ psa_key_usage_t usage = psa_get_key_usage_flags( attributes );
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+ /* We test some configurations using drivers where the driver doesn't
+ * support certain hash algorithms, but declares that it supports
+ * compound algorithms that use those hashes. Until this is fixed,
+ * in those configurations, don't try to actually perform operations.
+ *
+ * Hash-and-sign algorithms where the asymmetric part doesn't use
+ * a hash operation are ok. So randomized ECDSA signature is fine,
+ * ECDSA verification is fine, but deterministic ECDSA signature is
+ * affected. All RSA signatures are affected except raw PKCS#1v1.5.
+ * OAEP is also affected.
+ */
+ if( PSA_ALG_IS_DETERMINISTIC_ECDSA( alg ) &&
+ ! ( usage & ( PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE ) ) )
+ {
+ /* Verification only. Verification doesn't use the hash algorithm. */
+ return( 1 );
+ }
+
+#if defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)
+ if( PSA_ALG_IS_DETERMINISTIC_ECDSA( alg ) &&
+ ( hash_alg == PSA_ALG_MD5 ||
+ hash_alg == PSA_ALG_RIPEMD160 ||
+ hash_alg == PSA_ALG_SHA_1 ) )
+ {
+ return( 0 );
+ }
+#endif
+ if( is_accelerated_rsa( alg ) &&
+ ( hash_alg == PSA_ALG_RIPEMD160 || hash_alg == PSA_ALG_SHA_384 ) )
+ {
+ return( 0 );
+ }
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
+ if( PSA_ALG_IS_RSA_OAEP( alg ) &&
+ ( hash_alg == PSA_ALG_RIPEMD160 || hash_alg == PSA_ALG_SHA_384 ) )
+ {
+ return( 0 );
+ }
+#endif
+
+ /* The built-in implementation of asymmetric algorithms that use a
+ * hash internally only dispatch to the internal md module, not to
+ * PSA. Until this is supported, don't try to actually perform
+ * operations when the operation is built-in and the hash isn't. */
+ if( is_builtin_calling_md( alg ) && ! has_builtin_hash( hash_alg ) )
+ {
+ return( 0 );
+ }
+#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 */
+
+ (void) key_type;
+ (void) alg;
+ (void) hash_alg;
+ (void) usage;
+ return( 1 );
+}
+
/** Write a key with the given representation to storage, then check
* that it has the given attributes and (if exportable) key material.
*
@@ -108,7 +257,7 @@
exported_material, length );
}
- if( flags & TEST_FLAG_EXERCISE )
+ if( ( flags & TEST_FLAG_EXERCISE ) && can_exercise( &actual_attributes ) )
{
TEST_ASSERT( mbedtls_test_psa_exercise_key(
key_id,
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 0565603..e42f8ba 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -4844,7 +4844,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void mbedtls_endpoint_sanity( int endpoint_type )
{
enum { BUFFSIZE = 1024 };
@@ -4867,13 +4867,15 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void move_handshake_to_state(int endpoint_type, int state, int need_pass)
{
enum { BUFFSIZE = 1024 };
mbedtls_endpoint base_ep, second_ep;
int ret = -1;
+ USE_PSA_INIT( );
+
ret = mbedtls_endpoint_init( &base_ep, endpoint_type, MBEDTLS_PK_RSA,
NULL, NULL, NULL, NULL );
TEST_ASSERT( ret == 0 );
@@ -4906,6 +4908,7 @@
exit:
mbedtls_endpoint_free( &base_ep, NULL );
mbedtls_endpoint_free( &second_ep, NULL );
+ USE_PSA_DONE( );
}
/* END_CASE */
@@ -4980,7 +4983,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments )
@@ -4992,7 +4995,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments )
@@ -5004,7 +5007,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_serialization( )
{
handshake_test_options options;
@@ -5018,7 +5021,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation)
{
handshake_test_options options;
@@ -5054,7 +5057,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void renegotiation( int legacy_renegotiation )
{
handshake_test_options options;
@@ -5070,7 +5073,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation,
int serialize, int dtls, char *cipher )
{
@@ -5091,7 +5094,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void resize_buffers_serialize_mfl( int mfl )
{
test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1,
@@ -5102,7 +5105,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation,
char *cipher )
{
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index fea02f3..33591d3 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -35,8 +35,8 @@
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
- 0xFFFFFFF, /* Any PK alg */
- 0xFFFFFFF, /* Any curve */
+ 0xFFFFFFFF, /* Any PK alg */
+ 0xFFFFFFFF, /* Any curve */
1024,
};
@@ -53,8 +53,8 @@
const mbedtls_x509_crt_profile profile_sha512 =
{
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
- 0xFFFFFFF, /* Any PK alg */
- 0xFFFFFFF, /* Any curve */
+ 0xFFFFFFFF, /* Any PK alg */
+ 0xFFFFFFFF, /* Any curve */
1024,
};
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 485bbe2..f5001bd 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -170,7 +170,7 @@
{
mbedtls_pk_context key;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_algorithm_t md_alg_psa;
+ psa_algorithm_t md_alg_psa, alg_psa;
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
@@ -187,7 +187,17 @@
mbedtls_pk_init( &key );
TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL ) == 0 );
- TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &key_id, md_alg_psa ) == 0 );
+
+ if( mbedtls_pk_get_type( &key ) == MBEDTLS_PK_ECKEY )
+ alg_psa = PSA_ALG_ECDSA( md_alg_psa );
+ else if( mbedtls_pk_get_type( &key ) == MBEDTLS_PK_RSA )
+ alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN( md_alg_psa );
+ else
+ TEST_ASSUME( ! "PK key type not supported in this configuration" );
+
+ TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &key_id, alg_psa,
+ PSA_KEY_USAGE_SIGN_HASH,
+ PSA_ALG_NONE ) == 0 );
mbedtls_x509write_csr_init( &req );
mbedtls_x509write_csr_set_md_alg( &req, md_type );
@@ -280,12 +290,21 @@
/* For Opaque PK contexts, wrap key as an Opaque RSA context. */
if( pk_wrap == 2 )
{
- psa_algorithm_t md_alg_psa =
- mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type );
+ psa_algorithm_t alg_psa, md_alg_psa;
+ md_alg_psa = mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type );
TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE );
- TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &issuer_key, &key_id,
- md_alg_psa ) == 0 );
+
+ if( mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_ECKEY )
+ alg_psa = PSA_ALG_ECDSA( md_alg_psa );
+ else if( mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
+ alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN( md_alg_psa );
+ else
+ TEST_ASSUME( ! "PK key type not supported in this configuration" );
+
+ TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &issuer_key, &key_id, alg_psa,
+ PSA_KEY_USAGE_SIGN_HASH,
+ PSA_ALG_NONE ) == 0 );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
